LDAP Authentication. Create two envars REDASH_LDAP_USE_SSL and REDASH…

…_LDAP_AUTH_BIND (#2776) * Add two new envars. REDASH_LDAP_USE_SSL which determines if the connection will use ssl and LDAP_AUTH_BIND which determines if the binding is SIMPLE or ANONYMOUS * Add use_ssl paremeter * Rename LDAP_AUTH_BIND to LDAP_AUTH_METHOD and modify LDAP_SSL using parse_boolean * Fix typo * import ANONYMOUS constant from ldap3 * Add NTLM authentication * Add comment to authentication method envar
getredash · Feb 28, 2019 · 83668a6 · 83668a6
1 parent c9a4f07
commit 83668a6
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/redash/authentication/ldap_auth.py b/redash/authentication/ldap_auth.py
@@ -7,7 +7,7 @@
 from flask_login import current_user, login_required, login_user, logout_user
 
 try:
-    from ldap3 import Server, Connection, SIMPLE
+    from ldap3 import Server, Connection, SIMPLE, ANONYMOUS, NTLM
 except ImportError:
     if settings.LDAP_LOGIN_ENABLED:
         logger.error("The ldap3 library was not found. This is required to use LDAP authentication (see requirements.txt).")
@@ -59,8 +59,8 @@ def login(org_slug=None):
 
 
 def auth_ldap_user(username, password):
-    server = Server(settings.LDAP_HOST_URL)
-    conn = Connection(server, settings.LDAP_BIND_DN, password=settings.LDAP_BIND_DN_PASSWORD, authentication=SIMPLE, auto_bind=True)
+    server = Server(settings.LDAP_HOST_URL, use_ssl=settings.LDAP_SSL)
+    conn = Connection(server, settings.LDAP_BIND_DN, password=settings.LDAP_BIND_DN_PASSWORD, authentication=settings.LDAP_AUTH_METHOD, auto_bind=True)
 
     conn.search(settings.LDAP_SEARCH_DN, settings.LDAP_SEARCH_TEMPLATE % {"username": username}, attributes=[settings.LDAP_DISPLAY_NAME_KEY, settings.LDAP_EMAIL_KEY])
 

diff --git a/redash/settings/__init__.py b/redash/settings/__init__.py
@@ -87,6 +87,10 @@ def all_settings():
 # If the organization setting auth_password_login_enabled is not false, then users will still be
 # able to login through Redash instead of the LDAP server
 LDAP_LOGIN_ENABLED = parse_boolean(os.environ.get('REDASH_LDAP_LOGIN_ENABLED', 'false'))
+# Bind LDAP using SSL. Default is False
+LDAP_SSL = parse_boolean(os.environ.get('REDASH_LDAP_USE_SSL', 'false'))
+# Choose authentication method(SIMPLE, ANONYMOUS or NTLM). Default is SIMPLE
+LDAP_AUTH_METHOD = os.environ.get('REDASH_LDAP_AUTH_METHOD', 'SIMPLE')
 # The LDAP directory address (ex. ldap://10.0.10.1:389)
 LDAP_HOST_URL = os.environ.get('REDASH_LDAP_URL', None)
 # The DN & password used to connect to LDAP to determine the identity of the user being authenticated.