Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- import ldap
- import logging
- import random
- import sys
- import traceback
- import os
- import hashlib
- from base64 import urlsafe_b64encode as encode
- from base64 import urlsafe_b64decode as decode
- LOG_FILENAME = '/tmp/logging_example.out'
- log = logging
- logging.basicConfig(filename=LOG_FILENAME,level=logging.DEBUG)
- #log = logging.getLogger('atrium.auth.backends')
- from django.conf import settings
- from django.contrib.auth.models import User
- from django.db import transaction
- class LDAPBackendError(Exception):
- pass
- #need to map all of our user attributes to a LDAP attr for commit to work
- #CHANGE THIS FOR INETORG, JWUSER
- _DEFAULTS = {
- 'bindname': None,
- 'binddn': None,
- 'bindpw': None,
- 'group': None,
- 'groupdn': None,
- 'groupsu': None,
- 'groupstaff': None,
- 'groupactive': None,
- 'replicas': True,
- 'email': 'mail',
- 'first_name': 'cn',
- 'last_name': 'sn',
- 'username' : 'uid',
- 'objectClass' : ['jwUser' ,'inetOrgPerson', 'organizationalPerson', 'person', 'top'] ,
- 'timeout': 3,
- 'disable_update': False,
- 'all_attr' : ('username', 'first_name', 'last_name', 'email' ),
- }
- _REQUIRED = ('url', 'userdn')
- _TO_ITERABLE = ('url', 'group', 'groupsu', 'groupstaff', 'groupactive')
- class LDAPBackend():
- def changePasswd(self, user, newpassword):
- log.debug('LDAPBackend.changePasswd(%s,%s)' % (user, newpassword) )
- self._modifyPasswd(user, None, newpassword)
- def authenticate(self, username=None, password=None):
- log.debug('LDAPBackend.authenticate(%s,%s)' % (username, password))
- if username is None or password is None:
- log.debug('Username or password is None, automatically returning None')
- return None
- blocks = self._buildBlocks()
- for block in blocks:
- log.debug('Processing block, settings: %s' % str(block))
- for opt in ('NETWORK_TIMEOUT', 'TIMELIMIT', 'TIMEOUT'):
- ldap.set_option(getattr(ldap, 'OPT_%s' % opt), block['timeout'])
- for uri in block['url']:
- conn = self._buildConn(uri)
- if not conn:
- log.error('Could not initialize connection to %s' % uri)
- continue
- try:
- try:
- conn.simple_bind_s('uid=%s,%s' % (username, block['userdn']), password)
- except ldap.INVALID_CREDENTIALS:
- log.debug('%s returned invalid credentials' % uri)
- if block['replicas'] is True:
- return None
- break
- except ldap.LDAPError, e:
- log.error('Got error from LDAP library: %s' % str(e))
- break
- if block['group'] is None:
- log.info('%s authenticated successfully against %s' % (username, uri))
- return self._return_user(username, conn, block)
- # If your directory is setup such that this user couldn't search (for whatever reason)
- # switch to an account that can so we can check the group
- if block['bindname'] is not None:
- log.debug('Rebinding to check group membership')
- conn.unbind()
- del conn
- conn = self._buildConn(uri)
- try:
- conn.simple_bind_s('cn=%s,%s' % (block['bindname'], block['binddn']), block['bindpw'])
- except ldap.LDAPError, e:
- log.error('Error during rebind: %s' % str(e))
- break
- for group in block['group']:
- log.debug('Checking if %s is a member of %s' % (username, group))
- try:
- result = conn.search_s('cn=%s,%s' % (group, block['groupdn']), ldap.SCOPE_SUBTREE, '(objectclass=*)', ['memberUid'])
- except ldap.NO_SUCH_OBJECT:
- log.error('Could not find user object cn=%s,%s' % (group, block['groupdn']) )
- continue
- print result
- # If there's more than one result, it gets ignored (there shouldn't be more than one
- # group with the same name anyway)
- if not result:
- log.debug('No group found with name %s' % group)
- continue
- if 'memberUid' not in result[0][1]:
- log.debug('No memberUid in group %s' % group)
- continue
- else:
- log.debug('memberUid in group %s found!' % group)
- result = result[0][1]['memberUid']
- #print result[0]
- #print username
- uid = 'uid=' + username + ',' + block['userdn']
