From 83668a6840075eb979c9cb0aeae9a680153416ee Mon Sep 17 00:00:00 2001
From: "G. Tsirkas"
Date: Thu, 28 Feb 2019 10:05:41 +0200
Subject: [PATCH] LDAP Authentication. Create two envars REDASH_LDAP_USE_SSL and REDASH_LDAP_AUTH_BIND (#2776)
* Add two new envars. REDASH_LDAP_USE_SSL which determines if the connection will use ssl and LDAP_AUTH_BIND which determines if the binding is SIMPLE or ANONYMOUS
* Add use_ssl paremeter
* Rename LDAP_AUTH_BIND to LDAP_AUTH_METHOD and modify LDAP_SSL using parse_boolean
* Fix typo
* import ANONYMOUS constant from ldap3
* Add NTLM authentication
* Add comment to authentication method envar
---
 redash/authentication/ldap_auth.py | 6 +++---
 redash/settings/__init__.py | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/redash/authentication/ldap_auth.py b/redash/authentication/ldap_auth.py
index cc38a5f72c..39fb38cb92 100644
--- a/redash/authentication/ldap_auth.py
+++ b/redash/authentication/ldap_auth.py
@@ -7,7 +7,7 @@ from flask_login import current_user, login_required, login_user, logout_user
 try:
- from ldap3 import Server, Connection, SIMPLE
+ from ldap3 import Server, Connection, SIMPLE, ANONYMOUS, NTLM
 except ImportError:
 if settings.LDAP_LOGIN_ENABLED:
 logger.error("The ldap3 library was not found. This is required to use LDAP authentication (see requirements.txt).")
@@ -59,8 +59,8 @@ def login(org_slug=None):
 def auth_ldap_user(username, password):
- server = Server(settings.LDAP_HOST_URL)
- conn = Connection(server, settings.LDAP_BIND_DN, password=settings.LDAP_BIND_DN_PASSWORD, authentication=SIMPLE, auto_bind=True)
+ server = Server(settings.LDAP_HOST_URL, use_ssl=settings.LDAP_SSL)
+ conn = Connection(server, settings.LDAP_BIND_DN, password=settings.LDAP_BIND_DN_PASSWORD, authentication=settings.LDAP_AUTH_METHOD, auto_bind=True)
 conn.search(settings.LDAP_SEARCH_DN, settings.LDAP_SEARCH_TEMPLATE % {"username": username}, attributes=[settings.LDAP_DISPLAY_NAME_KEY, settings.LDAP_EMAIL_KEY])
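Review bot: `Server(settings.LDAP_HOST_URL, use_ssl=settings.LDAP_SSL)` switches the connection to LDAPS without passing a `tls=` object, and unless I misremember ldap3's defaults a `Server` built that way gets `Tls(validate=ssl.CERT_NONE)`, so the bind DN password and the user's credentials travel over an encrypted channel whose peer certificate is never checked. Pass an explicit `Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=...)` (ldap3's `Tls` class, `ssl` from the stdlib) or leave a comment recording why certificate validation is deliberately left to the deployment. In the same hunk `authentication=settings.LDAP_AUTH_METHOD` hands ldap3 the raw environment string, which also leaves `ANONYMOUS` and `NTLM` from the first hunk imported but unused; mapping the string through `{'SIMPLE': SIMPLE, 'ANONYMOUS': ANONYMOUS, 'NTLM': NTLM}` would use those names and reject an unsupported value with a clear error instead of whatever ldap3 raises at the first login attempt. Not introduced here but visible in the context line, `username` is still interpolated into `LDAP_SEARCH_TEMPLATE` without filter escaping; `ldap3.utils.conv.escape_filter_chars` exists for that. `auth_ldap_user`'s body continues past the end of the hunk.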
diff --git a/redash/settings/__init__.py b/redash/settings/__init__.py
index ee0f7c4782..5dd7611a78 100644
--- a/redash/settings/__init__.py
+++ b/redash/settings/__init__.py
@@ -87,6 +87,10 @@ def all_settings():
 # If the organization setting auth_password_login_enabled is not false, then users will still be
 # able to login through Redash instead of the LDAP server
 LDAP_LOGIN_ENABLED = parse_boolean(os.environ.get('REDASH_LDAP_LOGIN_ENABLED', 'false'))
+# Bind LDAP using SSL. Default is False
+LDAP_SSL = parse_boolean(os.environ.get('REDASH_LDAP_USE_SSL', 'false'))
+# Choose authentication method(SIMPLE, ANONYMOUS or NTLM). Default is SIMPLE
+LDAP_AUTH_METHOD = os.environ.get('REDASH_LDAP_AUTH_METHOD', 'SIMPLE')
 # The LDAP directory address (ex. ldap://10.0.10.1:389)
 LDAP_HOST_URL = os.environ.get('REDASH_LDAP_URL', None)
 # The DN & password used to connect to LDAP to determine the identity of the user being authenticated.
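Review bot: `LDAP_AUTH_METHOD = os.environ.get('REDASH_LDAP_AUTH_METHOD', 'SIMPLE')` accepts any string, so a lowercase or misspelled value is only discovered when the first LDAP login fails inside ldap3; normalising and checking it here, `LDAP_AUTH_METHOD = os.environ.get('REDASH_LDAP_AUTH_METHOD', 'SIMPLE').upper()` followed by a check against `('SIMPLE', 'ANONYMOUS', 'NTLM')` that raises at startup, would fail fast with a message naming the variable. The comment above `LDAP_SSL` should also tell the operator what the flag implies for `REDASH_LDAP_URL`: with `use_ssl` on, the `ldap://10.0.10.1:389` example in the next comment will presumably not complete a handshake against a plain LDAP listener, so something like `# Connect over LDAPS (REDASH_LDAP_URL must then point at the LDAPS port, typically 636). Default is False` would save a confusing failure.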