Skip to content
/ taiga-contrib-ldap-auth Public

Taiga.io plugin for LDAP-based authentication (fork of ensky/taiga-contrib-ldap-auth)

License

AGPL-3.0 license
1 star 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Technariumas/taiga-contrib-ldap-auth

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

55 Commits

taiga_contrib_ldap_auth

taiga_contrib_ldap_auth

 
 

tests

tests

 
 

.gitignore

.gitignore

 
 

AUTHORS.md

AUTHORS.md

 
 

LICENSE

LICENSE

 
 

MANIFEST.in

MANIFEST.in

 
 

README.md

README.md

 
 

setup.py

setup.py

 
 

Repository files navigation

Taiga contrib ldap auth

Taiga.io plugin for LDAP authentication.

Installation

Install the PIP package taiga-contrib-ldap-auth in your taiga-back python virtualenv:

  pip install taiga-contrib-ldap-auth

If needed, change pip to pip3 to use the Python 3 version.

Configuration

taiga-back

Add the following to settings/local.py:

INSTALLED_APPS += ["taiga_contrib_ldap_auth"]

LDAP_SERVER = 'ldap://ldap.example.com'
LDAP_PORT = 389

# Full DN of the service account use to connect to LDAP server and search for login user's account entry
# If LDAP_BIND_DN is not specified, or is blank, then an anonymous bind is attempated
LDAP_BIND_DN = 'CN=SVC Account,OU=Service Accounts,OU=Servers,DC=example,DC=com'
LDAP_BIND_PASSWORD = '<REPLACE_ME>'

# Starting point within LDAP structure to search for login user
LDAP_SEARCH_BASE = 'OU=DevTeam,DC=example,DC=net'

# Additional search criteria to the filter (will be ANDed)
#LDAP_SEARCH_FILTER_ADDITIONAL = '(mail=*)'

# Names of attributes to get username, e-mail and full name values from
LDAP_USERNAME_ATTRIBUTE = 'uid'
LDAP_EMAIL_ATTRIBUTE = 'mail'
LDAP_FULL_NAME_ATTRIBUTE = 'displayName'

# Function to map LDAP username to local DB user unique identifier.
# Upon successful LDAP bind, will override returned username attribute
# value. May result in unexpected failures if changed after the database
# has been populated.
def _ldap_slugify(uid: str) -> str:
    # example: force lower-case
    #uid = uid.lower()
    return uid
#LDAP_MAP_USERNAME_TO_UID = _ldap_slugify

A dedicated domain service account user (specified by LDAP_BIND_DN) performs a search on LDAP for an account that has a LDAP_USERNAME_ATTRIBUTE or LDAP_EMAIL_ATTRIBUTE matching the user-provided login.

If the search is successful, then the returned entry and the user-provided password are used to attempt a bind to LDAP. If the bind is successful, then we can say that the user is authorised to log in to Taiga.

If the LDAP_BIND_DN configuration setting is not specified or is blank, then an anonymous bind is attempted to search for the login user's LDAP account entry.

RECOMMENDATION: for security reasons, if you are using a service account for performing the LDAP search, it should be configured to only allow reading/searching the LDAP structure. No other LDAP (or wider network) permissions should be granted for this user because you need to specify the service account password in the configuration file. A suitably strong password should be chosen, eg. VmLYBbvJaf2kAqcrt5HjHdG6

taiga-front

Change the loginFormType setting to "ldap" in dist/js/conf.json:

    ...
    "loginFormType": "ldap",
    ...

About

Taiga.io plugin for LDAP-based authentication (fork of ensky/taiga-contrib-ldap-auth)

Topics

ldap taiga ldap-authentication

Resources

Readme

License

AGPL-3.0 license
Activity
Custom properties

Stars

1 star

Watchers

5 watching

Forks

2 forks
Report repository

Releases

4 tags

Packages

No packages published

Contributors 10

Languages