New Component: Streamlit-Ldap-Authenticator

Hi @Kaizen63,

I can't remove Connection from the callback, as it is required for additional checks like whether the user is in the organization and so on, which require a live connection to get additional information like the user's manager information. I need that for my application.

As a quick workaround, I clear the password from the Connection object after the connection bind, like below, and I have uploaded ver 0.2.3 to PyPI.

conn = Connection(server, username, password, auto_bind=False, auto_referrals=False, raise_exceptions=False)
conn.bind()
conn.password = None

Thanks for highlighting this security issue.

With Regards,
Nathan


Thank you again Nathan for the fast response!
That works for now. I am still concerned that this vulnerability is in a widely used library and nobody is concerned.

Here is the link to the issue: Please remove password from the Connection class · Issue #1136 · cannatag/ldap3 · GitHub
Please support.

Kind Regards
Kai Poitschke


Hello Nathan, just saw v 0.2.4 is out. What changed?

Hi Kaizen, ver 0.2.4 is a fix for the cookie handler issue: the 'SigninEvent' object has no attribute 'remember' error when you don't want to use a cookie.

Hello Nathan,

First off thanks for this great component, it worked on my first try so I knew it was going to be a winner.

Everything is working great except for one thing: it is not storing the JWT token in my browser, and I confirmed that w/ dev tools. When I comment out auth and just invoke CookieController and use your CookieController sample code, it sets and removes cookies fine.

I downloaded the component code and stepped through the .py code with the vscode debugger, and this line from cookie_controller.py, "_cookie_controller(method='set', name=name, value=value, options=options)", works when calling CookieController directly. The same line fails when called through Ldap Auth. I didn't see any errors.

Any help is appreciated. Thanks again. Jim

Hi @jcbarr,

I believe it is due to the latency between server and client being long. I think it didn't have enough time to save the browser cookie before Streamlit reran the page when the login was successful. In ver 0.2.4, a 0.1 sec delay after setting the cookie was hard coded in the package. Hence I updated to ver 0.2.5 to be able to configure delay_sec in Cookie_config.

You can try updating to ver 0.2.5, then increase the delay_sec in Cookie_Config when initializing the authenticate object.

You can add delay_sec in the auth_cookie section of the Streamlit secrets.toml file:

[auth_cookie]
name = "login_cookie"
key = "{any password for encryption}"
expiry_days = 1
auto_renewal = true
delay_sec = 0.5

Then you can add the cookie config when the authenticate object is created:

# Declare the authentication object
auth = Authenticate(
    st.secrets['ldap'],
    st.secrets['session_state_names'],
    st.secrets['auth_cookie'],
    st.secrets['encryptor']
)

Do let me know if it works. Thanks for bringing this issue to my attention.

Hi Nathan, it still doesn't work for me. I'm monitoring with Developer tools and the cookie never gets written, regardless of the delay. I'm trying in Chrome and Edge.

It's great for an authentication system.

Nathan, also when I examine the values of cookie_configs within the __setCookie function, the values for expiry_days and delay_sec are always the 1 and .1 defaults, never what I have in the .toml file. The other values are fine.

I have fixed the issue of cookie_config not being assigned correctly in ver 0.2.6. Do let me know if it still doesn't solve the issue.

Nathan, the expiry_days and delay_sec values are now passing correctly; however, the JWT cookie is still not being written to the browser, so reauth still doesn't work. Let me know if you want me to try different versions of things or see a pip freeze. I'm using Windows w/ python 3.12.3 and Rocky Linux 3.12.1 with the latest streamlit-ldap-authenticator.

Nathan! Good news, I think I found the issue! One of the LDAP attributes I need is memberOf, and I have a very long list of group memberships. I think the JWT token was too big, so somewhere the SET was failing (without an error). Is it possible to take a list of "valid" CNs and strip them from memberOf before storing the cookie? Bottom line is I want to control access via AD Global Groups. Thanks!
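One way to do the trimming Jim asks about, as an added example that is not the component's code or anything posted in this thread: it extracts the CN from each memberOf DN, keeps only the CNs on an allowlist, and compares the encoded size of the cookie claims before and after. The user record, group names and allowlist are constructed samples.

```python
import base64
import json
import re

# Constructed sample user and memberOf attribute, in the shape Active Directory returns them.
SAMPLE_USER = {"sAMAccountName": "jdoe", "displayName": "Jane Doe"}
SAMPLE_MEMBER_OF = [
    "CN=App-Admins,OU=Groups,DC=example,DC=com",
    "CN=App-Users,OU=Groups,DC=example,DC=com",
    "CN=Ops\\, Team,OU=Groups,DC=example,DC=com",
] + [f"CN=Printer-Ops-Floor{i},OU=Groups,DC=example,DC=com" for i in range(40)]

# Only these (hypothetical) groups decide access in the app; everything else is noise in the cookie.
ALLOWED_CNS = ["App-Admins", "app-users"]

# First RDN must be CN=...; the value runs to the first unescaped comma (LDAP escapes with '\').
_CN_RDN = re.compile(r"^CN=((?:\\.|[^,\\])+)", re.IGNORECASE)


def group_cn(dn):
    """Return the unescaped CN of a group DN, or None if the DN does not start with CN=."""
    m = _CN_RDN.match(dn.strip())
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else None


def filter_member_of(member_of, allowed_cns):
    """Keep only the allowlisted group CNs, compared case-insensitively as AD does.
    Caveat: memberOf holds direct membership only (no nested groups, no primary group);
    if nested groups matter, resolve them with an LDAP query before trimming."""
    allowed = {cn.casefold() for cn in allowed_cns}
    kept = []
    for dn in member_of:
        cn = group_cn(dn)
        if cn is not None and cn.casefold() in allowed:
            kept.append(cn)
    return kept


def build_claims(user, member_of, allowed_cns):
    """Claims that would be signed into the login cookie, carrying the trimmed group list."""
    return {"sub": user["sAMAccountName"], "name": user["displayName"],
            "groups": filter_member_of(member_of, allowed_cns)}


def encoded_size(claims):
    """Bytes the claims occupy as a base64url JWT payload segment (header and signature excluded)."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return len(base64.urlsafe_b64encode(raw).rstrip(b"="))


if __name__ == "__main__":
    full = {"sub": "jdoe", "name": "Jane Doe", "groups": SAMPLE_MEMBER_OF}
    trimmed = build_claims(SAMPLE_USER, SAMPLE_MEMBER_OF, ALLOWED_CNS)
    print(trimmed["groups"], encoded_size(full), "->", encoded_size(trimmed))
```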

Is there a way to set up a page redirect/switch after a successful login? As an added layer, if it's possible to store the redirect page as a value in the Active Directory, is there a way to grab that and then redirect the user after a successful login?

Hi, is there a way to turn the Remember Me option off? I'd like to hide it from the login.

Hi Nathan, I try to enable the cookie, but the result shows as below. Do I need another setting or action? When I disable cookie_auth, no error is found, but I need the cookie.


I don't seem to get how to add a bind user, which needs to be set up for binding (making searches on LDAP) before you can log in with a normal user. Is this possible with this component?