
ldap authentication #1791

Closed
totaam opened this issue Mar 24, 2018 · 2 comments

Comments


totaam commented Mar 24, 2018

See also #1691, #1789, #1728


totaam commented Mar 24, 2018

2018-03-24 15:50:54: antoine commented


Done:

  • ldap authentication module added in r18827 using python-ldap
  • macos modules added in r18828 + r18829
  • win32 packaging in r18830
  • Active Directory compatibility improvements in r18831
  • environment variables for tuning and debugging: r18832, r18833
  • support TLS connections to the LDAP server: r18834
  • option to specify the CACERT file (for using self-signed certs) and change the password encoding (which defaults to "utf-8" - spec says "utf-8" but MS AD servers may require "utf-16-le" to support special characters): r18835

Usage example:

xpra start --bind-tcp=0.0.0.0:10000 -d auth \
    "--tcp-auth=ldap,host=ldaphostname,port=389,username_format=cn=%username, o=%domain"

Details on the settings, which are all optional:

  • "host" defaults to "localhost"
  • "port" defaults to 389
  • "tls" defaults to 0 (false)
  • "cacert" defaults to no value
  • "encoding" defaults to "utf-8"
  • "username_format": the special strings "%username" and "%domain" will be substituted at runtime. The username is specified by the client. The domain value is obtained using socket.getfqdn and removing the hostname part (keeping everything after the first dot).

According to this very helpful blog post: Python LDAP authentication with Microsoft Active Directory, the username_format for AD is just "%username@%domain". That's assuming that the server's domain name is set correctly too, otherwise replace %domain with the desired value.
See also: Configuring and securing PYTHON LDAP Applications
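The "%username" value in "username_format" is supplied by the connecting client and is spliced into a bind DN, so it is worth seeing what a safe substitution looks like. The following is an added example written for this page, not xpra's own code: it derives %domain the way the comment describes (everything after the first dot of socket.getfqdn()), escapes the username per RFC 4514 whenever the format is a DN, and leaves the AD UPN form ("%username@%domain") and the "DOMAIN\username" form untouched apart from a control-character check. The function names and the inline escaping table are assumptions for illustration; python-ldap's ldap.dn.escape_dn_chars() provides the same escaping.

```python
import re
import socket
from typing import Optional

# RFC 4514 section 2.4 escaping for a single attribute value inside a DN.
# Implemented inline so the block runs without python-ldap installed.
_DN_SPECIAL = {
    "\\": "\\\\", ",": "\\,", "+": "\\+", '"': '\\"', "<": "\\<",
    ">": "\\>", ";": "\\;", "=": "\\=", "\x00": "\\00",
}


def escape_dn_value(value: str) -> str:
    """Escape a string so it can only ever be one attribute value in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append(_DN_SPECIAL[ch])
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def domain_from_fqdn(fqdn: str) -> str:
    """Everything after the first dot of the FQDN ('' when there is no dot),
    which is the derivation the comment above describes for %domain."""
    _hostname, dot, domain = fqdn.partition(".")
    return domain if dot else ""


def bind_name(username_format: str, username: str, domain: Optional[str] = None) -> str:
    """Expand %username / %domain in username_format.

    The username comes from the client, so it is rejected if it carries
    control characters and, when the format is a DN (contains '='), escaped
    per RFC 4514 so a value like 'alice,o=evil' cannot add RDNs. UPN
    ('%username@%domain') and NTLM ('DOMAIN\\%username') forms are not DNs
    and are inserted verbatim after the control-character check.
    """
    if not username or re.search(r"[\x00-\x1f\x7f]", username):
        raise ValueError("username is empty or contains control characters")
    if domain is None:
        domain = domain_from_fqdn(socket.getfqdn())
    value = escape_dn_value(username) if "=" in username_format else username
    fields = {"username": value, "domain": domain}
    # Single pass, so a username containing the text '%domain' is not expanded twice;
    # a callable replacement also keeps backslashes in the value literal.
    return re.sub(r"%(username|domain)", lambda m: fields[m.group(1)], username_format)


if __name__ == "__main__":
    fmt = "cn=%username, o=%domain"
    print(bind_name(fmt, "alice", "example.org"))
    print(bind_name(fmt, "alice,o=evil", "example.org"))
```

Run against the usage example's format, "alice,o=evil" becomes "cn=alice\,o\=evil, o=example.org", a single cn value, rather than a DN with an extra RDN.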


totaam commented Mar 25, 2018

2018-03-25 14:56:42: antoine commented


Another ldap backend, this time using the ldap3 python library. This one may be easier to use against AD servers, the username takes the form: "DOMAIN\username".

  • r18843: add "ldap3" authentication module, man page update, etc
  • r18844: macos moduleset changes
  • r18845 + r18846: debug logging tweaks
  • r19030: optional "recommends" rpm dependency

It uses the same options as the "ldap" authentication module: "host", "port", "tls", "cacert", but not "encoding". And also some new options:

  • "authentication" defaults to "NTLM", the other options are: "SIMPLE" and "SASL" (should not be used)
  • "ssl-version" defaults to "TLSv1" (see python ssl: socket creation for more details).
  • "ssl-validate" defaults to "REQUIRED", other options: "OPTIONAL" and "NONE".

Usage example:

xpra start --bind-tcp=0.0.0.0:10000 -d auth \
    --tcp-auth=ldap3,host=localhost,port=389

@maxmylyn: please test both backends against ldap and AD servers.
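The "ssl-version" and "ssl-validate" settings listed above map directly onto Python's ssl module, and the defaults as described (tls=0 from the first backend, ssl-version=TLSv1 here) are the weak end of each setting. The following is an added example written for this page, not xpra's own code and independent of the ldap3 library: it builds a client SSLContext from a --tcp-auth style option string using only the standard library, reports the settings a reviewer would flag (tls=0, ssl-version below TLS 1.2, ssl-validate=NONE, authentication=SASL), and refuses to build a context for them unless the caller opts in. The option parser, the function names and the accepted ssl-version spellings (TLSv1_2, TLSv1_3) are assumptions for illustration, not xpra's own option parsing.

```python
import ssl
from typing import List, Optional

# Weakest protocol version this helper will configure, whatever "ssl-version" says.
MIN_TLS = ssl.TLSVersion.TLSv1_2

# Assumed spellings for "ssl-version", mapped to Python's ssl.TLSVersion members.
TLS_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
    "TLSv1_3": ssl.TLSVersion.TLSv1_3,
}

# The three "ssl-validate" values named in the comment above.
VALIDATE_MODES = {
    "REQUIRED": ssl.CERT_REQUIRED,
    "OPTIONAL": ssl.CERT_OPTIONAL,
    "NONE": ssl.CERT_NONE,
}


def parse_auth_options(spec: str) -> dict:
    """Split 'ldap3,host=localhost,port=389' into {'module': 'ldap3', 'host': ..., ...}.

    Hypothetical parser for illustration: it does not handle values that
    themselves contain commas and is not xpra's own option parsing.
    """
    module, *pairs = spec.split(",")
    opts = {"module": module.strip()}
    for pair in pairs:
        key, eq, value = pair.partition("=")
        if not eq:
            raise ValueError(f"malformed option {pair!r}")
        opts[key.strip()] = value.strip()
    return opts


def tls_findings(opts: dict) -> List[str]:
    """Return the settings (explicit or defaulted) a reviewer would flag."""
    findings = []
    if opts.get("tls", "0") != "1":
        findings.append("tls=0: bind credentials cross the network in clear text")
    version = opts.get("ssl-version", "TLSv1")
    if version not in TLS_VERSIONS:
        findings.append(f"ssl-version={version}: unknown value")
    elif TLS_VERSIONS[version] < MIN_TLS:
        findings.append(f"ssl-version={version}: below TLS 1.2")
    validate = opts.get("ssl-validate", "REQUIRED").upper()
    if validate not in VALIDATE_MODES:
        findings.append(f"ssl-validate={validate}: unknown value")
    elif validate == "NONE":
        findings.append("ssl-validate=NONE: server certificate is not checked")
    if opts.get("authentication", "NTLM").upper() == "SASL":
        findings.append("authentication=SASL: marked 'should not be used' above")
    return findings


def ldap_tls_context(opts: dict, allow_insecure: bool = False) -> Optional[ssl.SSLContext]:
    """Build the client SSLContext the options describe.

    Raises ValueError on any finding unless allow_insecure=True, so the weak
    defaults (tls=0, ssl-version=TLSv1) cannot be reached by omission.
    """
    findings = tls_findings(opts)
    if findings and not allow_insecure:
        raise ValueError("; ".join(findings))
    if opts.get("tls", "0") != "1":
        return None  # caller explicitly accepted a plaintext connection
    # PROTOCOL_TLS_CLIENT enables hostname checking and CERT_REQUIRED by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    requested = TLS_VERSIONS.get(opts.get("ssl-version", "TLSv1"), MIN_TLS)
    ctx.minimum_version = max(requested, MIN_TLS)  # never configure TLS 1.0/1.1
    mode = VALIDATE_MODES.get(opts.get("ssl-validate", "REQUIRED").upper(), ssl.CERT_REQUIRED)
    if mode == ssl.CERT_NONE:
        ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    else:
        # In client mode CERT_OPTIONAL behaves like CERT_REQUIRED (Python ssl docs).
        ctx.verify_mode = ssl.CERT_REQUIRED
    cacert = opts.get("cacert")
    if cacert:
        ctx.load_verify_locations(cafile=cacert)  # self-signed or private CA
    else:
        ctx.load_default_certs()
    return ctx


if __name__ == "__main__":
    for spec in ("ldap3,host=localhost,port=389",
                 "ldap3,host=ldap.example.org,port=389,tls=1,ssl-version=TLSv1_2"):
        print(spec, "->", tls_findings(parse_auth_options(spec)) or "ok")
```

Note that the usage example above ("ldap3,host=localhost,port=389") yields two findings purely from the defaults, which is the point: a deployment has to set tls=1 and a TLS 1.2 or later ssl-version explicitly to get a checked, encrypted bind.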
