From 4e46c950552cc285ccc891a1c6a95f466196ccec Mon Sep 17 00:00:00 2001 From: hanancha Date: Fri, 20 Nov 2020 09:29:14 -0800 Subject: [PATCH 01/22] Removing doc section that references LDAP auth backend as a future release. --- docs/source/authentication.rst | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 0535479f4..16d262548 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst @@ -134,16 +134,6 @@ The following is a list of auth backends for the community edition to help get t * `Flat File `_ * `OpenStack Keystone `_ -LDAP (Enterprise Edition) -------------------------- -.. note:: - - Prior to StackStorm 3.3, Extreme Networks provided a commercial version(Extreme Workflow Composer) of the StackStorm automation platform including an LDAP auth backend. - -Extreme Workflow Composer was donated to Linux Foundation, but those components are not yet integrated into the StackStorm release. Please visit https://stackstorm.com/2020/05/27/extreme-networks-donates-ewc-to-linux-foundation/ for more details. - - These components are NOT available in the StackStorm 3.3 release, but will be integrated into the community edition of StackStorm in future release(s). - LDAP ^^^^ The LDAP backend authenticates the user against an LDAP server. The following is a list of From adb9ab59640a67833111bc23d0dfdfc4aa3c256e Mon Sep 17 00:00:00 2001 From: hanancha Date: Fri, 20 Nov 2020 09:35:37 -0800 Subject: [PATCH 02/22] Adding libldap2-dev libsasl2-dev to fix failed tests --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 3976775d5..0034ba5e1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,8 @@ FROM ubuntu RUN apt-get -qq update && apt-get -q install -y \ git \ python-dev python-pip python-virtualenv \ - libffi-dev libssl-dev + libffi-dev libssl-dev \ + libldap2-dev libsasl2-dev ADD . /st2docs WORKDIR /st2docs 
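Review bot: the `LDAP` heading at the end of the first hunk keeps its `^^^^` underline, which was one level below the `----` underline of the `LDAP (Enterprise Edition)` heading that this hunk removes; with the parent gone, `LDAP` now renders as a subsection of whatever section precedes it rather than as a peer of the other backends. Underline it with `----` in the same commit so the series never has a mis-levelled heading. Dropping the note also removes the only sentence that told readers where the LDAP backend now comes from; a one-line pointer to the st2-auth-ldap repository would keep that information.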
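Review bot: the `libldap2-dev libsasl2-dev` added to the Dockerfile hunk are the headers python-ldap needs to compile, so they belong with the other `-dev` packages, but the failing job the subject refers to runs in CircleCI, whose own `sudo apt install python-dev` step in `.circleci/config.yml` does not get the same packages; the Dockerfile change alone will not fix that test failure.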
From f97d3a5e97a3932c251fe7e99b3c76cd7864fb10 Mon Sep 17 00:00:00 2001 From: hanancha Date: Fri, 20 Nov 2020 09:49:25 -0800 Subject: [PATCH 03/22] iAttempting to fix CircleCI tests --- .circleci/config.yml | 2 ++ Dockerfile | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 52a9319c7..b29563f0e 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -13,6 +13,8 @@ jobs: - restore_cache: key: v2-dependency-cache-{{ checksum "st2/requirements.txt" }} - run: sudo apt install python-dev + - run: sudo apt install libldap2-dev + - run: sudo apt install libsasl2-dev - run: make docs - run: name: Store HTML docs in workspace dir diff --git a/Dockerfile b/Dockerfile index 0034ba5e1..3976775d5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,8 +3,7 @@ FROM ubuntu RUN apt-get -qq update && apt-get -q install -y \ git \ python-dev python-pip python-virtualenv \ - libffi-dev libssl-dev \ - libldap2-dev libsasl2-dev + libffi-dev libssl-dev ADD . /st2docs WORKDIR /st2docs From 56dd4c448b684be1b612361ba61499cc9f31d9f9 Mon Sep 17 00:00:00 2001 From: hanancha Date: Fri, 20 Nov 2020 10:20:44 -0800 Subject: [PATCH 04/22] Adding ldap dependencies to README.md for manual builds. --- README.md | 4 ++-- docs/source/authentication.rst | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 88daa5f29..85cfa9719 100644 --- a/README.md +++ b/README.md @@ -28,9 +28,9 @@ Follows these steps to build the docs locally: Install the dependencies: -For Debian/Ubuntu: ``sudo apt-get install libpython-dev libssl-dev`` +For Debian/Ubuntu: ``sudo apt-get install libpython-dev libssl-dev libldap2-dev libsasl2-dev`` -For RHEL/CentOS: `` sudo yum install python-devel openssl-devel gcc`` +For RHEL/CentOS: `` sudo yum install python-devel openssl-devel gcc libldap2-dev libsasl2-dev`` ```bash git clone https://github.com/StackStorm/st2docs.git 
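Review bot: the two new `sudo apt install` steps in the `.circleci/config.yml` hunk run without `-y`, so apt will abort at its confirmation prompt whenever extra dependencies are pulled in and stdin is not a terminal; fold them into the existing step as `sudo apt-get install -y python-dev libldap2-dev libsasl2-dev` (`apt-get` rather than `apt`, which warns that its CLI is not stable for scripts). The Dockerfile hunk reverts the packages added in the previous commit without saying why; if the Docker build is still a supported way to build the docs it will fail on python-ldap the same way CI did. The subject line also has a stray leading `i` (`iAttempting`).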
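Review bot: `libldap2-dev` and `libsasl2-dev` on the RHEL/CentOS line of the README hunk are Debian package names and do not exist in the RHEL repositories, so the `sudo yum install ...` command as written will fail; the RHEL counterparts are `openldap-devel` and `cyrus-sasl-devel`. The Debian line is correct.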
diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 16d262548..5d16dd6b3 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst @@ -135,7 +135,8 @@ The following is a list of auth backends for the community edition to help get t * `OpenStack Keystone `_ LDAP -^^^^ +---- + The LDAP backend authenticates the user against an LDAP server. The following is a list of configuration options for the backend: From bffc8c878bce1db82016b813f8d9599eeac6914e Mon Sep 17 00:00:00 2001 From: hanancha Date: Mon, 30 Nov 2020 11:17:25 -0800 Subject: [PATCH 05/22] Updating docs to reflect the actual https://github.com/stackstorm/st2-auth-ldap repository documentation and parameters. --- README.md | 4 +- docs/source/authentication.rst | 75 +++++++++++++++++++++++++--------- 2 files changed, 58 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 85cfa9719..dd477421f 100644 --- a/README.md +++ b/README.md @@ -28,9 +28,9 @@ Follows these steps to build the docs locally: Install the dependencies: -For Debian/Ubuntu: ``sudo apt-get install libpython-dev libssl-dev libldap2-dev libsasl2-dev`` +For Debian/Ubuntu: ``sudo apt-get install python-dev libssl-dev libldap2-dev libsasl2-dev ldap-utils`` -For RHEL/CentOS: `` sudo yum install python-devel openssl-devel gcc libldap2-dev libsasl2-dev`` +For RHEL/CentOS: `` sudo dnf install python2-devel python3-devel openldap-devel`` ```bash git clone https://github.com/StackStorm/st2docs.git diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 5d16dd6b3..51acb9816 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst 
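Review bot: the `^^^^` to `----` change in the authentication.rst hunk is the heading-level fix the first commit of this series needed; squash it into that commit so no intermediate revision builds with `LDAP` demoted to a subsection.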
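Review bot: the Debian and RHEL lines in the README hunk no longer say the same thing: the Debian line keeps `libssl-dev` and adds `ldap-utils` (the `ldapsearch`/`ldapwhoami` CLI tools, not a build dependency of python-ldap), while the RHEL line drops the `gcc` and `openssl-devel` it had before. Keep the two lists equivalent, and if `ldap-utils` is being recommended as a troubleshooting aid, say so. `dnf` is also not available on CentOS 7; `yum` works on both 7 and 8.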
@@ -141,41 +141,61 @@ The LDAP backend authenticates the user against an LDAP server. The following is configuration options for the backend: +-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ -| option | required | default | description | +| option | required | default | description | +=++==============+==========+=========+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=======================================================+ -| bind_dn | yes | | DN of the service account to bind with the LDAP server | +| bind_dn | yes | | DN of the service account to bind with the LDAP server | +-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ -| bind_password | yes | | Password of the service account | +| bind_password | yes | | Password of the service account | +-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ -| base_ou | yes | | Base OU to search for user and group entries | +| base_ou | yes | | Base OU to search for user and group entries | +-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ -| group_dns | yes | | Which groups user must be member of to be granted access | +| group_dns | yes | | Which groups user must be member of to be granted access | +-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ -| group_dns_check | no | and | What kind of check to perform when validating user group membership (``and`` / ``or``). 
When ``and`` behavior is used, user | -| | | | needs to be part of all the specified groups and when ``or`` behavior is used, user needs to be part of at least one or more | -| | | | of the specified groups. | +| group_dns_check | no | and | What kind of check to perform when validating user group membership (``and`` / ``or``). When ``and`` behavior is used, user | +| | | | needs to be part of all the specified groups and when ``or`` behavior is used, user needs to be part of at least one or more | +| | | | of the specified groups. | +-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ -| host | yes | | Hostname of the LDAP server | +| host | yes | | Hostname of the LDAP server | +-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ -| port | yes | | Port of the LDAP server | +| port | yes | | Port of the LDAP server | +-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ -| use_ssl | no | false | Use LDAPS to connect | +| use_ssl | no | false | Use LDAPS to connect | +-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ -| use_tls | no | false | Start TLS on LDAP to connect | +| use_tls | no | false | Start TLS on LDAP to connect | +-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ -| cacert | no | None | Path to the CA cert used to validate certificate | +| cacert | no | None | Path to the CA cert used to validate certificate | 
+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ -| id_attr | no | uid | Field name of the user ID attribute | +| id_attr | no | uid | Field name of the user ID attribute | +-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ -| scope | no | subtree | Search scope (base, onelevel, or subtree) | +| account_pattern | no | {id_attr}= | LDAP subtree pattern to match user. The user's username is escaped and interpolated into this string (see example). | +| | | {{username}} | | +-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ -| network_timeout | no | 10.0 | Timeout for network operations (in seconds) | +| group_pattern | no | (|(& | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see | +| | | (objectClass=*)| example). | +| | | (|(member= | | +| | | {user_dn}) | | +| | | (uniqueMember= | | +| | | {user_dn}) | | +| | | (memberUid= | | +| | | {username})))) | | +-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ -| chase_referrals | no | false | True if the referrals should be automatically chased within the underlying LDAP C lib | +| scope | no | subtree | Search scope (base, onelevel, or subtree) | +-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ -| debug | no | false | Enable debug mode. 
When debug mode is enabled all the calls (including the results) to LDAP server are logged | +| network_timeout | no | 10.0 | Timeout for network operations (in seconds) | +-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ -| client_options | no | | A dictionary with additional Python LDAP client options which can be passed to ``set_connection()`` method | +| chase_referrals | no | false | True if the referrals should be automatically chased within the underlying LDAP C lib | ++-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ +| debug | no | false | Enable debug mode. When debug mode is enabled all the calls (including the results) to LDAP server are logged | ++-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ +| client_options | no | | A dictionary with additional Python LDAP client options which can be passed to ``set_connection()`` method | ++-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ +| cache_user_groups_response | no | true | When true, LDAP user groups response is cached for 120 seconds (by default) in memory. This decreases load on LDAP server | +| | | | and increases performance when remote LDAP group to RBAC role sync is enabled and / or when the same user authenticates | +| | | | concurrency in a short time frame. Keep in mind that even when this feature is enabled, single (authenticate) request to | +| | | | LDAP server will still be performed when user authenticates to st2auth - authentication information is not cached - only | +| | | | user groups are cached. 
| ++-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ +| cache_user_groups_ttl | no | 120 | How long (in seconds) | +-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ .. note:: @@ -202,6 +222,23 @@ The following is a sample auth section for the LDAP backend in the st2 config fi api_url = http://myhost.example.com:9101/ debug = False +If your LDAP server uses a different name for the user ID attribute, you can simply specify the id_attr configuration option. + +.. sourcecode:: ini + + [auth] + mode = standalone + backend = ldap + backend_kwargs = {"bind_dn": "CN=st2admin,ou=users,dc=example,dc=com", "bind_password": "foobar123", "base_ou": "dc=example,dc=com", "id_attr": "username", "group_dns": ["CN=st2users,ou=groups,dc=example,dc=com", "CN=st2developers,ou=groups,dc=example,dc=com"], "host": "identity.example.com", "port": 636, "use_ssl": true, "cacert": "/path/to/cacert.pem"} + enable = True + use_ssl = True + cert = /path/to/mycert.crt + key = /path/to/mycert.key + logging = /etc/st2/logging.auth.conf + api_url = http://myhost.example.com:9101/ + debug = False + + This will need customization for your environment - e.g. the LDAP server to bind to, and the ``cert`` and ``key`` paths if you are using SSL. Running the Service From 5d7bcfe6d03d61220d3139164f2e9eee94bb93a4 Mon Sep 17 00:00:00 2001 From: hanancha Date: Mon, 30 Nov 2020 11:27:59 -0800 Subject: [PATCH 06/22] Fixing malformed table --- docs/source/authentication.rst | 44 +++++++++++++++++----------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 51acb9816..7834733f4 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst 
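Review bot: the new rows in the table hunk (`@@ -141,41 +141,61`) break the grid table: `{id_attr}=` / `{{username}}` and the multi-line `group_pattern` filter overflow the 9-character `default` column, and `cache_user_groups_response` / `cache_user_groups_ttl` overflow the 17-character `option` column, so the `|` separators no longer line up with the `+` corners and docutils will reject the whole table as malformed (the two follow-up commits confirm this). The `cache_user_groups_ttl` description stops at "How long (in seconds)"; finish it, e.g. "How long (in seconds) the user groups response is cached". In `cache_user_groups_response`, "concurrency" should be "concurrently". Both `account_pattern` and `group_pattern` say "(see example)" but no example for either is added anywhere in this patch. Since these two values are LDAP filter templates into which user-supplied text is interpolated, it is worth one explicit sentence that the backend escapes `username` and `user_dn` before substitution (filter injection is otherwise the obvious risk) and that operators should not pre-build them from user input. Finally, the `use_ssl` / `use_tls` / `cacert` rows do not say whether the server certificate is verified when `cacert` is left at `None`; an operator needs that to know whether an LDAPS connection without `cacert` authenticates the server at all.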
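Review bot: `id_attr` in the new intro sentence of the second hunk (`@@ -202,6 +222,23`) should be in double backticks like the other option names. The sample repeats the entire `[auth]` section when only `backend_kwargs` differs from the sample directly above it; stating that the only change is `"id_attr": "username"` would be easier to compare. As the table points readers to an example for `account_pattern` and `group_pattern`, this is the natural place to show one. As in the existing sample, `bind_password` sits in plain text in st2.conf, so a reminder that the file must be readable only by the account running st2auth would fit here.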
@@ -140,36 +140,36 @@ LDAP The LDAP backend authenticates the user against an LDAP server. The following is a list of configuration options for the backend: -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | option | required | default | description | -+=++==============+==========+=========+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=======================================================+ ++=++==============+==========+=========+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++==========================================================================+ | bind_dn | yes | | DN of the service account to bind with the LDAP server | -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | bind_password | yes | | Password of the service account | -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | base_ou | yes | | Base OU to search for user and group entries | 
-+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | group_dns | yes | | Which groups user must be member of to be granted access | -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | group_dns_check | no | and | What kind of check to perform when validating user group membership (``and`` / ``or``). When ``and`` behavior is used, user | | | | | needs to be part of all the specified groups and when ``or`` behavior is used, user needs to be part of at least one or more | | | | | of the specified groups. 
| -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | host | yes | | Hostname of the LDAP server | -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | port | yes | | Port of the LDAP server | -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | use_ssl | no | false | Use LDAPS to connect | -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | use_tls | no | false | Start TLS on LDAP to connect | -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ 
++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | cacert | no | None | Path to the CA cert used to validate certificate | -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | id_attr | no | uid | Field name of the user ID attribute | -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | account_pattern | no | {id_attr}= | LDAP subtree pattern to match user. The user's username is escaped and interpolated into this string (see example). | | | | {{username}} | | -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | group_pattern | no | (|(& | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see | | | | (objectClass=*)| example). | | | | (|(member= | | 
@@ -178,25 +178,25 @@ configuration options for the backend: | | | {user_dn}) | | | | | (memberUid= | | | | | {username})))) | | -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | scope | no | subtree | Search scope (base, onelevel, or subtree) | -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | network_timeout | no | 10.0 | Timeout for network operations (in seconds) | -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | chase_referrals | no | false | True if the referrals should be automatically chased within the underlying LDAP C lib | -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | debug | no | false | Enable debug mode. 
When debug mode is enabled all the calls (including the results) to LDAP server are logged | -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | client_options | no | | A dictionary with additional Python LDAP client options which can be passed to ``set_connection()`` method | -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | cache_user_groups_response | no | true | When true, LDAP user groups response is cached for 120 seconds (by default) in memory. This decreases load on LDAP server | | | | | and increases performance when remote LDAP group to RBAC role sync is enabled and / or when the same user authenticates | | | | | concurrency in a short time frame. Keep in mind that even when this feature is enabled, single (authenticate) request to | | | | | LDAP server will still be performed when user authenticates to st2auth - authentication information is not cached - only | | | | | user groups are cached. 
| -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ | cache_user_groups_ttl | no | 120 | How long (in seconds) | -+-----------------+----------+---------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ .. note:: From 03e3664620141abb909e12346c95117c533d410d Mon Sep 17 00:00:00 2001 From: hanancha Date: Mon, 30 Nov 2020 11:43:40 -0800 Subject: [PATCH 07/22] Fixing malformed table --- docs/source/authentication.rst | 114 ++++++++++++++++----------------- 1 file changed, 57 insertions(+), 57 deletions(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 7834733f4..9e9be77b4 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst 
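Review bot: only the `+---` border rows and the `+===` header separator are widened in both hunks of this patch (`@@ -140` and `@@ -178`); every `| ... |` content row keeps its old width, so the right-hand `|` of each cell row now ends well to the left of the `+` corners and the table is still malformed. The content rows must be padded to the new width, or, better, the `option` and `default` columns widened to fit the values that actually overflow (`cache_user_groups_response`, `{{username}}`, the `group_pattern` filter lines), which is what the next commit does. The `cache_user_groups_ttl` description still reads only "How long (in seconds)".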
@@ -140,63 +140,63 @@ LDAP The LDAP backend authenticates the user against an LDAP server. The following is a list of configuration options for the backend: -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| option | required | default | description | -+=++==============+==========+=========+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++==========================================================================+ -| bind_dn | yes | | DN of the service account to bind with the LDAP server | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| bind_password | yes | | Password of the service account | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| base_ou | yes | | Base OU to search for user and group entries | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| group_dns | yes | | Which groups user must be member of to be granted access | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| group_dns_check | no | and | What kind of check to perform when validating user group membership (``and`` / ``or``). When ``and`` behavior is used, user | -| | | | needs to be part of all the specified groups and when ``or`` behavior is used, user needs to be part of at least one or more | -| | | | of the specified groups. 
| -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| host | yes | | Hostname of the LDAP server | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| port | yes | | Port of the LDAP server | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| use_ssl | no | false | Use LDAPS to connect | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| use_tls | no | false | Start TLS on LDAP to connect | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| cacert | no | None | Path to the CA cert used to validate certificate | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| id_attr | no | uid | Field name of the user ID attribute | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| account_pattern | no | {id_attr}= | LDAP subtree pattern to match user. The user's username is escaped and interpolated into this string (see example). 
| -| | | {{username}} | | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| group_pattern | no | (|(& | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see | -| | | (objectClass=*)| example). | -| | | (|(member= | | -| | | {user_dn}) | | -| | | (uniqueMember= | | -| | | {user_dn}) | | -| | | (memberUid= | | -| | | {username})))) | | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| scope | no | subtree | Search scope (base, onelevel, or subtree) | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| network_timeout | no | 10.0 | Timeout for network operations (in seconds) | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| chase_referrals | no | false | True if the referrals should be automatically chased within the underlying LDAP C lib | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| debug | no | false | Enable debug mode. 
When debug mode is enabled all the calls (including the results) to LDAP server are logged | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| client_options | no | | A dictionary with additional Python LDAP client options which can be passed to ``set_connection()`` method | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| cache_user_groups_response | no | true | When true, LDAP user groups response is cached for 120 seconds (by default) in memory. This decreases load on LDAP server | -| | | | and increases performance when remote LDAP group to RBAC role sync is enabled and / or when the same user authenticates | -| | | | concurrency in a short time frame. Keep in mind that even when this feature is enabled, single (authenticate) request to | -| | | | LDAP server will still be performed when user authenticates to st2auth - authentication information is not cached - only | -| | | | user groups are cached. 
| -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ -| cache_user_groups_ttl | no | 120 | How long (in seconds) | -+-----------------+----------+---------+---------------------------------------------------------------------------------------------------------------------------------------------------+ ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| option | required | default | description | ++=++==========================+==========+=================+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=======================================================+ +| bind_dn | yes | | DN of the service account to bind with the LDAP server | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| bind_password | yes | | Password of the service account | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| base_ou | yes | | Base OU to search for user and group entries | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| group_dns | yes | | Which groups user must be member of to be granted access | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| group_dns_check | no | and | What kind of check to perform when 
validating user group membership (``and`` / ``or``). When ``and`` behavior is used, user | +| | | | needs to be part of all the specified groups and when ``or`` behavior is used, user needs to be part of at least one or more | +| | | | of the specified groups. | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| host | yes | | Hostname of the LDAP server | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| port | yes | | Port of the LDAP server | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| use_ssl | no | false | Use LDAPS to connect | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| use_tls | no | false | Start TLS on LDAP to connect | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| cacert | no | None | Path to the CA cert used to validate certificate | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| id_attr | no | uid | Field name of the user ID attribute | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| account_pattern | no | {id_attr}= | LDAP subtree pattern to 
match user. The user's username is escaped and interpolated into this string (see example). | +| | | {{username}} | | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| group_pattern | no | (|(& | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see | +| | | (objectClass=\*)| example). | +| | | (|(member= | | +| | | {user_dn}) | | +| | | (uniqueMember= | | +| | | {user_dn}) | | +| | | (memberUid= | | +| | | {username})))) | | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| scope | no | subtree | Search scope (base, onelevel, or subtree) | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| network_timeout | no | 10.0 | Timeout for network operations (in seconds) | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| chase_referrals | no | false | True if the referrals should be automatically chased within the underlying LDAP C lib | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| debug | no | false | Enable debug mode. 
When debug mode is enabled all the calls (including the results) to LDAP server are logged | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| client_options | no | | A dictionary with additional Python LDAP client options which can be passed to ``set_connection()`` method | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| cache_user_groups_response | no | true | When true, LDAP user groups response is cached for 120 seconds (by default) in memory. This decreases load on LDAP server | +| | | | and increases performance when remote LDAP group to RBAC role sync is enabled and / or when the same user authenticates | +| | | | concurrency in a short time frame. Keep in mind that even when this feature is enabled, single (authenticate) request to | +| | | | LDAP server will still be performed when user authenticates to st2auth - authentication information is not cached - only | +| | | | user groups are cached. | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ +| cache_user_groups_ttl | no | 120 | How long (in seconds) | ++-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ .. note:: From f789d8ace4fdc4fc42a93b42235eab8c148b8f0a Mon Sep 17 00:00:00 2001 From: hanancha Date: Mon, 30 Nov 2020 11:48:06 -0800 Subject: [PATCH 08/22] Fixing malformed table --- docs/source/authentication.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
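Review bot: in the table hunk above, the new `cache_user_groups_ttl` row's description stops at "How long (in seconds)"; finish the sentence (for example "How long (in seconds) the user groups response is cached") so it matches the 120-second default quoted in the `cache_user_groups_response` row. Two smaller points on the same table: the `group_dns_check` text "at least one or more of the specified groups" can be just "at least one of the specified groups", and the `group_pattern` default contains two `|` characters (`(|(&` and `(|(member=`), each preceded by `(` and followed by non-whitespace, which is exactly the shape of an RST substitution-reference start-string; escape them as `\|` (or put the whole filter in a double-backtick inline literal) and pad the cell to keep the column aligned, rather than touching the `*`.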
diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 9e9be77b4..7285109fd 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst @@ -171,7 +171,7 @@ configuration options for the backend: | | | {{username}} | | +-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ | group_pattern | no | (|(& | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see | -| | | (objectClass=\*)| example). | +| | | (objectClass=*) | example). | | | | (|(member= | | | | | {user_dn}) | | | | | (uniqueMember= | | From 830e13b98a3f5ade7ff0e53ac78c28e28a034c1b Mon Sep 17 00:00:00 2001 From: hanancha Date: Mon, 30 Nov 2020 12:01:14 -0800 Subject: [PATCH 09/22] Fixing malformed table --- docs/source/authentication.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 7285109fd..b1efaf8f0 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst 
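Review bot: changing `(objectClass=\*)` back to `(objectClass=*)` only realigns the column; the `*` in this cell is preceded by `=`, which is not one of the characters RST permits in front of an emphasis start-string, so it was never interpreted as markup and neither the backslash nor its removal changes how docutils parses the cell. The unbalanced `|` characters in the same default are what need escaping, so this hunk is a round trip rather than a fix.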
@@ -170,8 +170,8 @@ configuration options for the backend: | account_pattern | no | {id_attr}= | LDAP subtree pattern to match user. The user's username is escaped and interpolated into this string (see example). | | | | {{username}} | | +-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| group_pattern | no | (|(& | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see | -| | | (objectClass=*) | example). | +| group_pattern | no | (|(& | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see | +| | | | example). | | | | (|(member= | | | | | {user_dn}) | | | | | (uniqueMember= | | From 93999bfd33c02ce97eb2319414fc61a4ddab1222 Mon Sep 17 00:00:00 2001 From: hanancha Date: Mon, 30 Nov 2020 12:08:09 -0800 Subject: [PATCH 10/22] Fixing malformed table --- docs/source/authentication.rst | 114 ++++++++++++++++----------------- 1 file changed, 57 insertions(+), 57 deletions(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index b1efaf8f0..e55276f2e 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst 
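Review bot: dropping `(objectClass=*)` from the `group_pattern` default leaves the documented filter reading `(|(&` followed directly by `(|(member=`, which is not the default the removed lines documented and will mislead anyone copying it into a config; this line is not the one that fails to parse, so keep it and escape the `|` characters on the neighbouring lines instead.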
@@ -140,63 +140,63 @@ LDAP The LDAP backend authenticates the user against an LDAP server. The following is a list of configuration options for the backend: -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| option | required | default | description | -+=++==========================+==========+=================+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=======================================================+ -| bind_dn | yes | | DN of the service account to bind with the LDAP server | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| bind_password | yes | | Password of the service account | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| base_ou | yes | | Base OU to search for user and group entries | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| group_dns | yes | | Which groups user must be member of to be granted access | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| group_dns_check | no | and | What kind of check to perform when validating user group membership (``and`` / ``or``). When ``and`` behavior is used, user | -| | | | needs to be part of all the specified groups and when ``or`` behavior is used, user needs to be part of at least one or more | -| | | | of the specified groups. 
| -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| host | yes | | Hostname of the LDAP server | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| port | yes | | Port of the LDAP server | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| use_ssl | no | false | Use LDAPS to connect | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| use_tls | no | false | Start TLS on LDAP to connect | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| cacert | no | None | Path to the CA cert used to validate certificate | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| id_attr | no | uid | Field name of the user ID attribute | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| account_pattern | no | {id_attr}= | LDAP subtree pattern to match user. The user's username is escaped and interpolated into this string (see example). 
| -| | | {{username}} | | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| group_pattern | no | (|(& | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see | -| | | | example). | -| | | (|(member= | | -| | | {user_dn}) | | -| | | (uniqueMember= | | -| | | {user_dn}) | | -| | | (memberUid= | | -| | | {username})))) | | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| scope | no | subtree | Search scope (base, onelevel, or subtree) | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| network_timeout | no | 10.0 | Timeout for network operations (in seconds) | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| chase_referrals | no | false | True if the referrals should be automatically chased within the underlying LDAP C lib | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| debug | no | false | Enable debug mode. 
When debug mode is enabled all the calls (including the results) to LDAP server are logged | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| client_options | no | | A dictionary with additional Python LDAP client options which can be passed to ``set_connection()`` method | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| cache_user_groups_response | no | true | When true, LDAP user groups response is cached for 120 seconds (by default) in memory. This decreases load on LDAP server | -| | | | and increases performance when remote LDAP group to RBAC role sync is enabled and / or when the same user authenticates | -| | | | concurrency in a short time frame. Keep in mind that even when this feature is enabled, single (authenticate) request to | -| | | | LDAP server will still be performed when user authenticates to st2auth - authentication information is not cached - only | -| | | | user groups are cached. 
| -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ -| cache_user_groups_ttl | no | 120 | How long (in seconds) | -+-----------------------------+----------+-----------------+--------------------------------------------------------------------------------------------------------------------------------+ ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| option | required | default | description | ++=++==========================+==========+=================+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=================================================================+ +| bind_dn | yes | | DN of the service account to bind with the LDAP server | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| bind_password | yes | | Password of the service account | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| base_ou | yes | | Base OU to search for user and group entries | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| group_dns | yes | | Which groups user must be member of to be granted access | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| 
group_dns_check | no | and | What kind of check to perform when validating user group membership (``and`` / ``or``). When ``and`` behavior is used, user | +| | | | needs to be part of all the specified groups and when ``or`` behavior is used, user needs to be part of at least one or more | +| | | | of the specified groups. | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| host | yes | | Hostname of the LDAP server | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| port | yes | | Port of the LDAP server | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| use_ssl | no | false | Use LDAPS to connect | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| use_tls | no | false | Start TLS on LDAP to connect | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| cacert | no | None | Path to the CA cert used to validate certificate | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| id_attr | no | uid | Field name of the user ID attribute | 
++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| account_pattern | no | {id_attr}= | LDAP subtree pattern to match user. The user's username is escaped and interpolated into this string (see example). | +| | | {{username}} | | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| group_pattern | no | (|(& | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see example.) | +| | | (objectClass=*) | | +| | | (|(member= | | +| | | {user_dn}) | | +| | | (uniqueMember= | | +| | | {user_dn}) | | +| | | (memberUid= | | +| | | {username})))) | | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| scope | no | subtree | Search scope (base, onelevel, or subtree) | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| network_timeout | no | 10.0 | Timeout for network operations (in seconds) | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| chase_referrals | no | false | True if the referrals should be automatically chased within the underlying LDAP C lib | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| debug | 
no | false | Enable debug mode. When debug mode is enabled all the calls (including the results) to LDAP server are logged | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| client_options | no | | A dictionary with additional Python LDAP client options which can be passed to ``set_connection()`` method | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| cache_user_groups_response | no | true | When true, LDAP user groups response is cached for 120 seconds (by default) in memory. This decreases load on LDAP server | +| | | | and increases performance when remote LDAP group to RBAC role sync is enabled and / or when the same user authenticates | +| | | | concurrency in a short time frame. Keep in mind that even when this feature is enabled, single (authenticate) request to | +| | | | LDAP server will still be performed when user authenticates to st2auth - authentication information is not cached - only | +| | | | user groups are cached. | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| cache_user_groups_ttl | no | 120 | How long (in seconds) | ++-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ .. note:: From 9aa15a2a6c20b96561aeae5c473c1454534953e5 Mon Sep 17 00:00:00 2001 
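Review bot: in this rewrite of the table the `use_ssl` and `use_tls` rows both default to `false` and `cacert` to `None`, so a deployment that keeps the defaults performs the `bind_dn`/`bind_password` service-account bind and every user authentication over plaintext LDAP with no server certificate validation; add a sentence (in the table or in the `.. note::` that follows) stating that production setups should enable one of `use_ssl`/`use_tls` and set `cacert` to the CA that issued the server certificate. Also, the header separator row `+=++===...+=====+++++...` still carries `+` characters at positions that are not column boundaries; even if docutils tolerates them, use a clean `+====+` row, and in the `group_pattern` description "(see example.)" should read "(see example)." as in the `account_pattern` row.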
From: hanancha Date: Mon, 30 Nov 2020 13:02:12 -0800 Subject: [PATCH 11/22] Fixing /home/circleci/project/docs/source/authentication.rst:174:Inline substitution_reference start-string without end-string. --- docs/source/authentication.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index e55276f2e..4a2075a56 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst @@ -171,7 +171,7 @@ configuration options for the backend: | | | {{username}} | | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ | group_pattern | no | (|(& | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see example.) | -| | | (objectClass=*) | | +| | | (objectClass=\*) | | | | | (|(member= | | | | | {user_dn}) | | | | | (uniqueMember= | | From e596a6e82c4aadce1906a38d2c267ef9867440ec Mon Sep 17 00:00:00 2001 From: hanancha Date: Mon, 30 Nov 2020 13:09:29 -0800 Subject: [PATCH 12/22] Fixing malformed table --- docs/source/authentication.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 4a2075a56..63b26d14f 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst 
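Review bot: the replacement line `| | | (objectClass=\*) | |` is one character wider than the rest of the table, so the column boundary no longer lines up (which the next patch then has to repair), and the escape targets the wrong character: the error quoted in the subject is a `substitution_reference` start-string, which is docutils' name for `|...|` markup, not for `*` emphasis. Escaping the `|` in `(|(&` and `(|(member=` as `\|`, with the cells repadded to the column width, addresses the reported error; the `*` can stay as it is.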
@@ -171,7 +171,7 @@ configuration options for the backend: | | | {{username}} | | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ | group_pattern | no | (|(& | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see example.) | -| | | (objectClass=\*) | | +| | | (objectClass=\*)| | | | | (|(member= | | | | | {user_dn}) | | | | | (uniqueMember= | | From a83fa954e19df21673f4394e6b90491f40c31ca4 Mon Sep 17 00:00:00 2001 From: hanancha Date: Mon, 30 Nov 2020 13:19:51 -0800 Subject: [PATCH 13/22] Fixing malformed table --- docs/source/authentication.rst | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 63b26d14f..8133d3b75 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst 
@@ -170,14 +170,14 @@ configuration options for the backend: | account_pattern | no | {id_attr}= | LDAP subtree pattern to match user. The user's username is escaped and interpolated into this string (see example). | | | | {{username}} | | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| group_pattern | no | (|(& | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see example.) | -| | | (objectClass=\*)| | -| | | (|(member= | | -| | | {user_dn}) | | -| | | (uniqueMember= | | -| | | {user_dn}) | | -| | | (memberUid= | | -| | | {username})))) | | +| group_pattern | no | | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see example.) | +| | | | | +| | | | | +| | | | | +| | | | | +| | | | | +| | | | | +| | | | | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ | scope | no | subtree | Search scope (base, onelevel, or subtree) | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ From acc542ba5aa3c7fa001ca63a3116eff1105b8488 Mon Sep 17 00:00:00 2001 From: hanancha Date: Mon, 30 Nov 2020 13:29:22 -0800 Subject: [PATCH 14/22] Fixing malformed table --- docs/source/authentication.rst | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 8133d3b75..1e1cbb892 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst 
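Review bot: blanking the whole `group_pattern` default removes the only place the docs showed the filter the backend searches with, so readers now see an empty default for a setting that has a non-empty one; keep the value from the removed lines and escape its two `|` characters with a backslash (or wrap the filter in a double-backtick inline literal), which is the minimal change that lets the cell parse.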
@@ -151,7 +151,7 @@ configuration options for the backend: +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ | group_dns | yes | | Which groups user must be member of to be granted access | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| group_dns_check | no | and | What kind of check to perform when validating user group membership (``and`` / ``or``). When ``and`` behavior is used, user | +| group_dns_check | no | `and` | What kind of check to perform when validating user group membership (``and`` / ``or``). When ``and`` behavior is used, user | | | | | needs to be part of all the specified groups and when ``or`` behavior is used, user needs to be part of at least one or more | | | | | of the specified groups. | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ 
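Review bot: `and` wrapped in single backticks in the default column is RST interpreted text (rendered through the default role as a title reference, usually italic), while the description in the same row already uses double-backtick inline literals for ``and`` / ``or``; use double backticks here and for every other default this patch quotes so values render consistently in monospace.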
@@ -159,16 +159,16 @@ configuration options for the backend: +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ | port | yes | | Port of the LDAP server | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| use_ssl | no | false | Use LDAPS to connect | +| use_ssl | no | `false` | Use LDAPS to connect | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| use_tls | no | false | Start TLS on LDAP to connect | +| use_tls | no | `false` | Start TLS on LDAP to connect | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| cacert | no | None | Path to the CA cert used to validate certificate | +| cacert | no | `None` | Path to the CA cert used to validate certificate | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| id_attr | no | uid | Field name of the user ID attribute | +| id_attr | no | `uid` | Field name of the user ID attribute | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| account_pattern | no | {id_attr}= | LDAP subtree pattern to match user. The user's username is escaped and interpolated into this string (see example). 
| -| | | {{username}} | | +| account_pattern | no | `{id_attr}=' | LDAP subtree pattern to match user. The user's username is escaped and interpolated into this string (see example). | +| | | '{{username}}` | | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ | group_pattern | no | | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see example.) | | | | | | 
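Review bot: the account_pattern default is now split across two cell lines as `{id_attr}=' and '{{username}}`, which inserts two stray single quotes into the rendered value and breaks the inline markup across lines; the value itself is {id_attr}={{username}} with no quote characters, as the description (the username is escaped and interpolated into this string) implies. Either widen the default column so `{id_attr}={{username}}` fits on one line, or leave the default cell empty and rely on the example the description already points to. The single-backtick defaults added in this hunk (`false`, `None`, `uid`) render as interpreted text rather than literals; ``false`` style, as used for ``and`` / ``or`` above, is what the table needs.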
@@ -179,23 +179,23 @@ configuration options for the backend: | | | | | | | | | | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| scope | no | subtree | Search scope (base, onelevel, or subtree) | +| scope | no | `subtree` | Search scope (base, onelevel, or subtree) | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| network_timeout | no | 10.0 | Timeout for network operations (in seconds) | +| network_timeout | no | `10.0` | Timeout for network operations (in seconds) | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| chase_referrals | no | false | True if the referrals should be automatically chased within the underlying LDAP C lib | +| chase_referrals | no | `false` | True if the referrals should be automatically chased within the underlying LDAP C lib | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| debug | no | false | Enable debug mode. When debug mode is enabled all the calls (including the results) to LDAP server are logged | +| debug | no | `false` | Enable debug mode. 
When debug mode is enabled all the calls (including the results) to LDAP server are logged | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ | client_options | no | | A dictionary with additional Python LDAP client options which can be passed to ``set_connection()`` method | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| cache_user_groups_response | no | true | When true, LDAP user groups response is cached for 120 seconds (by default) in memory. This decreases load on LDAP server | +| cache_user_groups_response | no | `true` | When true, LDAP user groups response is cached for 120 seconds (by default) in memory. This decreases load on LDAP server | | | | | and increases performance when remote LDAP group to RBAC role sync is enabled and / or when the same user authenticates | | | | | concurrency in a short time frame. Keep in mind that even when this feature is enabled, single (authenticate) request to | | | | | LDAP server will still be performed when user authenticates to st2auth - authentication information is not cached - only | | | | | user groups are cached. | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| cache_user_groups_ttl | no | 120 | How long (in seconds) | +| cache_user_groups_ttl | no | `120` | How long (in seconds) | +-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ .. note:: From c0ff64965f7ada658b98d44e5568aae5a0e09c03 Mon Sep 17 00:00:00 2001 
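Review bot: the cache_user_groups_ttl description in the trailing context reads only "How long (in seconds)", an unfinished sentence; since this hunk already touches that row, complete it from the row above, e.g. "How long (in seconds) the user groups response is cached (see cache_user_groups_response)". The debug row also deserves one more sentence: because debug mode logs every call to the LDAP server including the results, the st2auth log will contain search filters and directory entries once it is on, so the description should say it is for troubleshooting only and must not stay enabled in production.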
From: hanancha Date: Mon, 30 Nov 2020 13:36:29 -0800 Subject: [PATCH 15/22] Fixing malformed table --- docs/source/authentication.rst | 114 ++++++++++++++++----------------- 1 file changed, 57 insertions(+), 57 deletions(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 1e1cbb892..01d354d76 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst 
@@ -140,63 +140,63 @@ LDAP The LDAP backend authenticates the user against an LDAP server. The following is a list of configuration options for the backend: -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| option | required | default | description | -+=++==========================+==========+=================+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=================================================================+ -| bind_dn | yes | | DN of the service account to bind with the LDAP server | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| bind_password | yes | | Password of the service account | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| base_ou | yes | | Base OU to search for user and group entries | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| group_dns | yes | | Which groups user must be member of to be granted access | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| group_dns_check | no | `and` | What kind of check to perform when validating user group membership (``and`` / ``or``). 
When ``and`` behavior is used, user | -| | | | needs to be part of all the specified groups and when ``or`` behavior is used, user needs to be part of at least one or more | -| | | | of the specified groups. | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| host | yes | | Hostname of the LDAP server | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| port | yes | | Port of the LDAP server | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| use_ssl | no | `false` | Use LDAPS to connect | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| use_tls | no | `false` | Start TLS on LDAP to connect | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| cacert | no | `None` | Path to the CA cert used to validate certificate | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| id_attr | no | `uid` | Field name of the user ID attribute | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| account_pattern | no | `{id_attr}=' 
| LDAP subtree pattern to match user. The user's username is escaped and interpolated into this string (see example). | -| | | '{{username}}` | | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| group_pattern | no | | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see example.) | -| | | | | -| | | | | -| | | | | -| | | | | -| | | | | -| | | | | -| | | | | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| scope | no | `subtree` | Search scope (base, onelevel, or subtree) | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| network_timeout | no | `10.0` | Timeout for network operations (in seconds) | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| chase_referrals | no | `false` | True if the referrals should be automatically chased within the underlying LDAP C lib | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| debug | no | `false` | Enable debug mode. 
When debug mode is enabled all the calls (including the results) to LDAP server are logged | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| client_options | no | | A dictionary with additional Python LDAP client options which can be passed to ``set_connection()`` method | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| cache_user_groups_response | no | `true` | When true, LDAP user groups response is cached for 120 seconds (by default) in memory. This decreases load on LDAP server | -| | | | and increases performance when remote LDAP group to RBAC role sync is enabled and / or when the same user authenticates | -| | | | concurrency in a short time frame. Keep in mind that even when this feature is enabled, single (authenticate) request to | -| | | | LDAP server will still be performed when user authenticates to st2auth - authentication information is not cached - only | -| | | | user groups are cached. 
| -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| cache_user_groups_ttl | no | `120` | How long (in seconds) | -+-----------------------------+----------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------+ ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| option | required | default | description | ++=++==========================+==========+===================+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=================================================================+ +| bind_dn | yes | | DN of the service account to bind with the LDAP server | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| bind_password | yes | | Password of the service account | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| base_ou | yes | | Base OU to search for user and group entries | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| group_dns | yes | | Which groups user must be member of to be granted access | 
++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| group_dns_check | no | `and` | What kind of check to perform when validating user group membership (``and`` / ``or``). When ``and`` behavior is used, user | +| | | | needs to be part of all the specified groups and when ``or`` behavior is used, user needs to be part of at least one or more | +| | | | of the specified groups. | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| host | yes | | Hostname of the LDAP server | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| port | yes | | Port of the LDAP server | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| use_ssl | no | `false` | Use LDAPS to connect | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| use_tls | no | `false` | Start TLS on LDAP to connect | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| cacert | no | `None` | Path to the CA cert used to validate certificate | 
++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| id_attr | no | `uid` | Field name of the user ID attribute | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| account_pattern | no | `{id_attr}= | LDAP subtree pattern to match user. The user's username is escaped and interpolated into this string (see example). | +| | | {{username}}` | | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| group_pattern | no | `(|(& | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see example.) 
| +| | | (objectClass=*)` | | +| | | | | +| | | | | +| | | | | +| | | | | +| | | | | +| | | | | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| scope | no | `subtree` | Search scope (base, onelevel, or subtree) | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| network_timeout | no | `10.0` | Timeout for network operations (in seconds) | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| chase_referrals | no | `false` | True if the referrals should be automatically chased within the underlying LDAP C lib | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| debug | no | `false` | Enable debug mode. When debug mode is enabled all the calls (including the results) to LDAP server are logged | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| client_options | no | | A dictionary with additional Python LDAP client options which can be passed to ``set_connection()`` method | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| cache_user_groups_response | no | `true` | When true, LDAP user groups response is cached for 120 seconds (by default) in memory. 
This decreases load on LDAP server | +| | | | and increases performance when remote LDAP group to RBAC role sync is enabled and / or when the same user authenticates | +| | | | concurrency in a short time frame. Keep in mind that even when this feature is enabled, single (authenticate) request to | +| | | | LDAP server will still be performed when user authenticates to st2auth - authentication information is not cached - only | +| | | | user groups are cached. | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| cache_user_groups_ttl | no | `120` | How long (in seconds) | ++-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ .. note:: From 53941e3062547c9287e70d850bba8020206678de Mon Sep 17 00:00:00 2001 From: hanancha Date: Mon, 30 Nov 2020 13:45:12 -0800 Subject: [PATCH 16/22] Fixing malformed table --- docs/source/authentication.rst | 114 ++++++++++++++++----------------- 1 file changed, 57 insertions(+), 57 deletions(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 01d354d76..deb2eb52f 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst 
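Review bot: the header separator (the third line of the table, beginning `+=++=====` and containing runs of `+` inside the description column) is carried over unchanged into the new table and is not a valid grid-table header separator: docutils accepts only `=` characters between the `+` column boundaries, so that line has to be the same shape as the `+-----+` border rows with `=` in place of `-`. Widening the default column does not address that, so the table still will not parse under a commit titled "Fixing malformed table". Separately, the new group_pattern default `(|(&` / `(objectClass=*)` is an unbalanced fragment of a filter split across two cell lines; either show the complete filter or leave the default cell empty and keep the existing "see example" reference, and drop the empty continuation rows that follow it.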
@@ -140,63 +140,63 @@ LDAP The LDAP backend authenticates the user against an LDAP server. The following is a list of configuration options for the backend: -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| option | required | default | description | -+=++==========================+==========+===================+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=================================================================+ -| bind_dn | yes | | DN of the service account to bind with the LDAP server | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| bind_password | yes | | Password of the service account | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| base_ou | yes | | Base OU to search for user and group entries | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| group_dns | yes | | Which groups user must be member of to be granted access | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| group_dns_check | no | `and` | What kind of check to perform when validating user group membership (``and`` / ``or``). 
When ``and`` behavior is used, user | -| | | | needs to be part of all the specified groups and when ``or`` behavior is used, user needs to be part of at least one or more | -| | | | of the specified groups. | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| host | yes | | Hostname of the LDAP server | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| port | yes | | Port of the LDAP server | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| use_ssl | no | `false` | Use LDAPS to connect | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| use_tls | no | `false` | Start TLS on LDAP to connect | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| cacert | no | `None` | Path to the CA cert used to validate certificate | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| id_attr | no | `uid` | Field name of the user ID attribute | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| account_pattern | no | 
`{id_attr}= | LDAP subtree pattern to match user. The user's username is escaped and interpolated into this string (see example). | -| | | {{username}}` | | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| group_pattern | no | `(|(& | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see example.) | -| | | (objectClass=*)` | | -| | | | | -| | | | | -| | | | | -| | | | | -| | | | | -| | | | | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| scope | no | `subtree` | Search scope (base, onelevel, or subtree) | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| network_timeout | no | `10.0` | Timeout for network operations (in seconds) | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| chase_referrals | no | `false` | True if the referrals should be automatically chased within the underlying LDAP C lib | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| debug | no | `false` | Enable debug mode. 
When debug mode is enabled all the calls (including the results) to LDAP server are logged | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| client_options | no | | A dictionary with additional Python LDAP client options which can be passed to ``set_connection()`` method | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| cache_user_groups_response | no | `true` | When true, LDAP user groups response is cached for 120 seconds (by default) in memory. This decreases load on LDAP server | -| | | | and increases performance when remote LDAP group to RBAC role sync is enabled and / or when the same user authenticates | -| | | | concurrency in a short time frame. Keep in mind that even when this feature is enabled, single (authenticate) request to | -| | | | LDAP server will still be performed when user authenticates to st2auth - authentication information is not cached - only | -| | | | user groups are cached. 
| -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| cache_user_groups_ttl | no | `120` | How long (in seconds) | -+-----------------------------+----------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------+ ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| option | required | default | description | ++=++==========================+==========+============================+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=================================================================+ +| bind_dn | yes | | DN of the service account to bind with the LDAP server | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| bind_password | yes | | Password of the service account | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| base_ou | yes | | Base OU to search for user and group entries | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| group_dns | yes | | Which groups user must be member of to be granted access | 
++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| group_dns_check | no | `and` | What kind of check to perform when validating user group membership (``and`` / ``or``). When ``and`` behavior is used, user | +| | | | needs to be part of all the specified groups and when ``or`` behavior is used, user needs to be part of at least one or more | +| | | | of the specified groups. | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| host | yes | | Hostname of the LDAP server | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| port | yes | | Port of the LDAP server | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| use_ssl | no | `false` | Use LDAPS to connect | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| use_tls | no | `false` | Start TLS on LDAP to connect | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| cacert | no | `None` | Path to the CA cert used to validate certificate | 
++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| id_attr | no | `uid` | Field name of the user ID attribute | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| account_pattern | no | `{id_attr}={{username}}` | LDAP subtree pattern to match user. The user's username is escaped and interpolated into this string (see example). | +| | | | | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| group_pattern | no | `(|(& (objectClass=*)` | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see example.) 
| +| | | | | +| | | | | +| | | | | +| | | | | +| | | | | +| | | | | +| | | | | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| scope | no | `subtree` | Search scope (base, onelevel, or subtree) | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| network_timeout | no | `10.0` | Timeout for network operations (in seconds) | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| chase_referrals | no | `false` | True if the referrals should be automatically chased within the underlying LDAP C lib | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| debug | no | `false` | Enable debug mode. 
When debug mode is enabled all the calls (including the results) to LDAP server are logged | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| client_options | no | | A dictionary with additional Python LDAP client options which can be passed to ``set_connection()`` method | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| cache_user_groups_response | no | `true` | When true, LDAP user groups response is cached for 120 seconds (by default) in memory. This decreases load on LDAP server | +| | | | and increases performance when remote LDAP group to RBAC role sync is enabled and / or when the same user authenticates | +| | | | concurrency in a short time frame. Keep in mind that even when this feature is enabled, single (authenticate) request to | +| | | | LDAP server will still be performed when user authenticates to st2auth - authentication information is not cached - only | +| | | | user groups are cached. | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| cache_user_groups_ttl | no | `120` | How long (in seconds) | ++-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ .. note:: From 1607b1cf2392b235d72cec3a40776a763ab8462a Mon Sep 17 00:00:00 2001 
From: hanancha Date: Mon, 30 Nov 2020 13:53:10 -0800 Subject: [PATCH 17/22] Fixing malformed table --- docs/source/authentication.rst | 112 ++++++++++++++++----------------- 1 file changed, 56 insertions(+), 56 deletions(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index deb2eb52f..089c48f12 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst 
@@ -140,63 +140,63 @@ LDAP The LDAP backend authenticates the user against an LDAP server. The following is a list of configuration options for the backend: -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| option | required | default | description | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| option | required | default | description | +=++==========================+==========+============================+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=================================================================+ -| bind_dn | yes | | DN of the service account to bind with the LDAP server | -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| bind_password | yes | | Password of the service account | -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| base_ou | yes | | Base OU to search for user and group entries | -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| group_dns | yes | | Which groups user must be member of to be granted access | 
-+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| group_dns_check | no | `and` | What kind of check to perform when validating user group membership (``and`` / ``or``). When ``and`` behavior is used, user | -| | | | needs to be part of all the specified groups and when ``or`` behavior is used, user needs to be part of at least one or more | -| | | | of the specified groups. | -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| host | yes | | Hostname of the LDAP server | -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| port | yes | | Port of the LDAP server | -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| use_ssl | no | `false` | Use LDAPS to connect | -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| use_tls | no | `false` | Start TLS on LDAP to connect | -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| cacert | no | `None` | Path to the CA cert used to validate certificate | 
-+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| id_attr | no | `uid` | Field name of the user ID attribute | -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| account_pattern | no | `{id_attr}={{username}}` | LDAP subtree pattern to match user. The user's username is escaped and interpolated into this string (see example). | -| | | | | -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| group_pattern | no | `(|(& (objectClass=*)` | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see example.) 
| -| | | | | -| | | | | -| | | | | -| | | | | -| | | | | -| | | | | -| | | | | -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| scope | no | `subtree` | Search scope (base, onelevel, or subtree) | -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| network_timeout | no | `10.0` | Timeout for network operations (in seconds) | -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| chase_referrals | no | `false` | True if the referrals should be automatically chased within the underlying LDAP C lib | -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| debug | no | `false` | Enable debug mode. 
When debug mode is enabled all the calls (including the results) to LDAP server are logged | -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| client_options | no | | A dictionary with additional Python LDAP client options which can be passed to ``set_connection()`` method | -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| cache_user_groups_response | no | `true` | When true, LDAP user groups response is cached for 120 seconds (by default) in memory. This decreases load on LDAP server | -| | | | and increases performance when remote LDAP group to RBAC role sync is enabled and / or when the same user authenticates | -| | | | concurrency in a short time frame. Keep in mind that even when this feature is enabled, single (authenticate) request to | -| | | | LDAP server will still be performed when user authenticates to st2auth - authentication information is not cached - only | -| | | | user groups are cached. 
| -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| cache_user_groups_ttl | no | `120` | How long (in seconds) | -+-----------------------------+----------+----------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| bind_dn | yes | | DN of the service account to bind with the LDAP server | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| bind_password | yes | | Password of the service account | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| base_ou | yes | | Base OU to search for user and group entries | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| group_dns | yes | | Which groups user must be member of to be granted access | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| group_dns_check | no | and | What kind of check to perform when validating user group 
membership (``and`` / ``or``). When ``and`` behavior is used, user | +| | | | needs to be part of all the specified groups and when ``or`` behavior is used, user needs to be part of at least one or more | +| | | | of the specified groups. | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| host | yes | | Hostname of the LDAP server | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| port | yes | | Port of the LDAP server | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| use_ssl | no | false | Use LDAPS to connect | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| use_tls | no | false | Start TLS on LDAP to connect | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| cacert | no | None | Path to the CA cert used to validate certificate | 
++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| id_attr | no | uid | Field name of the user ID attribute | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| account_pattern | no | {id_attr}={{username}} | LDAP subtree pattern to match user. The user's username is escaped and interpolated into this string (see example). | +| | | | | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| group_pattern | no | (|(& (objectClass=*)(|(member={user_dn})(uniqueMember={user_dn})(memberUid={username})))) | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see example.) 
| +| | | | | +| | | | | +| | | | | +| | | | | +| | | | | +| | | | | +| | | | | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| scope | no | subtree | Search scope (base, onelevel, or subtree) | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| network_timeout | no | 10.0 | Timeout for network operations (in seconds) | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| chase_referrals | no | false | True if the referrals should be automatically chased within the underlying LDAP C lib | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| debug | no | false | Enable debug mode. 
When debug mode is enabled all the calls (including the results) to LDAP server are logged | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| client_options | no | | A dictionary with additional Python LDAP client options which can be passed to ``set_connection()`` method | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| cache_user_groups_response | no | true | When true, LDAP user groups response is cached for 120 seconds (by default) in memory. This decreases load on LDAP server | +| | | | and increases performance when remote LDAP group to RBAC role sync is enabled and / or when the same user authenticates | +| | | | concurrency in a short time frame. Keep in mind that even when this feature is enabled, single (authenticate) request to | +| | | | LDAP server will still be performed when user authenticates to st2auth - authentication information is not cached - only | +| | | | user groups are cached. 
| ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| cache_user_groups_ttl | no | 120 | How long (in seconds) | ++-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ .. note:: From db9e63da6097e27d93d315e29d1d9b67160931d2 Mon Sep 17 00:00:00 2001 From: hanancha Date: Mon, 30 Nov 2020 13:57:52 -0800 Subject: [PATCH 18/22] Fixing malformed table --- docs/source/authentication.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 089c48f12..24d68ed2c 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst 
@@ -142,7 +142,7 @@ configuration options for the backend: +-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ | option | required | default | description | -+=++==========================+==========+============================+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=================================================================+ ++=++==========================+==========+============================+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=======================================================================================================================================+ | bind_dn | yes | | DN of the service account to bind with the LDAP server | +-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ | bind_password | yes | | Password of the service account | From a8a254c68325d457895901c2dd4f587b918564e5 Mon Sep 17 00:00:00 2001 From: hanancha Date: Mon, 30 Nov 2020 14:04:02 -0800 Subject: [PATCH 19/22] Fixing malformed table --- docs/source/authentication.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 24d68ed2c..5e017e59c 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst 
@@ -142,7 +142,7 @@ configuration options for the backend: +-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ | option | required | default | description | -+=++==========================+==========+============================+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=======================================================================================================================================+ ++=++==========================+==========+==================================================================================================+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=================================================================+ | bind_dn | yes | | DN of the service account to bind with the LDAP server | +-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ | bind_password | yes | | Password of the service account | From 44fe32a5f10d1d7d2ed8b4dcb634492a5ee1e023 Mon Sep 17 00:00:00 2001 From: hanancha Date: Mon, 30 Nov 2020 14:11:46 -0800 Subject: [PATCH 20/22] Fixing malformed table --- docs/source/authentication.rst | 114 ++++++++++++++++----------------- 1 file changed, 57 insertions(+), 57 deletions(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 5e017e59c..60c3ee5e5 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst 
@@ -140,63 +140,63 @@ LDAP The LDAP backend authenticates the user against an LDAP server. The following is a list of configuration options for the backend: -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| option | required | default | description | -+=++==========================+==========+==================================================================================================+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=================================================================+ -| bind_dn | yes | | DN of the service account to bind with the LDAP server | -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| bind_password | yes | | Password of the service account | -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| base_ou | yes | | Base OU to search for user and group entries | -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| group_dns | yes | | Which groups user must be member of to be granted access | 
-+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| group_dns_check | no | and | What kind of check to perform when validating user group membership (``and`` / ``or``). When ``and`` behavior is used, user | -| | | | needs to be part of all the specified groups and when ``or`` behavior is used, user needs to be part of at least one or more | -| | | | of the specified groups. | -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| host | yes | | Hostname of the LDAP server | -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| port | yes | | Port of the LDAP server | -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| use_ssl | no | false | Use LDAPS to connect | -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| use_tls | no | false | Start TLS on LDAP to connect | 
-+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| cacert | no | None | Path to the CA cert used to validate certificate | -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| id_attr | no | uid | Field name of the user ID attribute | -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| account_pattern | no | {id_attr}={{username}} | LDAP subtree pattern to match user. The user's username is escaped and interpolated into this string (see example). | -| | | | | -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| group_pattern | no | (|(& (objectClass=*)(|(member={user_dn})(uniqueMember={user_dn})(memberUid={username})))) | LDAP subtree pattern for user groups. Both user_dn and username are escaped and then interpolated into this string (see example.) 
| -| | | | | -| | | | | -| | | | | -| | | | | -| | | | | -| | | | | -| | | | | -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| scope | no | subtree | Search scope (base, onelevel, or subtree) | -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| network_timeout | no | 10.0 | Timeout for network operations (in seconds) | -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| chase_referrals | no | false | True if the referrals should be automatically chased within the underlying LDAP C lib | -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| debug | no | false | Enable debug mode. 
When debug mode is enabled all the calls (including the results) to LDAP server are logged | -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| client_options | no | | A dictionary with additional Python LDAP client options which can be passed to ``set_connection()`` method | -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| cache_user_groups_response | no | true | When true, LDAP user groups response is cached for 120 seconds (by default) in memory. This decreases load on LDAP server | -| | | | and increases performance when remote LDAP group to RBAC role sync is enabled and / or when the same user authenticates | -| | | | concurrency in a short time frame. Keep in mind that even when this feature is enabled, single (authenticate) request to | -| | | | LDAP server will still be performed when user authenticates to st2auth - authentication information is not cached - only | -| | | | user groups are cached. 
| -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ -| cache_user_groups_ttl | no | 120 | How long (in seconds) | -+-----------------------------+----------+--------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| option | required | default | description | ++=++==========================+==========+====================================================================================================+=====++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=================================================================+ +| bind_dn | yes | | DN of the service account to bind with the LDAP server | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| bind_password | yes | | Password of the service account | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| base_ou | yes | | Base OU to search for user 
and group entries | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| group_dns | yes | | Which groups user must be member of to be granted access | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| group_dns_check | no | `and` | What kind of check to perform when validating user group membership (``and`` / ``or``). When ``and`` behavior is used, user | +| | | | needs to be part of all the specified groups and when ``or`` behavior is used, user needs to be part of at least one or more | +| | | | of the specified groups. | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| host | yes | | Hostname of the LDAP server | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| port | yes | | Port of the LDAP server | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| use_ssl | no | `false` | Use LDAPS to connect | 
++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| use_tls | no | `false` | Start TLS on LDAP to connect | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| cacert | no | `None` | Path to the CA cert used to validate certificate | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| id_attr | no | `uid` | Field name of the user ID attribute | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| account_pattern | no | `{id_attr}={{username}}` | LDAP subtree pattern to match user. The user's username is escaped and interpolated into this string (see example). | +| | | | | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| group_pattern | no | `(|(& (objectClass=*)(|(member={user_dn})(uniqueMember={user_dn})(memberUid={username}))))` | LDAP subtree pattern for user groups. 
Both user_dn and username are escaped and then interpolated into this string (see example.) | +| | | | | +| | | | | +| | | | | +| | | | | +| | | | | +| | | | | +| | | | | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| scope | no | `subtree` | Search scope (base, onelevel, or subtree) | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| network_timeout | no | `10.0` | Timeout for network operations (in seconds) | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| chase_referrals | no | `false` | True if the referrals should be automatically chased within the underlying LDAP C lib | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| debug | no | `false` | Enable debug mode. 
When debug mode is enabled all the calls (including the results) to LDAP server are logged | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| client_options | no | | A dictionary with additional Python LDAP client options which can be passed to ``set_connection()`` method | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| cache_user_groups_response | no | `true` | When true, LDAP user groups response is cached for 120 seconds (by default) in memory. This decreases load on LDAP server | +| | | | and increases performance when remote LDAP group to RBAC role sync is enabled and / or when the same user authenticates | +| | | | concurrency in a short time frame. Keep in mind that even when this feature is enabled, single (authenticate) request to | +| | | | LDAP server will still be performed when user authenticates to st2auth - authentication information is not cached - only | +| | | | user groups are cached. 
| ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +| cache_user_groups_ttl | no | `120` | How long (in seconds) | ++-----------------------------+----------+----------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ .. note:: From 4ad57cf684f8f3b2f24eb655bcfa00b37516c2a5 Mon Sep 17 00:00:00 2001 From: hanancha Date: Wed, 2 Dec 2020 12:01:17 -0800 Subject: [PATCH 21/22] Updating authentication docs to include PR reviews. --- docs/source/authentication.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index 60c3ee5e5..e538bee55 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst @@ -137,6 +137,15 @@ The following is a list of auth backends for the community edition to help get t LDAP ---- +.. note:: + + Prior to StackStorm 3.3, Extreme Networks provided a commercial version of the StackStorm automation platform which included + LDAP auth backend. As these enterprise features were donated to the Linux Foundation, LDAP auth backend is now available in + StackStorm Open Source since 3.4. + +LDAP integration is enabled through st2-auth-ldap package. The source code for the package can be accessed here: +https://github.com/stackstorm/st2-auth-ldap + The LDAP backend authenticates the user against an LDAP server. The following is a list of configuration options for the backend: From b494a27a11b6d94637d1e6d77a4f3bae91c7d18d Mon Sep 17 00:00:00 2001 
From: Eugen Cusmaunsa Date: Thu, 3 Dec 2020 14:24:05 +0000 Subject: [PATCH 22/22] Clarify LDAP auth doc that integration is shipped by default in st2 core now --- docs/source/authentication.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/source/authentication.rst b/docs/source/authentication.rst index e538bee55..036fea2cd 100644 --- a/docs/source/authentication.rst +++ b/docs/source/authentication.rst @@ -143,8 +143,7 @@ LDAP LDAP auth backend. As these enterprise features were donated to the Linux Foundation, LDAP auth backend is now available in StackStorm Open Source since 3.4. -LDAP integration is enabled through st2-auth-ldap package. The source code for the package can be accessed here: -https://github.com/stackstorm/st2-auth-ldap +LDAP is now included by default with StackStorm core and needs to be enabled and configured via ``st2.conf``. The source code for the LDAP auth backend can be accessed here: https://github.com/stackstorm/st2-auth-ldap The LDAP backend authenticates the user against an LDAP server. The following is a list of configuration options for the backend:
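Review bot: the replacement sentence now says the backend "needs to be enabled and configured via ``st2.conf``" but still does not name the setting, so the table of options that follows is left unanchored; one line quoting the ``st2.conf`` key that selects the LDAP backend and the key that carries these options would close that gap. Also, the single added line runs far past the wrapping width used elsewhere in this file (the surrounding lines wrap at roughly 120 characters); please rewrap it to match.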