Store Password and Set Admin #17

Open
benyanke opened this issue Aug 15, 2018 · 8 comments
Labels
enhancement New feature or request help wanted Extra attention is needed pinned

Comments

@benyanke
Contributor

Currently, LDAP users can't use the Django admin panel (/admin). Is there an option, or could there be, to store users' passwords, and perhaps even the ability to specify an LDAP query for admin?

@madmath03
Member

madmath03 commented Aug 25, 2018

Actually, it is possible for LDAP users to access the Django admin panel, but the LDAP user must be a "super user":

  • go to Django admin panel with any admin (super user) account
  • go to Users, and edit the user's "super user" check box

It is currently not possible to set a super user directly from LDAP, but that is one of the items discussed in #15.
We can keep this issue open to address how the super users could be managed from LDAP.

As a reminder, the proposal was to set an LDAP Taiga administration group:

# Taiga super users group id
LDAP_GROUP_ADMIN = 'OU=TaigaAdmin,DC=example,DC=net'

Every time a user connects with the specified group, they are automatically set as a super user.

Would that seem like a proper solution for you?

@GryphonWorx

GryphonWorx commented Aug 25, 2018

I think that would be a good solution, at least for us. Would save a lot of headaches.

@benyanke
Contributor Author

That would also be a great solution - I agree that would make our life much easier.

I'd consider allowing a raw LDAP query instead of / in addition to a group. Some places it's easier than others to adjust LDAP structure and groups, and a query (with an example for how to query group membership) would offer the most flexibility.

@madmath03
Member

madmath03 commented Mar 14, 2019

For information, following this issue and #21, I finally had the time to implement saving the LDAP password to the DB, thus allowing LDAP users to log in to the admin console (if they were previously set as super user).

Though I'm still not comfortable enough to develop a full "Admin Group" functionality by myself (I'm not really a Python developer 😅), it's a little step toward that goal.

A new release with that functionality is available on PyPI.

@madmath03 madmath03 added enhancement New feature or request help wanted Extra attention is needed labels Mar 14, 2019
@stale

stale bot commented Jun 17, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix This will not be worked on label Jun 17, 2019
@madmath03 madmath03 added pinned and removed wontfix This will not be worked on labels Jun 17, 2019
@madmath03 madmath03 pinned this issue Jun 17, 2019
@a-ts
Contributor

a-ts commented May 17, 2021

I implemented something that solves this issue for the combination posixGroup and memberUid. Some refactoring was also required to avoid replicating code.
Please let me know if it makes sense to create a pull request for this rather limited solution. If some input is provided (and it does not take too much time) I could try to make it more generally applicable.
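
The admin-group idea discussed above (the `LDAP_GROUP_ADMIN` proposal, the raw-query suggestion, and the posixGroup/memberUid case), sketched as an added example that is not code from the plugin or from any participant. The function names, the `User` stand-in and the sample entries are hypothetical; no LDAP client is called, the search result is passed in.

```python
# Added illustration, not code from taiga-contrib-ldap-auth-ext.
# LDAP_GROUP_ADMIN is the value proposed in the thread; everything else
# (function names, User stand-in, sample entries) is hypothetical.
from dataclasses import dataclass

LDAP_GROUP_ADMIN = "OU=TaigaAdmin,DC=example,DC=net"


@dataclass
class User:  # stand-in for the Django user model
    username: str
    is_superuser: bool = False


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def admin_group_search(username: str) -> tuple:
    """Return (search base, filter) for admin posixGroups listing this uid.

    The login name is user input, so it is escaped before it enters the filter.
    """
    flt = "(&(objectClass=posixGroup)(memberUid=%s))" % escape_filter_value(username)
    return LDAP_GROUP_ADMIN, flt


def sync_superuser(user: User, entries: list) -> bool:
    """Set the flag from the search result at each login; True if it changed.

    Membership is re-checked with an exact match, and the flag is revoked
    when the uid is no longer listed, so removal in LDAP takes effect.
    """
    is_admin = any(user.username in e.get("memberUid", []) for e in entries)
    changed = user.is_superuser != is_admin
    user.is_superuser = is_admin
    return changed


# Constructed sample: entries a search under LDAP_GROUP_ADMIN might return.
SAMPLE_ENTRIES = [
    {"dn": "CN=admins,OU=TaigaAdmin,DC=example,DC=net", "memberUid": ["alice", "bob"]}
]
```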

@madmath03
Member

Hi @a-ts

Thank you very much for offering a Pull Request. I do think it's a good idea to send a PR. We can work together to make it more generic after that.

@dsalgueiror

From what I have been able to test, the same thing happens to me in our installation migrated from Taiga 5 to the latest version of 6: the authentication works well for Taiga, but the login process updates or modifies the password value in the users table, and this prevents access to the Django admin because the encryption is different; it expects data of the type pbkdf2_sha256$xxxxxxxxx. When using the password recovery option and setting it manually, the data saved in the DB is correct, but once I log in to Taiga again it is modified.

I'm using the taiga-contrib-ldap-auth-ext plugin and it supposedly has an option to disable this behavior via LDAP_SAVE_LOGIN_PASSWORD = False, but it doesn't work. In addition to this being the case, I understand that the Django admin would not be using LDAP validation but rather the one stored at that moment in the DB.

Greetings!!
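
A way to check which rows of the users table hold a value in the `pbkdf2_sha256$...` layout mentioned in the comment above, as an added example that is not code from Taiga, the plugin, or any participant. It assumes Django's default PBKDF2-SHA256 hasher; the helper names and sample rows are hypothetical and constructed.

```python
# Added illustration, not code from Taiga or the plugin. Helper names are
# hypothetical and the sample rows are constructed.
import base64
import hashlib
import hmac


def encode_pbkdf2_sha256(password: str, salt: str, iterations: int) -> str:
    """Build 'pbkdf2_sha256$<iterations>$<salt>$<base64 digest>'."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    b64 = base64.b64encode(digest).decode("ascii")
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, b64)


def classify(stored: str) -> str:
    """Say whether a stored password value is in the expected hash layout."""
    if not stored or stored.startswith("!"):  # "!" prefix marks an unusable password
        return "unusable"
    parts = stored.split("$")
    if (len(parts) == 4 and parts[0] == "pbkdf2_sha256"
            and parts[1].isascii() and parts[1].isdigit() and int(parts[1]) > 0):
        return "pbkdf2_sha256"
    return "unrecognized"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; constant-time compare."""
    if classify(stored) != "pbkdf2_sha256":
        return False
    _, iterations, salt, _ = stored.split("$")
    expected = encode_pbkdf2_sha256(password, salt, int(iterations))
    return hmac.compare_digest(expected.encode(), stored.encode())


def audit(rows: dict) -> list:
    """Return the usernames whose stored value is not in the expected layout."""
    return sorted(u for u, v in rows.items() if classify(v) != "pbkdf2_sha256")


# Constructed rows (username -> password column). The low iteration count
# only keeps the demo fast; it is not a recommended setting.
SAMPLE_ROWS = {
    "alice": encode_pbkdf2_sha256("correct horse", "c2FsdA", 1000),
    "bob": "not-a-django-hash",
    "carol": "!",
}
```

Running `audit` over an export of the users table before and after an LDAP login shows whether the login rewrote the column into a value the admin login cannot check.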
