umap-project / umap

uMap lets you create maps with OpenStreetMap layers in a minute and embed them in your site.
https://umap-project.org

Configure LDAP Auth with Umap #1742

Closed tech62 closed 7 months ago

tech62 commented 7 months ago

Hello,

We are in our enterprise and we need to integrate our user base from LDAP / AD with uMap. Is it possible? Do you have any docs to achieve that?

Thanks !

davidbgk commented 7 months ago

We use social-core for the auth backend. I guess it makes it possible. The related setting will be `AUTHENTICATION_BACKENDS`.

tech62 commented 7 months ago

Social Core doesn't support LDAP :/ , I'm trying to make something work with django-auth-ldap.

yohanboniface commented 7 months ago

This should be possible. uMap uses the normal Django auth process, so you should be able to use this app or another, as long as you use the correct Django settings (e.g. `AUTHENTICATION_BACKENDS`).

tech62 commented 4 months ago

I've worked to integrate the LDAP backend; if you want to integrate it in the next release,

add django-auth-ldap and python-ldap to the project. The documentation is below for the wiki :) Tested and working on my prototype.

BEFORE

Install:

```sh
apt-get install libsasl2-dev python-dev-is-python3 libldap2-dev libssl-dev
pip install django-auth-ldap python-ldap
```

ActiveDirectory side

Adjusting the configuration in umap.conf

At the top of umap.conf, before or after `from umap.settings.base import *  # pylint: disable=W0614,W0401`, add: `from django_auth_ldap.config import LDAPSearch, GroupOfNamesType, ldap, LDAPGroupQuery`

Adjust to your needs and copy this code into umap.conf:

```python
# Start of LDAP Backend configuration

# ldap:// is unencrypted; in production use ldaps:// or set AUTH_LDAP_START_TLS = True,
# and bind with a dedicated read-only service account.
AUTH_LDAP_SERVER_URI = "ldap://DC_IP_ADDRESS"
AUTH_LDAP_BIND_DN = "user@domain.lab"
AUTH_LDAP_BIND_PASSWORD = "YOUR_PASSWORD"

# Search base for users; django-auth-ldap escapes the login name before
# substituting %(user)s into the filter
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    "CN=Users,DC=domain,DC=lab", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"
)

# Map attributes with AD
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}

# Restrict access: membership in either group is required to log in
AUTH_LDAP_REQUIRE_GROUP = (
    LDAPGroupQuery("CN=umap_superusers,CN=Users,DC=domain,DC=lab")
    | LDAPGroupQuery("CN=umap_users,CN=Users,DC=domain,DC=lab")
)

# Search base for groups
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "CN=Users,DC=domain,DC=lab",
    ldap.SCOPE_SUBTREE,
    "(objectClass=group)",
)

# GroupName Attribute (GroupOfNamesType matches on the "member" attribute, which AD groups use)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="CN")

# Assign group
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_ALWAYS_UPDATE_USER = True
AUTH_LDAP_MIRROR_GROUPS = True

# Assign roles
# Users must have the active and staff flags to be able to access the admin panel
# (limited to pictogram permissions in my case).
# Superusers need the active, staff and superuser flags to access the admin panel.
# A flag is set when the user is a member of any listed group, and cleared otherwise.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": [
        "CN=umap_superusers,CN=Users,DC=domain,DC=lab",
        "CN=umap_users,CN=Users,DC=domain,DC=lab",
    ],
    "is_staff": [
        "CN=umap_superusers,CN=Users,DC=domain,DC=lab",
        "CN=umap_users,CN=Users,DC=domain,DC=lab",
    ],
    "is_superuser": ["CN=umap_superusers,CN=Users,DC=domain,DC=lab"],
}

# The backend must also be listed in AUTHENTICATION_BACKENDS (see the replies above):
# django_auth_ldap.backend.LDAPBackend, ahead of the backends already configured.
# End of LDAP backend configuration
```

@davidbgk @yohanboniface
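As an added example (not code from uMap, django-auth-ldap, or the commenter above), the following is an offline model of the access policy that the posted settings express: the OR of the two `LDAPGroupQuery` objects in `AUTH_LDAP_REQUIRE_GROUP`, the flag assignment from `AUTH_LDAP_USER_FLAGS_BY_GROUP`, and the escaping that django-auth-ldap applies to the login name before substituting `%(user)s` into the user search filter. The group DNs are those from the config; the user memberships are constructed sample data, and the escaping helper reimplements the RFC 4515 rules rather than importing python-ldap, so the check runs without a domain controller.

```python
from typing import Optional

# Group DNs from the posted configuration.
UMAP_USERS = "CN=umap_users,CN=Users,DC=domain,DC=lab"
UMAP_SUPERUSERS = "CN=umap_superusers,CN=Users,DC=domain,DC=lab"

# AUTH_LDAP_REQUIRE_GROUP = LDAPGroupQuery(...) | LDAPGroupQuery(...):
# membership in either group is enough to be let through.
REQUIRE_ANY_OF = (UMAP_SUPERUSERS, UMAP_USERS)

# AUTH_LDAP_USER_FLAGS_BY_GROUP as posted: a flag is set when the user is a
# member of any listed group and cleared otherwise.
FLAGS_BY_GROUP = {
    "is_active": [UMAP_SUPERUSERS, UMAP_USERS],
    "is_staff": [UMAP_SUPERUSERS, UMAP_USERS],
    "is_superuser": [UMAP_SUPERUSERS],
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value: the same characters that
    ldap.filter.escape_filter_chars escapes in its default mode."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def user_search_filter(username: str) -> str:
    """The filter sent for AUTH_LDAP_USER_SEARCH once %(user)s is filled in.
    Escaping first means the login name can never change the filter's shape."""
    return "(sAMAccountName=%s)" % escape_filter_value(username)


def _is_member(group_dn: str, member_of_lower: set) -> bool:
    # DNs are compared case-insensitively, as the directory does.
    return group_dn.lower() in member_of_lower


def evaluate_login(member_of: list) -> Optional[dict]:
    """Return the Django flags a user with these memberOf DNs would receive,
    or None when AUTH_LDAP_REQUIRE_GROUP rejects the login."""
    groups = {dn.lower() for dn in member_of}
    if not any(_is_member(dn, groups) for dn in REQUIRE_ANY_OF):
        return None
    return {
        flag: any(_is_member(dn, groups) for dn in dns)
        for flag, dns in FLAGS_BY_GROUP.items()
    }


if __name__ == "__main__":
    # Constructed sample memberships, not real directory data.
    samples = [
        ("alice", [UMAP_USERS, "CN=Domain Users,CN=Users,DC=domain,DC=lab"]),
        ("bob", [UMAP_SUPERUSERS]),
        ("carol", ["CN=Domain Users,CN=Users,DC=domain,DC=lab"]),
    ]
    for name, member_of in samples:
        print(name, user_search_filter(name), evaluate_login(member_of))
```

Running it shows that a member of `umap_users` alone gets `is_active` and `is_staff` but not `is_superuser`, a member of `umap_superusers` gets all three, and an account in neither group is refused before any flag is computed, which is the behaviour the config comments describe.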