Extension LDAP authentication for CKAN


Extension Basics

Title
LDAP authentication for CKAN
Name
ckanext-ldap
Type
Public extension
Description
Provide LDAP and Active Directory authentication for CKAN users
CKAN versions
Download-Url (zip)
Download-Url commit date
2014-01-01
Url to repo
Category
Authentication & Security


Background Info

Description (long)

This plugin provides comprehensive LDAP authentication for CKAN with support for Active Directory. Features include:
- imports username, full name, email and description from the LDAP directory
- flexible matching against multiple LDAP fields (username, full name, email)
- LDAP-only authentication, or combined LDAP and basic CKAN authentication via the ckan_fallback option
- automatic addition of LDAP users to a specified organization with a configurable role (admin/editor/member)
- full Active Directory compatibility with TLS support
- optionally prevents profile editing for LDAP users (centralized management)
- dual search filter support (primary and alternative search strings for flexible matching)
- customizable LDAP attribute mapping for all user fields
- CLI command for setting up the organization (paster ldap setup-org)
- alternative search with a custom error message for multi-field matching (e.g. match username OR full name OR email)
Requires the python-ldap module and the ldap2/sasl2/ssl development packages for building.

Version
0.1
Version release date
2014-01-01
Contact name
Natural History Museum
Contact email
(not set)
Contact Url
(not set)


Installation Guide

Configuration hints

Install python-ldap module:

pip install python-ldap

For building from source (Debian/Ubuntu):

apt-get install libldap2-dev libsasl2-dev libssl-dev

Required configuration:

LDAP server URI (ldap:// or ldaps:// for TLS, optionally with :port)

ckanext.ldap.uri = ldap://example.com

Base DN for search

ckanext.ldap.base_dn = ou=USERS,dc=example,dc=com

Search filter with {login} placeholder (must return 0 or 1 entry)

ckanext.ldap.search.filter = sAMAccountName={login}

LDAP attribute for CKAN username (must be unique)

ckanext.ldap.username = sAMAccountName

LDAP attribute for email (must be unique)

ckanext.ldap.email = mail

Optional configuration:

Enable fallback to CKAN authentication when no LDAP user

ckanext.ldap.ckan_fallback = true

Prevent LDAP users from editing their profile

ckanext.ldap.prevent_edits = true

Authentication DN if LDAP server requires auth (e.g., Active Directory)

ckanext.ldap.auth.dn = cn=admin,dc=example,dc=com

Password for authentication DN

ckanext.ldap.auth.password = password

Full name attribute mapping

ckanext.ldap.fullname = cn

Description/About attribute mapping

ckanext.ldap.about = description

Auto-add users to organization (Warning: only affects new users)

ckanext.ldap.organization.id = my-organization-id

Role for auto-added users: admin, editor, or member (Warning: only affects new users)

ckanext.ldap.organization.role = member

Alternative search filter for multi-field matching

ckanext.ldap.search.alt = name={login}

Or, to match on several attributes at once: (|(name={login})(mail={login}))

Custom message when alt search returns >1 result

ckanext.ldap.search.alt_msg = Please use your short account name instead

Setup organization via CLI:

paster --plugin=ckanext-ldap ldap setup-org -c /etc/ckan/default/development.ini

Note: Configuration options without ckanext. prefix are deprecated.
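As an added example, not code from ckanext-ldap itself: the lookup these settings describe, run against a constructed in-memory directory. It fills the {login} placeholder in search.filter and search.alt with RFC 4515 escaping so a login such as "*" cannot widen the filter, enforces the 0-or-1 rule on the primary filter, and returns alt_msg when the alternative search is ambiguous. The entry data and the simplified filter evaluator are assumptions for the example.

```python
import re

# Constructed settings in the form documented above (example values, not a real site).
SETTINGS = {
    "ckanext.ldap.search.filter": "sAMAccountName={login}",
    "ckanext.ldap.search.alt": "(|(name={login})(mail={login}))",
    "ckanext.ldap.search.alt_msg": "Please use your short account name instead",
}

# Constructed directory entries standing in for the search base (assumption).
DIRECTORY = [
    {"sAMAccountName": "jdoe", "name": "John Doe", "mail": "jdoe@example.com"},
    {"sAMAccountName": "jsmith", "name": "Jane Smith", "mail": "jsmith@example.com"},
    {"sAMAccountName": "jane", "name": "Jane Smith", "mail": "jane@example.com"},
]

def escape_filter_value(value):
    """RFC 4515 escaping: a login such as '*' or 'a)(b' must not change the
    structure of the filter it is substituted into."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def render_filter(template, login):
    """Fill the {login} placeholder as the config describes, escaping the value first."""
    return template.replace("{login}", escape_filter_value(login))

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(entry, flt):
    """Toy evaluator (assumption): 'attr=value' or an OR of such terms '(|(a=v)(b=v))'."""
    flt = flt.strip()
    if flt.startswith("(|"):
        return any(matches(entry, t) for t in re.findall(r"\(([^()]*)\)", flt[2:-1]))
    attr, _, value = flt.strip("()").partition("=")
    return entry.get(attr) == _unescape(value)

def lookup(login, settings=SETTINGS, directory=DIRECTORY):
    """Return ("ok", entry), ("none", None) or ("ambiguous", alt_msg)."""
    primary = [e for e in directory if matches(e, render_filter(settings["ckanext.ldap.search.filter"], login))]
    if len(primary) > 1:  # the primary filter must yield 0 or 1 entry
        raise ValueError("ckanext.ldap.search.filter returned more than one entry")
    if primary:
        return ("ok", primary[0])
    alt = settings.get("ckanext.ldap.search.alt")
    hits = [e for e in directory if matches(e, render_filter(alt, login))] if alt else []
    if len(hits) > 1:
        return ("ambiguous", settings["ckanext.ldap.search.alt_msg"])
    return ("ok", hits[0]) if hits else ("none", None)
```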

Plugins to configure (ckan.ini)
ldap
CKAN Settings (ckan.ini)
# ckanext.ldap.base_dn = dc=example,dc=com
# ckanext.ldap.search.filter = cn=*{login}*
# ckanext.ldap.username = cn
# ckanext.ldap.auth.dn = cn=read-only-admin,dc=example,dc=com
# ckanext.ldap.email = mail
# ckanext.ldap.auth.password = password
# ckanext.ldap.auth.method = SIMPLE
DB migration to be executed
ldap