Initial support for LDAP group based security.

This commit is contained in:
Ivan Filippov 2016-04-11 06:11:02 -06:00
parent 64531999f6
commit d417cfb8dc
3 changed files with 46 additions and 4 deletions


@ -53,6 +53,14 @@ Web application configuration is stored in `config.py` file. Let's clone it from
(flask)$ vim config.py (flask)$ vim config.py
``` ```
You can configure group based security by tweaking the below parameters in `config.py`. Groups membership comes from LDAP.
Setting `LDAP_GROUP_SECURITY` to True enables group-based security. With this enabled only members of the two groups listed below are allowed to login. Members of `LDAP_ADMIN_GROUP` will get the Administrator role and members of `LDAP_USER_GROUP` will get the User role. Sample config below:
```
LDAP_GROUP_SECURITY = True
LDAP_ADMIN_GROUP = 'CN=PowerDNS-Admin Admin,OU=Custom,DC=ivan,DC=local'
LDAP_USER_GROUP = 'CN=PowerDNS-Admin User,OU=Custom,DC=ivan,DC=local'
```
Create database after having proper configs Create database after having proper configs
``` ```
(flask)% ./createdb.py (flask)% ./createdb.py


@ -19,6 +19,9 @@ LDAP_USERNAME = app.config['LDAP_USERNAME']
LDAP_PASSWORD = app.config['LDAP_PASSWORD'] LDAP_PASSWORD = app.config['LDAP_PASSWORD']
LDAP_SEARCH_BASE = app.config['LDAP_SEARCH_BASE'] LDAP_SEARCH_BASE = app.config['LDAP_SEARCH_BASE']
LDAP_TYPE = app.config['LDAP_TYPE'] LDAP_TYPE = app.config['LDAP_TYPE']
LDAP_GROUP_SECURITY = app.config['LDAP_GROUP_SECURITY']
LDAP_ADMIN_GROUP = app.config['LDAP_ADMIN_GROUP']
LDAP_USER_GROUP = app.config['LDAP_USER_GROUP']
PDNS_STATS_URL = app.config['PDNS_STATS_URL'] PDNS_STATS_URL = app.config['PDNS_STATS_URL']
PDNS_API_KEY = app.config['PDNS_API_KEY'] PDNS_API_KEY = app.config['PDNS_API_KEY']
@ -172,6 +175,25 @@ class User(db.Model):
try: try:
ldap_username = result[0][0][0] ldap_username = result[0][0][0]
l.simple_bind_s(ldap_username, self.password) l.simple_bind_s(ldap_username, self.password)
if LDAP_GROUP_SECURITY:
try:
groupSearchFilter = "(&(objectcategory=group)(member=%s))" % ldap_username
groups = self.ldap_search(groupSearchFilter, LDAP_SEARCH_BASE)
allowedlogin = False
isadmin = False
for group in groups:
if (group[0][0] == LDAP_ADMIN_GROUP):
allowedlogin = True
isadmin = True
logging.info('User %s is part of the "%s" group that allows admin access to PowerDNS-Admin' % (self.username,LDAP_ADMIN_GROUP))
if (group[0][0] == LDAP_USER_GROUP):
allowedlogin = True
logging.info('User %s is part of the "%s" group that allows user access to PowerDNS-Admin' % (self.username,LDAP_USER_GROUP))
if allowedlogin == False:
logging.error('User %s is not part of the "%s" or "%s" groups that allow access to PowerDNS-Admin' % (self.username,LDAP_ADMIN_GROUP,LDAP_USER_GROUP))
return False
except:
logging.error('LDAP group lookup for user %s has failed' % self.username)
logging.info('User "%s" logged in successfully' % self.username) logging.info('User "%s" logged in successfully' % self.username)
# create user if not exist in the db # create user if not exist in the db
@ -185,17 +207,26 @@ class User(db.Model):
self.firstname = self.username self.firstname = self.username
self.lastname = '' self.lastname = ''
# first register user will be in Administrator role # first registered user will be in Administrator role or if part of LDAP Admin group
if User.query.count() == 0: if (User.query.count() == 0):
self.role_id = Role.query.filter_by(name='Administrator').first().id self.role_id = Role.query.filter_by(name='Administrator').first().id
else: else:
self.role_id = Role.query.filter_by(name='User').first().id self.role_id = Role.query.filter_by(name='User').first().id
#
if LDAP_GROUP_SECURITY:
if isadmin == True:
self.role_id = Role.query.filter_by(name='Administrator').first().id
self.create_user() self.create_user()
logging.info('Created user "%s" in the DB' % self.username) logging.info('Created user "%s" in the DB' % self.username)
else:
# user already exists in database, set their admin status based on group membership (if enabled)
if LDAP_GROUP_SECURITY:
self.set_admin(isadmin)
return True return True
except: except:
logging.error('User "%s" input a wrong password' % self.username) logging.error('User "%s" input a wrong password(stage2)' % self.username)
return False return False
else: else:
logging.error('Unsupported authentication method') logging.error('Unsupported authentication method')
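Review bot: The bare `except:` closing the group lookup (the block under `if LDAP_GROUP_SECURITY:` in the second hunk) only logs the failure and then falls through to the `logged in successfully` path, so a directory error or timeout inside `self.ldap_search` never reaches the `allowedlogin` check; the handler should fail closed, e.g. `except ldap.LDAPError: logging.error('LDAP group lookup for user %s has failed' % self.username); return False` (a bare `except:` also masks the NameError on `isadmin` that follows when the search itself raised, which the outer handler then reports as a wrong password). The filter `"(&(objectcategory=group)(member=%s))" % ldap_username` interpolates the DN unescaped; assuming python-ldap, which `simple_bind_s` suggests, wrapping it as `ldap.filter.escape_filter_chars(ldap_username)` (with `import ldap.filter`) keeps a DN containing `(`, `)`, `*` or `\` from breaking the filter. `objectcategory` is an Active Directory attribute, so with `LDAP_TYPE = 'ldap'` the search presumably returns no groups and every login is denied; that limitation is worth a comment on the filter line or a filter that depends on LDAP_TYPE. In the first hunk, `app.config['LDAP_GROUP_SECURITY']` raises KeyError at import time for config.py files that predate this commit; `app.config.get('LDAP_GROUP_SECURITY', False)` keeps them working. The enclosing method starts and ends outside the hunk.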


@ -27,6 +27,9 @@ LDAP_USERNAME = 'cn=dnsuser,ou=users,ou=services,dc=duykhanh,dc=me'
LDAP_PASSWORD = 'dnsuser' LDAP_PASSWORD = 'dnsuser'
LDAP_SEARCH_BASE = 'ou=System Admins,ou=People,dc=duykhanh,dc=me' LDAP_SEARCH_BASE = 'ou=System Admins,ou=People,dc=duykhanh,dc=me'
LDAP_TYPE = 'ldap' // or 'ad' LDAP_TYPE = 'ldap' // or 'ad'
LDAP_GROUP_SECURITY = False // or True
LDAP_ADMIN_GROUP = 'CN=PowerDNS-Admin Admin,OU=Custom,DC=ivan,DC=local'
LDAP_USER_GROUP = 'CN=PowerDNS-Admin User,OU=Custom,DC=ivan,DC=local'
# POWERDNS CONFIG # POWERDNS CONFIG
PDNS_STATS_URL = 'http://172.16.214.131:8081/' PDNS_STATS_URL = 'http://172.16.214.131:8081/'
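Review bot: `LDAP_GROUP_SECURITY = False // or True` copies the `//` comment style of the `LDAP_TYPE` line above it, but `//` is floor division in Python, so if this template is meant to be copied to config.py and imported the new line is a syntax error; `LDAP_GROUP_SECURITY = False  # or True` is the Python form (the inherited `LDAP_TYPE` line has the same problem). The two sample group DNs use a `DC=ivan,DC=local` suffix while every other sample value in the file uses `dc=duykhanh,dc=me`; reusing the file's existing example domain keeps the group entries consistent with the bind and search-base entries just above them.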