- if uid in result[0]:
- log.info('%s authenticated successfully against %s' % (username, uri))
- return self._return_user(username, conn, block)
- if block['replicas'] is True:
- break
- finally:
- del conn
- log.info('User %s could not be authenticated' % username)
- return None
- def checkPassword(self, user, password):
- log.debug('LDAPBackend.checkPassword(%s,%s)' % (user,password) )
- blocks = self._buildBlocks()
- for block in blocks:
- for uri in block['url']:
- #we only compare the current changes, rather than changes between servers (this will put their state into sync incidentaly)
- conn = self._buildConn(uri)
- try:
- conn.simple_bind_s('cn=%s,%s' % (user.username, block['userdn']), password)
- except ldap.INVALID_CREDENTIALS:
- log.info('%s user could not bind, password is incorrect' % user.username)
- continue
- except ldap.LDAPError, e:
- log.error('Got error from LDAP library: %s' % str(e))
- continue
- return True
- #since one server has validated the authentication, we allow the user to proceed.
- return False
- def commitUser(self, user):
- log.debug('LDAPBackend.commitUser(%s)' % user)
- #log.debug('Refernece from %s to modify user')
- blocks = self._buildBlocks()
- update = False
- for block in blocks:
- for uri in block['url']:
- #we only compare the current changes, rather than changes between servers (this will put their state into sync incidentaly)
- conn = self._buildConn(uri)
- try:
- conn.simple_bind_s('cn=%s,%s' % (block['bindname'], block['binddn']), block['bindpw'])
- except ldap.INVALID_CREDENTIALS:
- log.error('%s Admin user could not bind. something is wrong...' % uri)
- continue
- except ldap.LDAPError, e:
- log.error('Got error from LDAP library: %s' % str(e))
- continue
- #ldap_data = self._getUserByName(user.username, user, conn, block)
- ldap_data = 'hacks'
- try:
- r = conn.search_s('uid=%s,%s' % (user.username, block['userdn']), ldap.SCOPE_SUBTREE,'(objectclass=*)', [block['email'], block['first_name'], block['last_name']])
- except ldap.NO_SUCH_OBJECT, e:
- log.warning('Could not get user information for %s, LDAP user likely does not exist' % user.username)
- ldap_data = None
- except ldap.LDAPError, e:
- log.error('Got error from LDAP library, returning our user: %s' % str(e))
- continue
- if ldap_data == None:
- result = self._createUser(conn, block, user, uri)
- log.debug('User create returned %s' % result)
- else:
- result = self._modifyUser(conn, block, user, uri)
- log.debug('User modify returned %s' % result)
- conn.unbind()
- log.debug('Unbound from cn=%s,%s' % (block['bindname'], block['binddn']) )
- del conn
- if result:
- update = True
- #this means our update has occured on at least one server, so we can continue
- if update == False:
- log.error('%s was enabled to be (completely) saved!' % user.username)
- raise LDAPUserCreateError('%s was unabled to be saved/modified to the LDAP system. please view the logs' % user.username)
- def get_user(self, user_id):
- log.debug('LDAPBackend.get_user(%s)' % user_id )
- try:
- return LDAP_User.objects.get(pk=user_id)
- except User.DoesNotExist:
- return None
- ################
- #private methods
- ################
- def _buildBlocks(self):
- log.debug('LDAPBackend._buildBlocks()')
- if isinstance(settings.LDAP_AUTH_SETTINGS[0], dict):
- log.debug('Using complex settings')
- blocks = settings.LDAP_AUTH_SETTINGS
- else:
- log.debug('Using simple settings')
- blocks = (self._parse_simple_config(),)
- # First get our configuration into a standard format
- for block in blocks:
- for r in _REQUIRED:
- if r not in block:
- raise LDAPBackendError('Missing required configuration option: %s' % r)
- for d in _DEFAULTS:
- if d not in block:
- block[d] = _DEFAULTS[d]
- for i in _TO_ITERABLE:
- if isinstance(block[i], str):
- block[i] = (block[i],)
- #Dont make our access random, we want to access servers in the order in the config
- block['url'] = list(block['url'])
