
MoinMoinQuestions - MoinMoin

15 November 2006

How do I integrate LDAP authentication with moin moin?

Looking at MoinMoin/auth.py in MoinMoin, where do I place the following parameters: ldap_coding, ldap_uri, ldap_binddn, ldap_bindpw, ldap_base, ldap_scope, ldap_timeout, ldap_name_attribute, ldap_email_attribute?

You say: Into your wikiconfig.py

Can you give me an example of what I need to put in wikiconfig.py for one of the variables, let's say ldap_binddn? Unfortunately the sample config in wiki/config/more_samples/ is not great at all.

Well, we can't know your ldap setup, but the config you see in ldap_smb_farmconfig.py is a real world example for Active Directory with the real company name replaced by example.org. You don't need the smb_ stuff btw. If you can read python it's easy, maybe look at MoinMoin/auth.py -> def ldap_login… - as you see there, the following happens:

- it initializes an ldap connection to ldap_uri
- it expands ldap_binddn and ldap_bindpw with some variable content like username and password etc.; this is optional, you also can use some fixed value
- it binds to the directory using this; as that stuff is an encoded string, it uses ldap_coding to encode name and password - this is interesting for non-ASCII characters
- now it makes up a ldap filter string "%s=%s" with ldap_name_attribute (where is the username stored?) and the current username and uses this filter to search for that username in that attribute, using ldap_base as base DN and ldap_scope for the scope.
- depending on how many hits this search returns, the following will happen:
    - none: we didn't find the user, auth will fail as far as ldap_login is concerned
    - more than 1: we have multiple users of that name, this is no good, auth will fail …
    - one: great, we found that unique username in the directory and can continue
- now it will bind again to the directory, using the DN we found in the search and the password given at login
- if this fails, it'll break out with an exception like ldap.INVALID_CREDENTIALS, auth will fail …
- if it succeeds, the password was obviously correct for this username, so we construct a user object now:
    - we fetch the email address for the user profile from ldap from ldap_email_attribute and decode it using ldap_coding
    - we fetch surname and givenname from sn and givenName attributes and make up the aliasname for the profile using them (this is nice if the login username is cryptic)
    - the wiki username will be the one given for login
    - we make sure the cookie_lifetime is honoured, thus the cookie will expire, forcing the user to re-login after expiry
- the end, auth succeeded
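The bind-search-rebind sequence described in the answer above, written out as an added example. This is not MoinMoin's own auth.py: the directory is a constructed in-memory fake that exposes the two python-ldap calls the flow needs (simple_bind_s and search_st), so a real ldap.initialize(uri) connection could be passed as `connect` instead; the config keys are the ones from the question, and their values, the sample entries, and the helper names (FakeDirectory, connect_fake, SAMPLE_CONFIG) are assumptions made for the example. Two checks the answer does not mention are included from the defender's side: the login name is escaped before it is placed in the "%s=%s" filter, and an empty password is refused before the second bind, because many directories treat an empty-password bind as a successful anonymous bind.

```python
import re

SCOPE_SUBTREE = 2  # same value as python-ldap's ldap.SCOPE_SUBTREE


class InvalidCredentials(Exception):
    """Stands in for ldap.INVALID_CREDENTIALS raised by a failed bind."""


def escape_filter_chars(value):
    """RFC 4515 escaping for a value placed inside an LDAP filter.

    Keeps '*', '(', ')', '\\' and NUL in the login name from changing the
    meaning of the "(attr=value)" filter. python-ldap ships the same helper
    as ldap.filter.escape_filter_chars.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


class FakeDirectory:
    """Constructed in-memory directory (example only, not a real server).

    Entries map DN -> attributes; attribute values are lists of bytes, as
    python-ldap returns them. '_password' is the bind secret and is never
    returned by a search.
    """

    def __init__(self, entries):
        self.entries = entries

    def simple_bind_s(self, dn, password):
        entry = self.entries.get(dn)
        if entry is None or entry["_password"] != password:
            raise InvalidCredentials(dn)

    def search_st(self, base, scope, filterstr, attrlist=None, timeout=-1):
        # Only the "(attr=value)" equality filter ldap_login builds is supported.
        attr, _, value = filterstr.strip("()").partition("=")
        wanted = re.sub(r"\\([0-9a-fA-F]{2})",
                        lambda m: chr(int(m.group(1), 16)), value).encode("utf-8")
        hits = []
        for dn, entry in self.entries.items():
            if dn.endswith(base) and wanted in entry.get(attr, []):
                public = {k: v for k, v in entry.items() if not k.startswith("_")}
                hits.append((dn, public))
        return hits


def ldap_login(username, password, cfg, connect):
    """Return a user profile dict on success, None when auth fails.

    connect(uri) returns a connection; with python-ldap that is ldap.initialize.
    """
    if not password:
        # An empty-password bind is an anonymous bind on many directories and
        # would succeed without proving anything; refuse it up front.
        return None
    conn = connect(cfg["ldap_uri"])

    # Bind with the service account; binddn/bindpw may reference the login
    # name (e.g. "%(username)s@example.org") or, as here, be fixed values.
    conn.simple_bind_s(cfg["ldap_binddn"] % {"username": username},
                       cfg["ldap_bindpw"] % {"password": password})

    # Search for exactly one entry whose name attribute equals the login name.
    filterstr = "(%s=%s)" % (cfg["ldap_name_attribute"], escape_filter_chars(username))
    hits = conn.search_st(cfg["ldap_base"], cfg["ldap_scope"], filterstr,
                          [cfg["ldap_email_attribute"], "sn", "givenName"],
                          timeout=cfg["ldap_timeout"])
    if len(hits) != 1:
        return None  # 0 hits: unknown user; more than 1: ambiguous, refuse

    dn, attrs = hits[0]
    # Rebind as the user's own DN: this is the actual password check.
    try:
        conn.simple_bind_s(dn, password)
    except InvalidCredentials:
        return None

    coding = cfg["ldap_coding"]

    def first(attr):
        values = attrs.get(attr)
        return values[0].decode(coding) if values else ""

    return {
        "name": username,  # wiki username is the one given at login
        "email": first(cfg["ldap_email_attribute"]),
        "aliasname": (first("givenName") + " " + first("sn")).strip(),
    }


# Constructed sample config and directory contents (not from the page).
SAMPLE_CONFIG = {
    "ldap_coding": "utf-8",
    "ldap_uri": "ldap://ldap.example.org",
    "ldap_binddn": "cn=wiki-svc,ou=services,dc=example,dc=org",
    "ldap_bindpw": "service-secret",
    "ldap_base": "dc=example,dc=org",
    "ldap_scope": SCOPE_SUBTREE,
    "ldap_timeout": 10,
    "ldap_name_attribute": "sAMAccountName",
    "ldap_email_attribute": "mail",
}

SAMPLE_ENTRIES = {
    "cn=wiki-svc,ou=services,dc=example,dc=org": {"_password": "service-secret"},
    "cn=Jane Doe,ou=people,dc=example,dc=org": {
        "_password": "correct horse", "sAMAccountName": [b"jdoe"],
        "mail": [b"jane@example.org"], "sn": [b"Doe"], "givenName": [b"Jane"]},
    "cn=Dup One,ou=people,dc=example,dc=org": {
        "_password": "x", "sAMAccountName": [b"dup"], "sn": [b"One"]},
    "cn=Dup Two,ou=other,dc=example,dc=org": {
        "_password": "y", "sAMAccountName": [b"dup"], "sn": [b"Two"]},
}


def connect_fake(uri):
    """Connection factory standing in for ldap.initialize(uri)."""
    return FakeDirectory(SAMPLE_ENTRIES)


if __name__ == "__main__":
    print(ldap_login("jdoe", "correct horse", SAMPLE_CONFIG, connect_fake))
```

The ambiguous-name case ("dup" exists in two OUs under the base) returns None exactly as the answer describes, and because the rebind is done with the DN found by the search rather than with anything the user typed, a correct password for one "dup" entry never logs in as the other.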
