LDAP Authentication. Create two envars REDASH_LDAP_USE_SSL and REDASH_LDAP_AUTH_BIND

redash/authentication/ldap_auth.py

@@ -7,7 +7,7 @@
 from flask_login import current_user, login_required, login_user, logout_user
 
 try:
-    from ldap3 import Server, Connection, SIMPLE
+    from ldap3 import Server, Connection, SIMPLE, ANONYMOUS, NTLM
 except ImportError:
     if settings.LDAP_LOGIN_ENABLED:
         logger.error("The ldap3 library was not found. This is required to use LDAP authentication (see requirements.txt).")
@@ -58,8 +58,8 @@ def login(org_slug=None):
 
 
 def auth_ldap_user(username, password):
-    server = Server(settings.LDAP_HOST_URL)
-    conn = Connection(server, settings.LDAP_BIND_DN, password=settings.LDAP_BIND_DN_PASSWORD, authentication=SIMPLE, auto_bind=True)
+    server = Server(settings.LDAP_HOST_URL, use_ssl=settings.LDAP_SSL)
+    conn = Connection(server, settings.LDAP_BIND_DN, password=settings.LDAP_BIND_DN_PASSWORD, authentication=settings.LDAP_AUTH_METHOD, auto_bind=True)
 
     conn.search(settings.LDAP_SEARCH_DN, settings.LDAP_SEARCH_TEMPLATE % {"username": username}, attributes=[settings.LDAP_DISPLAY_NAME_KEY, settings.LDAP_EMAIL_KEY])
 

redash/settings/__init__.py

@@ -81,6 +81,10 @@ def all_settings():
 # If the organization setting auth_password_login_enabled is not false, then users will still be
 # able to login through Redash instead of the LDAP server
 LDAP_LOGIN_ENABLED = parse_boolean(os.environ.get('REDASH_LDAP_LOGIN_ENABLED', 'false'))
+# Bind LDAP using SSL. Default is False
+LDAP_SSL = parse_boolean(os.environ.get('REDASH_LDAP_USE_SSL', 'false'))
+# Choose authentication method(SIMPLE, ANONYMOUS or NTLM). Default is SIMPLE
+LDAP_AUTH_METHOD = os.environ.get('REDASH_LDAP_AUTH_METHOD', 'SIMPLE')
 # The LDAP directory address (ex. ldap://10.0.10.1:389)
 LDAP_HOST_URL = os.environ.get('REDASH_LDAP_URL', None)
 # The DN & password used to connect to LDAP to determine the identity of the user being authenticated.