Better TurboGears LDAP authentication

TurboGears doesn’t have built-in LDAP authentication. This is annoying. I couldn’t get soldapprovider.py as provided from the TurboGears identity recipes page to work out of the box for my project (validate_password() was never getting called), and I wanted it to use my LDAP directory for more than just password validation, so I wrote my own soldapprovider.py, starting from the TurboGears soprovider.py. Unlike the original soldapprovider.py, mine only uses SQLObjects for storing user-visit associations. Everything else, including user object attributes, group memberships, and permissions, is pulled from the LDAP directory.

In the case of this project, the users and groups are set up as in RFC 2307. Users have a structural object class of inetOrgPerson and some extra attributes from a custom auxiliary class, which, if present, will be set as attributes on the user object. Attributes, group memberships, and permissions are read once, when the user object is instantiated inside load_identity() or validate_identity(). The key identity.soldapprovider.user_safe_attrs selects which attributes are used, and how they’re transformed. As is, the key’s default value is a mapping of names to functions, so this might not be ready for external configuration through TurboGears .conf files, which look sort of like Python code but aren’t.

Permissions are implemented as groupOfNames objects and named with cn attributes. My directory only uses two permissions: can_modify_account, for users that are trusted to change their own passwords and edit their own contact info, and admin_powers, which is exactly what it sounds like. These two were set up so I could use them in ACLs in slapd.conf, which doesn’t support more complicated user-to-group mappings. I’m not entirely sure how permissions differ from groups in TurboGears other than in name, but this usage works for my app.
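As an added illustration of the two paragraphs above (this is not the post's soldapprovider.py), here is how a provider can map raw LDAP search results onto a user object under the RFC 2307 layout described: a whitelist of safe attributes with per-attribute transforms, group membership from posixGroup memberUid values, and permissions from groupOfNames member DNs. It assumes python-ldap's result shape, a list of (dn, {attr: [bytes, ...]}) tuples, and uses constructed directory entries in place of a live search_s() so it runs offline. The attribute names in USER_SAFE_ATTRS and the escape_filter helper are my choices for the example, not the post's configuration.

```python
# Added example: mapping LDAP search results onto a user object for a
# TurboGears-style identity provider. Not the post's soldapprovider.py.
# Assumes the RFC 2307 layout from the post (posixGroup/memberUid for
# groups, groupOfNames/member for permissions) and python-ldap's result
# shape: a list of (dn, {attr: [bytes, ...]}) tuples. The entries at the
# bottom are constructed sample data standing in for conn.search_s().

def escape_filter(value):
    """RFC 4515 escaping for a value interpolated into a search filter.
    Does the same job as ldap.filter.escape_filter_chars in python-ldap,
    reimplemented so the example has no dependencies. Without it a login
    name like '*)(uid=*' rewrites the filter instead of matching a uid."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(uid):
    """Search filter for the account with the given uid."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter(uid)


def first_str(values):
    """LDAP attribute values arrive as lists of bytes; take the first as text."""
    return values[0].decode("utf-8")


# Whitelist of attributes copied onto the user object and how each one is
# transformed. Anything not listed (userPassword, for instance) never
# reaches the application object. Illustrative names, not the post's config.
USER_SAFE_ATTRS = {
    "uid": first_str,
    "cn": first_str,
    "mail": first_str,
    "uidNumber": lambda values: int(first_str(values)),
}


def normalize_dn(dn):
    """Simplified DN comparison: lower-case and strip spaces around commas.
    Full DN matching (RFC 4517) is more involved; this suffices for a demo."""
    return ",".join(part.strip().lower() for part in dn.split(","))


class LdapUser(object):
    def __init__(self, dn, attrs, group_entries, perm_entries):
        self.dn = dn
        for name, transform in USER_SAFE_ATTRS.items():
            if name in attrs:
                setattr(self, name, transform(attrs[name]))
        uid = attrs["uid"][0]
        # RFC 2307: a posixGroup lists its members by uid in memberUid.
        self.groups = set(first_str(g["cn"]) for _, g in group_entries
                          if uid in g.get("memberUid", []))
        # Permissions are groupOfNames objects whose member values are DNs.
        mine = normalize_dn(dn)
        self.permissions = set(first_str(p["cn"]) for _, p in perm_entries
                               if any(normalize_dn(m.decode("utf-8")) == mine
                                      for m in p.get("member", [])))


def load_identity(uid, user_entries, group_entries, perm_entries):
    """Resolve a login name to an LdapUser, or None unless exactly one
    entry matches. Stands in for search_s(base, SCOPE_SUBTREE, user_filter(uid))."""
    wanted = [uid.encode("utf-8")]
    hits = [(dn, a) for dn, a in user_entries if a.get("uid") == wanted]
    if len(hits) != 1:
        return None
    dn, attrs = hits[0]
    return LdapUser(dn, attrs, group_entries, perm_entries)


# Constructed sample directory content (not real data).
SAMPLE_USERS = [
    ("uid=alice,ou=people,dc=example,dc=com", {
        "objectClass": [b"inetOrgPerson", b"posixAccount"],
        "uid": [b"alice"], "cn": [b"Alice Example"],
        "mail": [b"alice@example.com"], "uidNumber": [b"1001"],
        "userPassword": [b"{SSHA}not-for-the-application"],
    }),
]
SAMPLE_GROUPS = [
    ("cn=developers,ou=groups,dc=example,dc=com", {
        "objectClass": [b"posixGroup"], "cn": [b"developers"],
        "gidNumber": [b"2001"], "memberUid": [b"alice", b"bob"],
    }),
]
SAMPLE_PERMISSIONS = [
    ("cn=can_modify_account,ou=permissions,dc=example,dc=com", {
        "objectClass": [b"groupOfNames"], "cn": [b"can_modify_account"],
        "member": [b"uid=alice, ou=people, dc=example, dc=com"],
    }),
    ("cn=admin_powers,ou=permissions,dc=example,dc=com", {
        "objectClass": [b"groupOfNames"], "cn": [b"admin_powers"],
        "member": [b"uid=bob,ou=people,dc=example,dc=com"],
    }),
]

if __name__ == "__main__":
    u = load_identity("alice", SAMPLE_USERS, SAMPLE_GROUPS, SAMPLE_PERMISSIONS)
    print(u.cn, u.uidNumber, sorted(u.groups), sorted(u.permissions))
    print(user_filter("*)(uid=*"))
```

Two things worth noting about the design. The whitelist is what makes "safe attrs" safe: the user object only ever carries what the mapping names, so userPassword and anything else the auxiliary class happens to hold stays in the directory layer. And the login name goes through filter escaping before it is interpolated into the search filter, because the same characters that build LDAP filters are legal in form input.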

***

update:

This was written for TurboGears 1.0 and is no longer relevant, but I fixed a broken link to my soldapprovider.py anyway. All new development should be using TurboGears 2.0, which uses repoze for authentication and supports LDAP through repoze.