From 78250751ce5229fcc05c6fb090007e31cc0b8593 Mon Sep 17 00:00:00 2001
From: MrCirca
Date: Thu, 30 Aug 2018 17:36:33 +0300
Subject: [PATCH 1/7] Add two new envars. REDASH_LDAP_USE_SSL which determines if the connection will use ssl and LDAP_AUTH_BIND which determines if the binding is SIMPLE or ANONYMOUS
---
 redash/authentication/ldap_auth.py | 4 ++--
 redash/settings/__init__.py | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/redash/authentication/ldap_auth.py b/redash/authentication/ldap_auth.py
index 1fafe5ef1a..b3ad798c69 100644
--- a/redash/authentication/ldap_auth.py
+++ b/redash/authentication/ldap_auth.py
@@ -58,8 +58,8 @@ def login(org_slug=None):
 def auth_ldap_user(username, password):
- server = Server(settings.LDAP_HOST_URL)
- conn = Connection(server, settings.LDAP_BIND_DN, password=settings.LDAP_BIND_DN_PASSWORD, authentication=SIMPLE, auto_bind=True)
+ server = Server(settings.LDAP_HOST_URL, settings.LDAP_SSL)
+ conn = Connection(server, settings.LDAP_BIND_DN, password=settings.LDAP_BIND_DN_PASSWORD, authentication=settings.LDAP_AUTH_BIND, auto_bind=True)
 conn.search(settings.LDAP_SEARCH_DN, settings.LDAP_SEARCH_TEMPLATE % {"username": username}, attributes=[settings.LDAP_DISPLAY_NAME_KEY, settings.LDAP_EMAIL_KEY])
diff --git a/redash/settings/__init__.py b/redash/settings/__init__.py
index 2115d8aa27..676d5ba9cb 100644
--- a/redash/settings/__init__.py
+++ b/redash/settings/__init__.py
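Review bot: With `authentication=settings.LDAP_AUTH_BIND` the lookup connection can now be an anonymous bind, but `settings.LDAP_BIND_DN` and its password are still passed and the rest of `auth_ldap_user` lies outside the hunk, so it is worth confirming that the step which checks the user's own password performs a real credentialed bind and does not inherit the anonymous mode. Once confirmed, a comment above the `Connection(...)` line such as `# service bind used only for the directory search; the user's password is verified separately` would make that contract explicit. Separately, the `conn.search` call in the trailing context formats `username` into `settings.LDAP_SEARCH_TEMPLATE` without escaping; unless it is sanitised before this function, wrapping it as `escape_filter_chars(username)` (from `ldap3.utils.conv`) keeps filter metacharacters in a login name from altering the query.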
@@ -81,6 +81,10 @@ def all_settings():
 # If the organization setting auth_password_login_enabled is not false, then users will still be
 # able to login through Redash instead of the LDAP server
 LDAP_LOGIN_ENABLED = parse_boolean(os.environ.get('REDASH_LDAP_LOGIN_ENABLED', 'false'))
+# Bind LDAP using SSL. Default is False
+LDAP_SSL = os.environ.get('REDASH_LDAP_USE_SSL', 'false')
+#Choose authentication method(SIMPLE or ANONYMOUS). Default is SIMPLE
+LDAP_AUTH_BIND = os.environ.get('REDASH_LDAP_AUTH_BIND', 'SIMPLE')
 # The LDAP directory address (ex. ldap://10.0.10.1:389)
 LDAP_HOST_URL = os.environ.get('REDASH_LDAP_URL', None)
 # The DN & password used to connect to LDAP to determine the identity of the user being authenticated.
From ad307d18426b40b9c2b01980d04460cab6b22edc Mon Sep 17 00:00:00 2001
From: MrCirca
Date: Thu, 30 Aug 2018 17:51:08 +0300
Subject: [PATCH 2/7] Add use_ssl paremeter
---
 redash/authentication/ldap_auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/redash/authentication/ldap_auth.py b/redash/authentication/ldap_auth.py
index b3ad798c69..6ede926935 100644
--- a/redash/authentication/ldap_auth.py
+++ b/redash/authentication/ldap_auth.py
@@ -58,7 +58,7 @@ def login(org_slug=None):
 def auth_ldap_user(username, password):
- server = Server(settings.LDAP_HOST_URL, settings.LDAP_SSL)
+ server = Server(settings.LDAP_HOST_URL, use_ssl=settings.LDAP_SSL)
 conn = Connection(server, settings.LDAP_BIND_DN, password=settings.LDAP_BIND_DN_PASSWORD, authentication=settings.LDAP_AUTH_BIND, auto_bind=True)
 conn.search(settings.LDAP_SEARCH_DN, settings.LDAP_SEARCH_TEMPLATE % {"username": username}, attributes=[settings.LDAP_DISPLAY_NAME_KEY, settings.LDAP_EMAIL_KEY])
From d2ac664cd5c230faec0f5916c87f9812fe90de7d Mon Sep 17 00:00:00 2001
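Review bot: `LDAP_AUTH_BIND` is read from the environment and handed to ldap3 as-is, so a typo or a lower-case value such as `simple` is not caught at startup and would only surface as an ldap3 error on the first login attempt. Normalise and check it where it is defined, e.g. `LDAP_AUTH_BIND = os.environ.get('REDASH_LDAP_AUTH_BIND', 'SIMPLE').upper()` followed by `if LDAP_AUTH_BIND not in ('SIMPLE', 'ANONYMOUS'): raise ValueError('unsupported REDASH_LDAP_AUTH_BIND')`. The same applies to the renamed `LDAP_AUTH_METHOD` in 3/7 and to the NTLM value documented in 7/7. The comment should also say that ANONYMOUS only affects the lookup bind, if that is the intent.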
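Review bot: `use_ssl=settings.LDAP_SSL` turns on TLS, but no `tls=` object is passed and ldap3's default TLS settings do not verify the server certificate, so the bind DN password and each user's password sent over this connection remain exposed to an on-path party presenting any certificate. Pass an explicit validating configuration, e.g. `Server(settings.LDAP_HOST_URL, use_ssl=settings.LDAP_SSL, tls=Tls(validate=ssl.CERT_REQUIRED))`, with `Tls` imported from ldap3 and `ssl` from the standard library; a setting feeding `ca_certs_file` would cover directories signed by a private CA. The line is carried unchanged through 3/7, and `auth_ldap_user` continues outside the hunk.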
From: MrCirca
Date: Thu, 30 Aug 2018 19:03:48 +0300
Subject: [PATCH 3/7] Rename LDAP_AUTH_BIND to LDAP_AUTH_METHOD and modify LDAP_SSL using parse_boolean
---
 redash/authentication/ldap_auth.py | 2 +-
 redash/settings/__init__.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/redash/authentication/ldap_auth.py b/redash/authentication/ldap_auth.py
index 6ede926935..f1126fcb7f 100644
--- a/redash/authentication/ldap_auth.py
+++ b/redash/authentication/ldap_auth.py
@@ -59,7 +59,7 @@ def login(org_slug=None):
 def auth_ldap_user(username, password):
 server = Server(settings.LDAP_HOST_URL, use_ssl=settings.LDAP_SSL)
- conn = Connection(server, settings.LDAP_BIND_DN, password=settings.LDAP_BIND_DN_PASSWORD, authentication=settings.LDAP_AUTH_BIND, auto_bind=True)
+ conn = Connection(server, settings.LDAP_BIND_DN, password=settings.LDAP_BIND_DN_PASSWORD, authentication=settings.LDAP_AUTH_METHOD, auto_bind=True)
 conn.search(settings.LDAP_SEARCH_DN, settings.LDAP_SEARCH_TEMPLATE % {"username": username}, attributes=[settings.LDAP_DISPLAY_NAME_KEY, settings.LDAP_EMAIL_KEY])
diff --git a/redash/settings/__init__.py b/redash/settings/__init__.py
index 676d5ba9cb..761753cfb7 100644
--- a/redash/settings/__init__.py
+++ b/redash/settings/__init__.py
@@ -82,9 +82,9 @@ def all_settings():
 # able to login through Redash instead of the LDAP server
 LDAP_LOGIN_ENABLED = parse_boolean(os.environ.get('REDASH_LDAP_LOGIN_ENABLED', 'false'))
 # Bind LDAP using SSL. Default is False
-LDAP_SSL = os.environ.get('REDASH_LDAP_USE_SSL', 'false')
+LDAP_SSL = parse_boolean(os.environ.get('REDASH_LDAP_USE_SSL', 'false'))
 #Choose authentication method(SIMPLE or ANONYMOUS). Default is SIMPLE
-LDAP_AUTH_BIND = os.environ.get('REDASH_LDAP_AUTH_BIND', 'SIMPLE')
+LDAP_AUTH_METHOD = os.environ.get('REDASH_LDAP_AUTH_METHOD', 'SIMPLE')
 # The LDAP directory address (ex. ldap://10.0.10.1:389)
 LDAP_HOST_URL = os.environ.get('REDASH_LDAP_URL', None)
 # The DN & password used to connect to LDAP to determine the identity of the user being authenticated.
From 756d424eccc473032fa641b4e15567b89ab32c58 Mon Sep 17 00:00:00 2001
From: MrCirca
Date: Thu, 30 Aug 2018 19:06:03 +0300
Subject: [PATCH 4/7] Fix typo
---
 redash/settings/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/redash/settings/__init__.py b/redash/settings/__init__.py
index 761753cfb7..b20940c8f3 100644
--- a/redash/settings/__init__.py
+++ b/redash/settings/__init__.py
@@ -83,7 +83,7 @@ def all_settings():
 LDAP_LOGIN_ENABLED = parse_boolean(os.environ.get('REDASH_LDAP_LOGIN_ENABLED', 'false'))
 # Bind LDAP using SSL. Default is False
 LDAP_SSL = parse_boolean(os.environ.get('REDASH_LDAP_USE_SSL', 'false'))
-#Choose authentication method(SIMPLE or ANONYMOUS). Default is SIMPLE
+# Choose authentication method(SIMPLE or ANONYMOUS). Default is SIMPLE
 LDAP_AUTH_METHOD = os.environ.get('REDASH_LDAP_AUTH_METHOD', 'SIMPLE')
 # The LDAP directory address (ex. ldap://10.0.10.1:389)
 LDAP_HOST_URL = os.environ.get('REDASH_LDAP_URL', None)
From 14bd16575776139a078cbbfc9ce65d3b43b77f37 Mon Sep 17 00:00:00 2001
From: MrCirca
Date: Fri, 31 Aug 2018 13:28:24 +0300
Subject: [PATCH 5/7] import ANONYMOUS constant from ldap3
---
 redash/authentication/ldap_auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/redash/authentication/ldap_auth.py b/redash/authentication/ldap_auth.py
index f1126fcb7f..55553a99fa 100644
--- a/redash/authentication/ldap_auth.py
+++ b/redash/authentication/ldap_auth.py
@@ -7,7 +7,7 @@ from flask_login import current_user, login_required, login_user, logout_user
 try:
- from ldap3 import Server, Connection, SIMPLE
+ from ldap3 import Server, Connection, SIMPLE, ANONYMOUS
 except ImportError:
 if settings.LDAP_LOGIN_ENABLED:
 logger.error("The ldap3 library was not found. This is required to use LDAP authentication (see requirements.txt).")
From 49d7621e583f7caa1812c22a5e396f5048e66db1 Mon Sep 17 00:00:00 2001
From: MrCirca
Date: Thu, 27 Sep 2018 15:20:34 +0300
Subject: [PATCH 6/7] Add NTLM authentication
---
 redash/authentication/ldap_auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/redash/authentication/ldap_auth.py b/redash/authentication/ldap_auth.py
index 55553a99fa..e3f1aa9b27 100644
--- a/redash/authentication/ldap_auth.py
+++ b/redash/authentication/ldap_auth.py
@@ -7,7 +7,7 @@ from flask_login import current_user, login_required, login_user, logout_user
 try:
- from ldap3 import Server, Connection, SIMPLE, ANONYMOUS
+ from ldap3 import Server, Connection, SIMPLE, ANONYMOUS, NTLM
 except ImportError:
 if settings.LDAP_LOGIN_ENABLED:
 logger.error("The ldap3 library was not found. This is required to use LDAP authentication (see requirements.txt).")
From 2d53b867399a53ed1dc5b72321d00c827b47d5e8 Mon Sep 17 00:00:00 2001
From: MrCirca
Date: Thu, 27 Sep 2018 15:37:50 +0300
Subject: [PATCH 7/7] Add comment to authentication method envar
---
 redash/settings/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
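Review bot: `ANONYMOUS` is imported here (and `NTLM` in 6/7), but nothing visible in the series references either name; `authentication=` receives the raw string from `settings.LDAP_AUTH_METHOD`, so the imports do not change which methods are accepted. Either drop them or put them to use, for example `if settings.LDAP_AUTH_METHOD not in (SIMPLE, ANONYMOUS, NTLM): raise ValueError(...)` before the `Connection` is built. The import sits inside a `try`/`except ImportError` whose handler starts in this hunk and continues outside it.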
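Review bot: Importing `NTLM` is unlikely to make NTLM binds work with the existing settings, because ldap3 expects the NTLM user in `DOMAIN\user` form while the connection is built from `settings.LDAP_BIND_DN`, which the settings comment describes as a DN. If the later password check in `auth_ldap_user` (outside these hunks) binds with the entry's DN, it would presumably need the same treatment. Document the required bind-user format next to the `LDAP_AUTH_METHOD` comment, or reject NTLM at startup when the configured bind user contains no backslash. NTLM is also a legacy mechanism, so the comment could point operators to SIMPLE over a certificate-validated TLS connection as the preferred setup.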
diff --git a/redash/settings/__init__.py b/redash/settings/__init__.py
index b20940c8f3..9c2d58b68c 100644
--- a/redash/settings/__init__.py
+++ b/redash/settings/__init__.py
@@ -83,7 +83,7 @@ def all_settings():
 LDAP_LOGIN_ENABLED = parse_boolean(os.environ.get('REDASH_LDAP_LOGIN_ENABLED', 'false'))
 # Bind LDAP using SSL. Default is False
 LDAP_SSL = parse_boolean(os.environ.get('REDASH_LDAP_USE_SSL', 'false'))
-# Choose authentication method(SIMPLE or ANONYMOUS). Default is SIMPLE
+# Choose authentication method(SIMPLE, ANONYMOUS or NTLM). Default is SIMPLE
 LDAP_AUTH_METHOD = os.environ.get('REDASH_LDAP_AUTH_METHOD', 'SIMPLE')
 # The LDAP directory address (ex. ldap://10.0.10.1:389)
 LDAP_HOST_URL = os.environ.get('REDASH_LDAP_URL', None)