  1. # Ldap authentication backend for Django. Users are authenticated against
  2. # an ldap server and their django accounts (name, email) are maintained
  3. # automatically.
  4. #
  5. # Configuration is done in settings.py, these are the available settings:
  6. #
  7. # # Where to find the ldap server (optional, default: ldap://localhost)
  8. # AUTH_LDAP_HOST = 'ldap://ldap.kaarsemaker.net'
  9. # # Which ldap groups to mirror in django (optional, default [])
  10. # AUTH_LDAP_GROUPS = ('webadmins','ubuntu')
  11. # # Users must be in at least one of these groups (optional, default [])
  12. # AUTH_LDAP_FILTER_GROUPS = AUTH_LDAP_GROUPS
  13. # # DN for binding to the server (optional, default anonymous bind)
  14. # #AUTH_LDAP_BINDDN = "cn=admin,dc=kaarsemaker,dc=net"
  15. # #AUTH_LDAP_BINDPW = "TheAdminPassword"
  16. # # Base DN for users and groups (required)
  17. # AUTH_LDAP_BASEDN_USER = 'ou=People,dc=kaarsemaker,dc=net'
  18. # AUTH_LDAP_BASEDN_GROUP = 'ou=Group,dc=kaarsemaker,dc=net'
  19. # # Do we need to make the user staff?
  20. # AUTH_LDAP_CREATE_STAFF = True
  21. #
  22. # # If you want LDAP to be your only authentication source, use
  23. # AUTHENTICATION_BACKENDS = ('myproject.auth_ldap.LdapAuthBackend',)
  24. # # If you want to use ldap and fall back to django, use
  25. # AUTHENTICATION_BACKENDS = ('myproject.auth_ldap.LdapAuthBackend',
  26. # 'django.contrib.auth.backends.ModelBackend')
  27. #
  28. # When using ldap exclusively, the superuser created with ./manage.py
  29. # cannot log in unless the account also exists in ldap. So either make
  30. # sure the user exists in ldap or give another user superuser rights
  31. # before disabling the builtin authentication.
  32. #
  33. # Make sure all your ldap users have a mail attribute, otherwise this
  34. # module will break.
  35. #
  36. # (c)2008 Dennis Kaarsemaker <dennis@kaarsemaker.net>
  37. # License: Same as django
  38.  
import ldap
import ldap.filter

from django.conf import settings
from django.contrib.auth.backends import ModelBackend
from django.contrib.auth.models import User, Group
  43.  
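def _find_dn(ls, username):
    """Look up the LDAP entry for ``username`` below AUTH_LDAP_BASEDN_USER.

    Binds with the configured service credentials (AUTH_LDAP_BINDDN /
    AUTH_LDAP_BINDPW; an anonymous bind when both are unset) and searches
    one level below the user base DN for ``uid=<username>``.

    Args:
        ls: an initialized ``ldap`` connection object.
        username: the login name to look up. It is escaped before being
            placed in the search filter, so filter metacharacters in
            user-supplied input cannot widen or alter the query.

    Returns:
        The first ``(dn, attrs)`` tuple of the search result, or ``None``
        when ``username`` is empty or no entry matches.
    """
    if not username:
        return None
    ls.bind_s(getattr(settings, 'AUTH_LDAP_BINDDN', ''),
              getattr(settings, 'AUTH_LDAP_BINDPW', ''))
    # escape_filter_chars neutralises '*', '(', ')', '\\' and NUL so the
    # filter matches exactly one uid instead of a caller-chosen pattern.
    search_filter = "uid=" + ldap.filter.escape_filter_chars(username)
    res = ls.search_s(settings.AUTH_LDAP_BASEDN_USER, ldap.SCOPE_ONELEVEL,
                      search_filter, [])
    # NOTE(review): search_s can return referral tuples with dn=None on some
    # servers; skip those so the caller always receives a bindable DN.
    for dn, attrs in res:
        if dn is not None:
            return dn, attrs
    return None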
  52.  
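def _find_groups(ls, username):
    """Return the names (``cn``) of the LDAP groups that list ``username``.

    Returns ``[]`` immediately when neither AUTH_LDAP_GROUPS nor
    AUTH_LDAP_FILTER_GROUPS is configured (the result would be unused) or
    when ``username`` is empty. Otherwise re-binds with the service
    credentials and searches one level below AUTH_LDAP_BASEDN_GROUP for
    ``memberUid=<username>``.

    Args:
        ls: an initialized ``ldap`` connection object.
        username: the login name whose group memberships are wanted; it is
            escaped before being placed in the search filter.

    Returns:
        A list of group names as text. Values that arrive as ``bytes``
        (python-ldap 3 on Python 3) are decoded so they compare equal to
        the ``str`` values in settings.
    """
    if not getattr(settings, 'AUTH_LDAP_GROUPS', None) and \
       not getattr(settings, 'AUTH_LDAP_FILTER_GROUPS', None):
        return []
    if not username:
        return []
    ls.bind_s(getattr(settings, 'AUTH_LDAP_BINDDN', ''),
              getattr(settings, 'AUTH_LDAP_BINDPW', ''))
    # Escape the value so a crafted username cannot turn the membership
    # lookup into a wildcard or a differently-shaped filter.
    search_filter = "memberUid=" + ldap.filter.escape_filter_chars(username)
    res = ls.search_s(settings.AUTH_LDAP_BASEDN_GROUP, ldap.SCOPE_ONELEVEL,
                      search_filter, [])
    names = []
    for dn, attrs in res:
        # Skip referral entries (dn is None) and entries without a cn.
        if dn is None or 'cn' not in attrs:
            continue
        cn = attrs['cn'][0]
        names.append(cn.decode('utf-8') if isinstance(cn, bytes) else cn)
    return names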
  62.  
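class LdapAuthBackend(ModelBackend):
    """Authenticate Django users against an LDAP directory.

    ``authenticate`` binds to the directory as the user to verify the
    password, optionally requires membership in one of
    AUTH_LDAP_FILTER_GROUPS, then creates or refreshes the matching
    ``User`` and mirrors the AUTH_LDAP_GROUPS memberships. Permission
    lookups are inherited from ``ModelBackend``.

    Settings read here (all via ``getattr`` with a default):
        AUTH_LDAP_HOST          LDAP URL, default 'ldap://localhost'
        AUTH_LDAP_CACERT_FILE   CA bundle passed to OPT_X_TLS_CACERTFILE,
                                only applied when set
        AUTH_LDAP_FILTER_GROUPS groups of which the user must be a member
        AUTH_LDAP_GROUPS        groups mirrored into django.contrib.auth
        AUTH_LDAP_CREATE_STAFF  when true, every LDAP user becomes staff
    """

    @staticmethod
    def _text(value):
        """Return an LDAP attribute value as text.

        python-ldap 3 on Python 3 returns attribute values as ``bytes``;
        older versions return ``str``. Either is accepted.
        """
        if isinstance(value, bytes):
            return value.decode('utf-8')
        return value

    def authenticate(self, username=None, password=None):
        """Verify ``username``/``password`` against LDAP.

        Returns the synchronised ``User`` on success, ``None`` when the
        credentials are empty, the user is unknown, the bind fails or the
        user is not in any of AUTH_LDAP_FILTER_GROUPS. Errors other than
        ``ldap.INVALID_CREDENTIALS`` propagate to the caller, as before;
        the connection is unbound on every path.

        NOTE(review): Django 1.11+ calls ``backend.authenticate(request,
        **credentials)``; this signature predates that, so confirm the
        target Django version before relying on it.
        """
        # An empty password must never reach bind_s: servers may treat
        # "DN + empty password" as an unauthenticated bind that succeeds
        # without checking anything (RFC 4513 section 5.1.2).
        if not username or not password:
            return None

        # Only touch the global TLS option when a CA file is configured;
        # setting it to '' would clobber any library/system default.
        cacert = getattr(settings, 'AUTH_LDAP_CACERT_FILE', '')
        if cacert:
            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert)
        ls = ldap.initialize(getattr(settings, 'AUTH_LDAP_HOST',
                                     'ldap://localhost'))
        ls.protocol_version = ldap.VERSION3
        try:
            entry = _find_dn(ls, username)
            if entry is None:
                return None
            dn, attrs = entry
            if not dn:
                return None
            try:
                ls.bind_s(dn, password)
            except ldap.INVALID_CREDENTIALS:
                return None

            # Membership gate: the user must be in at least one filter group.
            groups = _find_groups(ls, username)
            filter_groups = getattr(settings, 'AUTH_LDAP_FILTER_GROUPS', None)
            if filter_groups and not any(g in groups for g in filter_groups):
                return None

            return self._sync_user(username, attrs, groups)
        finally:
            ls.unbind()

    def _sync_user(self, username, attrs, groups):
        """Create or refresh the Django ``User`` for an authenticated entry.

        Args:
            username: the login name (also the Django username).
            attrs: the LDAP attribute dict; ``mail`` is required,
                ``givenName`` and ``sn`` default to '' when absent.
            groups: LDAP group names the user belongs to, used to add or
                remove the mirrored AUTH_LDAP_GROUPS memberships.

        Returns:
            The saved ``User`` instance.

        Raises:
            KeyError: when the entry has no ``mail`` attribute.
        """
        email = self._text(attrs['mail'][0])
        try:
            user = User.objects.get(username=username)
        except User.DoesNotExist:
            # No password is handed to create_user: the LDAP password must
            # not be written to Django's auth table, not even hashed.
            user = User.objects.create_user(username, email)
        user.is_active = True
        if getattr(settings, 'AUTH_LDAP_CREATE_STAFF', False):
            user.is_staff = True
        user.first_name = self._text(attrs.get('givenName', [''])[0])
        user.last_name = self._text(attrs.get('sn', [''])[0])
        user.email = email
        # Mark the local password unusable so ModelBackend can never
        # authenticate this account from the database.
        user.set_unusable_password()

        # Mirror group memberships; snapshot the current set once instead
        # of re-querying user.groups.all() twice per group.
        current = set(user.groups.all())
        for name in getattr(settings, 'AUTH_LDAP_GROUPS', []):
            dgroup, _created = Group.objects.get_or_create(name=name)
            in_ldap = name in groups
            in_django = dgroup in current
            if in_ldap and not in_django:
                user.groups.add(dgroup)
            elif in_django and not in_ldap:
                user.groups.remove(dgroup)

        user.save()
        return user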