LDAP Integration ( https://github.com/retspen/webvirtcloud/issues/243 ) (#443)

* Added ldap support * Update * Added logging * Update * Working * Working * Working * Working * Check for ldap3 existence * Check for ldap3 existence * Check for ldap3 existence * Check for ldap3 existence * Check for ldap3 existence * Check for ldap3 existence * Check for ldap3 existence * Check for ldap3 existence * Check for ldap3 existence * Check for ldap3 existence * Add eol Co-authored-by: Kendar <unknown@kendar.org>
2024-11-01 03:54:15 +00:00 · 2021-06-02 08:46:12 +02:00 · 2021-06-02 08:46:12 +02:00 · e9b57bfcf7
commit e9b57bfcf7
parent a20fa8e8d7
5 changed files with 183 additions and 2 deletions
--- a/3
+++ b/3
@ -21,6 +21,9 @@ RUN apt-get update -qqy \
 	nginx \
 	pkg-config \
 	gcc \
+	libldap2-dev \
+	libssl-dev \
+	libsasl2-dev \
 	libsasl2-modules \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

--- a/README.md
+++ b/README.md
@ -57,7 +57,7 @@ print(''.join([random.SystemRandom().choice(haystack) for _ in range(50)]))
 ### Install WebVirtCloud panel (Ubuntu 18.04+ LTS)

 ```bash
-sudo apt-get -y install git virtualenv python3-virtualenv python3-dev python3-lxml libvirt-dev zlib1g-dev libxslt1-dev nginx supervisor libsasl2-modules gcc pkg-config python3-guestfs
+sudo apt-get -y install git virtualenv python3-virtualenv python3-dev python3-lxml libvirt-dev zlib1g-dev libxslt1-dev nginx supervisor libsasl2-modules gcc pkg-config python3-guestfs libsasl2-dev libldap2-dev libssl-dev
 git clone https://github.com/retspen/webvirtcloud
 cd webvirtcloud
 cp webvirtcloud/settings.py.template webvirtcloud/settings.py
@ -97,7 +97,7 @@ Go to http://serverip and you should see the login screen.

 ```bash
 sudo yum -y install epel-release
-sudo yum -y install python3-virtualenv python3-devel libvirt-devel glibc gcc nginx supervisor python3-lxml git python3-libguestfs iproute-tc cyrus-sasl-md5 python3-libguestfs
+sudo yum -y install python3-virtualenv python3-devel libvirt-devel glibc gcc nginx supervisor python3-lxml git python3-libguestfs iproute-tc cyrus-sasl-md5 python3-libguestfs libsasl2-dev libldap2-dev libssl-dev
 ```

 #### Creating directories and cloning repo
@ -380,6 +380,48 @@ Run tests
 python manage.py test
 ```

