[ckan-dev] Announce: LDAP auth plugin

Sean Hammond sean.hammond at okfn.org
Mon Jun 23 09:32:47 UTC 2014


> Hello,
> 
> We've implemented an LDAP auth plugin. Features include:
> 
> - Imports username, full name, email and description;
> - Can match against several LDAP fields (e.g. username or full name);
> - Allows LDAP-only authentication, or combining LDAP and basic 
> CKAN authentication;
> - Can add LDAP users to a given organization automatically;
> - Works with Active Directory.
> 
> https://github.com/NaturalHistoryMuseum/ckanext-ldap
> 
> I'm yet to write some tests (at which point we'll do an actual release) 
> but it's working well in our manual tests here :-)

This looks great!

I'm currently working on a very similar plugin:

https://github.com/ckan/ckanext-oauth2waad

It's also an auth plugin for WAAD, but for OAuth 2.0 not LDAP. I've
already written tests for it, so they might give you some ideas when you
come to writing your own tests (although a couple of my tests do some
heavy mocking and patching which is bad - the code could be refactored a
bit to avoid that).

I had a quick look over the ckanext-ldap code and it looks good to me; I
think you've got the approach exactly right.

It's interesting that you use a database table to map LDAP users to CKAN
users. I've always just implemented this mapping in logic. For example
in ckanext-persona I use the email address to uniquely identify the user
both in Persona and in CKAN and to connect the two. In
ckanext-oauth2waad I use the WAAD OIDs, which uniquely identify users in
WAAD, as the usernames in CKAN.

In both of my cases I felt the chances of a name conflict (where
there's a Persona or WAAD user with the same email address or OID as an
existing CKAN user who is not the same person) were small. Two different
people shouldn't have the same email address, and WAAD OIDs are these
long randomised strings so the chance of a conflict is small.

But I guess with LDAP this assumption doesn't hold?

Anyway I think that provides a good example of how to map users from
elsewhere to users in CKAN, in a situation where you can't simply match
up the usernames or email addresses and ignore the possibility of
conflicts.
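As an added illustration of the two mapping strategies discussed in this thread (this is example code written for this page, not code from ckanext-ldap, ckanext-oauth2waad or ckanext-persona): a small Python sketch of a persistent (provider, stable id) to local-user table that refuses to silently attach a not-yet-linked external identity to an existing local account, placed next to the email-as-identifier policy used with Persona. Everything here is hypothetical: `IdentityMapper`, `ExternalIdentity`, `LocalUser`, the provider labels "ldap" and "waad", and the constructed accounts and ids.

```python
"""Hypothetical identity-mapping sketch (added example, not a CKAN plugin's code).

An auth plugin learns (provider, stable subject id, username, email) at login and
must decide which local user that is. Keying the mapping on the provider's stable
id and recording it persistently means renames in the directory do not create
duplicate accounts, and an unlinked external identity that happens to share a
username or email with an existing local user is treated as a conflict rather
than being logged straight into that account.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class LocalUser:
    """Stand-in for a local (CKAN-style) account; constructed for this example."""
    name: str
    email: str


@dataclass(frozen=True)
class ExternalIdentity:
    """What the plugin learns from the provider after a successful login."""
    provider: str   # hypothetical label, e.g. "ldap" or "waad"
    subject: str    # provider's stable unique id (e.g. a WAAD OID or an LDAP entryUUID)
    username: str
    email: str


class IdentityConflict(Exception):
    """An unlinked external identity collides with an existing local account."""


class IdentityMapper:
    """In-memory version of the 'database table' approach; a real plugin would persist it."""

    def __init__(self, trust_email: bool = False) -> None:
        # trust_email=True reproduces the Persona-style policy: a matching email
        # address is taken as proof that it is the same person.
        self.trust_email = trust_email
        self.users: Dict[str, LocalUser] = {}                 # local name -> user
        self.links: Dict[Tuple[str, str], str] = {}           # (provider, subject) -> local name

    def add_local_user(self, name: str, email: str) -> LocalUser:
        user = LocalUser(name, email)
        self.users[name] = user
        return user

    def link(self, provider: str, subject: str, local_name: str) -> None:
        """Explicit (e.g. admin-confirmed) link of an external identity to a local user."""
        if local_name not in self.users:
            raise KeyError(local_name)
        self.links[(provider, subject)] = local_name

    def _find_by_email(self, email: str) -> Optional[LocalUser]:
        wanted = email.lower()
        return next((u for u in self.users.values() if u.email.lower() == wanted), None)

    def resolve(self, ident: ExternalIdentity) -> LocalUser:
        """Return the local user for this login, creating one only when nothing collides."""
        key = (ident.provider, ident.subject)
        if key in self.links:                       # already mapped: rename-proof lookup
            return self.users[self.links[key]]
        by_name = self.users.get(ident.username)
        by_email = self._find_by_email(ident.email)
        if by_email is not None and self.trust_email:
            self.links[key] = by_email.name         # email-as-identifier policy
            return by_email
        if by_name is not None or by_email is not None:
            # Table approach: never auto-attach to an existing account; leave it
            # to an explicit link() so a look-alike directory entry cannot
            # silently inherit a local user's permissions.
            raise IdentityConflict(f"{key} collides with local user "
                                   f"{(by_name or by_email).name!r}")
        user = self.add_local_user(ident.username, ident.email)
        self.links[key] = user.name
        return user


def demo() -> Dict[str, str]:
    """Run the scenarios discussed above on constructed data and return the outcomes."""
    out: Dict[str, str] = {}
    table = IdentityMapper()
    table.add_local_user("alice", "alice@example.org")       # pre-existing local account
    ldap_alice = ExternalIdentity("ldap", "entryuuid-1", "alice", "alice@example.org")
    try:
        table.resolve(ldap_alice)
        out["unlinked_collision"] = "linked"
    except IdentityConflict:
        out["unlinked_collision"] = "conflict"
    table.link("ldap", "entryuuid-1", "alice")                # explicit confirmation
    out["after_explicit_link"] = table.resolve(ldap_alice).name
    bob = ExternalIdentity("ldap", "entryuuid-2", "bob", "bob@example.org")
    out["new_user"] = table.resolve(bob).name
    renamed = ExternalIdentity("ldap", "entryuuid-2", "robert", "bob@example.org")
    out["renamed_in_directory"] = table.resolve(renamed).name  # same subject -> same user
    trusting = IdentityMapper(trust_email=True)
    trusting.add_local_user("alice", "alice@example.org")
    waad_alice = ExternalIdentity("waad", "oid-0001", "alice.w", "alice@example.org")
    out["email_trusting_policy"] = trusting.resolve(waad_alice).name
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The difference between the two policies is the `trust_email` switch: with it off, a collision on username or email is surfaced as `IdentityConflict` and only an explicit `link()` joins the accounts; with it on, the email address is the identity, which is the assumption the thread says is reasonable for Persona or WAAD but may not hold for an arbitrary LDAP directory.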
