LDAP Cached Auth provider

Description

Same as the LDAP Auth provider, but if the LDAP request that checks the user's credentials succeeds, the credentials are stored in a local cache (a table in the internal database, in the form login + hash(password) + update timestamp).

Subsequent auth requests for the same login are checked against this cache first. LDAP requests are sent only if the cache entry has expired.

This allows you to:

  • Tolerate LDAP availability problems, e.g. network errors.

  • Reduce the number of requests made to LDAP.

Downsides:

  • If a user changed their password and the cache entry has not expired yet, they may still log in with the old credentials.

  • The same applies if the user was blocked in LDAP.
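The cache-first check described above, as an added example that is not Horizon's own code. It assumes a hypothetical ldap_bind(login, password) -> bool callable standing in for the real LDAP request, and uses hashlib.scrypt from the standard library in place of the page's passlib/argon2 hashing; the demo walks through the password-change downside and the expiry that finally forces a fresh LDAP check.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass
class CacheEntry:  # login -> salt + hash(password) + update timestamp, as on the page
    salt: bytes
    digest: bytes
    updated_at: float

def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for the page's passlib/argon2: stdlib scrypt with a demo-sized cost.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

class CachedLdapAuth:
    def __init__(self, ldap_bind, expire_seconds, now):
        self.ldap_bind = ldap_bind            # assumed: (login, password) -> bool, may raise on network errors
        self.expire_seconds = expire_seconds  # HORIZON__AUTH__CACHE__EXPIRE_SECONDS
        self.now = now                        # clock, injectable for testing
        self.cache = {}                       # login -> CacheEntry (a DB table in Horizon)

    def authenticate(self, login: str, password: str) -> bool:
        entry = self.cache.get(login)
        if entry and self.now() - entry.updated_at < self.expire_seconds:
            # Unexpired entry: verify against the cache only; LDAP is not contacted.
            return hmac.compare_digest(hash_password(password, entry.salt), entry.digest)
        ok = self.ldap_bind(login, password)  # no entry or expired: ask LDAP
        if ok:
            salt = os.urandom(16)
            self.cache[login] = CacheEntry(salt, hash_password(password, salt), self.now())
        return ok

def demo():
    directory = {"alice": "old-pass"}  # constructed stand-in for the LDAP directory
    clock = [1000.0]                   # fake clock so expiry is deterministic
    ldap_calls = []
    def bind(login, password):
        ldap_calls.append(login)
        return directory.get(login) == password
    auth = CachedLdapAuth(bind, expire_seconds=3600, now=lambda: clock[0])
    r1 = auth.authenticate("alice", "old-pass")  # LDAP bind, entry cached
    r2 = auth.authenticate("alice", "old-pass")  # served from cache, no LDAP request
    directory["alice"] = "new-pass"              # password changed in LDAP
    r3 = auth.authenticate("alice", "old-pass")  # downside: old password still accepted
    r4 = auth.authenticate("alice", "new-pass")  # cache still fresh, new password rejected
    clock[0] += 3601                             # cache entry expires
    r5 = auth.authenticate("alice", "old-pass")  # LDAP consulted again: rejected
    r6 = auth.authenticate("alice", "new-pass")  # LDAP accepts, cache refreshed
    return (r1, r2, r3, r4, r5, r6, len(ldap_calls))
```

Only three of the seven attempts reach LDAP; the two in between show why expire_seconds should stay short.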

Interaction schema

https://www.plantuml.com/plantuml/svg/xLTDJnin4BtpAqRqGaKYGAKNf21e-BXK8IhGIrkXYJt9Md7ibUqDKF7ZE_PcimaVOcbJbLPTvPArvtdytlECzy07TA6Ow3NW9wYW2ReeCf8VZmxxXqN8-ivEbIIN9kGyMGcLemcmtjMAJ5X_EF01nPYCV6GaWgwlfVUT3lJFpYzWkhE5lCnMi1p3RyjH545DCT3oAgW3d2Zd0sSw8OXnS0V7appSWeXPyx-KFT1DhXp951MV2WRQ-tL-iBa9Uw3jI1dOv4IzlxPk8MO-hxqKjGVdX4vaCBGE1A_2m0grdwKmk2qX6-3qBAX04yz8XP70SF5lbNmB2g_C229f3S2EUj21WJBoIfehXiaryxUHKddxMFZ-J8wIXIvgdQ8tZdgjEHSBWUNSTllBcv4ZCj_sbrA9f1H2aFV3GZT8jfkH6FF-YBTi-1V86UG4oXaWCU00FRM-cZZ78AlTUPhMUzYEedDAy24O6vXHvSFpaUSufIL5Wor5VInqWOYvkI8FfsJ8nGIGD-8e5CwmdICrLydZfS59UuBBf6zQePLa1XNN3Ap5BQYHiQ_VmYV9kGiGBH19suYSZ8n1sMQ78TJEdw9MCf9ORIaoCy4WiiXOXZvhWDYlObDWApb1CBSlE5GDVRfQKwx0MVNMbK-xXsl5nVA_rNwtrQHDsfQSQyjsUxA2tB3GdC43cNUtT-3InEPcdVhEijIozcRrABOAiTZeQaqBWrDK6WUQNhcUVxJxpQY_gHfRWmxuh73ljzynEMwg12t9CDTlZiKM8N1gb0Mmmnfb3yv2Hb5QJnxG4VZO-T0dik_VoBWvQZKcvjkEYxm50xRRcEIM94s1PAerlbpRoFcbw_GutRbYI_KvSl6exrnykwgRU4gYYOEMAj3pGdskZblJW9MLu5CAQVPBIkwdiigciFeONgIxAX-s5rmpLqtJJrIFoyIXhupoTulx2_kV7P1_TV-xgR-behfy-YKz_Amwu57-_Fi1

Configuration

All other settings are the same as for LDAPAuthProvider.

pydantic model horizon.backend.settings.auth.cached_ldap.CachedLDAPAuthProviderSettings

Settings for CachedLDAPAuthProvider.

Examples

HORIZON__AUTH__PROVIDER=horizon.backend.providers.auth.cached_ldap.CachedLDAPAuthProvider
HORIZON__AUTH__ACCESS_KEY__SECRET_KEY=secret
HORIZON__AUTH__LDAP__URL=ldap://ldap.domain.com:389
HORIZON__AUTH__LDAP__LOOKUP__ENABLED=True
HORIZON__AUTH__LDAP__LOOKUP__POOL__ENABLED=True
HORIZON__AUTH__LDAP__LOOKUP__CREDENTIALS__USER=uid=techuser,ou=users,dc=example,dc=com
HORIZON__AUTH__LDAP__LOOKUP__CREDENTIALS__PASSWORD=somepassword
HORIZON__AUTH__CACHE__EXPIRE_SECONDS=3600  # 1 hour

Fields:
field cache: LDAPCacheSettings [Optional]

Cache related settings

field access_token: JWTSettings [Required]

Access-token related settings

field ldap: LDAPSettings [Required]

LDAP related settings

pydantic model horizon.backend.settings.auth.cached_ldap.LDAPCacheSettings

Settings related to LDAP credentials cache.

Examples

HORIZON__AUTH__CACHE__EXPIRE_SECONDS=3600  # 1 hour

Fields:
field expire_seconds: int = 3600

Credentials cache expiration time, in seconds.

Warning

Please do not set too large a value here, as it may lead to security issues.

field password_hash: LDAPCachePasswordHashSettings [Optional]

Password hashing options

pydantic model horizon.backend.settings.auth.cached_ldap.LDAPCachePasswordHashSettings

Settings related to LDAP credentials cache password hashing.

Examples

HORIZON__AUTH__CACHE__PASSWORD_HASH__ALGORITHM=argon2
HORIZON__AUTH__CACHE__PASSWORD_HASH__OPTIONS={"time_cost": 2, "memory_cost": 1024, "parallelism": 1}

Fields:
field algorithm: str = 'argon2'

Hashing algorithm used to hash user credentials.

See the passlib documentation for more details.

field options: Dict[str, Any] = {}

Options passed to the hashing algorithm.