- # Ldap authentication backend for Django. Users are authenticated against
- # an ldap server and their django accounts (name, email) are maintained
- # automatically.
- #
- # Configuration is done in settings.py, these are the available settings:
- #
- # # Where to find the ldap server (optional, default: ldap://localhost).
- # # Use an ldaps:// URL (or an otherwise TLS-protected connection) in
- # # production: over plain ldap:// the user's password crosses the network
- # # unencrypted when this backend binds as the user.
- # AUTH_LDAP_HOST = 'ldap://ldap.kaarsemaker.net'
- # # Which ldap groups to mirror in django (optional, default [])
- # AUTH_LDAP_GROUPS = ('webadmins','ubuntu')
- # # Users must be a member of at least one of these ldap groups to be able
- # # to log in (optional, default [] = no group restriction at all)
- # AUTH_LDAP_FILTER_GROUPS = AUTH_LDAP_GROUPS
- # # DN and password used to bind before looking users and groups up
- # # (optional, default: anonymous bind). Use a read-only service account
- # # and keep the password out of version control.
- # #AUTH_LDAP_BINDDN = "cn=admin,dc=kaarsemaker,dc=net"
- # #AUTH_LDAP_BINDPW = "TheAdminPassword"
- # # Base DN for users and groups (required)
- # AUTH_LDAP_BASEDN_USER = 'ou=People,dc=kaarsemaker,dc=net'
- # AUTH_LDAP_BASEDN_GROUP = 'ou=Group,dc=kaarsemaker,dc=net'
- # # Give every ldap user is_staff, i.e. access to the django admin site?
- # # (optional, default False)
- # AUTH_LDAP_CREATE_STAFF = True
- #
- # # If you want LDAP to be your only authentication source, use
- # AUTHENTICATION_BACKENDS = ('myproject.auth_ldap.LdapAuthBackend',)
- # # If you want to use ldap and fall back to django, use
- # AUTHENTICATION_BACKENDS = ('myproject.auth_ldap.LdapAuthBackend',
- # 'django.contrib.auth.backends.ModelBackend')
- #
- # When using ldap exclusively, the superuser created with ./manage.py
- # cannot log in unless the account also exists in ldap. So either make
- # sure the user exists in ldap or give another user superuser rights
- # before disabling the builtin authentication.
- #
- # Make sure all your ldap users have a mail attribute, otherwise this
- # module will break.
- #
- # (c)2008 Dennis Kaarsemaker <dennis@kaarsemaker.net>
- # License: Same as django
import ldap
import ldap.filter

from django.conf import settings
from django.contrib.auth.backends import ModelBackend
from django.contrib.auth.models import User, Group
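def _find_dn(ls, username):
    """Look up the LDAP entry for *username* below AUTH_LDAP_BASEDN_USER.

    Binds with AUTH_LDAP_BINDDN / AUTH_LDAP_BINDPW (anonymous bind when both
    are unset) and searches one level below the user base DN for an entry
    whose ``uid`` equals the username.

    Args:
        ls: an initialized python-ldap connection object.
        username: the login name as typed by the user.  It is untrusted
            input: the LDAP filter metacharacters (``* ( ) \\`` and NUL) are
            escaped so the value cannot alter the search filter.

    Returns:
        The first matching ``(dn, attrs)`` tuple, or ``None`` when the
        username is empty or no entry matches.
    """
    if not username:
        return None
    ls.bind_s(getattr(settings, 'AUTH_LDAP_BINDDN', ''),
              getattr(settings, 'AUTH_LDAP_BINDPW', ''))
    # filter_format escapes its arguments per RFC 4515; the old code spliced
    # the raw username into the filter ("uid=" + username), which let a
    # login name such as "*" or "x)(objectClass=*" change the query.
    search_filter = ldap.filter.filter_format('(uid=%s)', [username])
    res = ls.search_s(settings.AUTH_LDAP_BASEDN_USER, ldap.SCOPE_ONELEVEL,
                      search_filter, [])
    if not res:
        return None
    # Several entries may match; like before, only the first one is used.
    return res[0]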
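def _find_groups(ls, username):
    """Return the names (``cn``) of the LDAP groups *username* belongs to.

    Binds with AUTH_LDAP_BINDDN / AUTH_LDAP_BINDPW (anonymous bind when both
    are unset) and searches one level below AUTH_LDAP_BASEDN_GROUP for
    entries whose ``memberUid`` contains the username.

    Args:
        ls: an initialized python-ldap connection object.
        username: the login name; escaped before it is placed in the filter
            so it cannot widen the search (e.g. ``*`` matching every group).

    Returns:
        A list of group names as text.  ``[]`` without contacting the
        server when neither AUTH_LDAP_GROUPS nor AUTH_LDAP_FILTER_GROUPS is
        configured, or when *username* is empty.
    """
    if not getattr(settings, 'AUTH_LDAP_GROUPS', None) and \
       not getattr(settings, 'AUTH_LDAP_FILTER_GROUPS', None):
        return []
    if not username:
        return []
    ls.bind_s(getattr(settings, 'AUTH_LDAP_BINDDN', ''),
              getattr(settings, 'AUTH_LDAP_BINDPW', ''))
    # Escape the username (RFC 4515) instead of concatenating it raw.
    search_filter = ldap.filter.filter_format('(memberUid=%s)', [username])
    # Only cn is ever used, so only ask the server for cn.
    res = ls.search_s(settings.AUTH_LDAP_BASEDN_GROUP, ldap.SCOPE_ONELEVEL,
                      search_filter, ['cn'])
    names = []
    for _dn, attrs in res:
        values = attrs.get('cn') or []
        if not values:
            # Group entry without a cn; the old code raised KeyError here.
            continue
        name = values[0]
        if not isinstance(name, str):
            # python-ldap hands back bytes on Python 3; settings hold text.
            name = name.decode('utf-8')
        names.append(name)
    return names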
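class LdapAuthBackend(ModelBackend):
    """Django authentication backend that checks credentials against LDAP.

    ``authenticate`` looks the user up in the directory, binds as that user
    with the supplied password, applies the optional AUTH_LDAP_FILTER_GROUPS
    restriction and then creates or refreshes the matching django ``User``
    (name, email, staff flag, mirrored groups).  Password checking is left
    entirely to LDAP: the django row always carries an unusable password.
    ``get_user`` is inherited from ``ModelBackend``.

    NOTE(review): the ``authenticate(username=, password=)`` signature is the
    keyword-only style older django calls; newer django passes a ``request``
    first -- confirm against the django version in use.
    """

    def authenticate(self, username=None, password=None):
        """Return the django ``User`` for *username* / *password*, or ``None``.

        Steps: locate the user's DN (``_find_dn``), bind with the given
        password, check AUTH_LDAP_FILTER_GROUPS membership, then create or
        update the django account.  The LDAP connection is always unbound,
        also when python-ldap raises something other than INVALID_CREDENTIALS
        (the old code leaked the connection in that case).

        Args:
            username: login name as typed by the user (untrusted input).
            password: password as typed by the user (untrusted input).

        Returns:
            The ``User`` instance on success, ``None`` on any failure
            (unknown user, wrong password, not in a required group).

        Raises:
            ``ldap.LDAPError`` subclasses other than ``INVALID_CREDENTIALS``
            propagate (server unreachable, search failures, ...).
        """
        # Refuse empty credentials before touching the directory.  A bind
        # with a DN and an empty password is an LDAP "unauthenticated bind"
        # (RFC 4513 section 5.1.2) which many servers accept, so the old
        # code let anyone log in as any existing user with a blank password.
        if not username or not password:
            return None

        # Only install a CA file when one is configured (the old code set
        # OPT_X_TLS_CACERTFILE to '' when unset).  NOTE(review): this module
        # never sets OPT_X_TLS_REQUIRE_CERT, so whether the server certificate
        # is verified depends on the libldap defaults (ldap.conf); a plain
        # ldap:// AUTH_LDAP_HOST sends the password unencrypted.
        cacert = getattr(settings, 'AUTH_LDAP_CACERT_FILE', '')
        if cacert:
            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert)

        ls = ldap.initialize(getattr(settings, 'AUTH_LDAP_HOST', 'ldap://localhost'))
        ls.protocol_version = ldap.VERSION3
        try:
            entry = _find_dn(ls, username)
            # _find_dn returns None for an unknown user; the old code unpacked
            # it unconditionally and raised TypeError instead of failing the
            # login.  An entry whose dn is None (a referral) is rejected too.
            if not entry or not entry[0]:
                return None
            dn, attrs = entry
            try:
                ls.bind_s(dn, password)
            except ldap.INVALID_CREDENTIALS:
                return None
            # _find_groups rebinds with the service credentials, so the user
            # bind above serves purely as the password check.
            groups = _find_groups(ls, username)
        finally:
            ls.unbind()

        if not self._passes_group_filter(groups):
            return None
        return self._sync_user(username, attrs, groups)

    @staticmethod
    def _passes_group_filter(groups):
        """True unless AUTH_LDAP_FILTER_GROUPS is set and shares no name with *groups*."""
        required = getattr(settings, 'AUTH_LDAP_FILTER_GROUPS', None)
        if not required:
            return True
        return any(name in groups for name in required)

    @staticmethod
    def _first(attrs, name, default=''):
        """Return the first value of LDAP attribute *name* in *attrs* as text.

        Returns *default* when the attribute is absent or empty (the old code
        raised KeyError, e.g. for users without a ``mail`` attribute).  Byte
        values, as python-ldap returns on Python 3, are decoded as UTF-8.
        """
        values = attrs.get(name) or []
        if not values:
            return default
        value = values[0]
        if not isinstance(value, str):
            value = value.decode('utf-8')
        return value

    def _sync_user(self, username, attrs, groups):
        """Create or refresh the django ``User`` mirroring the LDAP entry.

        Args:
            username: the authenticated login name.
            attrs: the attribute dict of the user's LDAP entry.
            groups: the names of the LDAP groups the user belongs to.

        Returns:
            The saved ``User``.
        """
        try:
            user = User.objects.get(username=username)
        except User.DoesNotExist:
            # password=None: the LDAP password is never stored in django.
            user = User.objects.create_user(username, self._first(attrs, 'mail'), None)
        # NOTE(review): is_active is forced on at every login, so deactivating
        # the account in django does not stick; removing the user from the
        # AUTH_LDAP_FILTER_GROUPS groups (or from the directory) is the only
        # way to lock them out of this backend.
        user.is_active = True
        if getattr(settings, 'AUTH_LDAP_CREATE_STAFF', False):
            # is_staff grants access to the django admin site.
            user.is_staff = True
        user.first_name = self._first(attrs, 'givenName')
        user.last_name = self._first(attrs, 'sn')
        user.email = self._first(attrs, 'mail')
        # The old code stored the literal 'This is an LDAP account', which is
        # not a valid password hash; mark the password unusable instead so a
        # fallback ModelBackend can never authenticate this user locally.
        user.set_unusable_password()
        self._sync_groups(user, groups)
        user.save()
        return user

    @staticmethod
    def _sync_groups(user, ldap_groups):
        """Mirror membership of each AUTH_LDAP_GROUPS group onto *user*.

        Groups are created in django on first sight; the user is added to the
        ones they belong to in LDAP and removed from the others.  Django groups
        not listed in AUTH_LDAP_GROUPS are left untouched.
        """
        ldap_groups = set(ldap_groups)
        # Compare by name (unique on Group) rather than by model instance.
        current = set(group.name for group in user.groups.all())
        for name in getattr(settings, 'AUTH_LDAP_GROUPS', []):
            dgroup, _created = Group.objects.get_or_create(name=name)
            if name in ldap_groups and name not in current:
                user.groups.add(dgroup)
            elif name not in ldap_groups and name in current:
                user.groups.remove(dgroup)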