- return blocks
- def _buildConn(self, uri):
- log.debug('LDAPBackend._buildConn(%s)' % uri)
- log.debug('Attempting to authenticate to %s' % uri)
- conn = ldap.initialize(uri)
- try:
- conn.start_tls_s()
- except ldap.LDAPError, e:
- log.error("Could not start TLS")
- return conn
- def _createUser(self, conn, block, user, uri):
- log.debug('LDAPBackend._createUser(%s,%s,%s,%s)' % (conn,block,user,uri))
- log.debug('Choosing to create user %s' % user.username)
- exist = True
- #CHANGE THIS FOR INETORG
- try:
- conn.search_s('uid=%s,%s' % (user.username, block['userdn']), ldap.SCOPE_ONELEVEL, '(objectclass=jwUser)', ['uid'])
- except ldap.NO_SUCH_OBJECT, e:
- log.debug('User %s does not exist, time to insert them' % user.username)
- exist = False
- except ldap.LDAPError, e:
- log.error('Got error from LDAP library: %s' % str(e))
- return False
- if exist:
- log.debug('User %s already exists, migrating to %s' % (user.username, uri) )
- #if they exist, we should be adding the group membership
- try:
- r = self._migrateUser(conn, block, user, uri)
- except:
- log.debug(sys.exc_info()[0])
- return r
- #with this, since user creates are handled by the UserManage module, we can be pretty safe we are adding a new user, not overiding one.
- #we need to iterate over all our user values.
- stack = []
- #for oc in block['objectClass']:
- stack.append( ('objectClass', block['objectClass'] ) )
- #add some defaults to our stack
- password= user.password
- user.password = self._makeSecret(password)
- stack.append( ('userPassword' , user.password) )
- for attr in block['all_attr']:
- #we need a way to skip some attributes like username and password etc.
- stack.append( (block[attr] , str(getattr(user, attr)) ), )
- #now we push out our user, and hope nothing bad happens .....
- try:
- log.debug(stack)
- conn.add_s('uid=%s,%s' % (user.username, block['userdn']) , stack)
- log.debug('Succesfully created user %s' % user.username)
- except ldap.LDAPError, e:
- log.error('Error attempting to create user %s to %s' % (user.username, uri))
- #now we want to call our actually user password change method so the new user can *actually* bind and atuhenticate
- #we also want to make our userpassword ! to force validation against the LDAP
- self.adminChangePasswd(user, password)
- user.set_unusable_password()
- #we also need to add groups from the user_is active etc
- r = self._modifyUserGroup(conn, user, block)
- if r == False:
- #shit has gone down, fix it in our create
- conn.delete_s('uid=%s,%s' % (user.username, block['userdn']) )
- return True
- def _getUserByName(self, username, user, conn, block):
- log.debug('LDAPBackend._getUserByName(%s,%s,%s,%s)' % (username,user,conn,block))
- #CHANGE HERE FOR INETORG
- try:
- r = conn.search_s('uid=%s,%s' % (username, block['userdn']), ldap.SCOPE_SUBTREE,
- '(objectclass=*)', [block['email'], block['first_name'], block['last_name']])
- except ldap.NO_SUCH_OBJECT, e:
- log.warning('Could not get user information for %s, LDAP user does not exist returning possibly stale user object' % username)
- return user
- except ldap.LDAPError, e:
- log.error('Got error from LDAP library, returning our user: %s' % str(e))
- return user
- #log.debug('Got back results %s' % r)
- results = r[0][1]
- ldap_data = {}
- if block['email'] is not None:
- ldap_data['email'] = results[block['email']][0] if block['email'] in results else ''
- if block['first_name'] is not None:
- ldap_data['first_name'] = results[block['first_name']][0] if block['first_name'] in results else ''
- if block['last_name'] is not None:
- ldap_data['last_name'] = results[block['last_name']][0] if block['last_name'] in results else ''
- for g, attr in (('groupsu', 'is_superuser'), ('groupstaff', 'is_staff'), ('groupactive', 'is_active')):
- if block[g] is not None:
- ldap_data[attr] = False
- for group in block[g]:
- #these groups MUST exist, but if not we want to log this error.
