
Passing unicode parameters to LDAP library #168


Comments

@stephane-martin
Contributor

Hello,

the LDAP parameters come from a JSON file, so in python 2 they are parsed as "unicode" strings. The LDAP library that realms use for LDAP auth does not accept unicode for parameter names :(

Please see: ContinuumIO/flask-ldap-login#26
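An added example (not code from realms-wiki or flask-ldap-login) of the coercion this report calls for: every text string that `json.loads()` produces (unicode on Python 2) is recursively encoded to a byte string before the config reaches a bytes-only LDAP API, while booleans and integers such as START_TLS and OPT_PROTOCOL_VERSION keep their JSON types. `to_bytes_config` and `load_ldap_config` are assumed helper names, and the sample config is constructed from the one posted later in this thread with secrets replaced by placeholders.

```python
import json
import sys

# json.loads() yields text (unicode on Python 2, str on Python 3); the LDAP
# library behind realms-wiki's auth wanted byte strings for DNs, filters and
# option names, which is the mismatch described in this issue.
PY2 = sys.version_info[0] == 2
TEXT = unicode if PY2 else str  # noqa: F821 - 'unicode' exists only on Python 2


def to_bytes_config(obj, encoding="utf-8"):
    """Recursively encode every text string (dict keys and values) to bytes."""
    if isinstance(obj, TEXT):
        return obj.encode(encoding)
    if isinstance(obj, dict):
        return {to_bytes_config(k, encoding): to_bytes_config(v, encoding)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [to_bytes_config(v, encoding) for v in obj]
    return obj  # bool, int, float, None: leave exactly as parsed


def load_ldap_config(json_text):
    """Parse a realms-wiki style JSON config and return its LDAP block with
    all text coerced to bytes, ready for a bytes-only LDAP client."""
    config = json.loads(json_text)
    if "LDAP" not in config:
        raise KeyError("config has no LDAP section")
    return to_bytes_config(config["LDAP"])


# Constructed sample modelled on the config posted in this thread
# (assumed values; password replaced by a placeholder).
SAMPLE_JSON = u"""{
    "ALLOW_ANON": false,
    "LDAP": {
        "URI": "ldap://ldap.example.com:389",
        "BIND_DN": "cn=realms,ou=dsa,dc=example,dc=com",
        "BIND_AUTH": "PLACEHOLDER_PASSWORD",
        "START_TLS": true,
        "KEY_MAP": {"username": "uid", "email": "mail"},
        "OPTIONS": {"OPT_PROTOCOL_VERSION": 3}
    }
}"""

if __name__ == "__main__":
    ldap_cfg = load_ldap_config(SAMPLE_JSON)
    for key, value in sorted(ldap_cfg.items()):
        print(key, type(value).__name__, value)
```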

@theodotos

Hi, same here.

I applied the patch suggested above. Now I get "Invalid LDAP Credentials" and "Form Invalid":

screenshot from 2016-09-21 08-14-15

@stephane-martin
Contributor Author

Probably means that your LDAP configuration is not working.

Which version of realms-wiki are you using?
Can you post your realms-wiki config file? (masking passwords of course)

@theodotos

theodotos commented Sep 21, 2016

I have verified my LDAP setup using ldapsearch:

ldapsearch -ZZ -x -D cn=realms,ou=dsa,dc=example,dc=com -W -b "ou=people,dc=example,dc=com" -H ldap://ldap.example.com

It works and returns all the objects in "ou=people,dc=example,dc=com"

Using the same credential in realms-wiki.json:

root@wiki-test:~# cat /etc/realms-wiki/realms-wiki.json 
{
    "ALLOW_ANON": false,
    "BASE_URL": "http://wiki-test.example.com",
    "DB_URI": "sqlite:////var/lib/realms/db/wiki.db",
    "PORT": 5000,
    "REGISTRATION_ENABLED": true,
    "SEARCH_TYPE": "simple",
    "SECRET_KEY": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "SITE_TITLE": "Example Wiki",
    "WIKI_PATH": "/var/lib/realms/data",

    "LDAP": {
        "URI": "ldap://ldap.example.com:389",
        "BIND_DN": "cn=realms,ou=dsa,dc=example,dc=com",
        "BIND_AUTH": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "START_TLS": true,
        "KEY_MAP": {
            "username": "uid",
            "email": "mail"},
        "OPTIONS": {
            "OPT_PROTOCOL_VERSION": 3}
    }
}

I have verified my credentials on other ldap services and they are correct. I have tried both the username and the complete email address as the login but no luck.

@stephane-martin
Contributor Author

  • it looks like you're trying to use the "bind search" method

see https://github.com/ContinuumIO/flask-ldap-login/blob/master/examples/bind_search.py

but there is no 'USER_SEARCH' option to tell the ldap client where to find the users.

maybe 'USER_SEARCH': {'base': 'ou=people,dc=example,dc=com', 'filter': 'uid=%(username)s'}

  • START_TLS is always tricky, as different python versions have different behaviour for the certificate validation.

@theodotos

A million thanks @stephane-martin! LDAP is working fine now. STARTTLS too.

But now the editor broke :(

I will use the relevant issue (#169) for that.

@stephane-martin
Contributor Author

yes it's better to expose realms at the root of the domain, some things break when you try to install in /somesubdir

@stephane-martin
Contributor Author

by the way I have a current pull request to get rid of flask-ldap-login, so that LDAP authentication becomes python3 compatible. Expect LDAP configuration to change a bit in future versions.

@theodotos

That would be great! I spent endless hours trying to figure out what's going on and this will ease the pain in future deployments :).
