'Standard' Active Directory authentication

[timgiles]

We need to add AD (Active Directory) authentication for our use of CKAN and thought that producing a 'standard' package for this might benefit others looking to do the same. Having researched a little, we would look to 'Create an ‘authenticator extension’ that sub-classes the Python LDAP module'.

If anyone has any advice or code that could cut down the development time - please drop a comment.

[rossjones]

Might be worth checking with @ntoll as I believe he's working on something like this atm.

[marcesher]

Hi all,

was anything ever done with this? I'm looking for guidance on hooking up CKAN to Active Directory / Kerberos.

Thanks!

[ntoll]

There's a CKAN-ADFS plugin, but that's more SSO than Active Directory (the AD in ADFS). Microsoft's marketing department has a lot to answer for. YMMV.

https://github.com/nhsengland/ckanext-adfs

[jqnatividad]

We tried using https://github.com/conwetlab/ckanext-oauth2 to and Auth0.com's auth-as-a-service to get AD authentication, but didn't get too far, as it wasn't a client-driven requirement, and we just wanted to see if its quickly doable.

You may want to look into it, as they have other neat stuff like Rules, user mgmt, social login, two-factor auth, etc as part of the service.

And @ntoll, I went ahead and updated extensions.ckan.org to include ckanext-adfs and ckanext-introjs :smile:

[ghost]

Did anything else happen with this?

[rossjones]

Apparently https://github.com/NaturalHistoryMuseum/ckanext-ldap supports Active Directory (according to the readme). I haven't tried it personally.

[timgiles]

Hi,

We implemented that extension (ckanext-ldap) - with a few institutional specific changes. It works well, easy to set up. There are a few places where the author added ToDos. As a base extension for AD, it works well.

On 25 September 2015 at 09:22, Ross Jones notifications@github.com wrote:

Apparently https://github.com/NaturalHistoryMuseum/ckanext-ldap supports Active Directory (according to the readme). I haven't tried it personally.

— Reply to this email directly or view it on GitHub https://github.com/ckan/ideas-and-roadmap/issues/52#issuecomment-143148085 .

[boykoc]

@ntoll do you know if the NHS ckanext-adfs extension is still in use? The last commit is pretty old.

[ntoll]

Hi @boykoc, I have no idea since I've not been involved with the project since 2015. But remember, this is a government outfit, so it could be with us until the next century... ;-)

By the looks of the login page (https://data.england.nhs.uk/user/login) it is.

[amercader]

@davidmiller might know.

Also I can vouch for NaturalHistoryMuseum/ckanext-ldap, it has always worked fine with us

[boykoc]

@ntoll and @amercader thank you for the feedback and input, it's appreciated.

I'm looking at CKAN with azure ADFS integration but it's always nice to hear whats still active and used.

[ntoll]

To be honest, the biggest problem we faced with the NHS site was working out how to configure Azure to work properly with our website. I hope the documentation has improved since 2015, my recollection was that Azure was undergoing transition so not all the examples worked, the terminology was changing and the screen shots didn't look like the actual user interface. I imagine this will have been fixed by now.

Best of luck!