+## LDAP Configuration
+
+The example settings are based on an OpenLDAP server with groups defined as "cn" of class "groupOfUniqueNames"
+
+Enable LDAP
+
+```bash
+sudo sed -i "s/LDAP_ENABLED = False/LDAP_ENABLED = True/g"" /srv/webvirtcloud/webvirtcloud/settings.py
+```
+
+Set the LDAP server name and root DN
+
+```bash
+sudo sed -i "s/LDAP_URL = ''/LDAP_URL = 'myldap.server.com'/g"" /srv/webvirtcloud/webvirtcloud/settings.py
+sudo sed -i "s/LDAP_ROOT_DN = ''/LDAP_ROOT_DN = 'dc=server,dc=com'/g"" /srv/webvirtcloud/webvirtcloud/settings.py
+```
+
+Set the user that has browse access to LDAP and its password
+
+```bash
+sudo sed -i "s/LDAP_MASTER_DN = ''/LDAP_MASTER_DN = 'cn=admin,ou=users,dc=kendar,dc=org'/g"" /srv/webvirtcloud/webvirtcloud/settings.py
+sudo sed -i "s/LDAP_MASTER_PW = ''/LDAP_MASTER_PW = 'password'/g"" /srv/webvirtcloud/webvirtcloud/settings.py
+```
+
+Set the attribute that will be used to find the username, i usually use the cn
+
+```bash
+sudo sed -i "s/LDAP_USER_UID_PREFIX = ''/LDAP_USER_UID_PREFIX = 'cn'/g"" /srv/webvirtcloud/webvirtcloud/settings.py
+```
+
+You can now create the filters to retrieve the users for the various group. This will be used during the user creation only
+
+```bash
+sudo sed -i "s/LDAP_SEARCH_GROUP_FILTER_ADMINS = ''/LDAP_SEARCH_GROUP_FILTER_ADMINS = 'memberOf=cn=admins,dc=kendar,dc=org'/g"" /srv/webvirtcloud/webvirtcloud/settings.py
+sudo sed -i "s/LDAP_SEARCH_GROUP_FILTER_STAFF = ''/LDAP_SEARCH_GROUP_FILTER_STAFF = 'memberOf=cn=staff,dc=kendar,dc=org'/g"" /srv/webvirtcloud/webvirtcloud/settings.py
+sudo sed -i "s/LDAP_SEARCH_GROUP_FILTER_USERS = ''/LDAP_SEARCH_GROUP_FILTER_USERS = 'memberOf=cn=users,dc=kendar,dc=org'/g"" /srv/webvirtcloud/webvirtcloud/settings.py
+```
+
+Now when you login with an LDAP user it will be assigned the rights defined. The user will be authenticated then with ldap and authorized through the WebVirtCloud permissions.
+
+If you'd like to move a user from ldap to WebVirtCloud, just change its password from the UI and (eventually) remove from the group in ldap
+
 ## Screenshots

