LDAP based user authentication
1. How it works
The LDAP auth module of MoinMoin enables single-sign-on (SSO) - assuming you already have a LDAP directory with your users, passwords, email adresses. On Linux this could be some OpenLDAP server, on a Windows server (usually the domain controller) this is called "Active Directory" (short: AD).
It works like this:
- User enters his name and password via moin's login action and clicks on the login button.
- On login, ldap_login auth module checks username/password against LDAP.
If username/password is ok for LDAP, it creates or updates a user profile with values from ldap (name, alias, email) and creates a user object in the MoinMoin process, then it hands over to the next auth module...
- If username/password is not ok for LDAP, it vetoes the login and aborts the chain of login modules.
- Usually, you want to use moin_session as the final auth module to establish the session with the user. It uses a cookie to keep the session and create the user object on all subsequent non-login requests.
You need to install python-ldap module (and everything it depends on, see its documentation).
You need an LDAP or AD server.
3. Configuring LDAP authentication
Put this into your wiki config (indented in the same way as the other settings there):
from MoinMoin.auth.ldap_login import ldap_login from MoinMoin.auth import moin_session auth = [ldap_login, moin_session] import ldap ldap_uri = 'ldap://ad.example.org' # ldap / active directory server URI # We can either use some fixed user and password for binding to LDAP. # Be careful if you need a % char in those strings - as they are used as # a format string, you have to write %% to get a single % in the end. #ldap_binddn = 'firstname.lastname@example.org' #ldap_bindpw = 'secret' # Also, if your OpenLDAP is for samba 3 or another model of domain controller # auth backend, you need add as binddn and bindpw your rootdn chain (Manager # or any other) and respective password. #ldap_binddn = 'cn=Manager,dc=example,dc=org' #ldap_bindpw = 'secret' # or we can use the username and password we got from the user: ldap_binddn = '%(username)email@example.com' # DN we use for first bind (AD) #ldap_binddn = 'cn=admin,dc=example,dc=org' # DN we use for first bind (OpenLDAP) ldap_bindpw = '%(password)s' # password we use for first bind ldap_base = 'ou=SOMEUNIT,dc=example,dc=org' # base DN we use for searching ldap_scope = ldap.SCOPE_SUBTREE # scope of the search we do ldap_filter = '(sAMAccountName=%(username)s)' # ldap filter used for searching # for openLDAP in domain controller, the ldap_filter need a change: #ldap_filter = '(uid=%(username)s)' # ldap filter used for ldap in samba domain controller # you can also do more complex filtering like: # "(&(cn=%(username)s)(memberOf=CN=WikiUsers,OU=Groups,DC=example,DC=org))" ldap_givenname_attribute = 'givenName' # ldap attribute we get the first name from ldap_surname_attribute = 'sn' # ldap attribute we get the family name from ldap_aliasname_attribute = 'displayName' # ldap attribute we get the aliasname from ldap_email_attribute = 'mail' # ldap attribute we get the email address from ldap_email_callback = None # the function that is called with a dict as the first argument that provides LDAP data. the function has to return the e-mail address that was generated from the dict input ldap_coding = 'utf-8' # coding used for ldap queries and result values ldap_timeout = 10 # how long we wait for the ldap server [s] ldap_verbose = True # if True, put lots of LDAP debug info into the log cookie_lifetime = 1 # 1 hour after last access ldap login is required again user_autocreate = True # we don't allow the user to change those values on UserPreferences page user_form_disable = ['name', 'aliasname', 'email', ] # we remove those fields as they are not used for ldap based logins user_form_remove = ['password', 'password2', ]
MoinMoin support does not know your LDAP server setup, so please follow these steps before asking for help:
Use ldap_verbose and look into your log file1.
- Verify your settings and your user/password by e.g. using ldapsearch to query your LDAP server.
As long as you don't manage talking to your LDAP server with such a tool, you don't need to try with MoinMoin.
- Ask the administrator of your LDAP/AD server for help / for correct settings.
Maybe look into MoinMoin/auth/ldap_login.py, if you can debug or fix your problem there.
Only ask MoinMoin support if you successfully used ldapsearch (or some similar tool) and you double checked your wiki config and it does still not work with moin.
this file is into your wiki data dir (1)