- try:
- result = conn.search_s('cn=%s,%s' % (group, block['groupdn']), ldap.SCOPE_SUBTREE,
- '(objectclass=*)', ['memberuid'])
- except ldap.NO_SUCH_OBJECT:
- log.error('Group object %s does not exist %s!' % (group, str(e)) )
- continue
- if not result or 'memberUid' not in result[0][1]:
- continue
- log.debug(result)
- result = result[0][1]['memberUid']
- if 'uid=%s,%s' % (username, block['userdn']) in result:
- ldap_data[attr] = True
- #break
- log.debug(ldap_data)
- return ldap_data
- def _makeSecret(self, password):
- log.debug('LDAPBackend._makeSecret(%s)' % password)
- salt = os.urandom(4)
- h = hashlib.sha1(password)
- h.update(salt)
- return "{SSHA}" + encode(h.digest() + salt)
- def _migrateUser(self, conn, block, user, uri):
- log.debug('LDAPBackend._migrateUser(%s,%s,%s,%s)' % (conn,block,user,uri))
- #we know our user already exists, so we need to check they have a JW user attribute
- log.debug('Checking if %s has JW attrs' % user.username)
- try:
- result = conn.search_s('uid=%s,%s' % (str(user.username), block['userdn']), ldap.SCOPE_SUBTREE, '(objectclass=*)')
- except ldap.NO_SUCH_OBJECT:
- log.error('Could not find user object, this isnt correct, uid=%s,%s' % (user.username, block['userdn']) )
- return False
- stack = []
- if result:
- if 'jwUser' not in result[0][1]['objectClass']:
- #we should make it so that we delete the other object classes, then add them back with the jwUser, providded that they are compatible.
- log.error('Cannot add %s, this would create an object class violation!' % user.username)
- return False
- #technically this section should never be called, but it will be useful to 'resync' a broken user profile that lacks the attributes it needs.
- for oclass in block['objectClass']:
- if oclass not in result[0][1]['objectClass']:
- stack.append( (ldap.MOD_ADD, 'objectClass', str(oclass) ) )
- log.debug('User %s does not have %s objectClass, adding' % (str(user.username) , oclass))
- #check that we have all of our needed attributes. if not push them to the stack to be added
- for attr in block['all_attr']:
- if block[attr] not in result[0][1]:
- stack.append( (ldap.MOD_ADD, block[attr] , str(getattr(user, attr)) ) )
- Result = self._modifyUserGroup(conn, user, block)
- if Result:
- #since we don't depend on the user migrate working, we wait till we knows groups have worked, then we commit our user.
- try:
- conn.modify_s('uid=%s,%s' % (user.username, block['userdn']), stack)
- log.debug('%s migrated succesfully' % user.username)
- except ldap.LDAPError, e:
- log.error('%s at %s migrate command failed. %s %s' % (user.username, uri, stack, str(e) ) )
- return False
- return Result
- def _modifyPasswd(self, user, oldpassword, newpassword):
- log.debug('LDAPBackend._modifyPassword(%s,%s,%s)' % (user, oldpassword, newpassword))
- blocks = self._buildBlocks()
- for block in blocks:
- for uri in block['url']:
- conn = self._buildConn(uri)
- try:
- conn.simple_bind_s('cn=%s,%s' % (block['bindname'], block['binddn']), block['bindpw'])
- conn.passwd_s('uid=%s,%s' % (user.username, block['userdn']), oldpassword, newpassword)
- except ldap.INVALID_CREDENTIALS:
- log.error('%s returned invalid admin credentials on attempt to change passwd by %s' % (uri,user.username))
- break
- except ldap.LDAPError, e:
- log.error('Got error from LDAP library: %s' % str(e))
- break
- try:
- conn.simple_bind_s('uid=%s,%s' % (user.username, block['userdn']), newpassword)
- log.debug('New password for %s authenticated succesfully' % user.username)
- except ldap.INVALID_CREDENTIALS:
- log.error('%s error binding as changed %s password - holy fucking shit something is bad!' % (uri, user.username))
- except ldap.LDAPError, e:
- log.error('Got error from LDAP library: %s' % str(e))
- conn.unbind()
- def _modifyUser(self, conn, block, user, uri):
- log.debug('LDAPBackend._modifyUser(%s,%s,%s,%s)' % (conn,block,user,uri))
- log.debug('Choosing to modify user %s' % user.username)
- user_stack = []
- ldap_data = self._getUserByName(user.username, user, conn, block)
- #if we dont find our user, we get the original object back and no update will occur.
