LDAP for openedx

Hello,
We have a running openedx on Kubernetes, managed by tutor, and we would like to add authentication via LDAP.
We would like to add python-ldap and django_auth_ldap
Any tips to perform that ?

Thanks !

I know this solution worked on the Eucalyptus release. You’ll have to try it out and implement it with a custom Python plugin for Tutor.

Hello,
Starting from @ak00001 answer, we managed to get LDAP authentication working, the proposed solution is for Eucalyptus and the code have changed a bit on juniper.
Following solution is tested on open-release/juniper.3

  • First, add following pip packages : libsasl2-dev python-dev libldap2-dev libssl-dev python-ldap django-auth-ldap, using a Tutor plugin or directly on the Makefile

  • Then, you need to add following configuration to you settings.py, on Kubernetes it’s the configmap lms-settings
    from django_auth_ldap.config import ldap
    from django_auth_ldap.config import LDAPSearch
    AUTH_LDAP_SERVER_URI = ‘ldap://server-domain’

    AUTH_LDAP_BIND_DN = ‘cn=yourbindcn,dc=xxxx,dc=yyy’

    AUTH_LDAP_BIND_PASSWORD = ‘mypassword’

    AUTH_LDAP_USER_SEARCH = LDAPSearch(
    ‘dc=xxxxx,dc=yyy’,
    ldap.SCOPE_SUBTREE,
    ‘(&(objectClass=yourUserClass)(mail=%(user)s))’,
    )

    AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_DEBUG_LEVEL: 1,
    ldap.OPT_REFERRALS: 0
    }

    Populate the Django user from the LDAP directory.

    AUTH_LDAP_USER_ATTR_MAP = {
    ‘username’: ‘mail’,
    ‘first_name’: ‘givenName’,
    ‘last_name’: ‘sn’,
    ‘email’: ‘mail’,
    }
    AUTHENTICATION_BACKENDS.append(‘django_auth_ldap.backend.LDAPBackend’)
    AUTHENTICATION_BACKENDS.append(‘django.contrib.auth.backends.ModelBackend’)
    AUTH_LDAP_ALWAYS_UPDATE_USER = True
    AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True

  • Finally, edit edx-platform/openedx/core/djangoapps/user_authn/login.py
    After :
    if not is_user_third_party_authenticated:
    possibly_authenticated_user = _authenticate_first_party(request, user, third_party_auth_requested)

add code :
if possibly_authenticated_user is None:
possibly_authenticated_user = authenticate(username=request.POST.get(‘email’), password=request.POST.get(‘password’), request=request)

we use request.POST.get(‘email’) since edx is trying to authenticate with username after getting the user by email.

and it’s all !

1 Like

Good day. I am using open edx (tutor) docker container. I want to add LDAP. Please tell me how to do this. Can it be done with a plugin or custom application. So that when updating, I don’t have to change the code.

Hello,
Yes you can do it via a tutor plugin, following steps on the post marked as solution, you gonna need to install the required pip packages and insert the LDAP configuration via the plugin.
For the final step, you gonna need to fork edx-platform from github, make the necessary changes to edx-platform/openedx/core/djangoapps/user_authn/login.py and change the repo link on makefile and rebuild the image.

PS: make sure you stay on the same release you used for first installation with Tutor.

Tell me more please, did I create the plugin correctly?

name: ldap
version: 0.1.0
patches:
openedx-lms-common-settings: |
  from django_auth_ldap.config import ldap
  from django_auth_ldap.config import LDAPSearch
  AUTH_LDAP_SERVER_URI = ''
  AUTH_LDAP_BIND_DN = 'CN=edx,OU=ServiceAccounts,DC=,DC='
  AUTH_LDAP_BIND_PASSWORD = ''
  AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'dc=,dc=',
     ldap.SCOPE_SUBTREE,
    '(&(objectClass=User)(mail=%(user)s))',
  )

   AUTH_LDAP_CONNECTION_OPTIONS = {
     ldap.OPT_DEBUG_LEVEL: 1,
     ldap.OPT_REFERRALS: 0
  }
openedx-lms-production-settings: |
  AUTH_LDAP_USER_ATTR_MAP = {
    'username': 'samaccountname',
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail',
  }
  AUTHENTICATION_BACKENDS.append('django_auth_ldap.backend.LDAPBackend')
  AUTHENTICATION_BACKENDS.append('django.contrib.auth.backends.ModelBackend')
  AUTH_LDAP_ALWAYS_UPDATE_USER = True
  AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True

Hello again,
I’m no expert on Tutor plugins, we made the changes directly on Kubernetes config maps.
Try to check existing plugins to see it fits. And how did you manage to install Python packages (python-ldap, django-auth-ldap,… )
Are you getting any specific error ? Did you change the login.py ?

Yes, I changed. There may be a problem with LDAP. Thanks.