def test_group_cache(self): self._init_settings( USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test', GROUP_SEARCH=LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE), GROUP_TYPE=MemberDNGroupType(member_attr='member'), FIND_GROUP_PERMS=True, CACHE_GROUPS=True ) self._init_groups() alice_id = User.objects.create(username='******').pk bob_id = User.objects.create(username='******').pk # Check permissions twice for each user for i in range(2): alice = self.backend.get_user(alice_id) self.assertEqual( self.backend.get_group_permissions(alice), set(["auth.add_user", "auth.change_user"]) ) bob = self.backend.get_user(bob_id) self.assertEqual(self.backend.get_group_permissions(bob), set()) # Should have executed one LDAP search per user self.assertEqual( self.ldapobj.methods_called(), ['initialize', 'simple_bind_s', 'search_s', 'initialize', 'simple_bind_s', 'search_s'] )
def test_profile_flags(self): settings.AUTH_PROFILE_MODULE = 'django_auth_ldap.TestProfile' self._init_settings(USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test', GROUP_SEARCH=LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE), GROUP_TYPE=MemberDNGroupType(member_attr='member'), PROFILE_FLAGS_BY_GROUP={ 'is_special': ["cn=superuser_gon,ou=groups,o=test"] }) def handle_user_saved(sender, **kwargs): if kwargs['created']: TestProfile.objects.create(user=kwargs['instance']) django.db.models.signals.post_save.connect(handle_user_saved, sender=User) alice = self.backend.authenticate(username='******', password='******') bob = self.backend.authenticate(username='******', password='******') self.assertTrue(alice.get_profile().is_special) self.assertTrue(not bob.get_profile().is_special)
def test_dn_group_permissions(self): self._init_settings( AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test', AUTH_LDAP_GROUP_SEARCH=LDAPSearch('ou=groups,o=test', self.mock_ldap.SCOPE_SUBTREE), AUTH_LDAP_GROUP_TYPE=MemberDNGroupType(member_attr='member'), AUTH_LDAP_FIND_GROUP_PERMS=True) self._init_groups() self.mock_ldap.set_return_value( 'search_s', ("ou=groups,o=test", 2, "(&(objectClass=*)(member=uid=alice,ou=people,o=test))", None, 0), [ self.active_gon, self.staff_gon, self.superuser_gon, self.nested_gon ]) alice = User.objects.create(username='******') alice = self.backend.get_user(alice.pk) self.assertEqual(self.backend.get_group_permissions(alice), set(["auth.add_user", "auth.change_user"])) self.assertEqual(self.backend.get_all_permissions(alice), set(["auth.add_user", "auth.change_user"])) self.assert_(self.backend.has_perm(alice, "auth.add_user")) self.assert_(self.backend.has_module_perms(alice, "auth"))
def test_dn_group_membership(self): self._init_settings(USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test', GROUP_SEARCH=LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE), GROUP_TYPE=MemberDNGroupType(member_attr='member'), USER_FLAGS_BY_GROUP={ 'is_active': "cn=active_gon,ou=groups,o=test", 'is_staff': [ "cn=empty_gon,ou=groups,o=test", "cn=staff_gon,ou=groups,o=test" ], 'is_superuser': "******" }) alice = self.backend.authenticate(username='******', password='******') bob = self.backend.authenticate(username='******', password='******') self.assertTrue(alice.is_active) self.assertTrue(alice.is_staff) self.assertTrue(alice.is_superuser) self.assertTrue(not bob.is_active) self.assertTrue(not bob.is_staff) self.assertTrue(not bob.is_superuser)
def test_group_cache(self): self._init_settings( AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test', AUTH_LDAP_GROUP_SEARCH=LDAPSearch('ou=groups,o=test', self.mock_ldap.SCOPE_SUBTREE), AUTH_LDAP_GROUP_TYPE=MemberDNGroupType(member_attr='member'), AUTH_LDAP_FIND_GROUP_PERMS=True, AUTH_LDAP_CACHE_GROUPS=True ) self._init_groups() self.mock_ldap.set_return_value('search_s', ("ou=groups,o=test", 2, "(&(objectClass=*)(member=uid=alice,ou=people,o=test))", None, 0), [self.active_gon, self.staff_gon, self.superuser_gon, self.nested_gon] ) self.mock_ldap.set_return_value('search_s', ("ou=groups,o=test", 2, "(&(objectClass=*)(member=uid=bob,ou=people,o=test))", None, 0), [] ) alice_id = User.objects.create(username='******').pk bob_id = User.objects.create(username='******').pk # Check permissions twice for each user for i in range(2): alice = self.backend.get_user(alice_id) self.assertEqual(self.backend.get_group_permissions(alice), set(["auth.add_user", "auth.change_user"])) bob = self.backend.get_user(bob_id) self.assertEqual(self.backend.get_group_permissions(bob), set()) # Should have executed one LDAP search per user self.assertEqual(self.mock_ldap.ldap_methods_called(), ['initialize', 'simple_bind_s', 'search_s', 'initialize', 'simple_bind_s', 'search_s'])
def test_group_names(self): self._init_settings( USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test', GROUP_SEARCH=LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE), GROUP_TYPE=MemberDNGroupType(member_attr='member'), ) alice = self.backend.authenticate(username='******', password='******') self.assertEqual(alice.ldap_user.group_names, set(['active_gon', 'staff_gon', 'superuser_gon', 'nested_gon']))