- #if we do, add our uri to the stack of servers to modify / add
- #we need to work out if it is a group change or a attr change, and act accordingly
- for attr in ldap_data:
- if attr != 'username' or attr != 'password': #this allows us to skip values that should be immutable
- if getattr(user, attr) != ldap_data[attr]:
- #push our changed attr to a stack, ready to be modified
- if not (ldap.MOD_ADD, block[attr], getattr(user, attr)) in user_stack or not (ldap.MOD_REPLACE, block[attr], getattr(user, attr)) in user_stack:
- #work out if its a replace or add operation (we can have many emails etc but likely not)
- if ldap_data[attr] == None:
- user_stack.append( (ldap.MOD_ADD, block[attr], getattr(user, attr)) )
- else:
- user_stack.append( (ldap.MOD_REPLACE, block[attr], getattr(user, attr)) )
- #once we know the changes, we save them to the ldap in a single hit.
- try:
- conn.modify_s('uid=%s,%s' % (user.username, block['userdn']), user_stack)
- log.debug('%s modified succesfully' % user.username)
- except ldap.LDAPError, e:
- log.error('%s at %s modify command failed. %s %s' % (user.username, uri, user_stack, str(e) ) )
- return False
- r = self._modifyUserGroup(conn, user, block)
- return r
- #we should consider checking that it worked .....
- def _modifyUserGroup(self, conn, user, block):
- log.debug('LDAPBackend._modifyUserGroup(%s,%s,%s)' % (conn,user,block))
- #check that our membership exists
- try:
- member_stack = [ (ldap.MOD_ADD, 'memberUid', 'uid=%s,%s' % (str(user.username), block['userdn']) ) ]
- conn.modify_s('cn=%s,%s' % (block['group'][0], block['groupdn']), member_stack)
- except ldap.TYPE_OR_VALUE_EXISTS:
- log.error('%s already exists in %s' % (user.username, block['group']) )
- except ldap.LDAPError, e:
- #we hit an error, so we revent our change to the user, this one is the bad error to hit.
- log.error('Error adding %s to %s %s' % (user.username, block['group'], str(e) ) )
- return False
- for g, attr in (('groupsu', 'is_superuser'), ('groupstaff', 'is_staff'), ('groupactive', 'is_active')):
- if block[g] is not None:
- for group in block[g]:
- #now we check that our user, and add them to the group
- try:
- if getattr(user, attr) == True:
- mod_attrs = [ (ldap.MOD_ADD, 'memberUid', 'uid=%s,%s' % (str(user.username), block['userdn']) ) ]
- else:
- mod_attrs = [ (ldap.MOD_DELETE, 'memberUid', 'uid=%s,%s' % (str(user.username), block['userdn']) ) ]
- conn.modify_s('cn=%s,%s' % (group, block['groupdn']), mod_attrs)
- log.debug('Successfully modified %s with user %s' % (group, user.username) )
- except ldap.NO_SUCH_ATTRIBUTE:
- continue
- except ldap.TYPE_OR_VALUE_EXISTS:
- continue
- except ldap.LDAPError, e:
- log.error('Error adding %s to %s %s' % (user.username, group, str(e) ) )
- #we hit an error, but, in the schema of things a group error isnt to big of a deal and is easy to correct, and also extremely unlikely to occur.
