LDAP support

[brian7704]

Is there a way to use flask-LDAP3-login or something similar with flask-security? Ideally the LDAP server would be used for authentication and authorization.

[brian7704]

In theory could I extend Datastore and UserDatastore to make LDAPUserDatastore using ldap3?

[jwag956]

lets think about this. Flask-Security really is based around having its own ORM and having a record of registered users. So for example the existing oauth/social integration enables authenticating EXISTING app users with oauth.
If we start from that premise - that the user exists in Flask-Security ORM and is just needing to authenticate - you could start with the flask-LDAP3-login project login form and use the save_user callback to look up the user in flask-security and call login_user() to set up the session cookie etc.

Doing auto-registration should also be doable with the above concept.

Ok - authorization - I can think of 2 ideas - first of course - take the result of the LDAP lookup and populate the appropriate roles/permissions in Flask-Security ORM.
The second would be to grab the identity_loaded signal from flask_principle and set the authz info based on the LDAP response.

[brian7704]

Thanks for your reply. After thinking about it for a while, I'm going to try creating a process to sync LDAP users and groups with Flask-Security users and roles. I think that will solve most of the issues except validating the user's password against the LDAP server when they log in. But maybe I can override verify_password and make it check the LDAP server.

Does this sound like a viable solution?

[brian7704]

After trying a few different approaches, this is what I came up with for authn (I still need to test authz). It seems to work so far but still needs to be fully tested.

It's basically what you recommended, I used flask-ldap3-login's login form and in the save_user callback I check if the user exists in the Flask-Security ORM. If not, it calls create_user, then gets the groups from the LDAP server and updates the user's roles.

The only thing I'm unsure of is the password in Flask-Security's ORM. When I call create_user I set the password to None since the it's not passed to the save_user callback. I tried logging in using a valid username and blank password on Flask-Security's SECURITY_LOGIN_URL and it didn't work which is a good sign. Do you think there would be any negative side effects from setting the password to None in this case?