Issue #78 resolved

"Manual activation of external account" not working for LDAP

Denis Blanchette
created an issue

We are currently considering a switch from RhodeCode 1.6.0 to Kallithea 0.1.

I set up the LDAP plugin. I went to Admin -> Permissions and set "External auth account activation" to "Manual activation of external account".

I log in with an Active Directory user that does not exist in the database yet and it goes to the main page. In RhodeCode 1.6.0 it would have stayed on the login page until an Administrator had activated the newly created account.

This could allow access to repositories to users in our company that have Active Directory accounts but are not allowed to see the code.

I set up default permissions to None, but it would be better to have users deactivated by default.

I tried the same scenario with an installation of Kallithea using the latest changeset in the default branch at the time of writing (bfc304687f1cb11b243f2bd157f7e782f50d196f).

Thank you very much for any help

Comments (8)

  1. Mads Kiilerich

    A possible workaround / somewhat unrelated comment in that area:

    You could/should configure the LDAP Search Filter to an ldap group of users that are allowed access, such as:

    (&(ObjectCategory=Person)(sAMAccountName=*)(|(memberof=CN-employees)(memberof=CN=kallitheausers,CN=users))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    
  2. Denis Blanchette reporter

    Thank you for this idea. Unfortunately, I was not able to have it working with the following error:

    2015-01-23 10:01:15.467 ERROR [kallithea.lib.auth_modules.auth_ldap] Traceback (most recent call last):
      File "S:\Kallithea\Env\lib\site-packages\kallithea\lib\auth_modules\auth_ldap.py", line 330, in auth
        (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)
      File "S:\Kallithea\Env\lib\site-packages\kallithea\lib\auth_modules\auth_ldap.py", line 162, in authenticate_ldap
        raise LdapPasswordError()
    LdapPasswordError
    

    I checked the password several times. It works with all the same settings, but without a search filter. My filter is (&(objectCategory=Person)(sAMAccountName=*)(memberOf=OU=R&D,OU=TEST Users,OU=TEST,OU=ORG))

    For the time being, I will make sure that the default user has no rights.
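
The group-restricted search filter suggested in the first comment can be checked offline before it goes into the LDAP plugin settings. The Python sketch below is an added example, not code from Kallithea or from either commenter: it parses a filter of that shape and evaluates it against constructed directory entries, so you can confirm that non-members and disabled accounts are rejected. The group DN, the entries and the names `parse`, `matches`, `admits` and `person` are assumptions; only equality, presence and the bitwise-AND rule are evaluated, and `objectCategory` is compared as a plain string.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # Active Directory bitwise-AND matching rule

def parse(f, i=0):
    # Parse one parenthesised filter starting at f[i]; return (node, index after it).
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if f[i + 1] in "&|!":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError("malformed %r group" % op)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.rstrip(":").lower(), value), end + 1

def matches(node, entry):
    # entry: dict of lowercase attribute name -> list of string values.
    if node[0] in "&|":
        results = [matches(kid, entry) for kid in node[1]]
        return all(results) if node[0] == "&" else any(results)
    if node[0] == "!":
        return not matches(node[1][0], entry)
    attr, _, rule = node[1].partition(":")
    values, want = entry.get(attr, []), node[2]
    if rule == BIT_AND:  # true when every bit of `want` is set in the attribute
        return any((int(v) & int(want)) == int(want) for v in values)
    if want == "*":  # presence test
        return bool(values)
    want = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), want)
    return any(v.lower() == want.lower() for v in values)

def admits(ldap_filter, entry):
    node, end = parse(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing text after filter")
    return matches(node, entry)

# Constructed sample data (not from the issue): group DN and directory entries.
GROUP = "CN=kallitheausers,CN=Users,DC=example,DC=com"
FILTER = ("(&(objectCategory=Person)(sAMAccountName=*)(memberOf=%s)"
          "(!(userAccountControl:%s:=2)))" % (GROUP, BIT_AND))
def person(groups, uac):
    return {"objectcategory": ["Person"], "samaccountname": ["jdoe"],
            "memberof": groups, "useraccountcontrol": [uac]}
```

Here `admits(FILTER, person([GROUP], "512"))` is true, while the same person with `userAccountControl` 514 (disabled bit set) or with no membership in `GROUP` is rejected.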
