LDAP Auth

Problem:
LDAP Auth Availability

Expected outcome:
Connect LDAP Server to Pulp

Pulpcore version:
3.29.1

Operating system - distribution and version:
Pulp3 through Pulp Operator 1.0.0-alpha.8 (latest version in the GitHub repo) in Kubernetes v1.25.6

Other relevant data:
Currently there is no official documentation in the newest version for LDAP Auth through the pulp.yaml file. Is this feature available in the latest version? I have tried it multiple times already with no success.

I have used these configs in the past.

AUTHENTICATION_BACKEND_PRESET: xxxx
AUTH_LDAP_SERVER_URI: "xxxx"
AUTH_LDAP_BIND_DN: "xxxx"
AUTH_LDAP_BIND_PASSWORD: "xxxx"
AUTH_LDAP_USER_SEARCH_BASE_DN: "xxxx"
AUTH_LDAP_USER_SEARCH_SCOPE: "SUBTREE"
AUTH_LDAP_USER_SEARCH_FILTER: "(uid=%(user)s)"
AUTH_LDAP_GROUP_SEARCH_BASE_DN: "xxxx"
AUTH_LDAP_GROUP_SEARCH_SCOPE: "SUBTREE"
AUTH_LDAP_GROUP_SEARCH_FILTER: "xxxx"
AUTH_LDAP_GROUP_TYPE_CLASS: "xxxx"

Hey there @AJJA !

I am not anything like an LDAP authority. I know we’ve done experiments with it; @ipanova pointed me at the following resources:

First thing I’d check is to make sure you have "django_auth_ldap.backend.LDAPBackend" added to your AUTHENTICATION_BACKENDS.

Hopefully we can get some more-knowledgeable eyes on this for you!

1 Like
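A pre-deployment check for the settings posted in the question, starting with the AUTHENTICATION_BACKENDS check suggested in the reply above. This is an added example, not part of the thread or of Pulp: `check_ldap_settings`, the sample values and the idea of holding the settings in a Python dict are assumptions, and `AUTH_LDAP_START_TLS` is a django-auth-ldap setting that the thread does not mention.

```python
from urllib.parse import urlparse

LDAP_BACKEND = "django_auth_ldap.backend.LDAPBackend"
# Keys as posted in the question that must hold real values before deploying.
REQUIRED = (
    "AUTH_LDAP_SERVER_URI",
    "AUTH_LDAP_BIND_DN",
    "AUTH_LDAP_BIND_PASSWORD",
    "AUTH_LDAP_USER_SEARCH_BASE_DN",
    "AUTH_LDAP_USER_SEARCH_FILTER",
)


def check_ldap_settings(settings):
    """Return a list of (key, problem) tuples; an empty list means no finding."""
    findings = []
    # First check from the reply: the LDAP backend has to be enabled at all.
    if LDAP_BACKEND not in settings.get("AUTHENTICATION_BACKENDS", []):
        findings.append(("AUTHENTICATION_BACKENDS", "LDAPBackend not listed"))
    for key in REQUIRED:
        value = str(settings.get(key, "")).strip()
        if not value or value == "xxxx":
            findings.append((key, "missing or still a placeholder"))
    uri = str(settings.get("AUTH_LDAP_SERVER_URI", ""))
    scheme = urlparse(uri).scheme.lower()
    if scheme == "ldap" and not settings.get("AUTH_LDAP_START_TLS", False):
        # Plain ldap:// without StartTLS exposes the bind and user passwords.
        findings.append(("AUTH_LDAP_SERVER_URI", "bind password sent without TLS"))
    elif scheme not in ("ldap", "ldaps") and uri and uri != "xxxx":
        findings.append(("AUTH_LDAP_SERVER_URI", "scheme must be ldap:// or ldaps://"))
    # django-auth-ldap substitutes the login name for %(user)s in the filter.
    flt = str(settings.get("AUTH_LDAP_USER_SEARCH_FILTER", ""))
    if flt and flt != "xxxx" and "%(user)s" not in flt:
        findings.append(("AUTH_LDAP_USER_SEARCH_FILTER", "no %(user)s placeholder"))
    return findings


# Constructed sample values (example.com), not taken from the thread.
SAMPLE = {
    "AUTHENTICATION_BACKENDS": ["django.contrib.auth.backends.ModelBackend"],
    "AUTH_LDAP_SERVER_URI": "ldap://ldap.example.com:389",
    "AUTH_LDAP_BIND_DN": "cn=pulp,ou=services,dc=example,dc=com",
    "AUTH_LDAP_BIND_PASSWORD": "xxxx",
    "AUTH_LDAP_USER_SEARCH_BASE_DN": "ou=people,dc=example,dc=com",
    "AUTH_LDAP_USER_SEARCH_FILTER": "(uid=%(user)s)",
}

if __name__ == "__main__":
    for key, problem in check_ldap_settings(SAMPLE):
        print(f"{key}: {problem}")
```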

Hello

I delayed the answer as now I am at this step. I already have the info for the external LDAP server. How to connect to it is the issue now. Since there is no native solution, I have a few questions.

Would this be worth the time as it’s 3 years back?

So about this here, where do I patch this one? I see settings.py in /etc/pulp/settings.py in my pulp-api pod but not sure if it’s the right one.

Should pulp and the web server be running on the same server/pod?

Right now the images that the pulp-operator deploys don’t include the django-auth-ldap package. You would need to provide your own image. You could then specify all the settings as part of the Pulp CR spec.pulp_settings[0]. You would also need to build a custom pulp-web image with the right nginx config.

Please file an issue here[1] asking to add LDAP support in pulp-operator.

[0] Pulp - Pulp Operator
[1] https://github.com/pulp/pulp-operator/issues/new?assignees=&labels=Feature%2C+Triage-Needed&projects=&template=feature_request.md&title=

1 Like

Can you explain this part a little bit more?

The documentation for configuring a reverse proxy that performs authentication is here[0]. You just need to add one line to the nginx config that tells it to set the REMOTE_USER header.

[0] Webserver — Pulp Project 3.30.0 documentation