Context Navigation

← Previous Ticket
Next Ticket →

#1791 closed enhancement (worksforme)

ldap authentication

Reported by:	Antoine Martin	Owned by:	J. Max Mena
Priority:	major	Milestone:	2.3
Component:	core	Version:	2.2.x
Keywords:		Cc:

Description

Change History (3)

comment:1 Changed 19 months ago by Antoine Martin

Status:	new → assigned

Done:

ldap authentication module added in r18827 using python-ldap
macos modules added in r18828 + r18829
win32 packaging in r18830
Active Directory compatibility improvements in r18831
environment variables for tuning and debugging: r18832, r18833
support TLS connections to the LDAP server: r18834
option to specify the CACERT file (for using self signed certs) and change the password encoding (which defaults to "utf-8" - spec says "utf-8" but MS AD servers may require "utf-16-le" to support special characters): r18835

Usage example:

xpra start --bind-tcp=0.0.0.0:10000 -d auth \
    "--tcp-auth=ldap,host=ldaphostname,port=389,username_format=cn=%username, o=%domain"

Details on the settings, which are all optional:

"host" defaults to "localhost"
"port" defaults to 389
"tls" defaults to 0 (false)
"cacert" defaults to no value
"encoding" defaults to "utf-8"
"username_format": the special strings "%username" and "%domain" will be substituted at runtime. The username is specified by the client. The domain value is taken obtained using socket.getfqdn and removing the hostname part (keeping everything after the first dot).

According to this very helpful blog post: Python LDAP authentication with Microsoft Active Directory, the username_format for AD is just "%username@%domain". That's assuming that the server's domain name is set correctly too, otherwise replace %domain with the desired value.
See also: Configuring and securing PYTHON LDAP Applications

Last edited 19 months ago by Antoine Martin (previous) (diff)

comment:2 Changed 19 months ago by Antoine Martin

Owner:	changed from Antoine Martin to J. Max Mena
Status:	assigned → new

Another ldap backend, this time using the ldap3 python library. This one may be easier to use against AD servers, the username takes the form: "DOMAIN\username".

r18843: add "ldap3" authentication module, man page update, etc
r18844: macos moduleset changes
r18845 + r18846: debug logging tweaks
r19030: optional "recommends" rpm dependency

It uses the same options as the "ldap" authentication module: "host", "port", "tls", "cacert", but not "encoding". And also some new options:

"authentication" defaults to "NTLM", the other options are: "SIMPLE" and "SASL" (should not be used)
"ssl-version" defaults to "TLSv1" (see python ssl: socket creation for more details.
"ssl-validate" defaults to "REQUIRED", other options: "OPTIONAL" and "NONE".

Usage example:

xpra start --bind-tcp=0.0.0.0:10000 -d auth \
    --tcp-auth=ldap3,host=localhost,port=389

@maxmylyn: please test both backends against ldap and AD servers.

Last edited 18 months ago by Antoine Martin (previous) (diff)

comment:3 Changed 17 months ago by Antoine Martin

Resolution:	→ worksforme
Status:	new → closed

Note: See TracTickets for help on using tickets.

Download in other formats: