DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

LDAP Integration not working #6595

Open de-adshot opened 2 years ago

de-adshot commented 2 years ago

Team,

The ldap integration for Defect Dojo is not working.

Ref - https://github.com/DefectDojo/django-DefectDojo/issues/3981

Any suggestion?

If possible, can we have LDAP integration officially as part of Defect Dojo?

underrobyn commented 2 years ago

At my company we use LDAP, I made the following code changes for it to work:

To Dockerfile.django and Dockerfile.nginx, added the following dependencies to apt-get install steps:

libldap2-dev \
libsasl2-dev \
ldap-utils \

To requirements.txt added:

python-ldap==3.4.2
django-auth-ldap==4.1.0

To settings.dist.py added the following at the top of the file:

import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

Then further down added LDAP settings to env dict:

# LDAP
DD_LDAP_SERVER_URI=(str, 'ldap://ldap.mycompany.domain'),
DD_LDAP_BIND_DN=(str, ''),
DD_LDAP_BIND_PASSWORD=(str, ''),

Then under the env dict I added:

AUTH_LDAP_SERVER_URI = env('DD_LDAP_SERVER_URI')
AUTH_LDAP_BIND_DN = env('DD_LDAP_BIND_DN')
AUTH_LDAP_BIND_PASSWORD = env('DD_LDAP_BIND_PASSWORD')
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    "DC=mycompany,DC=com", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"
)

# Set up the basic group parameters.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "DC=mycompany,DC=com",
    ldap.SCOPE_SUBTREE,
    "(objectClass=groupOfNames)",
)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")

# Simple group restrictions
AUTH_LDAP_REQUIRE_GROUP = "CN=DD_USER_ACTIVE,DC=mycompany,DC=com"

AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "CN=DD_USER_ACTIVE,DC=mycompany,DC=com",
    "is_staff": "CN=DD_USER_STAFF,DC=mycompany,DC=com",
    "is_superuser": "CN=DD_USER_ADMIN,DC=mycompany,DC=com",
}

I also changed the AUTHENTICATION_BACKENDS variable to just be:

AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.RemoteUserBackend',
    'django.contrib.auth.backends.ModelBackend',
)

Please bear in mind that I have also set up access controls with different groups here; you can simplify this if you wish. Read the docs for Django Authentication with LDAP here: https://django-auth-ldap.readthedocs.io/en/latest/

de-adshot commented 2 years ago

@jake-cryptic By any chance, will this setting require LDAP to be reachable while just deploying, and will the MySQL connection fail if LDAP is not reachable?

damiencarol commented 2 years ago

@de-adshot I think your error message is not linked to the LDAP configuration. It seems to be a bad configuration of the DB parameters in the celery containers (beat and worker).

de-adshot commented 2 years ago

By any chance, with

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "CN=DD_USER_ACTIVE,DC=mycompany,DC=com",
    "is_staff": "CN=DD_USER_STAFF,DC=mycompany,DC=com",
    "is_superuser": "CN=DD_USER_ADMIN,DC=mycompany,DC=com",
}

are the above CN groups mandatory?

And, as the names suggest, what are the staff and superuser roles designated for in DD?

de-adshot commented 2 years ago

Dear @damiencarol and @jake-cryptic,

Any inputs for the above query will be helpful.

And as per best practices we cannot have credentials in plain text, as in the line below:

AUTH_LDAP_BIND_PASSWORD = env('DD_LDAP_BIND_PASSWORD')

Is there any way you would suggest to comply with the policies?
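The configuration posted above reads the bind password straight from an environment variable, and the question just raised is how to avoid keeping it in plain text. The following is an added example, not code from this issue or from the DefectDojo project: it builds the plain values for the django-auth-ldap settings from the container environment, prefers a bind password mounted as a secret file over one passed in the environment, and refuses a plain ldap:// URI unless STARTTLS is enabled, since an unencrypted bind sends the service account's password and every user's login password across the network in cleartext. AUTH_LDAP_SERVER_URI, AUTH_LDAP_BIND_DN, AUTH_LDAP_BIND_PASSWORD and AUTH_LDAP_START_TLS are real django-auth-ldap settings; the DD_LDAP_BIND_PASSWORD_FILE, DD_LDAP_START_TLS, DD_LDAP_USER_SEARCH_BASE, DD_LDAP_USER_SEARCH_FILTER and DD_LDAP_REQUIRE_GROUP variable names, the secret path and the service account DN are assumptions made up for the example. python-ldap is deliberately not imported, so the block runs stand-alone; settings.dist.py would wrap the returned search base and filter in LDAPSearch(...) exactly as in the snippet above.

```python
"""Added example (not DefectDojo's code): derive django-auth-ldap settings from
the environment without a plain-text bind password in settings or in a
committed .env file, and without an unencrypted LDAP transport."""
from typing import Callable, Dict, Mapping


def _read_text_file(path: str) -> str:
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def read_secret(environ: Mapping[str, str], name: str,
                read_file: Callable[[str], str] = _read_text_file) -> str:
    """Return secret `name`, preferring the `<name>_FILE` convention.

    With Docker or Kubernetes secrets the password is mounted as a file (for
    example /run/secrets/ldap_bind_password, an assumed path) and only the path
    is in the environment, so the value does not show up in compose files,
    `docker inspect` output or settings.dist.py.
    """
    path = environ.get(f"{name}_FILE")
    if path:
        return read_file(path).strip()
    return environ.get(name, "")


def transport_is_encrypted(environ: Mapping[str, str]) -> bool:
    """True for ldaps:// or for ldap:// with STARTTLS requested (assumed DD_LDAP_START_TLS)."""
    uri = environ.get("DD_LDAP_SERVER_URI", "").strip().lower()
    start_tls = environ.get("DD_LDAP_START_TLS", "False").lower() == "true"
    return uri.startswith("ldaps://") or start_tls


def build_ldap_settings(environ: Mapping[str, str],
                        read_file: Callable[[str], str] = _read_text_file) -> Dict[str, object]:
    """Plain values for the AUTH_LDAP_* settings; raises on unsafe or incomplete input."""
    uri = environ.get("DD_LDAP_SERVER_URI", "").strip()
    if not uri:
        raise ValueError("DD_LDAP_SERVER_URI is not set")
    if not transport_is_encrypted(environ):
        # Bind DN, bind password and every user's login password would cross
        # the network unencrypted; refuse rather than silently downgrade.
        raise ValueError("refusing unencrypted ldap://; use ldaps:// or set DD_LDAP_START_TLS=True")
    bind_dn = environ.get("DD_LDAP_BIND_DN", "")
    bind_password = read_secret(environ, "DD_LDAP_BIND_PASSWORD", read_file)
    if bind_dn and not bind_password:
        raise ValueError("DD_LDAP_BIND_DN is set but no bind password was provided")
    return {
        "AUTH_LDAP_SERVER_URI": uri,
        "AUTH_LDAP_START_TLS": environ.get("DD_LDAP_START_TLS", "False").lower() == "true",
        "AUTH_LDAP_BIND_DN": bind_dn,
        "AUTH_LDAP_BIND_PASSWORD": bind_password,
        # Plain strings; settings.dist.py passes them to LDAPSearch(...) as in the snippet above.
        "USER_SEARCH_BASE": environ.get("DD_LDAP_USER_SEARCH_BASE", "DC=mycompany,DC=com"),
        "USER_SEARCH_FILTER": environ.get("DD_LDAP_USER_SEARCH_FILTER", "(sAMAccountName=%(user)s)"),
        "REQUIRE_GROUP": environ.get("DD_LDAP_REQUIRE_GROUP", ""),
    }


def redacted(settings: Mapping[str, object]) -> Dict[str, object]:
    """Copy of the settings that is safe to paste into an issue or a log: secrets masked."""
    return {k: ("***" if "PASSWORD" in k and v else v) for k, v in settings.items()}


def demo() -> Dict[str, object]:
    """Constructed environment and secret file standing in for the container's real ones."""
    fake_files = {"/run/secrets/ldap_bind_password": "s3cret-from-file\n"}
    environ = {
        "DD_LDAP_SERVER_URI": "ldaps://ldap.mycompany.domain",
        "DD_LDAP_BIND_DN": "CN=svc-defectdojo,OU=Service Accounts,DC=mycompany,DC=com",
        "DD_LDAP_BIND_PASSWORD_FILE": "/run/secrets/ldap_bind_password",
        "DD_LDAP_REQUIRE_GROUP": "CN=DD_USER_ACTIVE,DC=mycompany,DC=com",
    }
    return build_ldap_settings(environ, read_file=lambda p: fake_files[p])


if __name__ == "__main__":
    print(redacted(demo()))
```

Two further points for anyone adapting this: django-auth-ldap also accepts AUTH_LDAP_CONNECTION_OPTIONS, where `{ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_DEMAND}` makes python-ldap reject a server certificate it cannot validate, and the backend logs under the `django_auth_ldap` logger, so setting that logger to DEBUG in the Django LOGGING config shows which bind or search failed when ldapsearch works from the container but the web login does not. When sharing a configuration in an issue, post the output of `redacted(...)`, not a screenshot of settings.dist.py.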

ngocnn97 commented 5 months ago

At my company we use LDAP; I made the following code changes for it to work:

To Dockerfile.django and Dockerfile.nginx, added the following dependencies to the apt-get install step:

libldap2-dev \
libsasl2-dev \
ldap-utils \

To requirements added:

python-ldap==3.4.2
django-auth-ldap==4.1.0

To settings.dist.py added the following at the top of the file:

import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

Then further down added LDAP settings to the env dict:

# LDAP
DD_LDAP_SERVER_URI=(str, 'ldap://ldap.mycompany.domain'),
DD_LDAP_BIND_DN=(str, ''),
DD_LDAP_BIND_PASSWORD=(str, ''),

Then under the env dict I added:

AUTH_LDAP_SERVER_URI = env('DD_LDAP_SERVER_URI')
AUTH_LDAP_BIND_DN = env('DD_LDAP_BIND_DN')
AUTH_LDAP_BIND_PASSWORD = env('DD_LDAP_BIND_PASSWORD')
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    "DC=mycompany,DC=com", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"
)

# Set up the basic group parameters.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "DC=mycompany,DC=com",
    ldap.SCOPE_SUBTREE,
    "(objectClass=groupOfNames)",
)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")

# Simple group restrictions
AUTH_LDAP_REQUIRE_GROUP = "CN=DD_USER_ACTIVE,DC=mycompany,DC=com"

AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "CN=DD_USER_ACTIVE,DC=mycompany,DC=com",
    "is_staff": "CN=DD_USER_STAFF,DC=mycompany,DC=com",
    "is_superuser": "CN=DD_USER_ADMIN,DC=mycompany,DC=com",
}

I also changed the AUTHENTICATION_BACKENDS variable to:

AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.RemoteUserBackend',
    'django.contrib.auth.backends.ModelBackend',
)

Please note that I have also set up access controls for different groups here; you can simplify this if you wish. Read the documentation on Django authentication with LDAP here: https://django-auth-ldap.readthedocs.io/en/latest/

Hello, I'm using defect-dojo 2.29.1 and trying to use LDAP for authentication.

I did exactly what you said but it didn't work; here is my settings.dist.py (screenshots attached).

I also tried exec-ing into django-defectdojo-2291-uwsgi-1 and used the ldapsearch command successfully.

Can you help me, please!

acindm commented 5 months ago


Hello, I had the same problem; have you solved it yet? I also tried exec-ing into django-defectdojo-2291-uwsgi-1 and used the ldapsearch command successfully, but I still can't log in with LDAP authentication.

rmontone commented 5 months ago

Hello! Can someone help me? I followed the docs: https://documentation.defectdojo.com/dev/integrations/ldap-authentication/, but when I run ./dc-up.sh the output shows an error (screenshot attached).

I don't understand why it is not working.