
graphite-dev team mailing list archive

[Merge] lp:~casedeg/graphite/ldap-fix into lp:graphite


Cees de Groot has proposed merging lp:~casedeg/graphite/ldap-fix into lp:graphite.

Requested reviews:
  graphite-dev (graphite-dev)

For more details, see:
https://code.launchpad.net/~casedeg/graphite/ldap-fix/+merge/168499

We had issues hooking up graphite to LDAP because our LDAP directory doesn't allow anonymous browsing and an R/O account with a hardcoded password is frowned upon by the admins.

Therefore, I created a change that allows you to configure the LDAP backend so that the user's own credentials are used for the initial bind() call. This is also how I remember (vaguely, it's been a while since I toyed with LDAP ;-)) how LDAP auth should be done.


-- 
https://code.launchpad.net/~casedeg/graphite/ldap-fix/+merge/168499
Your team graphite-dev is requested to review the proposed merge of lp:~casedeg/graphite/ldap-fix into lp:graphite.
=== modified file 'webapp/graphite/account/ldapBackend.py'
--- webapp/graphite/account/ldapBackend.py	2011-09-16 08:10:42 +0000
+++ webapp/graphite/account/ldapBackend.py	2013-06-10 17:12:26 +0000
@@ -22,7 +22,10 @@
     try:
       conn = ldap.initialize(settings.LDAP_URI)
       conn.protocol_version = ldap.VERSION3
-      conn.simple_bind_s( settings.LDAP_BASE_USER, settings.LDAP_BASE_PASS )
+      conn.start_tls_s()
+      bind_user = settings.LDAP_BASE_USER % username if "%s" in settings.LDAP_BASE_USER else settings.LDAP_BASE_USER
+      bind_pass = settings.LDAP_BASE_PASS % password if "%s" in settings.LDAP_BASE_PASS else settings.LDAP_BASE_PASS
+      conn.simple_bind_s( bind_user, bind_pass )
     except ldap.LDAPError:
       traceback.print_exc()
       return None
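Review bot: `conn.start_tls_s()` is called unconditionally, which fails for the `ldaps://` URI that local_settings.py.example documents (StartTLS on a connection that is already TLS-wrapped is rejected) and for plain `ldap://` servers that do not offer StartTLS, so every login would land in the `except ldap.LDAPError` branch and return None; gate it on the URI scheme or a dedicated setting, e.g. `if settings.LDAP_URI.startswith("ldap://"): conn.start_tls_s()`. Two further points on the new bind lines: `settings.LDAP_BASE_USER % username` interpolates the raw username into a DN, so a value containing `,`, `=`, `+` or `\` changes the structure of the DN; run it through `ldap.dn.escape_dn_chars(username)` before substitution. And `settings.LDAP_BASE_PASS % password` with an empty password turns the call into an unauthenticated simple bind, which many directories accept as success, so an empty `password` should be rejected before `simple_bind_s` is reached.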

=== modified file 'webapp/graphite/local_settings.py.example'
--- webapp/graphite/local_settings.py.example	2013-03-21 11:17:49 +0000
+++ webapp/graphite/local_settings.py.example	2013-06-10 17:12:26 +0000
@@ -98,8 +98,19 @@
 #	OR
 #LDAP_URI = "ldaps://ldap.mycompany.com:636"
 #LDAP_SEARCH_BASE = "OU=users,DC=mycompany,DC=com"
+# 
+# A hardcoded base user/pass looks like this:
+#
 #LDAP_BASE_USER = "CN=some_readonly_account,DC=mycompany,DC=com"
 #LDAP_BASE_PASS = "readonly_account_password"
+#
+# ...however, it's often not a good idea. If you include "%s" in the 
+# base user/pass, then they'll get expanded with what the user typed
+# in. This lets you effectively bind with the user's own account.
+#
+#LDAP_BASE_USER = "CN=%s,DC=mycompany,DC=com"
+#LDAP_BASE_PASS = "%s"
+#
 #LDAP_USER_QUERY = "(username=%s)"  #For Active Directory use "(sAMAccountName=%s)"
 #
 # If you want to further customize the ldap connection options you should
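Review bot: the new comment block should mention that the backend now always issues StartTLS on the connection, because that contradicts the `ldaps://ldap.mycompany.com:636` example a few lines above; either document the restriction or describe the setting that controls it. It should also state that `%s` in LDAP_BASE_USER is a plain string substitution into a DN, so the template only works if usernames contain no DN-special characters (or the backend escapes them), and that the `%s` trigger means a hardcoded LDAP_BASE_PASS that happens to contain the characters `%s` would be mis-parsed. Minor: the first added line `# ` carries trailing whitespace.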