LDAP Authentication for Pyramid Web Applications

Tags: python

This is a brain dump of the state of LDAP authentication for Pyramid web applications as best I can discern. Send corrections and additions my way.

The Pyramid docs reference, directly and indirectly, two ways of authenticating against an LDAP source.

repoze.who.plugins.ldap via repoze.who and pyramid_who

There’s no explicit mention of LDAP support in the pyramid_who documentation, but a search for “repoze.who ldap” comes up with the repoze.who.plugins.ldap module.

The last public commit on the repoze.who.plugins.ldap module was over three years ago on July 22, 2010, and the requirements listed for the development branch explicitly request versions of repoze.who greater than or equal to 1.0.6 and less than 2.0dev. The repoze.who library’s latest release is 2.2, so there’s probably a bit of work to bring the LDAP plugin into the present.

The other end of the requirements chain is pyramid_who itself. This is the glue layer that wires repoze.who into Pyramid web applications, and it was last updated on April 2, 2012. Not quite abandonware in the same way as the LDAP plugin, but the last two commit messages are “hail mary” and “endless-piss-me-the-!@#$-off”. It may still work, but I suspect it won’t be updated as Pyramid continues to evolve.

pyramid_ldap

Initial investigation looks promising for pyramid_ldap. It’s working for user authentication against our Unix LDAP directory and our MS Active Directory instances in the office.

A coworker had some trouble with group retrieval against our Active Directory, but that wasn’t the library’s fault. Our distinguished names look something like CN=Freund, Timothy,OU=Employees,DC=example,DC=com. That comma in our names is the tricky bit. I don’t see many references to escaping inline commas, so I suspect we’re in the minority for using CN in our distinguished names.

If you’re struggling with the same issue, here are two takes on it:

Bash, with ldapsearch:

ldapsearch -D my_service_account@example.com \
-w 'my_awesome_password' \
-h adhost01.example.com -p 3268 \
-s sub -b 'DC=nicusa,DC=com' \
'(&(objectCategory=group)(member=CN=Freund\\, Timothy,OU=Employees,DC=example,DC=com))'

Python:

# The double backslash gives us one backslash
# once Python's internal escaping mechanism runs,
# and that single backslash in front of 5C, the
# hex code for a backslash, ensures that the
# following comma is escaped in the LDAP query.
filter = '(&(objectCategory=group)(member=CN=Freund\\5C, Timothy,OU=Employees,DC=example,DC=com))'
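The hand-written `\5C` above is one instance of two general rules: RFC 4514 says a comma inside a DN attribute value is written `\,`, and RFC 4515 says a backslash inside a search-filter value is written `\5c`. Stack the two and you get exactly the filter in the post. The following is an added example that applies both rules for any value, not code from the post or from pyramid_ldap; the helper names (`escape_rdn_value`, `build_dn`, `escape_filter_value`, `group_filter`) are my own, and the DN is a constructed sample in the same shape as the one discussed.

```python
"""Escape DN components and search-filter values so an inline comma (or any
other special character) in a CN survives the trip into an LDAP filter.
Added example; not the post's code and not part of pyramid_ldap."""

# RFC 4514: characters that need a backslash inside a DN attribute value.
RDN_SPECIALS = ',+"\\<>;'

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for the string form of a DN (RFC 4514).

    Specials get a backslash anywhere; '#' and space also need one when
    leading, and space needs one when trailing.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in RDN_SPECIALS or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(*rdns):
    """Join (attribute, value) pairs into a DN string, escaping each value."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515).

    Run over a DN string this turns the RFC 4514 backslash in front of the
    comma into \\5c, which is what the post's Python filter spells by hand.
    It also neutralises '*', '(' and ')' if the value came from user input,
    so the filter structure cannot be altered by the value.
    """
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_filter(member_dn: str) -> str:
    """Filter that finds the groups a given member DN belongs to."""
    return f"(&(objectCategory=group)(member={escape_filter_value(member_dn)}))"


if __name__ == "__main__":
    # Constructed sample DN in the same shape as the one in the post.
    dn = build_dn(("CN", "Freund, Timothy"), ("OU", "Employees"),
                  ("DC", "example"), ("DC", "com"))
    print(dn)
    print(group_filter(dn))
```

Hex digits in RFC 4515 escapes are case-insensitive, so the `\5c` produced here and the `\5C` in the post are equivalent. If you already depend on python-ldap, `ldap.filter.escape_filter_chars` does the same filter-side escaping; the point of writing it out is to see that the group query only works when the DN is escaped twice, once as a DN and once as a filter value, and that the second pass is also what keeps an untrusted value from rewriting the filter.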

Django Authentication Using LDAP

LDAP authentication in Pyramid is the topic at hand. How does django-auth-ldap enter into the mix at all? Because the Django folks look like they have a really nice library for LDAP authentication.

The commit log is active.

The docs look comprehensive.

They are aware of the multitude of LDAP group schemas.

A cursory look at the project shows that the LDAP code is fairly well abstracted from the Django code. If pyramid_ldap lets you down, django-auth-ldap may be a great place to find a solution to your problem.