Banno / getsentry-ldap-auth

A Sentry extension to add an LDAP server as an authentication source.
Apache License 2.0

Sentry LDAP Plugin ignored with latest Version #32

Open sattlerio opened 6 years ago

sattlerio commented 6 years ago

Hi,

With the latest version I am facing the problem that Sentry does not recognize this plugin as an auth backend. The module does not show up in the auth backends, nor does login through it work. With the same config it worked with older Sentry versions.

Here is my config:

import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfUniqueNamesType

#########
#  LDAP #
#########
AUTH_LDAP_SERVER_URI = 'ldap://XXXXX'
AUTH_LDAP_BIND_DN = ''
AUTH_LDAP_BIND_PASSWORD = ''

AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'ou=users,dc=ldap,dc=XXXXXX,dc=io',
    ldap.SCOPE_SUBTREE,
    '(mail=%(user)s)',
)

AUTH_LDAP_USER_ATTR_MAP = {
    'name': 'cn',
    'email': 'displayName'
}
AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = u'XXXXX'  # redefined further down

AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = True
AUTH_LDAP_SENTRY_SUBSCRIBE_BY_DEFAULT = False
AUTH_LDAP_SENTRY_USERNAME_FIELD = 'cn'  # redefined further down
SENTRY_MANAGED_USER_FIELDS = ('email', 'first_name', 'last_name', 'password', )

AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    '',
    ldap.SCOPE_SUBTREE,
    '(objectClass=groupOfUniqueNames)'
)

AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()
AUTH_LDAP_REQUIRE_GROUP = None
AUTH_LDAP_DENY_GROUP = None

AUTH_LDAP_FIND_GROUP_PERMS = False
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = u'My Organization Name'
AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE = 'member'
AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = True
# Overrides the 'cn' value set above; note this is a search filter, not an attribute name
AUTH_LDAP_SENTRY_USERNAME_FIELD = '(|(cn=%(user))(uid=%(user)))'

import logging
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.setLevel('DEBUG')

AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
    'sentry_ldap_auth.backend.SentryLdapBackend',
)

TomaszJanusz commented 6 years ago

Same problem. Even more interesting, the plugin is listed in the Packages section.

tekkeitserktok commented 6 years ago

I can't login with LDAP, any updates on this ? Thank you !

aleksihakli commented 6 years ago

I just tested a Sentry 9.0 installation in a development environment with getsentry-ldap-auth 2.7 and similar-looking settings (specifically, the AUTHENTICATION_BACKENDS setting is identical to yours) and have working LDAP authentication.

My LDAP plugin settings are as follows for Microsoft AD:

from sentry.conf.server import *

# LDAP support
# https://github.com/Banno/getsentry-ldap-auth
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

# Disable this in production; this is just for testing purposes in a staging environment
AUTH_LDAP_GLOBAL_OPTIONS = {ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_ALLOW}
AUTH_LDAP_SERVER_URI = env('SENTRY_AUTH_LDAP_SERVER_URI')
AUTH_LDAP_BIND_DN = env('SENTRY_AUTH_LDAP_BIND_DN')
AUTH_LDAP_BIND_PASSWORD = env('SENTRY_AUTH_LDAP_BIND_PASSWORD')

AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'OU=Users,DC=ad,DC=example,DC=com',
    ldap.SCOPE_SUBTREE,
    '(sAMAccountName=%(user)s)',
)

AUTH_LDAP_USER_ATTR_MAP = {
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail',
    'name': 'displayName',
}

AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    'OU=Groups,DC=ad,DC=example,DC=com',
    ldap.SCOPE_SUBTREE,
    '(objectClass=group)'
)

AUTH_LDAP_DENY_GROUP = None
AUTH_LDAP_MIRROR_GROUPS = False  # does not work with Sentry
AUTH_LDAP_FIND_GROUP_PERMS = False

AUTH_LDAP_CACHE_GROUPS = False
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = u'Sentry'
AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE = 'member'
AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = False
AUTH_LDAP_SENTRY_SUBSCRIBE_BY_DEFAULT = False
AUTH_LDAP_DEFAULT_EMAIL_DOMAIN = 'example.com'

AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
    'sentry_ldap_auth.backend.SentryLdapBackend',
)

import logging
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.setLevel('DEBUG')
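Editor's addition (not code from this thread or from getsentry-ldap-auth): the configs posted here share a few patterns worth checking before they reach production: a plain ldap:// URI with no STARTTLS, OPT_X_TLS_REQUIRE_CERT relaxed to ALLOW, an empty bind DN and password, a group search with an empty base DN, and AUTH_LDAP_REQUIRE_GROUP = None (so every directory account matching the user search can log in). The Python below lints a settings mapping offline for those patterns and also renders the user-search filter template the way django-auth-ldap does at login, which catches a `%(user)` missing its trailing `s`. It never contacts a directory. The Search tuple stands in for django_auth_ldap's LDAPSearch, the hostnames, DNs and password are placeholders, and the numeric fallbacks for the python-ldap constants are the values from OpenLDAP's ldap.h.

```python
"""Offline lint for django-auth-ldap / sentry-ldap-auth settings.

Constructed example: it inspects a settings mapping and never talks to LDAP.
"""
from collections import namedtuple
from urllib.parse import urlsplit

try:
    import ldap  # python-ldap, installed alongside sentry-ldap-auth
    OPT_TLS_REQUIRE_CERT = ldap.OPT_X_TLS_REQUIRE_CERT
    TLS_NEVER, TLS_ALLOW, TLS_DEMAND = (ldap.OPT_X_TLS_NEVER,
                                       ldap.OPT_X_TLS_ALLOW, ldap.OPT_X_TLS_DEMAND)
    SCOPE_SUBTREE = ldap.SCOPE_SUBTREE
except ImportError:
    # Fallback so the lint runs without python-ldap: numeric values of
    # LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_{NEVER,ALLOW,DEMAND} and
    # LDAP_SCOPE_SUBTREE from OpenLDAP's ldap.h (assumed constants).
    OPT_TLS_REQUIRE_CERT = 0x6006
    TLS_NEVER, TLS_ALLOW, TLS_DEMAND = 0, 3, 2
    SCOPE_SUBTREE = 2

# Stand-in for django_auth_ldap.config.LDAPSearch (same attribute names).
Search = namedtuple("Search", "base_dn scope filterstr")


def lint_ldap_settings(s):
    """Return a list of (code, message) findings for a settings mapping."""
    findings = []

    def flag(code, msg):
        findings.append((code, msg))

    scheme = urlsplit(s.get("AUTH_LDAP_SERVER_URI", "")).scheme.lower()
    if scheme not in ("ldap", "ldaps", "ldapi"):
        flag("URI_SCHEME", "AUTH_LDAP_SERVER_URI must be ldap://, ldaps:// or ldapi://")
    elif scheme == "ldap" and not s.get("AUTH_LDAP_START_TLS", False):
        flag("CLEARTEXT", "ldap:// without AUTH_LDAP_START_TLS sends the bind password "
                          "and every user's password in cleartext")

    require_cert = s.get("AUTH_LDAP_GLOBAL_OPTIONS", {}).get(OPT_TLS_REQUIRE_CERT)
    if require_cert in (TLS_NEVER, TLS_ALLOW):
        flag("TLS_NO_VERIFY", "OPT_X_TLS_REQUIRE_CERT is NEVER/ALLOW: the server cert is "
                              "not verified, so TLS does not stop a man-in-the-middle")

    bind_dn = s.get("AUTH_LDAP_BIND_DN", "")
    bind_pw = s.get("AUTH_LDAP_BIND_PASSWORD", "")
    if not bind_dn:
        flag("ANON_BIND", "empty AUTH_LDAP_BIND_DN: the user search runs as an anonymous "
                          "bind, which many directories reject")
    elif not bind_pw:
        flag("EMPTY_BIND_PASSWORD", "DN set but password empty: an unauthenticated bind "
                                    "(RFC 4513), rejected or treated as anonymous")

    for key in ("AUTH_LDAP_USER_SEARCH", "AUTH_LDAP_GROUP_SEARCH"):
        search = s.get(key)
        if search is None:
            continue
        if not search.base_dn:
            flag("EMPTY_BASE_DN", f"{key}: empty base DN searches from the root; set the OU")
        if key == "AUTH_LDAP_USER_SEARCH":
            try:
                # django-auth-ldap %-formats the filter with the (escaped) login
                # name at authentication time; a bad template only fails then.
                rendered = search.filterstr % {"user": "probe"}
            except (KeyError, ValueError, TypeError) as exc:
                flag("BAD_FILTER_TEMPLATE", f"{key}: {exc!r}")
            else:
                if "probe" not in rendered:
                    flag("FILTER_IGNORES_USER", f"{key}: filter never uses %(user)s")
                if rendered.count("(") != rendered.count(")"):
                    flag("UNBALANCED_FILTER", f"{key}: unbalanced parentheses")

    if s.get("AUTH_LDAP_REQUIRE_GROUP") is None:
        flag("NO_REQUIRE_GROUP", "any directory account matching the user search can log "
                                 "in; set AUTH_LDAP_REQUIRE_GROUP to gate access")
    return findings


def finding_codes(findings):
    return {code for code, _ in findings}


# Constructed settings mirroring the weak patterns posted in this thread.
WEAK_SETTINGS = {
    "AUTH_LDAP_SERVER_URI": "ldap://ldap.example.internal",
    "AUTH_LDAP_BIND_DN": "",
    "AUTH_LDAP_BIND_PASSWORD": "",
    "AUTH_LDAP_GLOBAL_OPTIONS": {OPT_TLS_REQUIRE_CERT: TLS_ALLOW},
    "AUTH_LDAP_USER_SEARCH": Search("ou=users,dc=example,dc=com", SCOPE_SUBTREE, "(mail=%(user)s)"),
    "AUTH_LDAP_GROUP_SEARCH": Search("", SCOPE_SUBTREE, "(objectClass=groupOfUniqueNames)"),
    "AUTH_LDAP_REQUIRE_GROUP": None,
}

# Hardened counterpart (placeholder host, DNs and password).
HARDENED_SETTINGS = {
    "AUTH_LDAP_SERVER_URI": "ldaps://ldap.example.internal",
    "AUTH_LDAP_BIND_DN": "cn=sentry-svc,ou=service,dc=example,dc=com",
    "AUTH_LDAP_BIND_PASSWORD": "read-me-from-the-environment",
    "AUTH_LDAP_GLOBAL_OPTIONS": {OPT_TLS_REQUIRE_CERT: TLS_DEMAND},
    "AUTH_LDAP_USER_SEARCH": Search("ou=users,dc=example,dc=com", SCOPE_SUBTREE, "(uid=%(user)s)"),
    "AUTH_LDAP_GROUP_SEARCH": Search("ou=groups,dc=example,dc=com", SCOPE_SUBTREE, "(objectClass=groupOfNames)"),
    "AUTH_LDAP_REQUIRE_GROUP": "cn=sentry-users,ou=groups,dc=example,dc=com",
}

if __name__ == "__main__":
    for code, msg in lint_ldap_settings(WEAK_SETTINGS):
        print(f"{code}: {msg}")
    print("hardened:", lint_ldap_settings(HARDENED_SETTINGS) or "no findings")
```

Run it as a script to see the findings for the weak settings. To check a real sentry.conf.py, build the mapping from the loaded module's AUTH_LDAP_* globals rather than pasting the bind password into the script, and keep the OPT_X_TLS_REQUIRE_CERT relaxation in the config above strictly to staging, as its comment says.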

kepi commented 6 years ago

Same problem here. @aleksihakli do you see the LDAP plugin in the auth backends when it is working?

aleksihakli commented 6 years ago

Yeah, with the configuration I posted above I can see the LDAP backend ('sentry_ldap_auth.backend.SentryLdapBackend') as the last entry in the AUTHENTICATION_BACKENDS tuple at the URL /manage/status/environment/, and it works OK.

A funny note about Sentry 9+ is that you need to add a local password for your user to access that configuration URL; the LDAP bind password doesn't actually work for /manage/status/environment/, for whatever reason.

AmyLewis commented 6 years ago

I tested Sentry 9.0 + sentry_ldap_auth 2.7 with the Sentry config below, and the LDAP plugin in the auth backends is working.

from sentry.conf.server import *  # provides env() and the default AUTHENTICATION_BACKENDS
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

SENTRY_MANAGED_USER_FIELDS = ("email", "password")

AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = env('SENTRY_LDAP_ORG')
AUTH_LDAP_SENTRY_ORGANIZATION_MEMBER_TYPE = "member"
AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = True
AUTH_LDAP_SENTRY_SUBSCRIBE_BY_DEFAULT = False
AUTH_LDAP_DEFAULT_EMAIL_DOMAIN = "example.com"

AUTH_LDAP_SERVER_URI = env('SENTRY_AUTH_LDAP_SERVER_URI')
AUTH_LDAP_BIND_DN = env('SENTRY_AUTH_LDAP_BIND_DN')
AUTH_LDAP_BIND_PASSWORD = env('SENTRY_AUTH_LDAP_BIND_PASSWORD')

AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=example,dc=com",
                                   ldap.SCOPE_SUBTREE,
                                   "(uid=%(user)s)")
AUTH_LDAP_USER_ATTR_MAP = {
    'name': 'displayName',
    'email': 'mail'
}

AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_DEBUG_LEVEL: 0,
    ldap.OPT_REFERRALS: 0,
}

AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
    'sentry_ldap_auth.backend.SentryLdapBackend',
)

Here are some suggestions for you to debug:

Sentry will check if the user is in any organization. If you receive "No Organization Access", make sure your organizations contain the value of AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION.

sergeohl commented 6 years ago

@AmyLewis how do you do

Add some log and run sentry, to see how it works and where it fails.

I'm not familiar with Sentry. I tried to add that, but I don't get any log in a file or on the console :(

import logging
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.addHandler(logging.FileHandler(r"/tmp/ldap.log"))
logger.setLevel('DEBUG')

janceChun commented 6 years ago

The following code works for me!!! 😁😁

1. Set the Dockerfile:

    FROM sentry:9.0-onbuild
    RUN apt-get update && apt-get install -y libsasl2-dev python-dev libldap2-dev libssl-dev
    RUN pip install sentry-ldap-auth

2. Set sentry.conf.py:

    import ldap
    from django_auth_ldap.config import LDAPSearch, GroupOfUniqueNamesType

    AUTH_LDAP_SERVER_URI = 'ldap://xxxxx:xxxx'
    AUTH_LDAP_BIND_DN = 'xxxxx'
    AUTH_LDAP_BIND_PASSWORD = 'xxxxx'

    AUTH_LDAP_USER_SEARCH = LDAPSearch(
        'xxxx',
        ldap.SCOPE_SUBTREE,
        '(mail=%(user)s)',
    )

    AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
        '',
        ldap.SCOPE_SUBTREE,
        '(objectClass=groupOfUniqueNames)'
    )

    AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()
    AUTH_LDAP_REQUIRE_GROUP = None
    AUTH_LDAP_DENY_GROUP = None

    AUTH_LDAP_USER_ATTR_MAP = {
        'name': 'cn',
        'email': 'mail'
    }

    AUTH_LDAP_FIND_GROUP_PERMS = False
    AUTH_LDAP_CACHE_GROUPS = True
    AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

    AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = u'Sentry'
    AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE = 'member'
    AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = True
    AUTH_LDAP_SENTRY_SUBSCRIBE_BY_DEFAULT = False

    SENTRY_MANAGED_USER_FIELDS = ('email', 'first_name', 'last_name', 'password', )

    AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
        'sentry_ldap_auth.backend.SentryLdapBackend',
    )

Optional, for debugging:

    import logging
    logger = logging.getLogger('django_auth_ldap')
    logger.addHandler(logging.StreamHandler())
    logger.addHandler(logging.FileHandler('/tmp/ldap2.log'))
    logger.setLevel('DEBUG')

    LOGGING['overridable'] = ['sentry', 'django_auth_ldap']
    LOGGING['loggers']['django_auth_ldap'] = {
        'handlers': ['console'],
        'level': 'DEBUG'
    }

Reference: https://yyhh.org/blog/2017/12/ldap-authentication-premise-sentry-server-using-freeipa

sgyy1994 commented 6 years ago

The comment above is great.

sotona- commented 5 years ago

Hi. I'm trying to add LDAP auth to Sentry with this config https://github.com/Banno/getsentry-ldap-auth/issues/32#issuecomment-405823382 and am having some trouble. When I try to log in, the backend successfully binds to the LDAP server and successfully finds the user. After that the backend makes a second bind to the server without a username and password, and unsuccessfully tries to make three search requests. If I set AUTH_LDAP_BIND_AS_AUTHENTICATING_USER to True, the backend tries to bind without credentials the first time.

suuzee commented 5 years ago

@aleksihakli I want to ask an unrelated question: how do I view the LDAP log? Thank you!

aleksihakli commented 5 years ago

Configure the LDAP plugin logging correctly using the Django and Django LDAP plugin documentation.

jeffersonluismartins commented 5 years ago

@janceChun can you post your structure configuration? With your configuration, django LDAP returns INVALID_CREDENTIALS when I try to connect with my user. I changed all the configurations that I found on the internet, and your configuration, at least, is almost there. Can you post your structure configuration (CN=XX,OU=XX, or ldap.example.com, etc.), please? Thank you

lorn commented 5 years ago

I built a Sentry Docker image that receives the LDAP configuration via environment variables; feel free to test it and ask for help: https://github.com/locaweb/docker-sentry-ldap/ or https://hub.docker.com/r/locaweb/docker-sentry-ldap

sgohl commented 4 years ago

Has anybody got this working with Sentry 10, especially with Active Directory?