- #in the majority of cases, this will only result in a user having no ablitiy to login, or permissions not granted, both of which are not bad situations
- return True
- def _parse_simple_config(self):
- log.debug('LDAPBackend._parse_simple_config()')
- if len(settings.LDAP_AUTH_SETTINGS) < 2:
- raise LDAPBackendError('In a minimal configuration, you must at least specify url and user DN')
- ret = {'url': settings.LDAP_AUTH_SETTINGS[0], 'userdn': settings.LDAP_AUTH_SETTINGS[1]}
- if len(settings.LDAP_AUTH_SETTINGS) < 3:
- return ret
- if len(settings.LDAP_AUTH_SETTINGS) < 4:
- raise LDAPBackendError('If you specify a required group, you must specify the group DN as well')
- ret['group'] = settings.LDAP_AUTH_SETTINGS[2]
- ret['groupdn'] = settings.LDAP_AUTH_SETTINGS[3]
- return ret
- def _return_user(self, username, conn, block):
- log.debug('LDAPBackend._return_user(%s,%s,%s)' % (username,conn,block))
- try:
- user = LDAP_User.objects.get(username=username)
- except User.DoesNotExist:
- log.info('User %s did not exist in Django database, creating' % username)
- user = LDAP_User(username=username, password='')
- user.set_unusable_password()
- user.save()
- if block['disable_update']:
- return user
- for p in ('first_name', 'last_name', 'email', 'groupsu', 'groupstaff', 'groupactive'):
- if block[p] is not None:
- break
- else:
- return user
- ldap_data = self._getUserByName(username, user, conn, block)
- log.debug(ldap_data)
- for attr in ldap_data:
- if getattr(user, attr) != ldap_data[attr]:
- break
- else:
- return user
- log.info('Data for user %s has changed, updating Django database' % username)
- log.debug('Setting attributes: %s' % str(ldap_data))
- for attr in ldap_data:
- setattr(user, attr, ldap_data[attr])
- #conviniently, this will pull our other servers into sync with the data our user has here.
- user.save()
- return user
- #we define our custom error handlers.
- class Error(Exception):
- pass
- class LDAPUserCreateError(Error):
- def __init__(self, expr, msg):
- self.msg = msg
- class LDAP_User(User):
- class Meta:
- proxy = True
- """
- Users within the Django authentication system are represented by this model.
- Username and password are required. Other fields are optional.
- """
- #username = models.CharField(_('username'), max_length=30, unique=True, help_text=_("Required. 30 characters or fewer. Letters, numbers and @/./+/-/_ characters"))
- #first_name = models.CharField(_('first name'), max_length=30, blank=True)
- #last_name = models.CharField(_('last name'), max_length=30, blank=True)
- #email = models.EmailField(_('e-mail address'), blank=True)
- #always query password checks
- #password = models.CharField(_('password'), max_length=128, help_text=_("Use '[algo]$[salt]$[hexdigest]' or use the <a href=\"password/\">change password form</a>."))
- #is_staff = models.BooleanField(_('staff status'), default=False, help_text=_("Designates whether the user can log into this admin site."))
- #is_active = models.BooleanField(_('active'), default=True, help_text=_("Designates whether this user should be treated as active. Unselect this instead of deleting accounts."))
- #is_superuser = models.BooleanField(_('superuser status'), default=False, help_text=_("Designates that this user has all permissions without explicitly assigning them."))
- #last_login = models.DateTimeField(_('last login'), default=datetime.datetime.now)
- #date_joined = models.DateTimeField(_('date joined'), default=datetime.datetime.now)
- #groups = models.ManyToManyField(Group, verbose_name=_('groups'), blank=True,
- # help_text=_("In addition to the permissions manually assigned, this user will also get all permissions granted to each group he/she is in."))
