Welcome to lowball-ad’s documentation!

lowball-ad-auth-provider is an AuthProvider implementation for a Lowball microservice, that works with Active Directory.

Installation

lowball-ad has been tested to work with only Python 3.6+

Pip

pip install lowball-ad-auth-provider

From Source

git clone https://github.com/EmersonElectricCo/lowball-ad-auth-provider
cd ./lowball-ad-auth-provider
python setup.py install

Implemented Interface

lowball ad implements the following methods of a Lowball Authentication Provider

  • authenticate - this is required for basic authentication with AD

  • get_client - service account/password must be configured to work. Enables basic user lookup routes

The following authentication provider dependent builtin routes will be usable with this implementation. Routes related to the authentication database will be available as expected and implemented by the chosen authentication database.

  • POST /builtins/auth (login)

  • DELETE /builtins/auth (logout)

  • GET /builtins/auth (whoami)

  • POST /builtins/auth/tokens (create token) - for non admin users only if service account is configured

  • GET /builtins/client (get authenticated client) - only if service account is configured

  • GET /builtins/client/<client_id> ( get client information ) - only if service account is configured

Auth Package

The Authentication Package which should be sent to POST /builtins/auth for authentication

{
   "username": "ad_user",
   "password": "ad_password"
}

Configuration

The configuration for the ad auth provider goes under the auth_provider section of a lowball configuration

Mandatory Config Fields

base_dn

base dn of the of the search path for users

hostname

hostname or ip of the server to use

domain

domain to prepend in front of user authentications

Optional Config Fields

roll_mappings

a dictionary of role -> list of groups that would give a user that role

ignore_ssl_cert_errors

true/false, whether or not to validate ssl. Unused if use_ssl is set to false

use_ssl

true/false, whether or not to use ssl for the connection

service_account

username of the service account used to lookup users. can be left empty, but users will not be able to look themselves up or create their own tokens

service_account_password

password of the service account

Example Config

auth_provider:
  service_account: admin
  service_account_password: myComplexPassword
  base_dn: "dc=example, dc=org"
  domain: corp
  ignore_ssl_cert_errors: false
  use_ssl: true
  role_mappings:
    user:
      - CN=regular_user,OU=groups,DC=example,DC=org
      - CN=owners,OU=groups,DC=example,DC=org
    finance:
      - CN=accounting,OU=groups,DC=example,DC=org
      - CN=owners,OU=groups,DC=example,DC=org

Example Usage

from lowball_ad_auth_provider import ADAuthProvider
from lowball import Lowball, config_from_file

app = Lowball(config_from_file("/path/to/config"), auth_provider=ADAuthProvider)