@phspagiari
Last active August 29, 2015 14:16
Patch for Deis to use LDAP Authentication

PoC: Deis with LDAP/AD Authentication

Requirements

Step 1: Get the following info from your LDAP

  • Endpoint (host): The LDAP server the controller will connect to. (Ex.: ldap.company.com. Give the hostname only: the PoC patch always connects with plain ldap://, so an ldaps:// endpoint cannot be configured yet.)
  • Bind DN: The account used for the bind, as a full DN or, on Active Directory, a UPN. (Ex.: user@company.org. Leave blank for an anonymous bind.)
  • Bind Password: Password of the bind account. (Leave blank for an anonymous bind.)
  • Users Base DN: The base Distinguished Name under which your LDAP users are placed. (Ex.: OU=TeamX,DC=Company,DC=org)
  • User Filter: The attribute that is matched against the Deis username. (In most cases uid; for Windows AD users sAMAccountName.)
  • Group Base DN: Where the groups are located in your LDAP/AD. (Ex.: OU=Groups,OU=TeamX,DC=Company,DC=org)
  • Group Filter: The attribute used to locate your groups with LDAPSearch. (In most cases objectClass.)
  • Group Type: The type of groups in LDAP. (Use groupOfNames if you don't know; it is the only type the PoC patch honours at the moment.)

Step 2: Clone and Patch your Deis

git clone git@github.com:deis/deis.git
cd deis
patch -p1 < deis_ldap_phspagiari_latest.patch

(The patch carries git's a/ and b/ path prefixes, hence -p1 and running it from the repository root; git apply deis_ldap_phspagiari_latest.patch works as well.)

Step 3: Starting your environment with Vagrant

Installing Deis - Vagrant Setup

Step 4: Installing Deis

  • Follow the step-by-step here, but set your LDAP keys with deisctl at the point where you set your domain. The values are stored in etcd, so the bind password is readable by anyone with access to the cluster's etcd; use a dedicated, read-only bind account. The host is given without a scheme (no ldap:// prefix).
deisctl config controller set auth/ldap/host=ldap.host.com
deisctl config controller set auth/ldap/bind/dn=user@dc1.dc2
deisctl config controller set auth/ldap/bind/password=bindpassword
deisctl config controller set auth/ldap/user/basedn=OU=TEAMX,DC=dc1,DC=dc2
deisctl config controller set auth/ldap/user/filter=sAMAccountName
deisctl config controller set auth/ldap/group/basedn=OU=Groups,OU=TEAMX,DC=dc1,DC=dc2
deisctl config controller set auth/ldap/group/filter=objectClass
deisctl config controller set auth/ldap/group/type=groupOfNames
  • Proceed with the normal installation

Step 5: After the installation completes, you can log in with the deis client using your LDAP credentials (local Deis accounts keep working too, because the patch leaves Django's ModelBackend in place):

deis login http://yourdeis.controller.com/
username: <your-LDAP-user>
password: <your-LDAP-password>
Logged in as <your-LDAP-user>
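As a pre-flight check for the settings collected in Step 1 and applied in Step 4, here is an added example (not part of the gist, of Deis or of django-auth-ldap): a Python 3 script that reproduces the two search filters the patched controller/deis/settings.py builds, escapes the username the way django-auth-ldap escapes its %(user)s placeholder (RFC 4515), validates the settings against what the patch can actually use, and prints the Step 4 deisctl commands. The key names, the sample values and the bare-hostname and groupOfNames checks are taken from the patch; the functions themselves and the sample settings dict are this example's own and constructed for it.

```python
"""Pre-flight check for the Deis LDAP PoC settings (added example, not gist code)."""
import shlex

# The eight etcd keys the patch's confd template reads, in Step 4 order.
LDAP_KEYS = (
    "host", "bind/dn", "bind/password",
    "user/basedn", "user/filter",
    "group/basedn", "group/filter", "group/type",
)

# RFC 4515 escaping of a value placed inside a search filter. django-auth-ldap
# applies the same escaping to %(user)s; it is reproduced here so the example
# runs without python-ldap. Each special character becomes backslash + hex.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(user_filter_attr, username):
    """Filter the patch runs at login: "(" + USER_FILTER + "=%(user)s)".

    user_filter_attr comes from configuration (auth/ldap/user/filter); the
    username comes from the deis client and is the part that must be escaped.
    """
    return "(%s=%s)" % (user_filter_attr, escape_filter_value(username))


def group_search_filter(group_filter_attr):
    """Group filter as the patch builds it: the object class is fixed to groupOfNames."""
    return "(%s=groupOfNames)" % group_filter_attr


def validate_settings(cfg):
    """Return a list of problems with a Step 1 settings dict (empty list means OK)."""
    problems = ["missing key auth/ldap/%s" % k for k in LDAP_KEYS if k not in cfg]
    host = cfg.get("host", "")
    # The patch sets AUTH_LDAP_SERVER_URI = "ldap://%s" % LDAP_HOST, so a scheme in
    # the host value would produce ldap://ldap://... and ldaps:// is not possible.
    if "://" in host:
        problems.append("auth/ldap/host must be a bare hostname, not a URL: %r" % host)
    # Either both bind values are set, or both are blank (anonymous bind).
    if bool(cfg.get("bind/dn")) != bool(cfg.get("bind/password")):
        problems.append("bind/dn and bind/password must both be set or both be blank")
    # The patch stores group/type but always uses GroupOfNamesType().
    if cfg.get("group/type", "groupOfNames") != "groupOfNames":
        problems.append("group/type %r is stored but the PoC patch only honours groupOfNames"
                        % cfg["group/type"])
    return problems


def deisctl_commands(cfg):
    """The Step 4 commands, shell-quoted so DNs with spaces or quotes survive."""
    problems = validate_settings(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return ["deisctl config controller set auth/ldap/%s=%s" % (k, shlex.quote(cfg[k]))
            for k in LDAP_KEYS]


# Constructed sample settings mirroring the values shown in Step 4.
SAMPLE_SETTINGS = {
    "host": "ldap.host.com",
    "bind/dn": "user@dc1.dc2",
    "bind/password": "bindpassword",
    "user/basedn": "OU=TEAMX,DC=dc1,DC=dc2",
    "user/filter": "sAMAccountName",
    "group/basedn": "OU=Groups,OU=TEAMX,DC=dc1,DC=dc2",
    "group/filter": "objectClass",
    "group/type": "groupOfNames",
}

if __name__ == "__main__":
    for cmd in deisctl_commands(SAMPLE_SETTINGS):
        print(cmd)
    print(user_search_filter(SAMPLE_SETTINGS["user/filter"], "jdoe"))
    # A username crafted to widen the search is neutralised by the escaping:
    print(user_search_filter(SAMPLE_SETTINGS["user/filter"], "*)(objectClass=*"))
    print(group_search_filter(SAMPLE_SETTINGS["group/filter"]))
```

Run it with python3 before touching etcd; a non-empty result from validate_settings() points at a value the patch would silently mishandle (a host with a scheme, a half-configured bind, or a group type other than groupOfNames). The escaped username shows why the placeholder in the patch must stay as %(user)s rather than being formatted in by hand: django-auth-ldap only escapes the value it substitutes itself.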
diff --git a/controller/deis/settings.py b/controller/deis/settings.py
index d9d3aae..f6a0f0d 100644
--- a/controller/deis/settings.py
+++ b/controller/deis/settings.py
@@ -6,6 +6,9 @@ from __future__ import unicode_literals
import os.path
import sys
import tempfile
+import os
+import ldap
+
PROJECT_ROOT = os.path.normpath(os.path.join(os.path.dirname(__file__), '..'))
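Review bot: `import os` at the top of the hunk is redundant, since `import os.path` two lines above already binds the `os` name; drop it. The unconditional `import ldap` also makes the controller's settings module fail to import (so the controller refuses to start) whenever python-ldap is missing from the image, even for deployments that do not use LDAP; move the import into the LDAP block at the end of the file and guard it, e.g. `try: import ldap` / `except ImportError: ldap = None`, skipping the LDAP settings when it is absent.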
@@ -136,6 +139,7 @@ INSTALLED_APPS = (
'django.contrib.sites',
'django.contrib.staticfiles',
# Third-party apps
+ 'django_auth_ldap',
'django_fsm',
'guardian',
'json_field',
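Review bot: listing `'django_auth_ldap'` in INSTALLED_APPS is unnecessary; django-auth-ldap ships no models, templates or management commands and is wired in purely through AUTHENTICATION_BACKENDS, so this line can be dropped (it is harmless if kept).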
@@ -150,6 +154,7 @@ INSTALLED_APPS = (
)
AUTHENTICATION_BACKENDS = (
+ "django_auth_ldap.backend.LDAPBackend",
"django.contrib.auth.backends.ModelBackend",
"guardian.backends.ObjectPermissionBackend",
)
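Review bot: keeping `ModelBackend` behind `LDAPBackend` means every login is tried against LDAP first and then against the local Django user table, so local accounts (including the admin created at install) keep their local passwords, and a user whose LDAP login fails can still authenticate with a stale local password if one exists. If that is intended, say so in the README; if LDAP should be the only source of credentials, drop `ModelBackend` and keep only `ObjectPermissionBackend`, which handles permissions and never authenticates.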
@@ -335,3 +340,41 @@ except ImportError:
if os.path.exists('/templates/confd_settings.py'):
sys.path.append('/templates')
from confd_settings import * # noqa
+
+# LDAP Authentication
+
+from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
+
+AUTH_LDAP_GLOBAL_OPTIONS = { ldap.OPT_X_TLS_REQUIRE_CERT: False, ldap.OPT_REFERRALS: False }
+
+LDAP_USER_SEARCH = LDAPSearch(
+ base_dn=USER_BASEDN,
+ scope=ldap.SCOPE_SUBTREE,
+ filterstr="(" + USER_FILTER + "=%(user)s)" # Placeholder problem, I didnt find a better way.
+)
+
+LDAP_GROUP_SEARCH = LDAPSearch(
+ base_dn=GROUP_BASEDN,
+ scope=ldap.SCOPE_SUBTREE,
+ filterstr="(%s=groupOfNames)" % GROUP_FILTER
+)
+
+AUTH_LDAP_SERVER_URI = "ldap://%s" % LDAP_HOST
+AUTH_LDAP_BIND_DN = BIND_DN
+AUTH_LDAP_BIND_PASSWORD = BIND_PASSWORD
+AUTH_LDAP_ALWAYS_UPDATE_USER = True
+
+AUTH_LDAP_USER_SEARCH = LDAP_USER_SEARCH
+AUTH_LDAP_GROUP_SEARCH = LDAP_GROUP_SEARCH
+AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
+
+AUTH_LDAP_USER_ATTR_MAP = {
+ "first_name": "givenName",
+ "last_name": "sn",
+ "email": "mail",
+ "username": USER_FILTER,
+}
+
+AUTH_LDAP_MIRROR_GROUPS = True
+AUTH_LDAP_FIND_GROUP_PERMS = True
+AUTH_LDAP_CACHE_GROUPS = False
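Review bot: `AUTH_LDAP_SERVER_URI = "ldap://%s" % LDAP_HOST` hardcodes plain LDAP and the block never sets `AUTH_LDAP_START_TLS`, so the bind password and every user's password are sent to the directory in cleartext, and the `ldaps://` endpoint the README mentions cannot be configured; take the full URI from configuration (or add `AUTH_LDAP_START_TLS = True`) and, once TLS is in use, replace `ldap.OPT_X_TLS_REQUIRE_CERT: False` (False equals `ldap.OPT_X_TLS_NEVER`, i.e. no certificate verification) with `ldap.OPT_X_TLS_DEMAND` plus an `ldap.OPT_X_TLS_CACERTFILE`. Two smaller points in the same block: `GROUP_TYPE` is read from confd but never used, because the group filter hardcodes `groupOfNames` and `AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()`, so the README's `auth/ldap/group/type` key is a no-op (AD groups would need `ActiveDirectoryGroupType`); and `LDAP_HOST`, `USER_BASEDN` and the other names are only defined when `/templates/confd_settings.py` exists, so importing the settings outside the container now raises `NameError`. The `# Placeholder problem` is solved by `filterstr="(%s=%%(user)s)" % USER_FILTER`, which leaves `%(user)s` intact for django-auth-ldap to escape.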
diff --git a/controller/requirements.txt b/controller/requirements.txt
index d5893d7..5195986 100644
--- a/controller/requirements.txt
+++ b/controller/requirements.txt
@@ -9,6 +9,7 @@ git+https://github.com/deis/django-fsm@propagate-false
django-cors-headers==1.0.0
django-guardian==1.2.5
django-json-field==0.5.7
+django-auth-ldap==1.2.5
djangorestframework==3.0.5
docker-py==0.7.2
gunicorn==19.2.1
@@ -19,3 +20,4 @@ PyYAML==3.11
setproctitle==1.1.8
static==1.1.1
South==1.0.2
+python-ldap==2.4.19
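Review bot: `python-ldap==2.4.19` is a C extension that builds against the OpenLDAP and SASL headers, and this patch touches no Dockerfile, so `pip install -r requirements.txt` will fail in the controller image unless the build dependencies (`libldap2-dev` and `libsasl2-dev` on Debian-based images) are installed there; add them to the image or note the requirement in the README.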
diff --git a/controller/templates/confd_settings.py b/controller/templates/confd_settings.py
index 501c0c4..bdf78cd 100644
--- a/controller/templates/confd_settings.py
+++ b/controller/templates/confd_settings.py
@@ -46,3 +46,15 @@ WEB_ENABLED = bool({{ .deis_controller_webEnabled }})
{{ end }}
UNIT_HOSTNAME = '{{ or (.deis_controller_unitHostname) "default" }}'
+
+# AUTH
+# LDAP
+LDAP_HOST = '{{getv "/deis/controller/auth/ldap/host" }}'
+BIND_DN = '{{getv "/deis/controller/auth/ldap/bind/dn" }}'
+BIND_PASSWORD = '{{getv "/deis/controller/auth/ldap/bind/password" }}'
+USER_BASEDN = '{{getv "/deis/controller/auth/ldap/user/basedn" }}'
+USER_FILTER = '{{getv "/deis/controller/auth/ldap/user/filter" }}'
+GROUP_BASEDN = '{{getv "/deis/controller/auth/ldap/group/basedn" }}'
+GROUP_FILTER = '{{getv "/deis/controller/auth/ldap/group/filter" }}'
+GROUP_TYPE = '{{getv "/deis/controller/auth/ldap/group/type" }}'
+
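Review bot: every `getv` here has no default, and confd fails the template when a key it reads does not exist in etcd, so after this patch the controller will not render its settings until all eight `auth/ldap/*` keys are set, LDAP users or not; wrap the block in `{{ if exists "/deis/controller/auth/ldap/host" }} ... {{ end }}` like the `{{ end }}`-terminated block above it, or give each `getv` a default. The values are also dropped into single-quoted Python literals, so a bind password containing `'` or `\` yields a SyntaxError in the rendered settings; and because they come from etcd via `deisctl config`, the bind password is readable by anyone with etcd access and lands in cleartext in `confd_settings.py` inside the container, which argues for a least-privilege, read-only bind account.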