
This is my first Flask project as I failed to find something usable for my use case. So this will be a very simple self-service portal above an LDAP directory. Users should be able to see their LDAP data and change a few selected attributes (password, mobile numbers etc.).

I do not want to use a global LDAP role to access the user data but my ACLs are already working so that a user can modify the required ones while being authenticated to the directory. As they need to authenticate in any case for login I'm searching for a way to keep that LDAP connection open for that user. I'm not even sure this is possible though.

In case it's not, are there any other hints on how this could be implemented? Saving the password somewhere like in Flask sessions (sounds like a security risk) so I can access it from the Flask application?

woro

1 Answer


Your problem is that LDAP is usually connection oriented, while Flask is based on WSGI, which is request based and has no persistent objects between requests, unless you do something about it.

What you can do about it depends on the authentication and authorization options of your LDAP server. A typical way to do it would be some kind of proxy authentication where the service acts on behalf of the user, e.g. the SASL Proxy Authn scenario described in the openldap documentation fits your use case:

https://openldap.org/doc/admin24/sasl.html#Uses%20of%20Proxy%20Authorization

schlenk
  • I was hoping to get around without saving any access credentials within the app. This proxy authorization is not a big difference to having a dedicated "edit" user for LDAP. Need to think about how to proceed but thanks for the pointer. My LDAP server is 389ds fwiw. – woro Jun 30 '19 at 21:19
  • The other option would be to have some non-WSGI service running that could keep the connection state between requests and handle its lifecycle as needed. For example when you use Twisted as a WSGI server it has a thread pool to run WSGI queries but it can also host other connection oriented protocols in the same server. With generic WSGI/flask you do not have such an option. Of course, if you know that you only have a specific WSGI stack in mind you can just have a global singleton class to take care of the connections. – schlenk Jun 30 '19 at 22:00
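The second option raised in the comments (a process-wide object that keeps each user's bound LDAP connection alive between requests) can be sketched without storing the password anywhere. The following is an added example written for this page; it is not code from either participant and does not use 389ds-specific features. The user binds once at login with their own DN and password, so the directory's ACLs still govern every later operation; the Flask session then holds only a random opaque token that maps to the cached connection. Idle connections are unbound after a TTL. The `python_ldap_binder` helper uses python-ldap's `ldap.initialize` / `simple_bind_s`, which are assumed to be available in a real deployment; the `FakeConnection` and `FAKE_DIRECTORY` below are constructed stand-ins so the example runs offline.

```python
import secrets
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class _Entry:
    conn: object      # bound LDAP connection (e.g. a python-ldap LDAPObject)
    user_dn: str
    last_used: float


class UserConnectionCache:
    """Process-local cache of LDAP connections bound as the logged-in user.

    The app never keeps the password: it stores only the returned token in
    the Flask session cookie. The cache lives in one worker process, so with
    several WSGI workers a token minted by one worker is unknown to the
    others (use a single worker, or sticky sessions, or the proxy-authz
    approach from the answer instead).
    """

    def __init__(self, bind: Callable[[str, str], object],
                 idle_ttl: float = 900.0,
                 clock: Callable[[], float] = time.monotonic):
        self._bind = bind          # (user_dn, password) -> bound conn; raises on failure
        self._idle_ttl = idle_ttl  # seconds of inactivity before unbind
        self._clock = clock        # injectable for testing expiry
        self._entries: Dict[str, _Entry] = {}
        self._lock = threading.Lock()

    def login(self, user_dn: str, password: str) -> str:
        """Bind as the user and return the opaque token to put in the session."""
        conn = self._bind(user_dn, password)   # invalid credentials raise here
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._sweep()
            self._entries[token] = _Entry(conn, user_dn, self._clock())
        return token

    def get(self, token: Optional[str]) -> Optional[object]:
        """Return the user's bound connection, or None if unknown or expired."""
        if not token:
            return None
        with self._lock:
            self._sweep()
            entry = self._entries.get(token)
            if entry is None:
                return None
            entry.last_used = self._clock()
            return entry.conn

    def logout(self, token: Optional[str]) -> None:
        """Drop and unbind the user's connection (call this on session end)."""
        with self._lock:
            entry = self._entries.pop(token, None) if token else None
        if entry is not None:
            self._close(entry.conn)

    def _sweep(self) -> None:
        # Caller holds the lock. Unbind and forget idle connections.
        now = self._clock()
        expired = [t for t, e in self._entries.items()
                   if now - e.last_used > self._idle_ttl]
        for tok in expired:
            self._close(self._entries.pop(tok).conn)

    @staticmethod
    def _close(conn: object) -> None:
        unbind = getattr(conn, "unbind_s", None)   # python-ldap name; no-op otherwise
        if callable(unbind):
            try:
                unbind()
            except Exception:
                pass


def python_ldap_binder(ldap_url: str) -> Callable[[str, str], object]:
    """Real binder built on python-ldap (assumed installed; not run below)."""
    def bind(user_dn: str, password: str) -> object:
        import ldap  # python-ldap
        conn = ldap.initialize(ldap_url)
        conn.protocol_version = ldap.VERSION3
        conn.simple_bind_s(user_dn, password)  # raises ldap.INVALID_CREDENTIALS
        return conn
    return bind


# Constructed stand-ins so the example runs without a directory server.
FAKE_DIRECTORY = {"uid=alice,ou=people,dc=example,dc=com": "correct horse"}


class FakeConnection:
    def __init__(self, user_dn: str) -> None:
        self.user_dn = user_dn
        self.bound = True

    def unbind_s(self) -> None:
        self.bound = False


def fake_bind(user_dn: str, password: str) -> FakeConnection:
    if FAKE_DIRECTORY.get(user_dn) != password:
        raise PermissionError("invalid credentials")
    return FakeConnection(user_dn)


if __name__ == "__main__":
    # In a Flask view: session["ldap_token"] = cache.login(dn, pw), later
    # conn = cache.get(session.get("ldap_token")) and cache.logout(...) on logout.
    cache = UserConnectionCache(fake_bind, idle_ttl=900)
    tok = cache.login("uid=alice,ou=people,dc=example,dc=com", "correct horse")
    print("bound as", cache.get(tok).user_dn)
```

Two caveats matter in practice: the token in the session cookie is a bearer credential for the cached connection, so the cookie needs the usual `Secure`, `HttpOnly` and signed-session protections, and the idle TTL bounds how long a stolen token stays useful. Because the cache is per process, a multi-worker deployment either pins users to a worker or falls back to the proxy authorization approach described in the answer.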