feat(controller): Adding LDAP/AD auth support

Author: phspagiari

build.sh

@@ -16,7 +16,7 @@ DEBIAN_FRONTEND=noninteractive
 # HACK: install git so we can install bacongobbler's fork of django-fsm
 # install openssh-client for temporary fleetctl wrapper
 apt-get update && \
-    apt-get install -yq python-dev libffi-dev libpq-dev libyaml-dev git
+    apt-get install -yq python-dev libffi-dev libpq-dev libyaml-dev git libldap2-dev libsasl2-dev
 
 # install pip
 curl -sSL https://raw.githubusercontent.com/pypa/pip/6.0.8/contrib/get-pip.py | python -

deis/settings.py

@@ -8,6 +8,10 @@
 import string
 import sys
 import tempfile
+import ldap
+
+from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
+
 
 PROJECT_ROOT = os.path.normpath(os.path.join(os.path.dirname(__file__), '..'))
 
@@ -138,6 +142,7 @@
     'django.contrib.sites',
     'django.contrib.staticfiles',
     # Third-party apps
+    'django_auth_ldap',
     'guardian',
     'json_field',
     'gunicorn',
@@ -151,6 +156,7 @@
 )
 
 AUTHENTICATION_BACKENDS = (
+    "django_auth_ldap.backend.LDAPBackend",
     "django.contrib.auth.backends.ModelBackend",
     "guardian.backends.ObjectPermissionBackend",
 )
@@ -324,6 +330,16 @@
 #  server       - Hostname based on CoreOS server hostname
 UNIT_HOSTNAME = 'default'
 
+# LDAP DEFAULT SETTINGS (Overrided by confd later)
+LDAP_ENDPOINT = ""
+BIND_DN = ""
+BIND_PASSWORD = ""
+USER_BASEDN = ""
+USER_FILTER = ""
+GROUP_BASEDN = ""
+GROUP_FILTER = ""
+GROUP_TYPE = ""
+
 # Create a file named "local_settings.py" to contain sensitive settings data
 # such as database configuration, admin email, or passwords and keys. It
 # should also be used for any settings which differ between development
@@ -334,9 +350,41 @@
 except ImportError:
     pass
 
-
 # have confd_settings within container execution override all others
 # including local_settings (which may end up in the container)
 if os.path.exists('/templates/confd_settings.py'):
     sys.path.append('/templates')
     from confd_settings import *  # noqa
+
+# LDAP Backend Configuration
+# Should be always after the confd_settings import.
+LDAP_USER_SEARCH = LDAPSearch(
+    base_dn=USER_BASEDN,
+    scope=ldap.SCOPE_SUBTREE,
+    filterstr="(%s=%%(user)s)" % USER_FILTER
+)
+LDAP_GROUP_SEARCH = LDAPSearch(
+    base_dn=GROUP_BASEDN,
+    scope=ldap.SCOPE_SUBTREE,
+    filterstr="(%s=%s)" % (GROUP_FILTER, GROUP_TYPE)
+)
+AUTH_LDAP_SERVER_URI = LDAP_ENDPOINT
+AUTH_LDAP_BIND_DN = BIND_DN
+AUTH_LDAP_BIND_PASSWORD = BIND_PASSWORD
+AUTH_LDAP_USER_SEARCH = LDAP_USER_SEARCH
+AUTH_LDAP_GROUP_SEARCH = LDAP_GROUP_SEARCH
+AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
+AUTH_LDAP_USER_ATTR_MAP = {
+    "first_name": "givenName",
+    "last_name": "sn",
+    "email": "mail",
+    "username": USER_FILTER,
+}
+AUTH_LDAP_GLOBAL_OPTIONS = {
+    ldap.OPT_X_TLS_REQUIRE_CERT: False,
+    ldap.OPT_REFERRALS: False
+}
+AUTH_LDAP_ALWAYS_UPDATE_USER = True
+AUTH_LDAP_MIRROR_GROUPS = True
+AUTH_LDAP_FIND_GROUP_PERMS = True
+AUTH_LDAP_CACHE_GROUPS = False

requirements.txt

@@ -9,6 +9,7 @@ django-cors-headers==1.0.0
 django-fsm==2.2.0
 django-guardian==1.2.5
 django-json-field==0.5.7
+django-auth-ldap==1.2.5
 djangorestframework==3.0.5
 docker-py==0.7.2
 gunicorn==19.3.0
@@ -19,3 +20,4 @@ PyYAML==3.11
 setproctitle==1.1.8
 static==1.1.1
 South==1.0.2
+python-ldap==2.4.19

templates/confd_settings.py

@@ -45,3 +45,16 @@
 WEB_ENABLED = bool({{ getv "/deis/controller/webEnabled" }})
 {{ end }}
 UNIT_HOSTNAME = '{{ if exists "/deis/controller/unitHostname" }}{{ getv "/deis/controller/unitHostname" }}{{ else }}default{{ end }}'
+
+# AUTH
+# LDAP
+{{ if exists "/deis/controller/auth/ldap/endpoint" }}
+LDAP_ENDPOINT = '{{ if exists "/deis/controller/auth/ldap/endpoint" }}{{ getv "/deis/controller/auth/ldap/endpoint"}}{{ else }} {{ end }}'
+BIND_DN = '{{ if exists "/deis/controller/auth/ldap/bind/dn" }}{{ getv "/deis/controller/auth/ldap/bind/dn"}}{{ else }} {{ end }}'
+BIND_PASSWORD = '{{ if exists "/deis/controller/auth/ldap/bind/password" }}{{ getv "/deis/controller/auth/ldap/bind/password"}}{{ else }} {{ end }}'
+USER_BASEDN = '{{ if exists "/deis/controller/auth/ldap/user/basedn" }}{{ getv "/deis/controller/auth/ldap/user/basedn"}}{{ else }} {{ end }}'
+USER_FILTER = '{{ if exists "/deis/controller/auth/ldap/user/filter" }}{{ getv "/deis/controller/auth/ldap/user/filter"}}{{ else }} {{ end }}'
+GROUP_BASEDN = '{{ if exists "/deis/controller/auth/ldap/group/basedn" }}{{ getv "/deis/controller/auth/ldap/group/basedn"}}{{ else }} {{ end }}'
+GROUP_FILTER = '{{ if exists "/deis/controller/auth/ldap/group/filter" }}{{ getv "/deis/controller/auth/ldap/group/filter"}}{{ else }} {{ end }}'
+GROUP_TYPE = '{{ if exists "/deis/controller/auth/ldap/group/type" }}{{ getv "/deis/controller/auth/ldap/group/type"}}{{ else }} {{ end }}'
+{{ end }}