LDAP Setup
- Password has expired / user needs to change their password (this causes login to fail with credentials denied)
- User is not a member of the right groups
LDAP (Lightweight Directory Access Protocol) is the protocol behind Microsoft Active Directory, which is what most corporate intranets use for logins, Outlook, shared drives etc.
You can configure VariantGrid to use this instead of having its own users/passwords.
We make use of the library Django Auth LDAP.
```shell
# Ubuntu
apt-get install libsasl2-dev libldap2-dev libssl-dev
# RHEL 7
yum install openldap-devel
# Python
python3.8 -m pip install django-auth-ldap
```
Ideally, talk to your IT department and have them provide you with the details. Otherwise, if you have access to a Unix machine, check the settings in /etc/sssd/sssd.conf.
You need auth_server (looks like "auth/ldap/ad.yourcompany.com") and ldap_search_base (looks like "DC=whatever,DC=yourcompany,DC=com").
Once you have that, try the command line program:
```shell
export AUTH_SERVER="had.sa.gov.au"
export LDAP_SEARCH_BASE="OU=People,dc=had,dc=sa,dc=gov,dc=au"
export USERNAME=ihidlaw # Use your own username here..
export FULL_USERNAME="had\\${USERNAME}"
export PASSWORD=enter_your_password_here
# Note: You use your username/password above, but below we will change what we are looking for to find info on others:
export EMAIL_TO_SEARCH_FOR=enter_email_to_search_for_here
# Tip: -w puts the password in your shell history and process list; -W (capital) prompts for it instead.
ldapsearch -x -LLL -h ${AUTH_SERVER} -D ${FULL_USERNAME} -w ${PASSWORD} -b"${LDAP_SEARCH_BASE}" "(mail=${EMAIL_TO_SEARCH_FOR})"
```
The "(key=value)" at the end is the search filter (in this case the search returns only one user). This should display information about the user and their groups. Be sure to note the sAMAccountName (pipe the output through `grep sAMAccountName`) - this is what you use to log in to VariantGrid:
```shell
export EMAIL_TO_SEARCH_FOR=enter_email_to_search_for_here
ldapsearch -x -LLL -h ${AUTH_SERVER} -D ${FULL_USERNAME} -w ${PASSWORD} -b"${LDAP_SEARCH_BASE}" "(mail=${EMAIL_TO_SEARCH_FOR})" | grep sAMAccountName
# Example output:
sAMAccountName: impecol
```
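The ldapsearch output above is LDIF, and a plain grep misses two details of that format: long values (such as the group DNs in memberOf) are folded onto a continuation line, and values that are not safe ASCII are base64 encoded after `::`. As an added example that is not part of this wiki page, here is a stdlib-only Python parser for such output that extracts the sAMAccountName and checks group membership (the "not a member of the right groups" login failure above); the user, group names and values are constructed.

```python
import base64
import re

# Constructed sample of what `ldapsearch -x -LLL ... "(mail=...)"` prints for one AD user:
# the first memberOf value is folded onto a continuation line (ldapsearch wraps long lines)
# and displayName is base64 encoded (`::`), as ldapsearch does for values that are not safe ASCII.
SAMPLE_LDIF = """\
dn: CN=Example Person,OU=People,DC=had,DC=sa,DC=gov,DC=au
sAMAccountName: expers
displayName:: RXhhbXBsZSBQZXJzb24=
memberOf: CN=VariantGrid Users,OU=Groups,DC=had,DC=sa,DC=gov,DC=
 au
memberOf: CN=Staff,OU=Groups,DC=had,DC=sa,DC=gov,DC=au
"""

LDIF_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse ldapsearch -LLL output into one {attribute: [values]} dict per entry."""
    # Unfold first: a line starting with a single space continues the previous line.
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries = []
    current = {}
    for line in unfolded:
        if not line.strip():  # a blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        match = LDIF_LINE.match(line)
        if match is None:
            raise ValueError(f"unexpected LDIF line: {line!r}")
        attr, sep, value = match.groups()
        if sep == "::":  # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def login_prerequisites(entry, required_group_dn):
    """Return (sAMAccountName to log in with, whether the user is in required_group_dn); DNs compare case-insensitively."""
    sam = entry.get("sAMAccountName", [None])[0]
    in_group = any(g.lower() == required_group_dn.lower() for g in entry.get("memberOf", []))
    return sam, in_group
```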
The Django Auth LDAP Docs are quite good, I only needed to
- I've found on some systems that you can log in with your sAMAccountName, but it won't correctly populate your Django user object with name/email etc. To get the population to work, you need to log in using your distinguished name.
- If your username is part of your distinguished name, you can use direct bind (AUTH_LDAP_USER_DN_TEMPLATE).
- Otherwise, you will need to run a search to get the distinguished name, then log in with that.
Most auth servers require a login to perform a search. You can hard-code service credentials in AUTH_LDAP_BIND_DN/AUTH_LDAP_BIND_PASSWORD, but I didn't want to do this, so I modified the backend to run the search with the credentials of the user who is logging in, as follows:
```python
from django_auth_ldap.backend import LDAPBackend


class CustomLDAPBackend(LDAPBackend):
    def authenticate_ldap_user(self, ldap_user, password):
        # Bind for the user search with the logging-in user's own credentials
        # instead of a hard-coded AUTH_LDAP_BIND_DN/AUTH_LDAP_BIND_PASSWORD.
        # "AD\\user" is the DOMAIN\user login form; use your own domain (e.g. "had" above).
        self.settings.BIND_DN = f"AD\\{ldap_user._username}"
        self.settings.BIND_PASSWORD = password
        try:
            ret = super().authenticate_ldap_user(ldap_user, password)
        finally:
            # Clear settings so no stack traces etc ever list them
            self.settings.BIND_DN = None
            self.settings.BIND_PASSWORD = None
        return ret
```