- #user_permissions = models.ManyToManyField(Permission, verbose_name=_('user permissions'), blank=True)
- #objects = UserManager()
- #Always query for passwork checks
- #We want to cache user data, but on modify we want to force a reload, then modify the data, and update our cache
- def save(self,*args,**kwargs):
- log.debug('LDAP_User.save()' )
- try:
- sid = transaction.savepoint()
- super(User,self).save(*args,**kwargs)
- #save to ldap here
- ldapbackend = LDAPBackend()
- # we dont want to catch this raised exception, we want to use it to hook our roll back.
- ldapbackend.commitUser(self)
- del ldapbackend
- transaction.savepoint_commit(sid)
- except:
- log.debug('Error saving user: %s' % sys.exc_info()[0] )
- transaction.savepoint_rollback(sid)
- def set_password(self, rawpassword):
- log,debug('LDAP_User.set_password(%s)' % rawpassword)
- ldapbackend = LDAPBackend()
- ldapbackend.changePasswd(self, rawpassword)
- #we should be checking if our user exists before saving, and set the unusable password anyway
- #since the user model already exists, it must have come out of the lday system, so we dont need to check.
- #we dont need to do a self.save() because it is not in the original models method, its also saved to ldap internal to the methods.
- def check_password(self, rawpassword):
- log.debug('LDAP_User.check_password(%s)' % rawpassword)
- #return a boolean of true or false if we can bind.
- ldapbackend = LDAPBackend()
- return ldapbackend.checkPasswd(self.username, rawpassword)
- #do a bind operation
- # LDAP_AUTH_SETTINGS = ('ldap://10.0.44.2', 'cn=users,dc=example,dc=com')
- #
- # LDAP_AUTH_SETTINGS = ('ldap://10.0.44.2', 'cn=users,dc=example,dc=com', 'django_login',
- # 'cn=groups,dc=example,dc=com')
- #
- # LDAP_AUTH_SETTINGS = (('ldap://10.0.44.2', 'ldaps://10.0.44.200'), 'cn=users,dc=example,dc=com',
- # ('django_login', 'staff', 'web_users'), 'cn=groups,dc=example,dc=com')
- #
- # -*> means required
- # --> means optional
- # LDAP_AUTH_SETTINGS = (
- # {'url': ('ldap://10.0.44.2', 'ldaps://10.0.44.200'), -*> can be string or iterable of strings
- # 'userdn': 'cn=users,dc=example,dc=com', -*> ldap subtree in which users are stored
- # 'bindname': 'diradmin', --> admin name if users are not allowed to search
- # 'bindpw': 'supersecret', --> password for bindname
- # 'group': ('django_users', 'web_users', 'staff'), --> can be None, string, or iterable of group names
- # if set, user must be in one of these groups
- # also, must set groupdn
- # 'groupdn': 'cn=groups,dc=example,dc=com', --> ldap subtree in which groups are stored
- # 'groupsu': ('wheel', 'admin', 'django_superusers'), --> can be None, string or iterable of group names
- # if set, users in these groups will be Django
- # "superusers"
- # 'groupstaff': ('staff', 'django_staff'), --> can be None, string or iterable of group names
- # if set, users in these groups will be Django
- # "staff"
- # 'groupactive': 'active_users', --> can be None, string or iterable of group names
- # if set, users in these groups will be "active"
- # in Django
- # users not in any group will be "inactive" in
- # Django
- # 'replicas': False, --> If True, will stop querying this block's
- # servers on the first response, positive or
- # negative. If False, it will try to authenticate
- # against each server before moving onto the next
- # block
- # 'use_for_data': True, --> If True, the Django User object first_name,
- # last_name, and email fields will be taken from
- # LDAP. See *_field settings.
- # 'email': 'mail', --> The LDAP attribute of the person object that
- # holds the user's email address
- # 'first_name': 'givenName', --> The LDAP attribute of the person object that
- # holds the user's first name
- # 'last_name': 'sn' --> The LDAP attribute of the person object that
- # holds the user's last name
- # }
- # # Can repeat with totally different set of authentication servers/settings
- # # Useful for a situation where you have multiple masters with multiple replicas that are all possibly
- # # valid authentication points
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement