Skip to content

veox/taiga-contrib-ldap-auth-ensky

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

51 Commits
taiga_contrib_ldap_auth
taiga_contrib_ldap_auth
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
AUTHORS.md
AUTHORS.md
 
 
LICENSE
LICENSE
 
 
MANIFEST.in
MANIFEST.in
 
 
README.md
README.md
 
 
setup.py
setup.py
 
 

Repository files navigation

Taiga contrib ldap auth

Taiga.io plugin for LDAP authentication.

Installation

Install the PIP package taiga-contrib-ldap-auth in your taiga-back python virtualenv:

  pip install taiga-contrib-ldap-auth

If needed, change pip to pip3 to use the Python 3 version.

Configuration

taiga-back

Add the following to settings/local.py:

INSTALLED_APPS += ["taiga_contrib_ldap_auth"]

LDAP_SERVER = 'ldap://ldap.example.com'
LDAP_PORT = 389

# Full DN of the service account use to connect to LDAP server and search for login user's account entry
# If LDAP_BIND_DN is not specified, or is blank, then an anonymous bind is attempated
LDAP_BIND_DN = 'CN=SVC Account,OU=Service Accounts,OU=Servers,DC=example,DC=com'
LDAP_BIND_PASSWORD = '<REPLACE_ME>'

# Starting point within LDAP structure to search for login user
LDAP_SEARCH_BASE = 'OU=DevTeam,DC=example,DC=net'

# Additional search criteria to the filter (will be ANDed)
#LDAP_SEARCH_FILTER_ADDITIONAL = '(mail=*)'

# Names of attributes to get username, e-mail and full name values from
LDAP_USERNAME_ATTRIBUTE = 'uid'
LDAP_EMAIL_ATTRIBUTE = 'mail'
LDAP_FULL_NAME_ATTRIBUTE = 'displayName'

A dedicated domain service account user (specified by LDAP_BIND_DN) performs a search on LDAP for an account that has a LDAP_USERNAME_ATTRIBUTE or LDAP_EMAIL_ATTRIBUTE matching the user-provided login.

If the search is successful, then the returned entry and the user-provided password are used to attempt a bind to LDAP. If the bind is successful, then we can say that the user is authorised to log in to Taiga.

If the LDAP_BIND_DN configuration setting is not specified or is blank, then an anonymous bind is attempted to search for the login user's LDAP account entry.

RECOMMENDATION: for security reasons, if you are using a service account for performing the LDAP search, it should be configured to only allow reading/searching the LDAP structure. No other LDAP (or wider network) permissions should be granted for this user because you need to specify the service account password in the configuration file. A suitably strong password should be chosen, eg. VmLYBbvJaf2kAqcrt5HjHdG6

taiga-front

Change the loginFormType setting to "ldap" in dist/js/conf.json:

    ...
    "loginFormType": "ldap",
    ...

About

Taiga plugin for LDAP authentication

taiga.io

Resources

Readme

License

AGPL-3.0 license
Activity

Stars

2 stars

Watchers

4 watching

Forks

3 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages

  • Python 100.0%