Kallithea issues archive

Issue #78: "Manual activation of external account" not working for LDAP

Reported by: Denis Blanchette
State: resolved
Created on: 2015-01-22 22:56
Updated on: 2015-02-02 22:39

Description

We are currently considering a switch from Rhodecode 1.6.0 to Kallithea 0.1.

I set up the LDAP plugin. I went to Admin -> Permissions and set "External auth account activation" to "Manual activation of external account".

I log in with an Active Directory user that does not exist in the database yet and it goes to the main page. In Rhodecode 1.6.0 it would have stayed in the login page until an Administrator had activated the newly created account.

This could allow access to repositories to users in our company that have Active Directory accounts but are not allowed to see the code.

I set up default permissions to None, but it would be better to have users deactivated by default.

I tried the same scenario with an installation of Kallithea using the latest changeset in the default branch at the time of writing (bfc304687f1cb11b243f2bd157f7e782f50d196f).

Thank you very much for any help.

Comments

Comment by Mads Kiilerich, on 2015-01-22 23:04

A possible workaround / somewhat unrelated comment in that area:

You could/should configure the LDAP Search Filter to an LDAP group of users that are allowed access, such as:

(&(ObjectCategory=Person)(sAMAccountName=*)(|(memberof=CN-employees)(memberof=CN=kallitheausers,CN=users))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Comment by Denis Blanchette, on 2015-01-23 15:26

Thank you for this idea. Unfortunately, I was not able to get it working, and got the following error:

2015-01-23 10:01:15.467 ERROR [kallithea.lib.auth_modules.auth_ldap] Traceback (most recent call last):
  File "S:\Kallithea\Env\lib\site-packages\kallithea\lib\auth_modules\auth_ldap.py", line 330, in auth
    (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)
  File "S:\Kallithea\Env\lib\site-packages\kallithea\lib\auth_modules\auth_ldap.py", line 162, in authenticate_ldap
    raise LdapPasswordError()
LdapPasswordError

I checked the password several times. It works with all the same settings, but without a search filter. My filter is (&(objectCategory=Person)(sAMAccountName=*)(memberOf=OU=R&D,OU=TEST Users,OU=TEST,OU=ORG))

For the time being, I will make sure that the default user has no rights.
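The two filters above (the group-restricted one suggested as a workaround, and the one that failed to match) are built by hand. The following is an added example, not code from this issue or from Kallithea, that assembles the same kind of filter from a list of group DNs, escapes assertion values per RFC 4515, and sanity-checks parenthesis balance before the filter is pasted into the admin UI. The group DNs in the test are constructed placeholders.

```python
# Added example (not part of the Kallithea issue or the project's code): build a
# Kallithea-style LDAP search filter that limits login to enabled AD person
# accounts in an allow-list of groups, with RFC 4515 escaping and a balance check.

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape an LDAP assertion value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

# userAccountControl bit 2 = ACCOUNTDISABLE; the OID is AD's bitwise-AND matching rule.
_NOT_DISABLED = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

def build_group_filter(group_dns):
    """Allow only enabled person accounts that are members of any given group.

    group_dns: distinguished names of AD *groups*. memberOf holds group DNs,
    so an OU path (a container, not a group) will never match here.
    """
    if not group_dns:
        raise ValueError("at least one group DN is required")
    terms = "".join("(memberOf=%s)" % escape_filter_value(dn) for dn in group_dns)
    membership = terms if len(group_dns) == 1 else "(|%s)" % terms  # OR only if needed
    return "(&(objectCategory=Person)(sAMAccountName=*)%s%s)" % (membership, _NOT_DISABLED)

def filter_is_balanced(filter_text):
    """Check parentheses balance, skipping escaped sequences; catches truncated pastes."""
    depth = 0
    i = 0
    while i < len(filter_text):
        ch = filter_text[i]
        if ch == "\\":          # skip the backslash and its two hex digits
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:       # a close with no matching open
                return False
        i += 1
    return depth == 0
```

A filter that matches no entry for the logging-in user is indistinguishable, from the login page, from a wrong password, so test a new filter with ldapsearch against a known account before enabling it.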

Comment by Denis Blanchette, on 2015-01-23 16:10

Comment by Mads Kiilerich, on 2015-01-23 18:26

I don't know why the filter doesn't work for you. It is as if it finds the wrong user. You can perhaps experiment using ldapsearch.

Comment by Mads Kiilerich, on 2015-01-23 18:28

By the way: I can see you have been successful in getting it up and running on Windows. Please consider updating the documentation for Windows installation!

Comment by Denis Blanchette, on 2015-01-26 20:44

I will try to find some time to update the documentation.

Comment by Denis Blanchette, on 2015-02-02 22:39

@kiilerix I took the time to update the documentation for Windows over the weekend.

See my pull request https://bitbucket.org/conservancy/kallithea/pull-request/86/pull-request-update-windows-installation/diff

Comment by Denis Blanchette, on 2015-02-02 22:39

Resolved with pull request