Hi!
I'm currently writing a devpi-ldap plugin for devpi-server.
At this time devpi-server hasn't been extended for external authentication plugins, so the plugin doesn't work with devpi-server yet.
So far I've worked on the configuration for the LDAP connection. Since that is quite open and the specifics are up to the LDAP administrator, I could use some real-world testing and feedback.
You can find the current state at https://github.com/devpi/devpi-ldap
If you install that in a virtualenv, you will get a devpi-ldap script. With that script you can test your configuration and see if a user can be authenticated and its groups be returned correctly.
Details on the configuration are in the readme.
Please add any bugs or feature requests to the issue tracker at https://github.com/devpi/devpi-ldap/issues
Any problems with the documentation, like missing or unclear descriptions, are considered bugs :)
If you want to report issues, but don't want to publicly post your configuration or the output of the devpi-ldap script, then please feel free to contact me directly.
Regards, Florian Schulze
Hi!
There is now a devpi branch which contains the plugin hook which allows authentication via plugins. Get it at https://bitbucket.org/fschulze/devpi/branch/external-auth
The devpi-ldap code now implements those new hooks. Get it at https://github.com/devpi/devpi-ldap
During development I noticed that the LDAP setup with Active Directory on Windows Server 2008 which I created allows login without a password, even if the user has a password set. It only fails if you supply a wrong password. I would be very interested if this happens for any of you! Maybe someone has a pointer on that issue?
The devpi-ldap configuration test script has better output now to let you see whether authentication worked or not.
Regards, Florian Schulze
Hi Florian,
We are very interested in this plugin. We had a couple of questions which I hope you or someone on this mailing list can answer.
1-Does the plugin allow mixed mode, meaning some users are authenticated through AD while others are "local users"?
2-We currently have a devpi installation with a fair number of users registered. How does the migration take place? Does authentication first go to AD and then, if it fails, default to local? I guess if the answer to this is yes, the answer to 1 is also yes :). Basically with many pre-existing indices, we don't want to have to build them (if this makes any sense at all to you).
Thanks in advance.
/Laurent
On 9/2/14, 5:57 AM, Florian Schulze wrote:
Hi!
There is now a devpi branch which contains the plugin hook which allows authentication via plugins. Get it at https://bitbucket.org/fschulze/devpi/branch/external-auth
The devpi-ldap code now implements those new hooks. Get it at https://github.com/devpi/devpi-ldap
During development I noticed that the LDAP setup with Active Directory on Windows Server 2008 which I created allows login without a password, even if the user has a password set. It only fails if you supply a wrong password. I would be very interested if this happens for any of you! Maybe someone has a pointer on that issue?
The devpi-ldap configuration test script has better output now to let you see whether authentication worked or not.
Regards, Florian Schulze
I thought I had forgotten a question :).
3-In a configuration with replicas, does the plugin need to be installed on the master only, or on all replicas as well?
On 9/23/14, 12:41 PM, Laurent Brack wrote:
Hi Florian,
We are very interested in this plugin. We had a couple of questions which I hope you or someone on this mailing list can answer.
1-Does the plugin allow mixed mode, meaning some users are authenticated through AD while others are "local users"?
2-We currently have a devpi installation with a fair number of users registered. How does the migration take place? Does authentication first go to AD and then, if it fails, default to local? I guess if the answer to this is yes, the answer to 1 is also yes :). Basically with many pre-existing indices, we don't want to have to build them (if this makes any sense at all to you).
Thanks in advance.
/Laurent
1-Does the plugin allow mixed mode, meaning some users are authenticated through AD while others are "local users"?
2-We currently have a devpi installation with a fair number of users registered. How does the migration take place? Does authentication first go to AD and then, if it fails, default to local? I guess if the answer to this is yes, the answer to 1 is also yes :). Basically with many pre-existing indices, we don't want to have to build them (if this makes any sense at all to you).
If you configure user search and a user is not found, then devpi-server users will be tried. If a user is found and authentication fails, then no further authentication takes place, the login fails. So for a successful migration you need user search and all users that exist in both LDAP and devpi-server need to use the password stored in LDAP.
3-In a configuration with replicas, does the plugin need to be installed on the master only, or on all replicas as well?
Authentication takes place only on master, the replica is forwarding the request. So only the master needs the plugin.
Hope this helps, Florian Schulze
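
Added example, not part of the thread or of devpi-ldap's code: a Python model of the lookup order described in the reply above (user search, with devpi-server users tried only when the user is not found) combined with a guard against empty passwords. A simple bind with a DN and an empty password is an "unauthenticated bind" under RFC 4513 section 5.1.2 and a server may report success for it; whether that explains the Active Directory behaviour reported earlier in the thread is not confirmed here. `FakeDirectory`, `authenticate`, `Result` and the sample entry are hypothetical and constructed for illustration.

```python
# Added example: FakeDirectory, authenticate, Result and the sample entry are
# hypothetical names and constructed data, not devpi-ldap's API.
from enum import Enum


class Result(Enum):
    OK = "ok"            # LDAP accepted the credentials
    REJECT = "reject"    # login fails, no further backend is tried
    UNKNOWN = "unknown"  # user not in LDAP: devpi-server users are tried next


class FakeDirectory:
    """Stand-in for an LDAP server that accepts unauthenticated binds."""

    def __init__(self, entries):
        self.entries = entries  # uid -> (dn, password)

    def search(self, uid):
        entry = self.entries.get(uid)
        return entry[0] if entry else None

    def simple_bind(self, dn, password):
        if password == "":
            # RFC 4513 5.1.2: DN plus empty password is an unauthenticated
            # bind; a server that allows it reports success without
            # verifying the user's stored password.
            return True
        return any(d == dn and p == password for d, p in self.entries.values())


def authenticate(directory, uid, password, reject_empty=True):
    # Guard first: an empty password is never passed on to the bind call.
    if reject_empty and not password:
        return Result.REJECT
    dn = directory.search(uid)
    if dn is None:
        return Result.UNKNOWN   # not found: fall back to local users
    if directory.simple_bind(dn, password):
        return Result.OK
    return Result.REJECT        # found but bind failed: no fallback


# Constructed sample directory with one user.
DIRECTORY = FakeDirectory({"alice": ("cn=alice,dc=example,dc=org", "s3cret")})
```

Calling `authenticate(DIRECTORY, "alice", "", reject_empty=False)` shows the failure mode: without the guard, the model directory accepts the empty password even though the user has one set.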