Redash: Support for LDAP authentification

Created on 2 Nov 2015 · 24 Comments · Source: getredash/redash

Support for LDAP auth would be useful.

Backend Feature Request

All 24 comments

:+1:
LDAP, but specifically Active Directory would be nice for us.

+1

+1 for jira

@TonyStarkBy what do you mean by JIRA? Use Jira's users?

+1

+1

+1

+1

+1

+1

+1

@arikfr I haven't been keeping track... are there any plans for this?

+1

Hello everyone! Maybe we could help to get this issue solved by supporting it with donations. Do you think it helps @arikfr ? If it does, we can try using BountySource. https://www.bountysource.com/issues/27885192-support-for-ldap-authentification

+1

+1

+1

+1

I would like to point out that Redash can handle LDAP since remote user auth by @tsibley #883 had been merged.

You need to set up a web server with LDAP and reverse proxy capability. I chose apache/httpd, but I believe nginx can handle most of the cases too.

I use https://github.com/dariko/httpd-rproxy-ldap with a little modification for RequireAll/RequireAny. Works with my company AD setup.

Hi @deecay, thanks for this tip. Sorry for my lack of knowledge about LDAP but I'd like to ask you if the following setup may work:

  • I've installed re:dash in a VM running Ubuntu
  • I've two different LDAP servers running in my organization. I can choose any of them (one is a little better)

Should I install mod_authnz_ldap Apache Module and then execute httpd-rproxy-ldap's run.sh on re:dash's apache server in order to make it connect with one of my LDAP servers?

Thanks in advance

Arnaldo

Hi @agnoldo,

Did you install redash via docker-compose? I used httpd-rproxy-ldap because I use docker as setup method. If you used scripts to set up in Ubuntu, I guess just setting up your Apache the normal way is the simplest solution.

Something like here should be your guide.

There are a couple of things that might help you get the right httpd.conf.

Reverse Proxy

I used docker, so the ProxyPass and ProxyPassReverse, the Redash server address, is "http://server:5000/" for me. You should specify the address to suit your Ubuntu setup.

Header

Redash expects X-Forwarded-Remote-User in the HTTP Header by default, so you want to set this like
RequestHeader add X-Forwarded-Remote-User %{AUTHENTICATE_MAIL}e with mod_rewrite.

Exclude some paths

Require expr %{REQUEST_URI} =~ m#^/(api/.*|js/.*|styles/.*|images/.*|assets/.*|fonts/.*|public/.*|login|$)#

(example)

Following is my httpd.conf (actually a part of conf/proxy_ldap.conf) that my patched httpd-rproxy-ldap generates.

LoadModule ssl_module         modules/mod_ssl.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module        modules/mod_ldap.so
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so

LDAPVerifyServerCert Off
LDAPTrustedGlobalCert CA_BASE64 /ldap_cacert.pem
LogLevel warn
<VirtualHost *:80>
    ServerName localhost
    <Location />
      AuthName "LDAP authentication"
      # enable InitialBindAsUser and set InitialBindPattern if pattern given
      AuthLDAPInitialBindAsUser on
      AuthLDAPCompareAsUser on
      AuthLDAPSearchAsUser on
      AuthLDAPInitialBindPattern (.+) XXXXXXXX

      AuthType Basic
      AuthBasicProvider ldap
      AuthLDAPURL "ldaps://XXXXXX:636/dc=XXXXX,dc=XXXXX,dc=XX?cn,displayName,mail?sub?(objectClass=*)"

      <RequireAny>
        Require expr %{REQUEST_URI} =~ m#^/(api/.*|js/.*|styles/.*|images/.*|assets/.*|fonts/.*|public/.*|login|$)#
        Require valid-user
      </RequireAny>

      ProxyPreserveHost On
      ProxyPass "http://server:5000/"
      ProxyPassReverse "http://server:5000/"
      RequestHeader add X-Forwarded-Remote-User %{AUTHENTICATE_MAIL}e
    </Location>
</VirtualHost>
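
A hardened variant of the proxy configuration in the comment above, as an added example that is not part of the original comment or of httpd-rproxy-ldap. It assumes mod_headers is available; it removes any X-Forwarded-Remote-User value sent by the client, sets the header only when LDAP authentication has populated AUTHENTICATE_MAIL, and keeps LDAP server certificate verification on. The XXXXXX placeholders are the ones from the comment.

```apache
# Added example (not the configuration posted above).
# RequestHeader is provided by mod_headers, assumed to be loaded like this:
LoadModule headers_module modules/mod_headers.so

# Verify the ldaps:// server certificate against the configured CA
# (the posted configuration sets this to Off).
LDAPVerifyServerCert On
LDAPTrustedGlobalCert CA_BASE64 /ldap_cacert.pem

<VirtualHost *:80>
    ServerName localhost
    <Location />
      AuthName "LDAP authentication"
      AuthType Basic
      AuthBasicProvider ldap
      AuthLDAPInitialBindAsUser on
      AuthLDAPCompareAsUser on
      AuthLDAPSearchAsUser on
      AuthLDAPInitialBindPattern (.+) XXXXXXXX
      AuthLDAPURL "ldaps://XXXXXX:636/dc=XXXXX,dc=XXXXX,dc=XX?cn,displayName,mail?sub?(objectClass=*)"

      # Same path exclusions as the posted configuration: requests to these
      # paths are proxied without LDAP authentication.
      <RequireAny>
        Require expr %{REQUEST_URI} =~ m#^/(api/.*|js/.*|styles/.*|images/.*|assets/.*|fonts/.*|public/.*|login|$)#
        Require valid-user
      </RequireAny>

      # 1. Remove whatever value the client sent for the trusted header.
      RequestHeader unset X-Forwarded-Remote-User
      # 2. Set it only when mod_authnz_ldap has exported the user's mail
      #    attribute, i.e. after a successful LDAP authentication.
      RequestHeader set X-Forwarded-Remote-User %{AUTHENTICATE_MAIL}e env=AUTHENTICATE_MAIL

      ProxyPreserveHost On
      ProxyPass "http://server:5000/"
      ProxyPassReverse "http://server:5000/"
    </Location>
</VirtualHost>
```

Because Redash trusts this header for remote user login, the Redash port (5000 here) should be reachable only through the proxy.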

Hi @deecay ,

Thank you so much for your attention. I'll try to follow your valuable tips and make LDAP-re:dash integration work here in my organization.

Greetings from Brazil!

Arnaldo (aka agnoldo)

@arikfr If I submitted a PR implementing LDAP as an authentication method in Redash would you be able to merge it in? The httpd/nginx proxy solution works but is not intuitive.

@amarjayr's #1836 was just merged 🙌
