
Add instruction to enable LDAP auth


I see LDAP only in user_guide.md. Probably it is related to django-auth-ldap.

Issue Analytics

  • State: open
  • Created 5 years ago
  • Comments: 21 (13 by maintainers)

Top GitHub Comments

3 reactions
nmanovic commented, Feb 5, 2019

> Hi @nmanovic, I’ll try this week
>
> Is it necessary to provide groups in LDAP? I prefer to manage permissions by CVAT itself and use LDAP only for AUTH

It is necessary because it is how CVAT will determine if the user has admin, user, annotator or observer roles. In case of basic authorization you do it manually in the admin panel. In case of LDAP, the admin panel cannot be used anymore for specifying roles (you can, but such settings will be reset after the LDAP cache is reinitialized) as far as I remember.

1 reaction
vaskokj commented, Jul 24, 2022

Ok this information is pretty far out of date. Configuration settings, environment variables and flow have all changed from 2.x. Here is what I did to get it to work.

We need to override several settings in ./cvat/settings/base.py that aren’t listed here.

Make a docker-compose.override.yml in your ./cvat/ folder (where your docker-compose.yml file is).

version: '3.3'

services:
  cvat:
    environment:
      DJANGO_SETTINGS_MODULE: settings
    volumes:
      - ./settings.py:/home/django/settings.py:ro

Create a settings.py file in your ./cvat folder (same directory as above)

Key things we need to override in settings.py are

IAM_TYPE = 'LDAP' and DJANGO_AUTH_LDAP_GROUPS

Here is my full working settings.py file (with my LDAP services redacted)

from cvat.settings.production import *

# add custom apps here
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType, NestedActiveDirectoryGroupType

IAM_TYPE = 'LDAP'
AUTH_LOGIN_NOTE = '''<p>
    For successful login please make sure you are member of cvat_users group
</p>'''

# Baseline configuration.
AUTH_LDAP_SERVER_URI = "<redacted>"

# Credentials for LDAP server
AUTH_LDAP_BIND_DN = "<redacted>"
AUTH_LDAP_BIND_PASSWORD = "<redacted>"

# Set up basic user search
AUTH_LDAP_USER_SEARCH = LDAPSearch("<redacted>",
    ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

# Set up the basic group parameters.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("<redacted>",
    ldap.SCOPE_SUBTREE, "(objectClass=groupofnames)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()

# Populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}

AUTH_LDAP_ALWAYS_UPDATE_USER = True

# Cache group memberships for an hour to minimize LDAP traffic
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
AUTH_LDAP_AUTHORIZE_ALL_USERS = False

# Keep ModelBackend around for per-user permissions and maybe a local
# superuser.
AUTHENTICATION_BACKENDS += ['django_auth_ldap.backend.LDAPBackend']

# example 'cn=cvat_admin,cn=groups,cn=accounts,dc=example,dc=com'
# change your cn to match whatever groups you have in your LDAP
AUTH_LDAP_ADMIN_GROUPS = [
    'cn=<redacted>',
]

AUTH_LDAP_WORKER_GROUPS = [
    'cn=<redacted>',
]

AUTH_LDAP_USER_GROUPS = [
    'cn=<redacted>',
]

AUTH_LDAP_BUSINESS_GROUPS = [
    'cn=<redacted>',
]

# Each role key maps to the group list of the same name.
DJANGO_AUTH_LDAP_GROUPS = {
    "admin": AUTH_LDAP_ADMIN_GROUPS,
    "business": AUTH_LDAP_BUSINESS_GROUPS,
    "user": AUTH_LDAP_USER_GROUPS,
    "worker": AUTH_LDAP_WORKER_GROUPS,
}

Three notable changes: IAM_TYPE = 'LDAP', AUTH_LDAP_GROUP_TYPE = GroupOfNamesType() (I’m using FreeIPA so we have to use GroupOfNames), and DJANGO_AUTH_LDAP_GROUPS = {"admin": AUTH_LDAP_ADMIN_GROUPS, "business": AUTH_LDAP_BUSINESS_GROUPS, "user": AUTH_LDAP_USER_GROUPS, "worker": AUTH_LDAP_WORKER_GROUPS}.

The DJANGO_AUTH_LDAP_GROUPS keys admin, business, user, worker come from IAM_ROLES = [IAM_ADMIN_ROLE, 'business', 'user', 'worker'] in ./cvat/settings/base.py; in the code it “matches” based on the keywords in IAM_ROLES. The AUTH_LDAP_ADMIN_GROUPS, AUTH_LDAP_WORKER_GROUPS, AUTH_LDAP_USER_GROUPS, AUTH_LDAP_BUSINESS_GROUPS need to be added to the DJANGO_AUTH_LDAP_GROUPS list depending on your groups. If you want to add more groups, just add more in your settings.py file. Hopefully this helps someone else for v2.x+. This works for me for CVAT v2.1.
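A pre-deployment check for the role-to-group mapping described in the comment above, as an added example (not code from the comment or from CVAT): it flags roles with no group, keys that are not in IAM_ROLES (such as the older name annotator), leftover placeholders, and one group DN that grants two roles. The function names, the sample DNs and the value "admin" for IAM_ADMIN_ROLE are assumptions.

```python
import re

# Role keys as used in the comment's DJANGO_AUTH_LDAP_GROUPS ("admin" is assumed
# to be the value of IAM_ADMIN_ROLE).
IAM_ROLES = ["admin", "business", "user", "worker"]

# Loose shape check for one RDN such as "cn=cvat_admin"; not a full RFC 4514
# parser (escaped commas inside a value are not handled).
_RDN = re.compile(r"^[a-z][a-z0-9-]*=[^,=]+$")


def normalize_dn(dn):
    """Lower-case and trim each RDN so differently spelled equal DNs compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def audit_group_map(group_map, roles=IAM_ROLES):
    """Return a sorted list of findings for a role -> [group DN] mapping."""
    findings = [f"role '{r}' has no LDAP group" for r in roles if not group_map.get(r)]
    seen = {}  # normalized DN -> first role that listed it
    for role, dns in group_map.items():
        if role not in roles:
            findings.append(f"key '{role}' is not in IAM_ROLES")
        for dn in dns:
            norm = normalize_dn(dn)
            if "<" in dn or not all(_RDN.match(p) for p in norm.split(",")):
                findings.append(f"{role}: '{dn}' is a placeholder or malformed DN")
            elif norm in seen and seen[norm] != role:
                findings.append(f"'{dn}' grants both '{seen[norm]}' and '{role}'")
            seen.setdefault(norm, role)
    return sorted(findings)


# Constructed sample data; the DNs follow the FreeIPA-style example in the comment.
BASE = "cn=groups,cn=accounts,dc=example,dc=com"
SAMPLE_OK = {
    "admin": [f"cn=cvat_admin,{BASE}"],
    "business": [f"cn=cvat_business,{BASE}"],
    "user": [f"cn=cvat_users,{BASE}"],
    "worker": [f"cn=cvat_workers,{BASE}"],
}
SAMPLE_BAD = {
    "admin": [f"cn=cvat_admin,{BASE}"],
    "business": ["cn=<redacted>"],             # placeholder never filled in
    "user": [f"CN=cvat_admin, {BASE}"],        # admin group reused for "user"
    "annotator": [f"cn=cvat_workers,{BASE}"],  # older role name, not in IAM_ROLES
}

if __name__ == "__main__":
    for finding in audit_group_map(SAMPLE_BAD):
        print(finding)
```
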