 Instance Detail:
--- a/conf/requirements.txt
+++ b/conf/requirements.txt
@ -12,3 +12,4 @@ qrcode==6.1
 rwlock==0.0.7
 websockify==0.9.0
 zipp==3.4.0
+ldap3==2.9.0
--- a/webvirtcloud/ldapbackend.py
+++ b/webvirtcloud/ldapbackend.py
@ -0,0 +1,113 @@
+from django.contrib.auth.backends import ModelBackend
+from django.contrib.auth.models import User
+from django.conf import settings
+from accounts.models import UserAttributes, UserInstance, UserSSHKey
+from django.contrib.auth.models import Permission
+from logs.models import Logs
+import uuid
+
+try:
+    from ldap3 import Server, Connection, ALL
+    #/srv/webvirtcloud/ldap/ldapbackend.py
+    class LdapAuthenticationBackend(ModelBackend):
+         
+         def get_LDAP_user(self, username, password, filterString):
+             print('get_LDAP_user')
+             try:
+                 server = Server(settings.LDAP_URL, port=settings.LDAP_PORT,
+                     use_ssl=settings.USE_SSL,get_info=ALL)
+                 connection = Connection(server,
+                                         settings.LDAP_MASTER_DN,
+                                         settings.LDAP_MASTER_PW, auto_bind=True)
+    
+                 connection.search(settings.LDAP_ROOT_DN, 
+                     '(&({attr}={login})({filter}))'.format(
+                         attr=settings.LDAP_USER_UID_PREFIX, 
+                         login=username,
+                         filter=filterString), attributes=['*'])
+    
+                 if len(connection.response) == 0:
+                     print('get_LDAP_user-no response')
+                     return None
+                 specificUser = connection.response[0]
+                 userDn = str(specificUser.get('raw_dn'),'utf-8')
+                 with Connection(server,
+                                         userDn,
+                                         password) as con:
+                     return username
+                 return None
+    
+         def authenticate(self, request, username=None, password=None, **kwargs):
+            if not settings.LDAP_ENABLED:
+                 return None
+            print("authenticate_ldap")
+            # Get the user information from the LDAP if he can be authenticated
+            isAdmin = False
+            isStaff = False
+            
+            if self.get_LDAP_user(username, password, settings.LDAP_SEARCH_GROUP_FILTER_ADMINS) is None:
+                 if self.get_LDAP_user(username, password, settings.LDAP_SEARCH_GROUP_FILTER_STAFF) is None:
+                      if self.get_LDAP_user(username, password, settings.LDAP_SEARCH_GROUP_FILTER_USERS) is None:
+                          return None
+                 else:
+                      isStaff = True
+            else:
+                 isAdmin = True
+                 isStaff = True
+    
+            try:
+                user = User.objects.get(username=username)
+                attributes = UserAttributes.objects.get(user=user)
+                # TODO VERIFY
+            except User.DoesNotExist:
+                print("authenticate-create new user")
+                user = User(username=username)
+                user.is_active = True
+                user.is_staff = isStaff
+                user.is_superuser = isAdmin
+                user.set_password(uuid.uuid4().hex)
+                user.save()
+                maxInstances = 1
+                maxCpus = 1
+                maxMemory = 128
+                maxDiskSize = 1
+                if isStaff:
+                    maxMemory = 2048
+                    maxDiskSize = 20
+                    permission = Permission.objects.get(codename='clone_instances')
+                    user.user_permissions.add(permission)
+                if isAdmin:
+                    maxInstances = -1
+                    maxCpus = -1
+                    maxMemory = -1
+                    maxDiskSize = -1
+                    permission = Permission.objects.get(codename='clone_instances')
+                    user.user_permissions.add(permission)
+                user.save()
+                UserAttributes.objects.create(
+                     user=user,
+                     max_instances=maxInstances,
+                     max_cpus=maxCpus,
+                     max_memory=maxMemory,
+                     max_disk_size=maxDiskSize,
+                )            
+                user.save()
+                
+                print("authenticate-user created")
+            return user
+    
+         def get_user(self, user_id):
+            if not settings.LDAP_ENABLED:
+                 return None
+            print("get_user_ldap")
+            try:
+                return User.objects.get(pk=user_id)
+            except User.DoesNotExist:
+                print("get_user-user not found")
+                return None
+except:
+    class LdapAuthenticationBackend(ModelBackend):
+        def authenticate(self, request, username=None, password=None, **kwargs):
+            return None
+        def get_user(self, user_id):
+            return None
--- a/webvirtcloud/settings.py.template
+++ b/webvirtcloud/settings.py.template
@ -95,6 +95,7 @@ DATABASES = {

 AUTHENTICATION_BACKENDS = [
    "django.contrib.auth.backends.ModelBackend",
+    "webvirtcloud.ldapbackend.LdapAuthenticationBackend",
 ]

 LOGIN_URL = "/accounts/login/"
@ -212,3 +213,24 @@ SHOW_PROFILE_EDIT_PASSWORD = True
 OTP_ENABLED = False

 LOGIN_REQUIRED_IGNORE_VIEW_NAMES = ["accounts:email_otp"]
+
+LDAP_ENABLED = False
+LDAP_URL = ''
+LDAP_PORT = 389
+USE_SSL = False
+## The user with search rights on ldap. (e.g cn=admin,dc=kendar,dc=org)
+LDAP_MASTER_DN = ''
+LDAP_MASTER_PW = ''
+## The root dn (e.g. dc=kendar,dc=org)
+LDAP_ROOT_DN = ''
+## Queries to identify the users, i use groupOfUniqueNames on openldap
+
+## e.g. memberOf=cn=admins,cn=staff,cn=webvirtcloud,ou=groups,dc=kendar,dc=org
+LDAP_SEARCH_GROUP_FILTER_ADMINS = ''
+## e.g. memberOf=cn=staff,cn=webvirtcloud,ou=groups,dc=kendar,dc=org
+LDAP_SEARCH_GROUP_FILTER_STAFF = ''
+## e.g. memberOf=cn=webvirtcloud,ou=groups,dc=kendar,dc=org
+LDAP_SEARCH_GROUP_FILTER_USERS = ''
+
+## The user name prefix to identify the user name (e.g. cn)
+LDAP_USER_UID_PREFIX = ''