
Opened 9 months ago

Closed 7 months ago

#1791 closed enhancement (worksforme)

ldap authentication

Reported by: Antoine Martin Owned by: J. Max Mena
Priority: major Milestone: 2.3
Component: core Version: 2.2.x
Keywords: Cc:

Description

See also #1691, #1789, #1728

Change History (3)

comment:1 Changed 9 months ago by Antoine Martin

Status: new → assigned

Done:

  • ldap authentication module added in r18827 using python-ldap
  • macos modules added in r18828 + r18829
  • win32 packaging in r18830
  • Active Directory compatibility improvements in r18831
  • environment variables for tuning and debugging: r18832, r18833
  • support TLS connections to the LDAP server: r18834
  • option to specify the CACERT file (for using self-signed certs) and change the password encoding (which defaults to "utf-8" - spec says "utf-8" but MS AD servers may require "utf-16-le" to support special characters): r18835

Usage example:

xpra start --bind-tcp=0.0.0.0:10000 -d auth \
    "--tcp-auth=ldap,host=ldaphostname,port=389,username_format=cn=%username, o=%domain"

Details on the settings, which are all optional:

  • "host" defaults to "localhost"
  • "port" defaults to 389
  • "tls" defaults to 0 (false)
  • "cacert" defaults to no value
  • "encoding" defaults to "utf-8"
  • "username_format": the special strings "%username" and "%domain" will be substituted at runtime. The username is specified by the client. The domain value is obtained using socket.getfqdn and removing the hostname part (keeping everything after the first dot).

According to this very helpful blog post: Python LDAP authentication with Microsoft Active Directory, the username_format for AD is just "%username@%domain". That's assuming that the server's domain name is set correctly too, otherwise replace %domain with the desired value.
See also: Configuring and securing PYTHON LDAP Applications

Last edited 9 months ago by Antoine Martin

comment:2 Changed 9 months ago by Antoine Martin

Owner: changed from Antoine Martin to J. Max Mena
Status: assigned → new

Another ldap backend, this time using the ldap3 python library. This one may be easier to use against AD servers, the username takes the form: "DOMAIN\username".

  • r18843: add "ldap3" authentication module, man page update, etc
  • r18844: macos moduleset changes
  • r18845 + r18846: debug logging tweaks
  • r19030: optional "recommends" rpm dependency

It uses the same options as the "ldap" authentication module: "host", "port", "tls", "cacert", but not "encoding". And also some new options:

  • "authentication" defaults to "NTLM", the other options are: "SIMPLE" and "SASL" (should not be used)
  • "ssl-version" defaults to "TLSv1" (see python ssl: socket creation for more details).
  • "ssl-validate" defaults to "REQUIRED", other options: "OPTIONAL" and "NONE".

Usage example:

xpra start --bind-tcp=0.0.0.0:10000 -d auth \
    --tcp-auth=ldap3,host=localhost,port=389

@maxmylyn: please test both backends against ldap and AD servers.

Last edited 8 months ago by Antoine Martin
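The two comments above describe the option strings accepted by the "ldap" and "ldap3" backends, the %username / %domain substitution, and the DOMAIN\username form used with NTLM. The following is an added, stand-alone Python example that is not xpra's own code: it parses an auth spec into options with the documented defaults, derives the domain from the server FQDN exactly as the ticket describes (everything after the first dot), validates the enumerated ldap3 options, and produces what a bind would need, without opening any connection. Everything beyond what the ticket states is an assumption of this example and is marked as such in the code: the parser's handling of commas inside a DN template, the default of "%username" for username_format, "tls" selecting an ldaps URI, and the RFC 4514 escaping of the client-supplied username before it is substituted into a DN.

```python
import re
import socket

# Option defaults for both backends, as listed in the ticket comments. "ldap3"
# drops "encoding" and "username_format" and adds the three ssl/auth options.
# The "%username" default for username_format is assumed (the ticket gives none).
COMMON_DEFAULTS = {"host": "localhost", "port": "389", "tls": "0", "cacert": None}
MODULE_DEFAULTS = {
    "ldap": {**COMMON_DEFAULTS, "encoding": "utf-8", "username_format": "%username"},
    "ldap3": {**COMMON_DEFAULTS, "authentication": "NTLM",
              "ssl-version": "TLSv1", "ssl-validate": "REQUIRED"},
}
# Allowed values for the enumerated ldap3 options (from the ticket text).
CHOICES = {
    "authentication": ("NTLM", "SIMPLE", "SASL"),
    "ssl-validate": ("REQUIRED", "OPTIONAL", "NONE"),
}


def parse_auth_spec(spec):
    """Parse 'module,key=value,...' into (module, options) with defaults applied.

    Hypothetical parser written for this example, not xpra's own. Segments are
    split on ',', but a segment whose key is not a known option is treated as a
    continuation of the previous value, so a DN template such as
    'cn=%username, o=%domain' survives the split intact.
    """
    parts = spec.split(",")
    module = parts[0].strip()
    if module not in MODULE_DEFAULTS:
        raise ValueError("unknown auth module %r" % module)
    options = dict(MODULE_DEFAULTS[module])
    last_key = None
    for segment in parts[1:]:
        key, sep, value = segment.partition("=")
        key = key.strip()
        if sep and key in options:
            options[key] = value
            last_key = key
        elif last_key is not None:
            options[last_key] += "," + segment  # re-join a comma inside a value
        else:
            raise ValueError("cannot parse option segment %r" % segment)
    options["port"] = int(options["port"])
    options["tls"] = options["tls"].strip().lower() in ("1", "true", "yes", "on")
    for key, allowed in CHOICES.items():
        if key in options:
            options[key] = options[key].strip().upper()
            if options[key] not in allowed:
                raise ValueError("%s must be one of %s" % (key, ", ".join(allowed)))
    return module, options


def domain_from_fqdn(fqdn=None):
    """Domain part of the server's FQDN: everything after the first dot.

    This is the rule stated in the ticket (socket.getfqdn with the hostname
    part removed). A bare hostname yields '' so the caller can notice it.
    """
    if fqdn is None:
        fqdn = socket.getfqdn()
    return fqdn.partition(".")[2]


def escape_dn_value(value):
    """Escape a client-supplied attribute value for use inside a DN (RFC 4514).

    Defensive step assumed by this example: the username comes from the client
    and is substituted into the bind DN, so characters with structural meaning
    in a DN (and NUL) are escaped rather than passed through.
    """
    escaped = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            escaped.append("\\00")
        elif (ch in '\\,+"<>;' or (i == 0 and ch in "# ")
              or (i == len(value) - 1 and ch == " ")):
            escaped.append("\\" + ch)
        else:
            escaped.append(ch)
    return "".join(escaped)


def format_username(username_format, username, domain):
    """Apply the ldap module's %username / %domain substitution in one pass."""
    values = {"username": escape_dn_value(username), "domain": domain}
    return re.sub(r"%(username|domain)", lambda m: values[m.group(1)], username_format)


def split_ntlm_user(username):
    """Split the 'DOMAIN\\username' form expected by the ldap3 NTLM backend."""
    domain, sep, user = username.partition("\\")
    if not sep or not domain or not user:
        raise ValueError("NTLM authentication expects DOMAIN\\username")
    return domain, user


def build_bind(spec, username, password, fqdn=None):
    """Turn an auth spec plus client credentials into (uri, identity, secret).

    No connection is made; a real backend would hand these to python-ldap or
    ldap3. "tls" selecting the ldaps scheme is an assumption of this example.
    """
    module, options = parse_auth_spec(spec)
    uri = "%s://%s:%d" % ("ldaps" if options["tls"] else "ldap", options["host"], options["port"])
    if module == "ldap":
        identity = format_username(options["username_format"], username, domain_from_fqdn(fqdn))
        secret = password.encode(options["encoding"])  # "utf-16-le" for some AD servers
    else:
        if options["authentication"] == "NTLM":
            split_ntlm_user(username)  # reject anything not shaped DOMAIN\user
        identity = username
        secret = password.encode("utf-8")  # ldap3 takes the str; bytes kept for one return type
    return uri, identity, secret
```

Running `build_bind('ldap,host=ldaphostname,port=389,username_format=cn=%username, o=%domain', 'alice', 'secret', fqdn='xpra.example.com')` yields the DN `cn=alice, o=example.com` for host ldaphostname, while `build_bind('ldap3,host=localhost,port=389', 'EXAMPLE\\alice', 'secret')` passes the NTLM-style name through unchanged. A username such as `bob,ou=admins` comes back as `bob\,ou=admins` rather than adding an RDN to the bind DN, and `ssl-validate=SOMETIMES` is rejected at parse time instead of silently weakening certificate checking.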

comment:3 Changed 7 months ago by Antoine Martin

Resolution: worksforme
Status: new → closed