linkedin / oncall

Oncall is a calendar tool designed for scheduling and managing on-call shifts. It can be used as a source of dynamic ownership info for paging systems like http://iris.claims.
http://oncall.tools
BSD 2-Clause "Simplified" License

Documentation: How to configure and enable basic LDAP/AD User Authentication for Oncall #209

Open ghost opened 6 years ago

ghost commented 6 years ago

I was having trouble getting basic LDAP/Active Directory authentication enabled in my instance of Oncall due to the config options provided. In the end I figured out that all that is needed is to enable the following:

Here is a proper example:

  # Example configuration for LDAP-based auth
  module: 'oncall.auth.modules.ldap_example'
  ldap_url: 'ldaps://my.domain.com'
  ldap_user_suffix: '@my.domain.com'
  ldap_cert_path: '/home/oncall/configs/corp_cert.pem'

Everything else in the module config block should be commented out.

All of the other configs, including ldap_bind_user, ldap_bind_password, ldap_base_dn, and ldap_search_filter, weren't needed, as I assume they are used by the ldap_import module.

Is it recommended to submit a PR to add notes on separating out the different module options in the config.yaml? If not, what is the best way to submit contributions to the official documentation at https://oncall.tools/docs/ (documentation is hosted on read the docs)?

jordo1138 commented 6 years ago

@joedissmeyer I have a PR for a doc change open now. They use GitHub and Sphinx to build the docs, so you can modify the source of the docs here https://github.com/linkedin/oncall/tree/master/docs/source and make the PR based on the example you showed in this issue.

jordo1138 commented 6 years ago

@joedissmeyer I'm actually getting WARNING:oncall.auth.modules.ldap_example:{'info': 'Invalid DN', 'desc': 'Invalid DN syntax'} when using your format from the example when someone tries to log in... did you ever run across this error?

I get the same error whether I use the example config or comment out everything except for what @joedissmeyer has mentioned he needed here just for LDAP auth, not the user import:

ldap_base_dn: 'ou=People,dc=Enterprise,dc=XXXXX,dc=com'

This base DN string works for other LDAP integrations with many other apps in my environment. I tried to find why it's throwing this error from ldap_example.py but it's not clear to me yet. One other thing to note: my bind user and password are both '' as auth isn't required in my LDAP setup for a bind user or password.

    # excerpt from ldap_example.py (reindented; comments added)
    auth_user = username + self.user_suffix
    try:
        if self.bind_user:
            # A bind user is configured: bind as it, search for the login name
            # and use the DN that comes back as the account to authenticate.
            connection.simple_bind_s(self.bind_user, self.bind_password)
            sfilter = self.search_filter % username
            result = connection.search_s(self.base_dn, ldap.SCOPE_SUBTREE, sfilter, ['dn'])
            if len(result) < 1:
                return False
            auth_user = result[0][0]

        # Otherwise bind directly as username + user_suffix; the server expects
        # a DN here (Active Directory also accepts a user@domain name).
        connection.simple_bind_s(auth_user, password)

    except ldap.INVALID_CREDENTIALS:
        return False
    except (ldap.SERVER_DOWN, ldap.INVALID_DN_SYNTAX) as err:
        logger.warn("%s", err)
        return None
    return True
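The two bind paths in the excerpt above, run end to end against an in-memory stand-in for the directory so they can be exercised offline. This is an added example, not oncall's code and not python-ldap: FakeDirectory, its entries, the DN/UPN/filter regexes (which only approximate what a real server accepts), escape_filter_value and the config key names (taken from the config block earlier in this thread) are this example's assumptions. It reproduces the outcome jordo1138 reports: with no bind user and no user suffix, the bare login name goes straight into simple_bind_s, which is not a DN and so raises INVALID_DN_SYNTAX, while an @domain suffix (AD accepts a UPN as the bind name) or a search-then-bind with a bind user succeeds. Two guards the excerpt does not show are included: an empty password is refused before any bind, because a simple bind with a name and an empty password is an RFC 4513 "unauthenticated bind" that directories allowing it (Active Directory does unless configured to block them) answer with success, and the login name is escaped before it is substituted into the search filter.

```python
"""Stand-in for the ldap_example bind flow, run against a fake directory.
Added example, not oncall's code: FakeDirectory, ENTRIES, the regexes and the
helper names below are constructed for this demonstration."""
import logging
import re

logger = logging.getLogger("ldap_example_demo")

# Stand-ins for the python-ldap names the excerpt uses (ldap.INVALID_DN_SYNTAX, ...).
class LDAPError(Exception): pass            # noqa: E701
class INVALID_CREDENTIALS(LDAPError): pass  # noqa: E701
class INVALID_DN_SYNTAX(LDAPError): pass    # noqa: E701
class SERVER_DOWN(LDAPError): pass          # noqa: E701
SCOPE_SUBTREE = 2

# A simple-bind name must be a DN; Active Directory additionally accepts user@domain.
DN_RE = re.compile(r"^[A-Za-z]+=[^,=]+(,[A-Za-z]+=[^,=]+)*$")
UPN_RE = re.compile(r"^[^@\s,=]+@[^@\s,=]+$")
FILTER_RE = re.compile(r"^\(([A-Za-z]+)=([^()]+)\)$")   # the fake only understands (attr=value)


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a search filter
    (python-ldap ships the same as ldap.filter.escape_filter_chars)."""
    for ch, rep in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, rep)
    return value


class FakeDirectory:
    """Keys are lowercase DNs or UPNs; values hold the password and the
    attributes a search filter can match on."""
    def __init__(self, entries):
        self.entries = entries
        self.bound_as = None          # identity the last successful bind actually proved

    def simple_bind_s(self, who, cred):
        if not (DN_RE.match(who) or UPN_RE.match(who)):
            raise INVALID_DN_SYNTAX({"info": "Invalid DN", "desc": "Invalid DN syntax"})
        entry = self.entries.get(who.lower())
        if entry is None:
            raise INVALID_CREDENTIALS({"desc": "Invalid credentials"})
        if cred == "":
            # RFC 4513 unauthenticated bind: the server answers success but the
            # session is anonymous, so "bind succeeded" proves nothing here.
            self.bound_as = None
            return True
        if entry["password"] != cred:
            raise INVALID_CREDENTIALS({"desc": "Invalid credentials"})
        self.bound_as = who
        return True

    def search_s(self, base, scope, filterstr, attrlist=None):
        m = FILTER_RE.match(filterstr)
        if m is None:
            raise LDAPError({"desc": "filter shape not supported by this fake"})
        attr, value = m.group(1).lower(), m.group(2)
        return [(dn, {}) for dn, e in self.entries.items()
                if dn.endswith(base.lower()) and e["attrs"].get(attr) == value]


def authenticate(cfg, connection, username, password):
    """Same branching and True/False/None results as the excerpt: search-then-bind
    when ldap_bind_user is set, otherwise a direct bind on username + ldap_user_suffix.
    Added guards: refuse empty passwords before any bind; escape the filter value."""
    if password == "":
        logger.warning("refusing empty password for %r (unauthenticated bind)", username)
        return False
    auth_user = username + cfg.get("ldap_user_suffix", "")
    try:
        if cfg.get("ldap_bind_user"):
            connection.simple_bind_s(cfg["ldap_bind_user"], cfg["ldap_bind_password"])
            sfilter = cfg["ldap_search_filter"] % escape_filter_value(username)
            result = connection.search_s(cfg["ldap_base_dn"], SCOPE_SUBTREE, sfilter, ["dn"])
            if len(result) < 1:
                return False
            auth_user = result[0][0]
        connection.simple_bind_s(auth_user, password)
    except INVALID_CREDENTIALS:
        return False
    except (SERVER_DOWN, INVALID_DN_SYNTAX) as err:
        logger.warning("%s", err)      # the WARNING line quoted in this thread
        return None
    return True


# Constructed directory: the same person reachable by UPN (how AD resolves a
# direct user@domain bind) and by DN (what a search returns), plus a service account.
ENTRIES = {
    "jdoe@my.domain.com": {"password": "hunter2", "attrs": {}},
    "cn=jdoe,ou=people,dc=enterprise,dc=xxxxx,dc=com": {"password": "hunter2", "attrs": {"uid": "jdoe"}},
    "cn=svc-oncall,ou=svc,dc=enterprise,dc=xxxxx,dc=com": {"password": "s3cret", "attrs": {"uid": "svc-oncall"}},
}
DIRECT_AD = {"ldap_user_suffix": "@my.domain.com"}
DIRECT_NO_SUFFIX = {"ldap_user_suffix": ""}
SEARCH_THEN_BIND = {
    "ldap_user_suffix": "",
    "ldap_bind_user": "cn=svc-oncall,ou=svc,dc=enterprise,dc=xxxxx,dc=com",
    "ldap_bind_password": "s3cret",
    "ldap_base_dn": "ou=People,dc=Enterprise,dc=XXXXX,dc=com",
    "ldap_search_filter": "(uid=%s)",
}


def run_scenarios():
    """Return {scenario: authenticate() result} for the setups discussed in the thread."""
    def attempt(cfg, username, password):
        return authenticate(cfg, FakeDirectory(ENTRIES), username, password)
    return {
        "ad_upn_direct_bind":        attempt(DIRECT_AD, "jdoe", "hunter2"),         # True
        "bare_username_direct_bind": attempt(DIRECT_NO_SUFFIX, "jdoe", "hunter2"),  # None: 'jdoe' is not a DN
        "search_then_bind":          attempt(SEARCH_THEN_BIND, "jdoe", "hunter2"),  # True
        "wrong_password":            attempt(SEARCH_THEN_BIND, "jdoe", "nope"),     # False
        "empty_password":            attempt(DIRECT_AD, "jdoe", ""),                # False, guard
        "wildcard_username":         attempt(SEARCH_THEN_BIND, "*", "hunter2"),     # False: escaped, no match
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running it prints one line per scenario; the bare_username_direct_bind case also emits the same WARNING shape as in the thread. The design point is the distinction between the excerpt's three return values: False is "the directory said no", None is "we never got a usable answer" (bad DN, server down), and only True should ever be treated as a login.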
ghost commented 6 years ago

@jordo1138 Unfortunately no, I never encountered the "invalid DN syntax" error with Oncall but I do remember seeing this type of error in other situations in the past with other apps (particularly with other projects using OpenLDAP to interact with Microsoft Active Directory). Are you using active directory? If so, here is something to try:

For all situations the ldap_url should just be the domain name itself. For example, ldaps://my.domain.com. But in my case (for my specific configuration) I ended up having to define a specific AD controller due to an issue with my certificate defined in ldap_cert_path. For example, my ldap_url setting has this --- ldaps://mydomaincontroller.domain.com. I know this is less than ideal but it is what it is for my case. Try that. Define a specific AD controller. Other than this I'm not sure what else can be done to fix/workaround that issue.

Another note: I am running the newest version of Oncall code (as of 2018.09.10) with all updated python modules, including the newest python-ldap module v3.1.0 installed via pip. Older versions of python-ldap could be a possible cause...

I hope this helps.

jordo1138 commented 6 years ago

Thanks, I’ll check it out, anon bind seemed to be the issue, and worked with a user, now I’m just trying to see why my objects aren’t found when logging in, should be straight forward but might be something with our ad setup or the ldap plugin. I’ll update to the latest

On Mon, Sep 10, 2018 at 2:48 PM Joseph Dissmeyer notifications@github.com wrote:

osalmasan commented 6 years ago

Hi @joedissmeyer, are you using Active Directory on your end? We have two domains, a Windows-based domain and a Linux-based domain. I have no problem integrating this on the Linux-based domain. But on my other setup, which is Active Directory, my user can't log in even with the right credentials. I'm starting to think this has something to do with their Unix UID not being enabled in AD.

ghost commented 6 years ago

@osalmasan Yes we are using Active Directory with a single domain.

adityavijjanT commented 5 years ago

Can we use ldap instead of ldaps, and an IP address instead of a domain name? E.g. ldap://10.10.10.10

ghost commented 5 years ago

I would also like to know this: does ldap:// work? Also, is a certificate required for this, or can this be done without one?

Thanks!

adityavijjanT commented 5 years ago

Yes ldap:// works and no certificate is required.
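A pre-flight check over the ldap_* keys for the transport questions asked here (ldap:// versus ldaps://, IP literal versus hostname, certificate or not), as an added example that is not oncall's code. The key names are the ones from the config block at the top of the thread; the findings, severities, WEAK_CONFIG/HARDENED_CONFIG and helper names are constructed for this example. ldap:// does work, as answered above, but a simple bind over it sends the password in cleartext on the wire, so the check flags it; it also flags an IP literal under ldaps://, since certificate verification matches the URL host against the certificate and only succeeds for an IP if the certificate carries an IP SAN.

```python
"""Pre-flight check for the ldap_* keys of the auth module config block.
Added example, not oncall's code: findings, severities and helper names are
this example's own; key names are the ones used in the thread."""
import ipaddress
from urllib.parse import urlsplit


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_ldap_auth_config(cfg):
    """Return [(severity, message), ...]; an empty list means nothing to flag."""
    findings = []
    parts = urlsplit(cfg.get("ldap_url", ""))
    host = parts.hostname or ""
    if parts.scheme == "ldap":
        findings.append(("high", "ldap:// carries every simple-bind password in cleartext; "
                                 "use ldaps:// (or STARTTLS) so credentials are not readable on the wire"))
    elif parts.scheme == "ldaps":
        if not cfg.get("ldap_cert_path"):
            findings.append(("medium", "ldaps:// without ldap_cert_path leaves CA trust to the client's "
                                       "ldap.conf / system store; confirm TLS_REQCERT is not 'never'"))
        if _is_ip_literal(host):
            findings.append(("medium", "ldap_url names an IP literal; verification only passes if the "
                                       "server certificate has a matching IP SAN, otherwise it fails or "
                                       "gets switched off"))
    else:
        findings.append(("high", "ldap_url scheme must be ldap or ldaps, got %r" % parts.scheme))
    if cfg.get("ldap_bind_user") and not cfg.get("ldap_bind_password"):
        findings.append(("medium", "ldap_bind_user with an empty ldap_bind_password is an "
                                   "unauthenticated bind (RFC 4513 5.1.2), not a service login"))
    if not cfg.get("ldap_bind_user") and not cfg.get("ldap_user_suffix"):
        findings.append(("high", "no ldap_bind_user and no ldap_user_suffix: the bare login name is "
                                 "bound directly and is not a valid DN ('Invalid DN syntax')"))
    return findings


# Constructed configs: the ldap://IP setup asked about above, and the
# ldaps + pinned CA setup from the opening comment of the thread.
WEAK_CONFIG = {
    "ldap_url": "ldap://10.10.10.10",
    "ldap_user_suffix": "",
    "ldap_bind_user": "",
    "ldap_bind_password": "",
}
HARDENED_CONFIG = {
    "ldap_url": "ldaps://my.domain.com",
    "ldap_user_suffix": "@my.domain.com",
    "ldap_cert_path": "/home/oncall/configs/corp_cert.pem",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for severity, message in check_ldap_auth_config(cfg) or [("ok", "nothing to flag")]:
            print(f"{name}: [{severity}] {message}")
```

The check is deliberately conservative: it reads only the keys from the config block and never contacts the directory, so it can run in CI or at service start before the module is loaded.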

osalmasan commented 5 years ago

@joedissmeyer We are also using Active Directory and followed your steps in configuring AD authentication. I noticed that only those AD accounts with Unix Attributes can authenticate to the oncall app. Is this a normal scenario? I am using ldap://

abra620 commented 3 years ago

Can anyone explain how to add users using LDAP? I don't have experience with LDAP and couldn't find a useful answer on Google.