The LDAP backend reads credentials and authenticates user against an LDAP server. This backend was originally contributed to st2 repo by Ruslan Tumarkin under PR #1790.
Note:
Currently there are two types of LDAP backends available - community contributed one and one developed and maintained by the StackStorm team. This repository contains a community contributed one.
Community contributed backend can be installed by anyone and the StackStorm developed one is only available in the enterprise edition (for more information on the enterprise edition, please see https://stackstorm.com/product/#enterprise).
The difference between them is that the one included in the enterprise edition is developed, supported, tested, maintained and certified by the StackStorm team and the community contributed one is developed and maintained by the community.
| option | required | default | description |
|---|---|---|---|
| ldap_uri | yes | URI of the LDAP server. Format: <protocol>://<hostname>[:port] (Protocol: ldap or ldaps) |
|
| use_tls | yes | Boolean parameter to set if tls is required. Should be set to false using ldaps in the uri. | |
| bind_dn | no | DN user to bind to LDAP. If an empty string, an anonymous bind is performed. To use the user supplied username in the bind_dn, use the {username} placeholder in string. |
|
| bind_pw | no | DN password. Use the {password} placeholder in the string to use the user supplied password. |
|
| user | no | Search parameters for user authentication. see user table below | |
| group | no | Search parameters for user's group membership. see group table below |
| option | required | default | description |
|---|---|---|---|
| base_dn | yes | Base DN on the LDAP server to be used when lookuping up the user account. | |
| search_filter | yes | Should contain the placeholder {username} for the username. |
|
| scope | yes | The scope of the search to be performed. Available choices: base, onelevel, subtree |
| option | required | default | description |
|---|---|---|---|
| base_dn | yes | Base DN on the LDAP server to be used when lookuping up the group. | |
| search_filter | yes | Should contain the placeholder {username} for the username. |
|
| scope | yes | The scope of the search to be performed. Available choices: base, onelevel, subtree |
Please refer to the authentication section in the StackStorm documentation for basic setup concept. The following is an example of the auth section in the StackStorm configuration file for the ldap backend.
[auth] mode = standalone backend = ldap backend_kwargs = { "ldap_uri": "ldap://ldap.example.com", "use_tls": true, "bind_dn": "cn=user,dc=example,dc=com", "bind_pw": "bind_password", "user": {"base_dn": "ou=users,dc=example,dc=com", "search_filter": "(uid={username})", "scope": "onelevel"}, "group": {"base_dn": "ou=groups,dc=example,dc=com", "search_filter": "(&(cn=st2access)(memberUid={username}))", "scope": "subtree"} } enable = True use_ssl = True cert = /path/to/ssl/cert/file key = /path/to/ssl/key/file logging = /path/to/st2auth.logging.conf api_url = https://myhost.example.com:9101 debug = False
There is no one standard way to store user credentials in LDAP. There are various ways to organise the directory tree and various ways to secure it. In some cases, the users DN can't be determined with a static configuration and requires a bind DN to locate the user in the database before user authentication can occur.
This authentication backend attempts to be flexible with the way LDAP binding and authentication can be performed, but may not meet all uses cases.
Using sAMAccountName should be unique in combination with a domain name.
"user_dn": "sAMAccountName={{username}}@example.com"
Using userPrincipalName should be unique within a forest.
"user_dn": "userPrincipalName={{username}}"
Match unique users in a posix group
"uniqueMember=uid=
The procedure mentioned here is suitable for development environments and not recommended for production.
- Activate the stackstorm virtual environment.
source /<path to stackstorm>/st2/bin/activate - Install the LDAP plugin and it's dependencies.
pip install git+https://github.com/StackStorm/st2-auth-backend-ldap.git@master#egg=st2_auth_backend_ldap - Deactivate virtual environment.
deactivate - Configure the authentication backend in
/etc/st2/st2.conf(see example above). - Restart Stackstorm
st2ctl restart
There is no one standard way to store user credentials in LDAP. There are various ways to organise the directory tree and various ways to secure it. In some cases, the users DN can't be determined with a static configuration and requires a bind DN to locate the user in the database before user authentication can occur.
This authentication backend attempts to be flexible with the way LDAP binding and authentication can be performed, but may not meet all use cases.
Using sAMAccountName should be unique in combination with a domain name.
"bind_dn": "sAMAccountName={username}@example.com", "bind_pw": "{password}"
Using userPrincipalName should be unique within a forest.
"bind_dn": "userPrincipalName={username}", "bind_pw": "{password}"
Using anonymous binding
"bind_dn": "", "bind_pw": ""
Using bind DN
"bind_dn": "cn=bind_user,dc=example,dc=com", "bind_pw": "bind_user_password"
The procedure mentioned here is suitable for development environments and may not be ideal under production conditions.
- Activate the stackstorm virtual environment.
source /<path to stackstorm>/st2/bin/activate - Upgrade pip to the latest version.
pip install --update pip - Optionally, install dev packages for ldap
apt-get install libsasl2-dev python-dev libldap2-dev libssl-dev - Install the LDAP plugin and its dependencies.
pip install git+https://github.com/<github_account>/st2-auth-backend-ldap.git@master#egg=st2_auth_backend_ldap - Deactivate virtual environment.
deactivate - Configure the authentication backend in
/etc/st2/st2.conf(see example above). - Restart Stackstorm
st2ctl restart
Watch out for configuration errors in st2.conf, the auth daemon will silently fail to start if it encounters any errors.
Confirm you can get access with the required information:
apt-get install ldap-utils ldapsearch ....
Copyright 2015 StackStorm, Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this work except in compliance with the License. You may obtain a copy of the License in the LICENSE file, or at: http://www.apache.org/licenses/LICENSE-2.0
By contributing you agree that these contributions are your own (or approved by your employer) and you grant a full, complete, irrevocable copyright license to all users and developers of the project, present and future, pursuant to the license of the project.