
taiga-contrib-ldap-auth-ext's Introduction


Taiga contrib ldap auth ext

Extended Taiga.io plugin for LDAP authentication.

This is a fork of ensky/taiga-contrib-ldap-auth, which also merges the various contributions and other forks into one.

🐳 Installation with Docker

If you installed a dockerized Taiga using the 30 Minute Setup approach, you should be able to install this plugin using this guide.

The following will assume that you have a clone of the kaleidos-ventures/taiga-docker repository on the computer you want to host Taiga on.

taiga-back

  1. Edit the taiga-back section in the docker-compose.yml: Replace image: taigaio/taiga-back:latest with build: ./custom-back
  2. Create a folder custom-back next to the docker-compose.yml file
  3. In this folder, create a file config.append.py. Copy the contents of the taiga-back configuration section from this document into it.
  4. In this folder, also create a Dockerfile. The contents of the file are collapsed below.

If you were to start Taiga now, it would not pull taiga-back directly from Docker Hub but instead build the image from the specified Dockerfile. This is exactly what we want; however, do not start Taiga yet – there is still work to be done in taiga-front.

custom-back/Dockerfile

FROM taigaio/taiga-back:latest

# Insert custom configuration into the taiga configuration file
COPY config.append.py /taiga-back/settings
RUN cat /taiga-back/settings/config.append.py >> /taiga-back/settings/config.py && rm /taiga-back/settings/config.append.py

RUN pip install taiga-contrib-ldap-auth-ext

The statements in the Dockerfile have the following effect:

  1. FROM ... bases the image we build on the official taigaio/taiga-back image.
  2. COPY ... and RUN ... copy the config.append.py file into the container, append it to /taiga-back/settings/config.py and then delete it again.
  3. RUN pip install ... installs this plugin.

taiga-front

  1. Edit the taiga-front section in the docker-compose.yml. Insert the following below networks:

    volumes:
    - ./custom-front/conf.override.json:/usr/share/nginx/html/conf.json

    There should already be a commented block hinting that you can do this (just with a different path). You can delete this block or, alternatively, place the file at the path given there and just remove the #.

  2. Create a folder custom-front next to the docker-compose.yml file

  3. In this folder, create a file conf.override.json. The contents of the file are below.

custom-front/conf.override.json

This file will replace the conf.json file. As the conf.json is normally automatically generated at runtime from the configuration in your docker-compose.yml, this is a bit trickier. Basically, the process boils down to this:

  1. Somehow get a valid conf.json
  2. Create a modified version by adding the following entry somewhere in the JSON:
    "loginFormType": "ldap",

The question is: How do you get a valid conf.json?

  • The relevant section of the Taiga 30 min setup guide recommends using an example config.json, which you then have to adjust.
  • Alternatively, you could also start the container first without any adjustments, and then copy the file out like this:
    docker cp taiga_taiga-front_1:/usr/share/nginx/html/conf.json conf.json
    You then have a valid, production-ready conf.json you can just extend by the entry mentioned above. I'd recommend this method.

📦 Installation without Docker

Installation

Install the pip package taiga-contrib-ldap-auth-ext in your taiga-back Python virtualenv:

pip install taiga-contrib-ldap-auth-ext

If needed, change pip to pip3 to use the Python 3 version.

For an even simpler installation, you can use our own Docker image: https://github.com/Monogramm/docker-taiga

taiga-back

Append the contents of the taiga-back configuration section from this document to the file settings/common.py (for Taiga >5.0) or settings/local.py (for Taiga ≤5.0).

taiga-front

Change the loginFormType setting to "ldap" in dist/conf.json:

"loginFormType": "ldap",

🔧 Configuration

taiga-back configuration

If you use the installation with Docker, put the following contents in the file custom-back/config.append.py.

If you use the installation without Docker, append the following contents to the file settings/common.py (for Taiga >5.0) or settings/local.py (for Taiga ≤5.0).

INSTALLED_APPS += ["taiga_contrib_ldap_auth_ext"]

# Multiple LDAP servers are currently not supported, see
# https://github.com/Monogramm/taiga-contrib-ldap-auth-ext/issues/16
LDAP_SERVER = "ldaps://ldap.example.com"
LDAP_PORT = 636

LDAP_BIND_DN = "CN=SVC Account,OU=Service Accounts,OU=Servers,DC=example,DC=com"
LDAP_BIND_PASSWORD = "verysecurepassword"

LDAP_SEARCH_BASE = 'OU=DevTeam,DC=example,DC=net'

LDAP_USERNAME_ATTRIBUTE = "uid"
LDAP_EMAIL_ATTRIBUTE = "mail"
LDAP_FULL_NAME_ATTRIBUTE = "givenName"

LDAP_SAVE_LOGIN_PASSWORD = False

LDAP_MAP_USERNAME_TO_UID = None

Change the following fields matching your setup:

LDAP_SERVER and LDAP_PORT: You will definitely have to change the server URL. If possible, try to keep the ldaps:// to use a secure connection. The port can likely stay as is, unless...

  • ... you run the LDAP server on a different (non-standard) port.
  • ... you want to use unencrypted, insecure LDAP: In this case, change ldaps:// to ldap:// and the port to 389.
  • ... you want to use STARTTLS. In this case, you have to make the same changes as for unencrypted, insecure LDAP and set LDAP_START_TLS = True, making the section look like this:
    LDAP_SERVER = "ldap://ldap.example.com"
    LDAP_PORT = 389
    LDAP_START_TLS = True
    What happens is that an unencrypted connection is established first, but then upgraded to a secure connection. To the best of my knowledge, this should also be safe – however, I like the ldaps:// variant more.

LDAP_BIND_DN, LDAP_BIND_PASSWORD: You will need to change them.

The bind user is a dedicated service account. The plugin will connect to the LDAP server using this service account and search for an LDAP entry whose LDAP_USERNAME_ATTRIBUTE or LDAP_EMAIL_ATTRIBUTE matches the user-provided login.

If the search is successful, the found LDAP entry and the user-provided password are used to attempt a bind to LDAP. If the bind is successful, then we can say that the user is authorised to log in to Taiga.

If LDAP_BIND_DN is not specified or blank, an anonymous bind is attempted.

It is recommended to limit the service account and only allow it to read and search the LDAP structure (no write or other LDAP access). The credentials should also not be used for any other account on the network. This minimizes the damage in case of a successful LDAP injection or if you ever accidentally give someone access to the configuration file (e.g. by committing it into version control or having misconfigured permissions). Use a suitably strong, ideally randomly generated password.
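The search-then-bind flow described above, as an added example that is not the plugin's own code: it runs against a constructed in-memory directory (the FakeDirectory class, its entries and the authenticate() helper are assumptions of this example, not part of the plugin), ANDs an optional extra filter in the way LDAP_SEARCH_FILTER_ADDITIONAL is described, and escapes the user-supplied login per RFC 4515 so that it cannot change the meaning of the search filter.

```python
"""Search-then-bind LDAP login with RFC 4515 filter escaping (added example)."""
from typing import Dict, List, Optional, Tuple

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-controlled value before splicing it into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(login: str, username_attr: str = "uid",
                        email_attr: str = "mail", additional: str = "") -> str:
    """Match the login against the username or e-mail attribute, ANDed with an
    optional extra filter (the LDAP_SEARCH_FILTER_ADDITIONAL idea)."""
    safe = escape_filter_value(login)
    match = f"(|({username_attr}={safe})({email_attr}={safe}))"
    return f"(&{match}{additional})" if additional else match


def _unescape(value: str) -> str:
    """Turn \\XX hex escapes back into the literal characters they stand for."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _parse(flt: str, i: int = 0) -> Tuple[tuple, int]:
    """Parse the RFC 4515 subset used here (&, |, equality, presence) into a tree."""
    if flt[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if flt[i] in "&|":
        op, kids, i = flt[i], [], i + 1
        while flt[i] == "(":
            kid, i = _parse(flt, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip the closing ')'
    end = flt.index(")", i)               # a literal ')' can only appear escaped
    attr, value = flt[i:end].split("=", 1)
    # A bare '*' is a presence test; an escaped \2a is the literal character.
    return ("=", attr, None if value == "*" else _unescape(value)), end + 1


def _matches(node: tuple, entry: Dict[str, str]) -> bool:
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(_matches(kid, entry) for kid in node[1])
    _, attr, value = node
    return attr in entry if value is None else entry.get(attr) == value


class FakeDirectory:
    """Constructed stand-in for an LDAP server: a dict of DN -> attributes."""

    def __init__(self, entries: Dict[str, Dict[str, str]]) -> None:
        self.entries = entries

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password

    def search(self, flt: str) -> List[str]:
        tree, _ = _parse(flt)
        return [dn for dn, entry in self.entries.items() if _matches(tree, entry)]


def authenticate(directory: FakeDirectory, login: str, password: str,
                 bind_dn: str, bind_password: str, additional: str = "") -> Optional[str]:
    """Return the DN of the user who logged in, or None if login must be refused."""
    # Step 1: bind as the read-only service account (LDAP_BIND_DN / LDAP_BIND_PASSWORD).
    if not directory.bind(bind_dn, bind_password):
        return None
    # Step 2: search for the entry whose username or e-mail attribute equals the login.
    hits = directory.search(build_search_filter(login, additional=additional))
    if len(hits) != 1:   # unknown login, or an ambiguous match this example refuses
        return None
    # Step 3: bind as the found entry with the user-supplied password.
    return hits[0] if directory.bind(hits[0], password) else None


# Constructed sample directory: a service account and two DevTeam users.
SVC_DN = "CN=SVC Account,OU=Service Accounts,DC=example,DC=com"
DIRECTORY = FakeDirectory({
    SVC_DN: {"userPassword": "svc-secret"},
    "uid=alice,OU=DevTeam,DC=example,DC=com": {
        "uid": "alice", "mail": "alice@example.com", "userPassword": "alice-pw"},
    "uid=bob,OU=DevTeam,DC=example,DC=com": {"uid": "bob", "userPassword": "bob-pw"},
})

if __name__ == "__main__":
    print(authenticate(DIRECTORY, "alice", "alice-pw", SVC_DN, "svc-secret"))
    # A wildcard login is escaped to the literal '*' and therefore matches nobody.
    print(authenticate(DIRECTORY, "*", "alice-pw", SVC_DN, "svc-secret"))
```

The last call shows why the escaping matters: without it, a bare `*` would turn the equality assertions into presence tests that match every user.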

LDAP_SEARCH_BASE: The subtree where the users are located.

LDAP_USERNAME_ATTRIBUTE, LDAP_EMAIL_ATTRIBUTE, LDAP_FULL_NAME_ATTRIBUTE: These are the LDAP attributes used to get the username, email and full name shown in the Taiga application. They need to have a value in LDAP. Depending on your LDAP setup, you might need to change them.

LDAP_SAVE_LOGIN_PASSWORD: Set this to True or remove the line if you want to store the passwords in the local database as well.

LDAP_MAP_USERNAME_TO_UID: This line fixes a bug. If omitted, the plugin will likely crash and no authentication is possible.

Additional configuration options


By default, Taiga will fall back to normal authentication if LDAP authentication fails. Add the following line to disable this and only allow LDAP login:

LDAP_FALLBACK = ""

You can specify additional search criteria that will be ANDed using the following line:

LDAP_SEARCH_FILTER_ADDITIONAL = '(mail=*)'

If you want to change how the LDAP username, e-mail or name are mapped to the local database, you can use the following lines to do so:

def _ldap_slugify(uid: str) -> str:
    """Map an LDAP username to a local DB user unique identifier.

    Upon successful LDAP bind, will override returned username attribute
    value. May result in unexpected failures if changed after the database
    has been populated.
    """

    # example: force lower-case
    return uid.lower()

LDAP_MAP_USERNAME_TO_UID = _ldap_slugify


def _ldap_map_email(email: str) -> str:
    # Replace the body with your own mapping; as written it returns None.
    ...

def _ldap_map_name(name: str) -> str:
    # Replace the body with your own mapping; as written it returns None.
    ...

LDAP_MAP_EMAIL = _ldap_map_email
LDAP_MAP_NAME = _ldap_map_name

To support alternative TLS ciphersuites, protocol versions or disable certificate validation (note that all of these options have the power to harm your security, so apply them with caution), use the following lines:

from ldap3 import Tls
import ssl

# Add or remove options or change values as necessary.
LDAP_TLS_CERTS = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1, ciphers='RSA+3DES')

To not store the passwords in the local database, use the following line:

LDAP_SAVE_LOGIN_PASSWORD = False

Group management via LDAP does not yet exist, see issues #15 and #17. However, the configuration would look a bit like this:

# Group search filter where $1 is the project slug and $2 is the role slug
#LDAP_GROUP_SEARCH_FILTER = 'CN=$2,OU=$1,OU=Groups,DC=example,DC=net'
# Use an attribute in the user entry for membership
#LDAP_USER_MEMBER_ATTRIBUTE = 'memberof,primaryGroupID'
# Starting point within LDAP structure to search for login group
#LDAP_GROUP_SEARCH_BASE = 'OU=Groups,DC=example,DC=net'
# Group classes filter
#LDAP_GROUP_FILTER = '(|(objectclass=group)(objectclass=groupofnames)(objectclass=groupofuniquenames))'
# Group member attribute
#LDAP_GROUP_MEMBER_ATTRIBUTE = 'memberof,primaryGroupID'

# Taiga super users group id
#LDAP_GROUP_ADMIN = 'OU=TaigaAdmin,DC=example,DC=net'

💡 Further notes

  • Security recommendation: The service account used to perform the LDAP search should be configured to only allow reading/searching the LDAP structure. No other LDAP (or wider network) permissions should be granted to this user, because you need to specify the service account password in the configuration file. A suitably strong password should be chosen, e.g. VmLYBbvJaf2kAqcrt5HjHdG6.
  • If you are using Taiga's built-in USER_EMAIL_ALLOWED_DOMAINS config option, all LDAP email addresses will still be filtered through this list. Ensure that if USER_EMAIL_ALLOWED_DOMAINS != None, your corporate LDAP email domain is also listed there. This is due to the fact that LDAP users are automatically "registered" behind the scenes on their first login.
  • If you plan to only allow your LDAP users to access Taiga, set the PUBLIC_REGISTER_ENABLED config option to False. This will prevent any external user from registering while still automatically registering LDAP users on their first login.
  • Instead of appending to the common.py file in taiga-back, you can also insert the configuration into config.py. In our tests, both ways worked.


taiga-contrib-ldap-auth-ext's Issues

Multiple LDAP Server Array

Currently it seems only one LDAP server is allowed.

Would love to see an implementation which would allow multiples, for HA. Perhaps a CSV list would then be tried if one didn't respond.

Store Password and Set Admin

Currently, LDAP users can't use the Django admin panel (/admin). Is there an option, or could there be, to store user's passwords, and perhaps even ability to specify an ldap query for admin?

Add the possibility to disable ldap password stored in DB

Hello,
Since release 0.4, LDAP authentication stores the LDAP password in the DB, and this is against our security policies.
I'm a newbie in the Python language, but I can try to add a new setting to disable this storing.
For this, could you show me pieces of code about this issue #21?
Thxs.
Pascal B

Add logging

Currently, the plugin comes with very little logging, I believe.

It would be great if the plugin included logging (especially error logging), so that in case of problems debugging is easier.

The first step (for me, at least) would be to find out how logging is handled in Taiga, so that the plugin can output the logs to the same place where Taiga is storing them, so that they are all in one place.

encoding error

Login failed with error:

{
    "error_message": "LDAP bind failed: 'latin-1' codec can't encode characters in position 16-27: ordinal not in range(256)"
}

Users in my domain have Cyrillic names.

LDAP_USERNAME_ATTRIBUTE = 'sAMAccountName'
LDAP_EMAIL_ATTRIBUTE = 'mail'
LDAP_FULL_NAME_ATTRIBUTE = 'name'

login with LDAP user doesn't work

Describe the bug
LDAP doesn't work. I receive (in the browser) a 401 when trying to log in with an LDAP user.

To Reproduce
Steps to reproduce the behavior:

  1. Install after tutorial
  2. Try to login
  3. Error comes

Provide commands or configuration file if possible.

Expected behavior
Login with the user

config.append.py

INSTALLED_APPS += ["taiga_contrib_ldap_auth_ext"]

# Multiple LDAP servers are currently not supported, see
# https://github.com/Monogramm/taiga-contrib-ldap-auth-ext/issues/16
LDAP_SERVER = "ldap://SIMONZ.local"
LDAP_PORT = 389

LDAP_BIND_DN = "CN=None,OU=Benutzern,OU=IT,DC=SIMONZ,dc=local"
LDAP_BIND_PASSWORD = "Passwort123!"

LDAP_SEARCH_BASE = 'OU=Benutzern,OU=IT,DC=SIMONZ,dc=local'

LDAP_USERNAME_ATTRIBUTE = "sAMAccountName"
LDAP_EMAIL_ATTRIBUTE = "mail"
LDAP_FULL_NAME_ATTRIBUTE = "givenName"

LDAP_SAVE_LOGIN_PASSWORD = False

LDAP_MAP_USERNAME_TO_UID = None

conf.json

{
    "api": "http://192.168.1.3:8000/api/v1/",
    "eventsUrl": null,
    "baseHref": "/",
    "eventsMaxMissedHeartbeats": 5,
    "eventsHeartbeatIntervalTime": 60000,
    "eventsReconnectTryInterval": 10000,
    "debug": false,
    "debugInfo": false,
    "defaultLanguage": "en",
    "themes": [
        "taiga"
    ],
    "defaultTheme": "taiga",
    "defaultLoginEnabled": true,
    "publicRegisterEnabled": true,
    "feedbackEnabled": true,
    "supportUrl": "https://community.taiga.io/",
    "privacyPolicyUrl": null,
    "termsOfServiceUrl": null,
    "maxUploadFileSize": null,
    "contribPlugins": [],
    "tagManager": {
        "accountId": null
    },
    "tribeHost": null,
    "enableAsanaImporter": false,
    "enableGithubImporter": false,
    "enableJiraImporter": false,
    "enableTrelloImporter": false,
    "gravatar": false,
    "rtlLanguages": [
        "ar",
        "fa",
        "he"
    ]
}

conf.override.json
"loginFormType": "ldap",

docker-compose.yml

version: "3.5"

x-environment:
  &default-back-environment
  # These environment variables will be used by taiga-back and taiga-async.
  # Database settings
  POSTGRES_DB: "taiga"
  POSTGRES_USER: "${POSTGRES_USER}"
  POSTGRES_PASSWORD: "${POSTGRES_PASSWORD}"
  POSTGRES_HOST: "taiga-db"
  # Taiga settings
  TAIGA_SECRET_KEY: "${SECRET_KEY}"
  TAIGA_SITES_SCHEME: "${TAIGA_SCHEME}"
  TAIGA_SITES_DOMAIN: "${TAIGA_DOMAIN}"
  TAIGA_SUBPATH: "${SUBPATH}"
  # Email settings.
  EMAIL_BACKEND: "django.core.mail.backends.${EMAIL_BACKEND}.EmailBackend"
  DEFAULT_FROM_EMAIL: "${EMAIL_DEFAULT_FROM}"
  EMAIL_USE_TLS: "${EMAIL_USE_TLS}"
  EMAIL_USE_SSL: "${EMAIL_USE_SSL}"
  EMAIL_HOST: "${EMAIL_HOST}"
  EMAIL_PORT: "${EMAIL_PORT}"
  EMAIL_HOST_USER: "${EMAIL_HOST_USER}"
  EMAIL_HOST_PASSWORD: "${EMAIL_HOST_PASSWORD}"
  # Rabbitmq settings
  RABBITMQ_USER: "${RABBITMQ_USER}"
  RABBITMQ_PASS: "${RABBITMQ_PASS}"
  # Telemetry settings
  ENABLE_TELEMETRY: "${ENABLE_TELEMETRY}"
  # ...your customizations go here

x-volumes:
  &default-back-volumes
  # These volumens will be used by taiga-back and taiga-async.
  - taiga-static-data:/taiga-back/static
  - taiga-media-data:/taiga-back/media
  # - ./config.py:/taiga-back/settings/config.py

services:
  taiga-db:
    image: postgres:12.3
    environment:
      POSTGRES_DB: "taiga"
      POSTGRES_USER: "${POSTGRES_USER}"
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD}"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
      interval: 2s
      timeout: 15s
      retries: 5
      start_period: 3s
    volumes:
      - taiga-db-data:/var/lib/postgresql/data
    networks:
      - taiga

  taiga-back:
    #image: taigaio/taiga-back:latest
    build: ./custom-back
    environment: *default-back-environment
    volumes: *default-back-volumes
    networks:
      - taiga
    depends_on:
      taiga-db:
        condition: service_healthy
      taiga-events-rabbitmq:
        condition: service_started
      taiga-async-rabbitmq:
        condition: service_started
    ports:
      - "8000:8000"

  taiga-async:
    image: taigaio/taiga-back:latest
    entrypoint: ["/taiga-back/docker/async_entrypoint.sh"]
    environment: *default-back-environment
    volumes: *default-back-volumes
    networks:
      - taiga
    depends_on:
      taiga-db:
        condition: service_healthy
      taiga-events-rabbitmq:
        condition: service_started
      taiga-async-rabbitmq:
        condition: service_started

  taiga-async-rabbitmq:
    image: rabbitmq:3.8-management-alpine
    environment:
      RABBITMQ_ERLANG_COOKIE: "${RABBITMQ_ERLANG_COOKIE}"
      RABBITMQ_DEFAULT_USER: "${RABBITMQ_USER}"
      RABBITMQ_DEFAULT_PASS: "${RABBITMQ_PASS}"
      RABBITMQ_DEFAULT_VHOST: "${RABBITMQ_VHOST}"
    hostname: "taiga-async-rabbitmq"
    volumes:
      - taiga-async-rabbitmq-data:/var/lib/rabbitmq
    networks:
      - taiga

  taiga-front:
    image: taigaio/taiga-front:latest
    environment:
      TAIGA_URL: "${TAIGA_SCHEME}://${TAIGA_DOMAIN}"
      TAIGA_WEBSOCKETS_URL: "${WEBSOCKETS_SCHEME}://${TAIGA_DOMAIN}"
      TAIGA_SUBPATH: "${SUBPATH}"
      # ...your customizations go here
    networks:
      - taiga
    volumes:
      - ./conf.json:/usr/share/nginx/html/conf.json

  taiga-events:
    image: taigaio/taiga-events:latest
    environment:
      RABBITMQ_USER: "${RABBITMQ_USER}"
      RABBITMQ_PASS: "${RABBITMQ_PASS}"
      TAIGA_SECRET_KEY: "${SECRET_KEY}"
    networks:
      - taiga
    depends_on:
      taiga-events-rabbitmq:
        condition: service_started

  taiga-events-rabbitmq:
    image: rabbitmq:3.8-management-alpine
    environment:
      RABBITMQ_ERLANG_COOKIE: "${RABBITMQ_ERLANG_COOKIE}"
      RABBITMQ_DEFAULT_USER: "${RABBITMQ_USER}"
      RABBITMQ_DEFAULT_PASS: "${RABBITMQ_PASS}"
      RABBITMQ_DEFAULT_VHOST: "${RABBITMQ_VHOST}"
    hostname: "taiga-events-rabbitmq"
    volumes:
      - taiga-events-rabbitmq-data:/var/lib/rabbitmq
    networks:
      - taiga

  taiga-protected:
    image: taigaio/taiga-protected:latest
    environment:
      MAX_AGE: "${ATTACHMENTS_MAX_AGE}"
      SECRET_KEY: "${SECRET_KEY}"
    networks:
      - taiga

  taiga-gateway:
    image: nginx:1.19-alpine
    ports:
      - "9000:80"
    volumes:
      - ./taiga-gateway/taiga.conf:/etc/nginx/conf.d/default.conf
      - taiga-static-data:/taiga/static
      - taiga-media-data:/taiga/media
    networks:
      - taiga
    depends_on:
      - taiga-front
      - taiga-back
      - taiga-events

volumes:
  taiga-static-data:
  taiga-media-data:
  taiga-db-data:
  taiga-async-rabbitmq-data:
  taiga-events-rabbitmq-data:

networks:
  taiga:

Project (please complete the following information):

  • 6.8.0

Desktop (please complete the following information):

  • OS: Windows 11
  • Browser Brave
  • Version v1.67.134

Additional context

Thanks for the help in advance

Increase Discoverability of This Repo on GitHub

I just found this project as it was referenced in https://github.com/taigaio/taiga-back/issues/1068, but I wasn't able to find it by searching GitHub for "Taiga LDAP" because it is a fork of the old repo and not a standalone repository. It would be great if this repo were somehow made so that it wasn't a fork so that it would pop up in GitHub searches. It would be a shame to miss out on the more recently updated and fixed version of this plugin.

Can not add LDAP users to projects

I have this set up for testing, and I am able to add non-LDAP users to projects, but when it comes to LDAP users, it silently fails after calling /api/v1/memberships/bulk_create. It fails both for users who have logged into Taiga and exist in the users_user table, as well as those who could, but have not logged in from the AD domain.

I'm new to Taiga - are there any logs I can dig into to further debug, or do you have any ideas?

EDIT - This is resolved. It is not an issue with the plugin, though the docs perhaps could be a bit clearer. Scroll down to the bottom to see the conclusion.

taiga-back_1: ModuleNotFoundError: No module named 'taiga_contrib_ldap_auth_ext'

Describe the bug
the extension should be taiga-contrib-ldap-auth-ext

Please note the difference: taiga-contrib-ldap-auth-ext and taiga_contrib_ldap_auth_ext

To Reproduce
Steps to reproduce the behavior:
Follow taiga-contrib-ldap-auth-ext-2/README.md
docker-compose -f docker-compose.yml up|grep taiga-back
See error
Starting taiga-docker-main_taiga-async-rabbitmq_1 ... done
Starting taiga-docker-main_taiga-events-rabbitmq_1 ... done
Starting taiga-docker-main_taiga-front_1 ... done
Starting taiga-docker-main_taiga-db_1 ... done
Starting taiga-docker-main_taiga-protected_1 ... done
Starting taiga-docker-main_taiga-events_1 ... done
Starting taiga-docker-main_taiga-back_1 ... done
Starting taiga-docker-main_taiga-async_1 ... done
Starting taiga-docker-main_taiga-gateway_1 ... done
Attaching to taiga-docker-main_taiga-events-rabbitmq_1, taiga-docker-main_taiga-front_1, taiga-docker-main_taiga-async-rabbitmq_1, taiga-docker-main_taiga-protected_1, taiga-docker-main_taiga-db_1, taiga-docker-main_taiga-events_1, taiga-docker-main_taiga-back_1, taiga-docker-main_taiga-async_1, taiga-docker-main_taiga-gateway_1
taiga-back_1 | Executing pending migrations
taiga-back_1 | Traceback (most recent call last):
taiga-back_1 | File "manage.py", line 17, in
taiga-back_1 | execute_from_command_line(sys.argv)
taiga-back_1 | File "/opt/venv/lib/python3.7/site-packages/django/core/management/init.py", line 381, in execute_from_command_line
taiga-back_1 | utility.execute()
taiga-back_1 | File "/opt/venv/lib/python3.7/site-packages/django/core/management/init.py", line 357, in execute
taiga-back_1 | django.setup()
taiga-back_1 | File "/opt/venv/lib/python3.7/site-packages/django/init.py", line 24, in setup
taiga-back_1 | apps.populate(settings.INSTALLED_APPS)
taiga-back_1 | File "/opt/venv/lib/python3.7/site-packages/django/apps/registry.py", line 91, in populate
taiga-back_1 | app_config = AppConfig.create(entry)
taiga-back_1 | File "/opt/venv/lib/python3.7/site-packages/django/apps/config.py", line 90, in create
taiga-back_1 | module = import_module(entry)
taiga-back_1 | File "/usr/local/lib/python3.7/importlib/init.py", line 127, in import_module
taiga-back_1 | return _bootstrap._gcd_import(name[level:], package, level)
taiga-back_1 | File "", line 1006, in _gcd_import
taiga-back_1 | File "", line 983, in _find_and_load
taiga-back_1 | File "", line 965, in _find_and_load_unlocked
taiga-back_1 | ModuleNotFoundError: No module named 'taiga_contrib_ldap_auth_ext'
taiga-docker-main_taiga-back_1 exited with code 1

Provide commands or configuration file if possible.

Expected behavior
Container taiga-back_1 should not show error and exit with failure

Project (please complete the following information):
taiga_contrib_ldap_auth_ext-0.4.4

Server (please complete the following information):
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.1 LTS"

Additional context
Tried on untouched VM with custom-back/config.append.py:
INSTALLED_APPS += ["taiga-contrib-ldap-auth-ext"]
...

docker-compose -f docker-compose.yml up|grep taiga-back
Creating network "taiga-docker-main_taiga" with the default driver
Creating volume "taiga-docker-main_taiga-static-data" with default driver
Creating volume "taiga-docker-main_taiga-media-data" with default driver
Creating volume "taiga-docker-main_taiga-db-data" with default driver
Creating volume "taiga-docker-main_taiga-async-rabbitmq-data" with default driver
Creating volume "taiga-docker-main_taiga-events-rabbitmq-data" with default driver
Pulling taiga-db (postgres:12.3)...
Pulling taiga-async-rabbitmq (rabbitmq:3.8-management-alpine)...
Pulling taiga-front (taigaio/taiga-front:latest)...
Pulling taiga-events (taigaio/taiga-events:latest)...
Building taiga-back
Step 1/8 : FROM taigaio/taiga-back:latest
latest: Pulling from taigaio/taiga-back
Status: Downloaded newer image for taigaio/taiga-back:latest
Step 2/8 : COPY config.append.py /taiga-back/settings
Step 3/8 : RUN cat /taiga-back/settings/config.append.py >> /taiga-back/settings/config.py && rm /taiga-back/settings/config.append.py
Successfully tagged taiga-docker-main_taiga-back:latest
WARNING: Image for service taiga-back was built because it did not already exist. To rebuild this image you must use docker-compose build or docker-compose up --build.
Pulling taiga-protected (taigaio/taiga-protected:latest)...
Pulling taiga-gateway (nginx:1.19-alpine)...
Creating taiga-docker-main_taiga-protected_1 ... done
Creating taiga-docker-main_taiga-front_1 ... done
Creating taiga-docker-main_taiga-db_1 ... done
Creating taiga-docker-main_taiga-events-rabbitmq_1 ... done
Creating taiga-docker-main_taiga-async-rabbitmq_1 ... done
Creating taiga-docker-main_taiga-events_1 ... done
Creating taiga-docker-main_taiga-back_1 ... done
Creating taiga-docker-main_taiga-gateway_1 ... done
Creating taiga-docker-main_taiga-async_1 ... done
Attaching to taiga-docker-main_taiga-events-rabbitmq_1, taiga-docker-main_taiga-protected_1, taiga-docker-main_taiga-async-rabbitmq_1, taiga-docker-main_taiga-db_1, taiga-docker-main_taiga-front_1, taiga-docker-main_taiga-events_1, taiga-docker-main_taiga-back_1, taiga-docker-main_taiga-async_1, taiga-docker-main_taiga-gateway_1
taiga-back_1 | Executing pending migrations
taiga-back_1 | Traceback (most recent call last):
taiga-back_1 | File "manage.py", line 17, in
taiga-back_1 | execute_from_command_line(sys.argv)
taiga-back_1 | File "/opt/venv/lib/python3.7/site-packages/django/core/management/init.py", line 381, in execute_from_command_line
taiga-back_1 | utility.execute()
taiga-back_1 | File "/opt/venv/lib/python3.7/site-packages/django/core/management/init.py", line 357, in execute
taiga-back_1 | django.setup()
taiga-back_1 | File "/opt/venv/lib/python3.7/site-packages/django/init.py", line 24, in setup
taiga-back_1 | apps.populate(settings.INSTALLED_APPS)
taiga-back_1 | File "/opt/venv/lib/python3.7/site-packages/django/apps/registry.py", line 91, in populate
taiga-back_1 | app_config = AppConfig.create(entry)
taiga-back_1 | File "/opt/venv/lib/python3.7/site-packages/django/apps/config.py", line 90, in create
taiga-back_1 | module = import_module(entry)
taiga-back_1 | File "/usr/local/lib/python3.7/importlib/init.py", line 127, in import_module
taiga-back_1 | return _bootstrap._gcd_import(name[level:], package, level)
taiga-back_1 | File "", line 1006, in _gcd_import
taiga-back_1 | File "", line 983, in _find_and_load
taiga-back_1 | File "", line 965, in _find_and_load_unlocked
taiga-back_1 | ModuleNotFoundError: No module named 'taiga-contrib-ldap-auth-ext'

Auto Add to Group on Login By LDAP Query [Future Wishlist]

In my org, we have a lot of team members who we'd like to automatically be part of a group, not needing to be invited. Additionally, as people come and go, we'd like to federate auth/authorization to AD, but also group membership.

Starting this ticket to track progress on a feature which would enable membership in a project based on an ldap query for each role.

When I have time, I'll start to implement, if you're interested, otherwise I'll just keep it in a fork (though I'd hate to make another fork!)

Configuration for the new version of taiga

Configuration for the new version of taiga.
For the new version of taiga (>v5.0), LDAP configuration information should be written into the settings/common.py file; otherwise (e.g. settings/config.py) taiga will return an invalid login type error message.

LDAP Authentication Problems (some user worked, most failed)

Describe the bug
LDAP auth for some users worked fine, but for most users login failed.
Taiga config: LDAP-only login, without fallback, save login password and public registration.
Users will be created on first login via LDAP and are in the same base directory.
Reproduced on various browsers and on local and client machines.

With following user login worked - Console output:

angular.js:11756 PUT http://taiga.keba.com/api/v1/user-storage/joyride 404 (Not Found)

With these user login failed - Console Output:

angular.js:11756 POST http://taiga.keba.com/api/v1/auth 400 (Bad Request)
XHR failed loading: POST "http://taiga.keba.com/api/v1/auth".

Provide commands or configuration file if possible.
Docker config:

# LDAP Settings
      - TAIGA_ENABLE_LDAP=True
      - TAIGA_LDAP_USE_TLS=False
      - TAIGA_LDAP_SERVER=ldap://${TAIGA_LDAP_DOMAIN}
      - TAIGA_LDAP_PORT=389
      - TAIGA_LDAP_BIND_DN=${TAIGA_LDAP_BIND_DN}
      - TAIGA_LDAP_BIND_PASSWORD=${TAIGA_LDAP_BIND_PASSWORD}
      - TAIGA_LDAP_BASE_DN=${TAIGA_LDAP_BASE_DN}
      - TAIGA_LDAP_USERNAME_ATTRIBUTE=uid
      - TAIGA_LDAP_EMAIL_ATTRIBUTE=mail
      - TAIGA_LDAP_FULL_NAME_ATTRIBUTE=cn
      #- TAIGA_LDAP_FALLBACK=normal
      - LDAP_SAVE_LOGIN_PASSWORD=False

 - TAIGA_LOGIN_FORM_TYPE=ldap

Expected behavior
Why did various users on the same directory have different behaviours?
Is there a problem with special chars in passwords (UTF-8)?

Project (please complete the following information):

  • latest from docker

Desktop (please complete the following information):

  • OS: Windows
  • Browser: Chrome, FF, IE

error:"Server application error"

Dear all,

I am using the latest taiga stable, I am able to connect using the local admin user.

I installed taiga-contrib-ldap-auth-ext using pip install.

But when I try to log in using an LDAP account I get the error "Server application error" or user not found.

My current configuration is:

the final section of taiga-back/settings/local.py is:

### LDAP PLUGIN ###

INSTALLED_APPS += ["taiga_contrib_ldap_auth_ext"]

LDAP_SERVER = 'ldaps://XXX.XX.XX.XX'
LDAP_PORT = 636

# Flag to enable LDAP with STARTTLS before bind
LDAP_START_TLS = False

# Support of alternative LDAP ciphersuites
#from ldap3 import Tls
#import ssl

#LDAP_TLS_CERTS = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1, ciphers='RSA+3DES')

# Full DN of the service account used to connect to the LDAP server and search for the login user's account entry
# If LDAP_BIND_DN is not specified, or is blank, then an anonymous bind is attempted
LDAP_BIND_DN = 'CN=xxxxxxx,CN=Users,DC=example,DC=int'
LDAP_BIND_PASSWORD = 'XXXXX'

# Starting point within LDAP structure to search for login user
LDAP_SEARCH_BASE = 'CN=Xxxx,DC=xxxxx,DC=xxx'

# Additional search criteria to the filter (will be ANDed)
#LDAP_SEARCH_FILTER_ADDITIONAL = '(mail=*)'

# Names of attributes to get username, e-mail and full name values from
# These fields need to have a value in LDAP 
LDAP_USERNAME_ATTRIBUTE = 'sAMAccountName'
LDAP_EMAIL_ATTRIBUTE = 'mail'
LDAP_FULL_NAME_ATTRIBUTE = 'name'

# Fallback on normal authentication method if this LDAP auth fails. Uncomment to enable.
# LDAP_FALLBACK = "normal"

# Function to map LDAP username to local DB user unique identifier.
# Upon successful LDAP bind, will override returned username attribute
# value. May result in unexpected failures if changed after the database
# has been populated.
def _ldap_slugify(uid: str) -> str:
    # example: force lower-case
    #uid = uid.lower()
    return uid

#LDAP_MAP_USERNAME_TO_UID = _ldap_slugify

my taiga-front-dist/dist/conf.json

{
    "api": "https://taiga.flyingfishtechs.com:3002/api/v1/",
    "eventsUrl": "wss://taiga.flyingfishtechs.com:3002/events",
    "loginFormType": "ldap",
    "eventsMaxMissedHeartbeats": 5,
    "eventsHeartbeatIntervalTime": 60000,
    "eventsReconnectTryInterval": 10000,
    "debug": false,
    "debugInfo": false,
    "defaultLanguage": "en",
    "themes": ["taiga"],
    "defaultTheme": "taiga",
    "publicRegisterEnabled": true,
    "feedbackEnabled": true,
    "supportUrl": "https://tree.taiga.io/support",
    "privacyPolicyUrl": null,
    "termsOfServiceUrl": null,
    "maxUploadFileSize": null,
    "contribPlugins": [],
    "tribeHost": null,
    "importers": [],
    "gravatar": true
}

I am trying to debug using curl; I get the same results in the browser:

curl -H "Content-Type: application/json" -d '{"type": "ldap", "username": "carles.cortes", "password": "xxxxxxxxx"}' http://127.0.0.1/api/v1/auth
{"error": "Server application error"}(taiga)

Any suggestion in how to debug this? I tried many things...

Thank you very much !

When adding users to project no existing users shown

When trying to add users to an existing project, the list of users to add is empty. I can only invite by email.

Specifically (and I think that's the problem):

/api/v1/users/18/contacts?exclude_project=10 returns [].

The configured BIND_DN can ldapsearch the directory without problems.

Project (please complete the following information):
taiga-back-5.5.3, taiga-contrib-ldap-auth-ext 0.4.4

Release new version to PyPI

Currently, the version of this plugin on PyPI (0.4.4) is from 2019-05-03 and does not include the latest changes in this repository.

Could you push the changes to create e.g. a 0.4.5 release, please?

Thanks in advance!

LDAP authentication over SSL issue

Hello,

I am trying to use your nice LDAP contrib on my Taiga, but my LDAP authentication fails on my LDAPS server...
I can not test authentication without TLS.
I already use some applications to authenticate on our LDAPS server, but I'm a newbie on Taiga and I didn't find a way to display logs.
(Launching Taiga with "python manage.py runserver" doesn't display any logs about my LDAPS authentication.)

Could you tell me how I can debug my LDAP authentication?

In my Java application, to authenticate over LDAPS I have a certificate file to import into my JVM keystore. Do I need to do something similar (I don't know how)?

Thanks for any help; tell me if I didn't use the right way to ask for help about your LDAP extension.

Here is my taiga-back/settings/local.py file:

INSTALLED_APPS += ["taiga_contrib_ldap_auth_ext"]

# TODO https://github.com/Monogramm/taiga-contrib-ldap-auth-ext/issues/16
LDAP_SERVER = 'ldap://ldap.xxxx.fr'
LDAP_PORT = yyy

# Flag to enable LDAP with STARTTLS before bind
LDAP_START_TLS = True

# Support of alternative LDAP ciphersuites
from ldap3 import Tls
import ssl

LDAP_TLS_CERTS = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1, ciphers='RSA+3DES')

# Full DN of the service account used to connect to the LDAP server and search for the login user's account entry
# If LDAP_BIND_DN is not specified, or is blank, then an anonymous bind is attempted
# LDAP_BIND_DN = 'CN=SVC Account,OU=Service Accounts,OU=Servers,DC=example,DC=com'
# LDAP_BIND_PASSWORD = '<REPLACE_ME>'
LDAP_BIND_DN = ''
LDAP_BIND_PASSWORD = ''
# Additional search criteria to the filter (will be ANDed)
#LDAP_SEARCH_FILTER_ADDITIONAL = '(mail=*)'

# Names of attributes to get username, e-mail and full name values from
# These fields need to have a value in LDAP 
LDAP_USERNAME_ATTRIBUTE = 'zzz'
LDAP_EMAIL_ATTRIBUTE = 'zzzzz'
LDAP_FULL_NAME_ATTRIBUTE = 'zzzzz'

Pascal B
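The certificate question above has a direct analogue in ldap3. The posted `Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1, ciphers='RSA+3DES')` turns certificate checking off and pins TLS 1.0, which hides a trust problem rather than solving it; the equivalent of importing the certificate into a JVM keystore is `validate=ssl.CERT_REQUIRED` together with `ca_certs_file=` pointing at the CA that issued the LDAPS server certificate (parameter names from the ldap3 library, not from this plugin). The probe below is an added example, not part of the plugin or of any post here: using only the Python standard library, it opens a verifying TLS connection to the LDAPS port and turns a handshake failure into the configuration change it calls for. Host, port and CA bundle path are supplied by the caller.

```python
"""Probe an LDAPS endpoint with a verifying TLS client (added example, not plugin code).

Assumptions: the caller supplies host, port and (for a private CA) the path of a
PEM CA bundle. Nothing here talks to the LDAP protocol; it checks the TLS layer
that the LDAP bind will have to cross.
"""
import socket
import ssl


def ldaps_context(ca_bundle=None):
    """TLS policy a hardened LDAP client should use.

    create_default_context() already sets verify_mode=CERT_REQUIRED and
    check_hostname=True. A CA bundle is only needed when the server certificate
    comes from a private CA the system trust store does not know. TLS 1.0 and
    1.1 are refused outright.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_policy(ca_bundle=None):
    """Plain-data summary of the context, convenient for logging and tests."""
    ctx = ldaps_context(ca_bundle)
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def hint_for(error_type, message):
    """Translate a handshake failure into the configuration change it calls for."""
    text = message.lower()
    if error_type == "SSLCertVerificationError":
        if "hostname mismatch" in text:
            return ("certificate does not name this host: connect using a DNS name "
                    "listed in the certificate's SAN, or reissue the certificate")
        return ("certificate chain not trusted: point the client at the CA bundle that "
                "issued the server certificate (ldap3: Tls(validate=ssl.CERT_REQUIRED, "
                "ca_certs_file=...)) instead of disabling validation")
    if error_type == "SSLError" and "wrong version number" in text:
        return ("peer did not speak TLS: this looks like the plain LDAP port (389); "
                "use the LDAPS port (636) or STARTTLS")
    if error_type in ("ConnectionRefusedError", "TimeoutError", "timeout", "gaierror"):
        return "no TLS handshake happened: check host name, port and firewall rules"
    return "unclassified failure: " + message


def probe_ldaps(host, port=636, ca_bundle=None, timeout=5.0):
    """Open a verifying TLS connection and report what the handshake says."""
    ctx = ldaps_context(ca_bundle)  # a missing CA file fails loudly here, on purpose
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "protocol": tls.version(),
                        "subject": cert.get("subject"), "issuer": cert.get("issuer"),
                        "not_after": cert.get("notAfter")}
    except (ssl.SSLError, OSError) as exc:
        name = type(exc).__name__
        return {"ok": False, "error": name, "detail": str(exc), "hint": hint_for(name, str(exc))}


if __name__ == "__main__":
    import json
    import sys
    # Placeholder host; pass your LDAPS server and optionally a CA bundle path.
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    print(json.dumps(probe_ldaps(target, ca_bundle=bundle), indent=2, default=str))
```

Run it once against the LDAPS server before touching the plugin settings: an `ok: true` result means the same CA bundle will satisfy ldap3 with validation left on, and each failure hint names the setting to fix rather than the setting to weaken.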

No search after successful bind.

Hello,

I'm just trying to get the plugin to work on the latest Taiga version.
I followed the guide to install it without Docker.

The problem is that the server keeps saying that my password is incorrect with a valid LDAP account.
But on the LDAP server side I see that the authentication is successful, but there is no search operation afterwards.

Any clues?

I had a taiga 5 server with an old version of this plugin that is working with the same ldap server...

Thanks for your help.

Taiga Authentication failing on META LDAP

Describe the bug
Hi, in my company we have a META LDAP DB which abstracts two LDAP directories, an AD and an LDAP directory. Using the LDAP_BIND_DN of the META DB, all the Active Directory users can log in (and have the user created at first login). The users created in the LDAP won't. Other services in the network can use both types of users.

What can it be? Why can the AD users log in?

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'Login Page' on Taiga
  2. Put username and password of a user present in the meta LDAP
  3. The error is: According to the Taiga, your username/email or password are incorrect.

Moreover, I did some shell debugging, and the user who cannot log in on Taiga can BIND from the shell; here are the tryouts:

$ ldapwhoami -vvv -h -REDACTED- -p 389 -D uid=-REDACTED-,cn=local,ou=people,dc=bancolini,dc=meta -x -w '-REDACTED-'
ldap_initialize( ldap://-REDACTED-:389 )
dn:uid=-REDACTED-,cn=local,ou=people,dc=bancolini,dc=meta
Result: Success (0)

While the log of the LDAP server is:

601819a4 conn=1584 fd=12 ACCEPT from IP=-REDACTED-:54576 (IP=0.0.0.0:389)
601819a4 conn=1584 op=0 BIND dn="cn=binder,dc=bancolini,dc=meta" method=128
601819a4 conn=1584 op=0 BIND dn="cn=binder,dc=bancolini,dc=meta" mech=SIMPLE ssf=0
601819a4 conn=1584 op=0 RESULT tag=97 err=0 text=
601819a4 conn=1584 op=1 SRCH base="dc=bancolini,dc=meta" scope=2 deref=3 filter="(|(uid=-REDACTED-)(mail=-REDACTED-))"
601819a4 conn=1584 op=1 SRCH attr=uid mail displayName
601819a4 conn=1044 op=252 SRCH base="ou=people,dc=bancolini,dc=com" scope=2 deref=3 filter="(|(uid=-REDACTED-)(mail=-REDACTED-))"
601819a4 conn=1044 op=252 SRCH attr=uid mail displayName
601819a4 conn=1044 op=252 SEARCH RESULT tag=101 err=0 nentries=1 text=
601819a4 conn=1045 op=249 SRCH base="ou=groups,dc=bancolini,dc=com" scope=2 deref=3 filter="(|(uid=-REDACTED-)(mail=-REDACTED-))"
601819a4 conn=1045 op=249 SRCH attr=uid mail displayName
601819a4 conn=1584 op=1 meta_back_retry[3]: retrying URI="ldap://-REDACTED-:389" DN="cn=administrator,cn=users,dc=bancolini,dc=com".
601819a4 conn=1045 op=249 SEARCH RESULT tag=101 err=0 nentries=0 text=
601819a4 conn=1584 op=1 meta_back_retry[3]: meta_back_single_dobind=0
601819a4 conn=1584 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
601819a4 conn=1585 fd=25 ACCEPT from IP=-REDACTED-:54580 (IP=0.0.0.0:389)
601819a4 conn=1585 op=0 BIND dn="uid=-REDACTED-,cn=local,ou=people,dc=bancolini,dc=meta" method=128
601819a4 conn=1586 fd=27 ACCEPT from IP=-REDACTED-:54584 (IP=0.0.0.0:389)
601819a4 conn=1586 op=0 BIND dn="uid=-REDACTED-,ou=people,dc=bancolini,dc=com" method=128
601819a4 conn=1586 op=0 BIND dn="uid=-REDACTED-,ou=people,dc=bancolini,dc=com" mech=SIMPLE ssf=0
601819a4 conn=1585 op=0 BIND dn="uid=-REDACTED-,cn=local,ou=people,dc=bancolini,dc=meta" mech=SIMPLE ssf=0
601819a4 conn=1585 op=0 RESULT tag=97 err=0 text=
601819a4 conn=1586 op=0 RESULT tag=97 err=0 text=
601819a4 conn=1584 fd=12 closed (connection lost)
601819a4 conn=1585 fd=25 closed (connection lost)
601819a4 conn=1586 op=1 UNBIND
601819a4 conn=1586 fd=27 closed

If I understand right, it tries to use uid=-REDACTED-,cn=local,ou=people,dc=bancolini,dc=meta to BIND and check for the password, which in ldapsearch works.

Obviously also the uid=-REDACTED-,ou=people,dc=bancolini,dc=com I see in the log is accepted as BIND DN:

$ ldapwhoami -vvv -h -REDACTED- -p 389 -D uid=-REDACTED- -x -w '-REDACTED-'
ldap_initialize( ldap://-REDACTED-:389 )
dn:uid=-REDACTED-,dc=bancolini,dc=com
Result: Success (0)

The config of Taiga's settings.py is:

LDAP_SERVER = 'ldap://-REDACTED-'
LDAP_PORT = 389

# Flag to enable LDAP with STARTTLS before bind
LDAP_START_TLS = False

# Support of alternative LDAP ciphersuites
#from ldap3 import Tls
#import ssl

#LDAP_TLS_CERTS = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1, ciphers='RSA+3DES')

# Full DN of the service account used to connect to the LDAP server and search for the login user's account entry
# If LDAP_BIND_DN is not specified, or is blank, then an anonymous bind is attempted
LDAP_BIND_DN = 'cn=-REDACTED-,dc=bancolini,dc=meta'
LDAP_BIND_PASSWORD = '-REDACTED-'

# Starting point within LDAP structure to search for login user
LDAP_SEARCH_BASE = 'dc=bancolini,dc=meta'

# Additional search criteria to the filter (will be ANDed)
#LDAP_SEARCH_FILTER_ADDITIONAL = '(mail=*)'

# Names of attributes to get username, e-mail and full name values from
# These fields need to have a value in LDAP 
LDAP_USERNAME_ATTRIBUTE = 'uid'
LDAP_EMAIL_ATTRIBUTE = 'mail'
LDAP_FULL_NAME_ATTRIBUTE = 'displayName'

Expected behavior
I expect to login with the LDAP users and not just with the AD, since the ldapwhoami works.

Thank you for the answer, bye,
Gabriele

Password with special characters

Hi,

I am using the ldap-auth-ext plugin, but I am facing an issue with some passwords.
Some of the users are using special characters such as @ in their passwords.
This causes the auth 400 error:

{"error_message": {"ldap": "LDAP bind failed: automatic bind not successful - invalidCredentials", "normal": "Aucun utilisateur avec ce nom ou ce mot de passe."}}

When the users use a normalized password it works. Is it possible to add escape characters for these kinds of passwords?

Best regards,

Can't access http://127.0.0.1:8001/api/v1 after turn on plugins

Describe the bug
After configuring local.py to turn on the taiga-contrib-ldap-auth-ext plugin, I can't access http://127.0.0.1:8001/api/v1
=> It means I can't log in to taiga-frontend

To Reproduce
Steps to reproduce the behavior:

  1. Install plugin:
    pip3 install --upgrade taiga-contrib-ldap-auth-ext

  2. Access http://127.0.0.1:8001/api/v1 on Local Machine: OK
    curl http://127.0.0.1:8001/api/v1
    -- Result --
    <h1>Not Found</h1><p>The requested resource was not found on this server.</p>

  3. Edit local.py
    sudo nano /home/taiga/taiga-back/settings/local.py
    INSTALLED_APPS += ["taiga_contrib_ldap_auth_ext"]
    ...

  4. Edit conf.json
    sudo nano /home/taiga/taiga-front-dist/dist/conf.json
    "loginFormType": "ldap",

  5. Restart taiga and reload nginx
    sudo systemctl restart 'taiga*'
    sudo systemctl reload nginx

  6. Try access http://127.0.0.1:8001/api/v1
    curl http://127.0.0.1:8001/api/v1
    curl: (56) Recv failure: Connection reset by peer

  7. Try login in Taiga: (using F12 of Chrome): Not OK
    General:

  • Request URL: http://<example.com>/api/v1/auth
  • Request Method: POST
  • Status Code: 502 Bad Gateway

Project (please complete the following information):

  • Project Version: Version 0.4.4

Server:

  • OS: Ubuntu 18 LTS
  • Taiga version: latest stable from git (17Nov2019)

Desktop (please complete the following information):

  • OS: windows 10
  • Browser: Chrome, Firefox

Add a step-by-step installation guide for Taiga6 recommended docker installation

I am pretty sure most of us on-premises folks have tons of experience with virtualization solutions like VMware but are total Docker noobs.

I am struggling to install this plugin in the Taiga6 recommended Docker deployment. I know that I am struggling through a lot of problems that are basically solved with basic Docker knowledge, and installing the community plugin in your Docker installation is probably easy for a dev with a lot of Docker experience, but for us old and gnarly sysadmins it's just super confusing, and we have to make sure every deployment checks certain boxes like “can we test backups, updates, restores” and “can we plug it into our LDAP to manage our 300 users that constantly forget passwords”.

Thanks for the great work overall!

If this plugin works with taiga6 please indicate

Have been working to get this to work with a taiga6 docker style installation.

Thought I saw that this was confirmed to work with taiga6 but at last check I did not see such an indication.

If this does work with taiga6, please have the version updated on the Taiga Resources page and on the GitHub page somewhere.

[ERROR] Exception in worker process

Log ERROR:
error_gunicorn.stderr.log

Taiga 3.4.0
pip list:
Package Version

acme 0.26.0
asn1crypto 0.22.0
certbot 0.26.1
certbot-nginx 0.25.0
certifi 2017.4.17
chardet 3.0.4
command-not-found 0.3
ConfigArgParse 0.11.0
configobj 5.0.6
cryptography 1.9
Django 2.1.2
funcsigs 0.4
future 0.15.2
idna 2.5
josepy 1.0.1
language-selector 0.1
ldap3 2.5.1
mock 1.3.0
ndg-httpsclient 0.4.2
parsedatetime 2.4
pbr 1.8.0
pip 18.1
pyasn1 0.1.9
pycurl 7.43.0
pygobject 3.20.0
PyICU 1.9.2
pyOpenSSL 17.3.0
pyparsing 2.0.3
pyRFC3339 1.0
python-apt 1.1.0b1+ubuntu0.16.4.2
python-debian 0.1.27
python-systemd 231
pytz 2014.10
requests 2.18.1
requests-toolbelt 0.8.0
setuptools 33.1.1
six 1.11.0
ssh-import-id 5.5
taiga-contrib-ldap-auth-ext 0.3.4
ufw 0.35
unattended-upgrades 0.1
urllib3 1.21.1
virtualenv 15.0.1
wheel 0.29.0
zope.component 4.3.0
zope.event 4.2.0
zope.hookable 4.0.4
zope.interface 4.3.2

Default Picture Broken for New LDAP Users

Don't have a ton of time to debug personally, since I need to push forward launching it, but just wanted to mention it so it's tracked somewhere!

If I have time, I'll come back get this fixed at some point!

LDAP search response assumptions are false

I'm on an AD and our c.search() results in the following:

[{'attributes': {'sAMAccountName': ['krause'], 'givenName': ['Michael'], 'mail': ['[email protected]']},
  'dn': 'CN=Michael Krause,OU=FB-LIP,DC=mpib-berlin,DC=mpg,DC=de',
  'raw_attributes': {'sAMAccountName': [b'krause'], 'givenName': [b'Michael'], 'mail': [b'[email protected]']},
  'raw_dn': b'CN=Michael Krause,OU=FB-LIP,DC=mpib-berlin,DC=mpg,DC=de',
  'type': 'searchResEntry'},
 {'type': 'searchResRef',
  'uri': ['ldaps://ForestDnsZones.mpib-berlin.mpg.de/DC=ForestDnsZones,DC=mpib-berlin,DC=mpg,DC=de']},
 {'type': 'searchResRef',
  'uri': ['ldaps://DomainDnsZones.mpib-berlin.mpg.de/DC=DomainDnsZones,DC=mpib-berlin,DC=mpg,DC=de']},
 {'type': 'searchResRef',
  'uri': ['ldaps://mpib-berlin.mpg.de/CN=Configuration,DC=mpib-berlin,DC=mpg,DC=de']}]

It then fails to auth because len(c.response) is not == 1. I can make a PR with the dirty hack I used, but there might be a more compatible solution to check whether the search actually found something. Not sure how to proceed :)
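The response above shows why counting `c.response` items is the wrong test: Active Directory appends one `searchResRef` referral per extra naming context, so a single matching user yields four items and `len(c.response) == 1` fails, while loosening the check to `>= 1` would accept a response made only of referrals. The item `type` field is the reliable discriminator. The code below is an added example, not the plugin's code or the poster's patch; it filters a response of the shape pasted above down to real entries and fails closed when zero or several users match, with the sample response constructed here (the mail value is a placeholder). In ldap3 itself the same effect is also available through `Connection.entries`, which holds only `searchResEntry` items, or `Connection(..., auto_referrals=False)`, which stops the library from chasing referrals at all.

```python
"""Separate directory entries from referrals in an ldap3 search response
(added example, not code from the plugin or from the issue)."""

# Constructed sample modelled on the AD response pasted in the issue: one matching
# entry plus three referrals to other naming contexts. The mail value is a placeholder.
SAMPLE_RESPONSE = [
    {"type": "searchResEntry",
     "dn": "CN=Michael Krause,OU=FB-LIP,DC=mpib-berlin,DC=mpg,DC=de",
     "attributes": {"sAMAccountName": ["krause"], "givenName": ["Michael"],
                    "mail": ["krause@example.com"]}},
    {"type": "searchResRef",
     "uri": ["ldaps://ForestDnsZones.mpib-berlin.mpg.de/DC=ForestDnsZones,DC=mpib-berlin,DC=mpg,DC=de"]},
    {"type": "searchResRef",
     "uri": ["ldaps://DomainDnsZones.mpib-berlin.mpg.de/DC=DomainDnsZones,DC=mpib-berlin,DC=mpg,DC=de"]},
    {"type": "searchResRef",
     "uri": ["ldaps://mpib-berlin.mpg.de/CN=Configuration,DC=mpib-berlin,DC=mpg,DC=de"]},
]


def search_entries(response):
    """Only searchResEntry items are directory objects; referrals (searchResRef)
    and any other protocol items are not candidates for a login."""
    return [item for item in response if item.get("type") == "searchResEntry"]


def referral_uris(response):
    """Referral targets, useful for logging why a response was longer than expected."""
    return [uri for item in response if item.get("type") == "searchResRef"
            for uri in item.get("uri", [])]


def resolve_login_entry(response):
    """Return the single entry a login may bind as, or raise.

    Fail closed in both directions: no entry means an unknown user; more than one
    means the filter (for example uid OR mail) is ambiguous, and the login must not
    silently bind as the first candidate.
    """
    entries = search_entries(response)
    if not entries:
        raise LookupError("no entry matched the login filter")
    if len(entries) > 1:
        raise LookupError("login filter matched %d entries; refusing to guess" % len(entries))
    return entries[0]


def attribute_value(entry, name):
    """ldap3 returns lists for attributes it has no schema for; normalise a
    single-valued attribute to a string and reject missing or multi-valued ones."""
    value = entry.get("attributes", {}).get(name)
    if isinstance(value, (list, tuple)):
        if len(value) != 1:
            raise ValueError("attribute %r must have exactly one value, got %d" % (name, len(value)))
        value = value[0]
    if value in (None, ""):
        raise ValueError("attribute %r is missing or empty" % name)
    return str(value)


def login_identity(response, username_attr="sAMAccountName", email_attr="mail"):
    """DN to bind as plus the attributes the plugin maps onto the local user."""
    entry = resolve_login_entry(response)
    return {"dn": entry["dn"],
            "username": attribute_value(entry, username_attr),
            "email": attribute_value(entry, email_attr)}


if __name__ == "__main__":
    print("items:", len(SAMPLE_RESPONSE), "entries:", len(search_entries(SAMPLE_RESPONSE)),
          "referrals:", len(referral_uris(SAMPLE_RESPONSE)))
    print(login_identity(SAMPLE_RESPONSE))
```

The DN returned by `login_identity` is the one the password bind should use; the attribute checks mirror the plugin's documented requirement that the username, e-mail and full-name attributes all carry a value.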
