apache / superset

Apache Superset is a Data Visualization and Data Exploration Platform
https://superset.apache.org/
Apache License 2.0

ldap configuration #4840

Closed qin4zhang closed 5 years ago

qin4zhang commented 6 years ago

Make sure these boxes are checked before submitting your issue - thank you!

Superset version

0.22.1

Expected results

login successfully

Actual results

cannot log in

Steps to reproduce

modify config.py

from flask_appbuilder.security.manager import AUTH_LDAP
AUTH_TYPE = AUTH_LDAP
AUTH_LDAP_SERVER = "ldap://server:port"
AUTH_LDAP_USE_TLS = False
AUTH_LDAP_SEARCH = "dc="
AUTH_LDAP_BIND_USER = "uid=,ou=,dc=,dc="
AUTH_LDAP_BIND_PASSWORD = ""
AUTH_LDAP_UID_FIELD = "sAMAccountName"
AUTH_LDAP_APPEND_DOMAIN = '**'

console in debug mode:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Starting Superset server in DEBUG mode
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

2018-04-18 19:01:31,195:WARNING:werkzeug: Debugger is active!
2018-04-18 19:01:31,195:INFO:werkzeug: Debugger PIN: 859-227-507
2018-04-18 19:02:03,228:INFO:werkzeug:172.22.4.100 - - [18/Apr/2018 19:02:03] "GET /login/ HTTP/1.1" 200 -
2018-04-18 19:02:04,699:INFO:werkzeug:172.22.4.100 - - [18/Apr/2018 19:02:04] "GET /static/appbuilder/css/bootstrap.min.css.map HTTP/1.1" 404 -
2018-04-18 19:02:11,270:INFO:werkzeug:172.22.4.100 - - [18/Apr/2018 19:02:11] "POST /login/ HTTP/1.1" 302 -
2018-04-18 19:02:11,420:INFO:werkzeug:172.22.4.100 - - [18/Apr/2018 19:02:11] "GET /login/ HTTP/1.1" 200 -
2018-04-18 19:02:12,952:INFO:werkzeug:172.22.4.100 - - [18/Apr/2018 19:02:12] "GET /static/appbuilder/css/bootstrap.min.css.map HTTP/1.1" 404 -
2018-04-18 19:02:25,235:INFO:werkzeug:172.22.4.100 - - [18/Apr/2018 19:02:25] "POST /login/ HTTP/1.1" 302 -
2018-04-18 19:02:25,396:INFO:werkzeug:172.22.4.100 - - [18/Apr/2018 19:02:25] "GET /login/ HTTP/1.1" 200 -
2018-04-18 19:02:26,905:INFO:werkzeug:172.22.4.100 - - [18/Apr/2018 19:02:26] "GET /static/appbuilder/css/bootstrap.min.css.map HTTP/1.1" 404 -

However, I cannot log in. The LDAP log is missing. What can I do to solve it?

mistercrunch commented 6 years ago

This is really a FAB (Flask-AppBuilder) question.

qin4zhang commented 6 years ago

OK, thanks.

jhettler commented 6 years ago

Hi, I am not sure, if it helps, but it could ... we have Microsoft AD and ldap and we are able to successfully login with configuration parameters below.

AUTH_TYPE = AUTH_LDAP
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"
AUTH_LDAP_SERVER = "ldap://servername-1.ad.domain.cz"
AUTH_LDAP_SEARCH = "DC=ad,DC=domain,DC=cz"
AUTH_LDAP_BIND_USER = "CN=BISystemUser,OU=Service Accounts,OU=mycompany Users,DC=ad,DC=domain,DC=cz"
AUTH_LDAP_BIND_PASSWORD = "yourPassword"
AUTH_LDAP_UID_FIELD = "sAMAccountName"

We are able to login with BISystemUser/yourPassword with tools like jXplorer or any other LDAP tools.

HTH!
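
Added example (not from the thread, and not Superset or Flask-AppBuilder code): a small Python check over the AUTH_* settings posted in this thread, flagging an ldap:// URL without AUTH_LDAP_USE_TLS, self-registration into the Admin role, and a bind DN with an empty password. The function name, the check names, and the tightened values (ldaps:// on port 636, Gamma as the default role) are assumptions of this example.

```python
from urllib.parse import urlparse

# Roles considered too powerful to hand out automatically on first login.
# This set is an assumption of the example; extend it for your deployment.
PRIVILEGED_ROLES = {"Admin"}

CHECKS = {
    "cleartext-ldap": "ldap:// without AUTH_LDAP_USE_TLS sends bind and user passwords unencrypted",
    "privileged-default-role": "every directory user who logs in is auto-registered with a privileged role",
    "empty-bind-password": "a bind DN with an empty password is an unauthenticated bind on many servers",
}


def audit_ldap_config(cfg):
    """Return the sorted CHECKS keys triggered by a dict of AUTH_* settings."""
    hits = set()
    scheme = urlparse(cfg.get("AUTH_LDAP_SERVER", "")).scheme.lower()
    if scheme == "ldap" and not cfg.get("AUTH_LDAP_USE_TLS", False):
        hits.add("cleartext-ldap")
    if (cfg.get("AUTH_USER_REGISTRATION")
            and cfg.get("AUTH_USER_REGISTRATION_ROLE") in PRIVILEGED_ROLES):
        hits.add("privileged-default-role")
    if cfg.get("AUTH_LDAP_BIND_USER") and not cfg.get("AUTH_LDAP_BIND_PASSWORD"):
        hits.add("empty-bind-password")
    return sorted(hits)


# Settings as posted in the comment above (the password is its placeholder).
AS_POSTED = {
    "AUTH_USER_REGISTRATION": True,
    "AUTH_USER_REGISTRATION_ROLE": "Admin",
    "AUTH_LDAP_SERVER": "ldap://servername-1.ad.domain.cz",
    "AUTH_LDAP_SEARCH": "DC=ad,DC=domain,DC=cz",
    "AUTH_LDAP_BIND_USER": "CN=BISystemUser,OU=Service Accounts,"
                           "OU=mycompany Users,DC=ad,DC=domain,DC=cz",
    "AUTH_LDAP_BIND_PASSWORD": "yourPassword",
    "AUTH_LDAP_UID_FIELD": "sAMAccountName",
}

# Constructed counterpart: LDAPS, and the low-privilege Gamma role by default.
TIGHTENED = dict(AS_POSTED,
                 AUTH_LDAP_SERVER="ldaps://servername-1.ad.domain.cz:636",
                 AUTH_USER_REGISTRATION_ROLE="Gamma")

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("tightened", TIGHTENED)):
        for code in audit_ldap_config(cfg):
            print(f"{name}: {code}: {CHECKS[code]}")
```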

xrmx commented 6 years ago

If our documentation is lacking, it would be nice to update it with whatever may help users in configuring LDAP auth.

vincnetas commented 6 years ago

Third issue about LDAP problems, always resolved as external bug. I guess at least documentation could be updated.

https://github.com/apache/incubator-superset/issues/4881
https://github.com/apache/incubator-superset/issues/3221

mistercrunch commented 6 years ago

Contributions to the documentation are welcomed!

bhasin85 commented 5 years ago

Was able to connect to LDAP Test Server http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/

With following config

AUTH_TYPE = AUTH_LDAP

# Uncomment to setup Full admin role name
AUTH_ROLE_ADMIN = 'Admin'

# Uncomment to setup Public role name, no authentication needed
# AUTH_ROLE_PUBLIC = 'Public'

# Will allow user self registration
AUTH_USER_REGISTRATION = True

# The default user self registration role
# AUTH_USER_REGISTRATION_ROLE = "Public"

# When using LDAP Auth, setup the ldap server
AUTH_LDAP_SERVER = "ldap://ldap.forumsys.com:389"
AUTH_LDAP_SEARCH = "dc=example,dc=com"
AUTH_LDAP_BIND_USER = "uid=riemann,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"

For user

User:riemann
Password:password

hayou commented 5 years ago

@bhasin85: Thanks, it works. Don't forget to install this package:

pip install python-ldap

Elaine66 commented 5 years ago

Was able to connect to LDAP Test Server http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/

With following config

AUTH_TYPE = AUTH_LDAP

# Uncomment to setup Full admin role name
AUTH_ROLE_ADMIN = 'Admin'

# Uncomment to setup Public role name, no authentication needed
# AUTH_ROLE_PUBLIC = 'Public'

# Will allow user self registration
AUTH_USER_REGISTRATION = True

# The default user self registration role
# AUTH_USER_REGISTRATION_ROLE = "Public"

# When using LDAP Auth, setup the ldap server
AUTH_LDAP_SERVER = "ldap://ldap.forumsys.com:389"
AUTH_LDAP_SEARCH = "dc=example,dc=com"
AUTH_LDAP_BIND_USER = "uid=riemann,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"

For user

User:riemann
Password:password

I am actually following the same logic as you. And Superset is running on the server now. But I cannot log in with my information written in the configuration file.

AUTH_LDAP_BIND_USER = "uid=superset_bot,cn=users,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "my_password"

What I entered in the log-in page:

username: superset_bot
password: my_password

However, it gives me the error of "Invalid login. Please try again." Does anyone know why?

lrosenman commented 5 years ago

The userid MUST match what comes back from LDAP once you turn on LDAP.

I got bitten by this too.

Does riemann exist in LDAP with password password?

lrosenman commented 5 years ago

The LDAPBIND* is JUST to allow SuperSet to look at LDAP for users/password, not to log into the app.
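
Added example (not from the thread, and not Flask-AppBuilder's code): a simplified in-memory model of the search-then-bind flow described in the two comments above, where the bind account only looks the user up and the person logging in must then bind as their own entry. The directory contents, the passwords, the function names and the returned reason strings are constructed for illustration; the default of "uid" for AUTH_LDAP_UID_FIELD matches Flask-AppBuilder's default.

```python
# Constructed directory: DN -> attributes. riemann is the test-server user
# named in the thread; alice is a made-up Active Directory style entry.
DIRECTORY = {
    "uid=riemann,dc=example,dc=com": {"uid": "riemann", "userPassword": "password"},
    "cn=Alice,ou=staff,dc=example,dc=com": {"sAMAccountName": "alice",
                                            "userPassword": "alice_pw"},
}

# Settings from the test-server configuration posted in the thread.
CFG = {
    "AUTH_LDAP_SEARCH": "dc=example,dc=com",
    "AUTH_LDAP_BIND_USER": "uid=riemann,dc=example,dc=com",
    "AUTH_LDAP_BIND_PASSWORD": "password",
}


def bind(dn, password):
    """Simple bind: succeeds only for an existing DN with a matching, non-empty password."""
    entry = DIRECTORY.get(dn)
    return bool(password) and entry is not None and entry["userPassword"] == password


def search(base, attr, value):
    """Return the DN under `base` whose attribute `attr` equals `value`, else None."""
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith(base.lower()) and attrs.get(attr) == value:
            return dn
    return None


def login(cfg, username, password):
    """Model of search-then-bind; returns (ok, DN on success or failure reason)."""
    # Step 1: the service account binds. It is used for the lookup only.
    if not bind(cfg["AUTH_LDAP_BIND_USER"], cfg["AUTH_LDAP_BIND_PASSWORD"]):
        return False, "service bind rejected"
    # Step 2: find the entry whose UID field equals the typed username.
    uid_field = cfg.get("AUTH_LDAP_UID_FIELD", "uid")
    user_dn = search(cfg["AUTH_LDAP_SEARCH"], uid_field, username)
    if user_dn is None:
        return False, "user not found"
    # Step 3: re-bind as that entry with the password typed into the login form.
    if not bind(user_dn, password):
        return False, "user bind rejected"
    return True, user_dn


if __name__ == "__main__":
    print(login(CFG, "riemann", "password"))
    print(login(dict(CFG, AUTH_LDAP_UID_FIELD="sAMAccountName"), "riemann", "password"))
    print(login(dict(CFG, AUTH_LDAP_SEARCH="ou=staff,dc=example,dc=com"), "riemann", "password"))
```

Each failing branch in this model corresponds to a different misconfiguration (wrong bind credentials, wrong UID field or search base, wrong user password), which is why checking the three steps separately with an LDAP client narrows down a generic "Invalid login" message.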

ziusware commented 5 years ago

Can anyone tell me if I can use more than one domain?

thamboojr commented 2 months ago

Was able to connect to LDAP Test Server http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/ With following config

AUTH_TYPE = AUTH_LDAP

# Uncomment to setup Full admin role name
AUTH_ROLE_ADMIN = 'Admin'

# Uncomment to setup Public role name, no authentication needed
# AUTH_ROLE_PUBLIC = 'Public'

# Will allow user self registration
AUTH_USER_REGISTRATION = True

# The default user self registration role
# AUTH_USER_REGISTRATION_ROLE = "Public"

# When using LDAP Auth, setup the ldap server
AUTH_LDAP_SERVER = "ldap://ldap.forumsys.com:389"
AUTH_LDAP_SEARCH = "dc=example,dc=com"
AUTH_LDAP_BIND_USER = "uid=riemann,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"

For user

User:riemann
Password:password

I am actually following the same logic as you. And Superset is running on the server now. But I cannot log in with my information written in the configuration file.

AUTH_LDAP_BIND_USER = "uid=superset_bot,cn=users,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "my_password"

What I entered in the log-in page:

username: superset_bot
password: my_password

However, it gives me the error of "Invalid login. Please try again." Does anyone know why?

Did you manage to fix this? I am facing the same issue.