mathesar-foundation / mathesar

Web application providing an intuitive user experience to databases.
https://mathesar.org/
GNU General Public License v3.0

Not really possible to override settings #3048

Closed spapas closed 10 months ago

spapas commented 1 year ago

Description

I want to override the Mathesar settings in order to allow LDAP login using django-auth-ldap. I changed the config/settings/production.py file that mentions: # Override default settings and added the needed configuration.

This worked fine; however, that file is under version control, so if it is changed on the origin I'll get a conflict and would need to also merge my changes. The usual way to implement this functionality is to add a non-tracked local.py file that would contain any extra configuration for each environment (either dev or production) and import that file from the corresponding file. I.e., the production.py would be changed to:

# Override default settings               

try:
    from .local import *
except ImportError:
    pass

This way, if the local.py file is there it will be used to override the config, but if it isn't there it will be ignored.

Expected behavior

Being able to override django settings for my environment without keeping a fork.

To Reproduce

Change the production.py file and you'll see that it's version controlled so it can't be easily changed!

Environment

Not needed

Additional context

I'd be happy to provide a PR implementing the functionality described here, i.e., allow an untracked local.py file to override Django settings for each user/environment.

kgodey commented 1 year ago

@spapas We'd be happy to accept a PR for this functionality. Thanks!

It would be great if you could also let us know how integrating django-auth-ldap is going. We've had other requests for implementing SSO integration (see this discussion) and we're exploring different options for how to implement that.

spapas commented 1 year ago

Hello @kgodey you are welcome, I've provided the PR on #3064.

About the LDAP integration, it already works fine and it's very easy: First install

django-auth-ldap==2.4.0 python-ldap==3.4.3

And then add a local.py (after #3064 is merged) with the following contents

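import ldap
from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion

# Try LDAP first, then fall back to local Django accounts.
AUTHENTICATION_BACKENDS = [
    "django_auth_ldap.backend.LDAPBackend",
    "django.contrib.auth.backends.ModelBackend",
]

# Account used for the user search; empty values mean an anonymous bind.
AUTH_LDAP_BIND_DN = ""
AUTH_LDAP_BIND_PASSWORD = ""

# ldap:// is unencrypted; use ldaps:// or AUTH_LDAP_START_TLS so that
# credentials are not sent in clear text.
AUTH_LDAP_SERVER_URI = "ldap://login1.example.com"

# Where to look up the entry for the username typed at login.
AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
    LDAPSearch("ou=People,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
)

# Copy these LDAP attributes onto the Django user at every login.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}
AUTH_LDAP_PROFILE_ATTR_MAP = {}
AUTH_LDAP_ALWAYS_UPDATE_USER = True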

(of course you need to add your LDAP settings). Then users would be able to log in with the LDAP credentials. When they log in they'll get an "Error No databases found" message but their user account would be created. Then you can log in with a superuser and give them the proper permissions so when they log in again they'll be able to use Mathesar normally.

After #3064 is merged I'll be happy to add a PR documenting that in the docs.

Using django-auth-ldap is not real SSO because you'll need to log in again in Mathesar. However, it is very simple and most organizations support LDAP (mainly through AD). On the other hand, SSO solutions are very complex and are very painful to implement, resulting in only big and "enterprise-y" organizations having them.
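An added example, not part of this thread or of Mathesar's code: the `except ImportError: pass` pattern proposed in the issue also swallows an ImportError raised inside local.py itself, for instance when its `import ldap` line fails because python-ldap is not installed, and the application then starts on the default settings without the LDAP backend. The sketch below treats only a missing override module as optional; `apply_local_overrides`, `make_package` and the package names are hypothetical.

```python
import importlib
import sys
import tempfile
from pathlib import Path


def apply_local_overrides(module_name, target):
    """Copy UPPER_CASE settings from an optional module into `target`.

    Returns False only when `module_name` itself does not exist. Any other
    import failure (for example local.py importing `ldap` when python-ldap
    is not installed) is re-raised instead of being silently ignored.
    """
    try:
        module = importlib.import_module(module_name)
    except ModuleNotFoundError as exc:
        if exc.name == module_name:
            return False  # no override file: keep the defaults
        raise  # override file exists but one of its own imports is missing
    for key, value in vars(module).items():
        if key.isupper():  # same convention Django uses for setting names
            target[key] = value
    return True


def make_package(name, local_source=None):
    """Constructed fixture: a throwaway settings package on sys.path."""
    root = Path(tempfile.mkdtemp())
    pkg = root / name
    pkg.mkdir()
    (pkg / "__init__.py").write_text("")
    if local_source is not None:
        (pkg / "local.py").write_text(local_source)
    sys.path.insert(0, str(root))
    importlib.invalidate_caches()
    return f"{name}.local"


if __name__ == "__main__":
    defaults = {"AUTHENTICATION_BACKENDS": ["django.contrib.auth.backends.ModelBackend"]}
    print(apply_local_overrides(make_package("cfg_absent"), defaults))
    try:
        # Constructed local.py whose dependency is not installed.
        broken = make_package("cfg_broken", "import missing_ldap_dependency_xyz\n")
        apply_local_overrides(broken, defaults)
    except ModuleNotFoundError as exc:
        print("refusing to start:", exc)
```

In a settings module the same check can be written inline as `except ModuleNotFoundError as exc:` followed by `if exc.name != f"{__package__}.local": raise`.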

kgodey commented 1 year ago

Thank you for the detailed response @spapas, this is very helpful to know!

seancolsen commented 10 months ago

I'm troubleshooting some strange behavior with our GitHub project synchronization, so I'm re-opening and then closing this issue, just to see if it fixes the problem I'm observing. Apologies for the notifications!