def test_foreign_user_permissions(self): self._init_settings(USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test', GROUP_SEARCH=LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE), GROUP_TYPE=MemberDNGroupType(member_attr='member'), FIND_GROUP_PERMS=True) self._init_groups() alice = User.objects.create(username='******') self.assertEqual(self.backend.get_group_permissions(alice), set())
def test_authorize_external_users(self): self._init_settings( USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test', GROUP_SEARCH=LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE), GROUP_TYPE=MemberDNGroupType(member_attr='member'), FIND_GROUP_PERMS=True, AUTHORIZE_ALL_USERS=True ) self._init_groups() alice = User.objects.create(username='******') self.assertEqual(self.backend.get_group_permissions(alice), set(["auth.add_user", "auth.change_user"]))
def test_group_names(self): self._init_settings( USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test', GROUP_SEARCH=LDAPSearch('ou=groups,o=test', self.mock_ldap.SCOPE_SUBTREE), GROUP_TYPE=MemberDNGroupType(member_attr='member'), ) self.mock_ldap.set_return_value('search_s', ("ou=groups,o=test", 2, "(&(objectClass=*)(member=uid=alice,ou=people,o=test))", None, 0), [self.active_gon, self.staff_gon, self.superuser_gon, self.nested_gon] ) alice = self.backend.authenticate(username='******', password='******') self.assertEqual(alice.ldap_user.group_names, set(['active_gon', 'staff_gon', 'superuser_gon', 'nested_gon']))
def configure_ldap_auth(config, settings): if not config.has_section("auth_ldap"): return from django_auth_ldap.config import LDAPSearch, MemberDNGroupType from ldap3 import SEARCH_SCOPE_WHOLE_SUBTREE settings.AUTHENTICATION_BACKENDS = ( 'django_auth_ldap.backend.LDAPBackend', 'django.contrib.auth.backends.ModelBackend', ) settings.AUTH_LDAP_SERVER_URI = config.get("auth_ldap", "server_uri") settings.AUTH_LDAP_BIND_DN = config.get("auth_ldap", "bind_dn") settings.AUTH_LDAP_BIND_PASSWORD = config.get("auth_ldap", "password") settings.AUTH_LDAP_USER_SEARCH = LDAPSearch( config.get("auth_ldap", "user_base_dn"), SEARCH_SCOPE_WHOLE_SUBTREE, get_from_config(config, "auth_ldap", "user_search_filter", "(cn=%(user)s)"), ) settings.AUTH_LDAP_GROUP_SEARCH = LDAPSearch( config.get("auth_ldap", "group_base_dn"), SEARCH_SCOPE_WHOLE_SUBTREE, get_from_config(config, "auth_ldap", "group_search_filter", "(objectClass=group)"), ) settings.AUTH_LDAP_GROUP_TYPE = MemberDNGroupType('member') settings.AUTH_LDAP_REQUIRE_GROUP = get_from_config(config, "auth_ldap", "require_group", None) settings.AUTH_LDAP_USER_ATTR_MAP = { "email": get_from_config(config, "auth_ldap", "attr_email", "mail"), "first_name": get_from_config(config, "auth_ldap", "attr_first_name", "givenName"), "last_name": get_from_config(config, "auth_ldap", "attr_last_name", "sn"), } settings.AUTH_LDAP_USER_FLAGS_BY_GROUP = { "is_staff": config.get("auth_ldap", "admin_group"), "is_superuser": config.get("auth_ldap", "admin_group"), } settings.AUTH_LDAP_ALWAYS_UPDATE_USER = True settings.AUTH_LDAP_FIND_GROUP_PERMS = False settings.AUTH_LDAP_MIRROR_GROUPS = True settings.AUTH_LDAP_CACHE_GROUPS = True settings.AUTH_LDAP_GROUP_CACHE_TIMEOUT = 900
def test_authorize_external_unknown(self): self._init_settings( USER_SEARCH=LDAPSearch( "ou=people,o=test", ldap.SCOPE_SUBTREE, '(uid=%(user)s)' ), GROUP_SEARCH=LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE), GROUP_TYPE=MemberDNGroupType(member_attr='member'), FIND_GROUP_PERMS=True, AUTHORIZE_ALL_USERS=True ) self._init_groups() alice = User.objects.create(username='******') self.assertEqual(self.backend.get_group_permissions(alice), set())
def test_require_group(self): self._init_settings( AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test', AUTH_LDAP_GROUP_SEARCH=LDAPSearch('ou=groups,o=test', self.mock_ldap.SCOPE_SUBTREE), AUTH_LDAP_GROUP_TYPE=MemberDNGroupType(member_attr='member'), AUTH_LDAP_REQUIRE_GROUP="cn=active_gon,ou=groups,o=test" ) alice = self.backend.authenticate(username='******', password='******') bob = self.backend.authenticate(username='******', password='******') self.assert_(alice is not None) self.assert_(bob is None) self.assertEqual(self.mock_ldap.ldap_methods_called(), ['initialize', 'simple_bind_s', 'simple_bind_s', 'compare_s', 'initialize', 'simple_bind_s', 'simple_bind_s', 'compare_s'])
def test_empty_group_permissions(self): self._init_settings(USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test', GROUP_SEARCH=LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE), GROUP_TYPE=MemberDNGroupType(member_attr='member'), FIND_GROUP_PERMS=True) self._init_groups() bob = User.objects.create(username='******') bob = self.backend.get_user(bob.pk) self.assertEqual(self.backend.get_group_permissions(bob), set()) self.assertEqual(self.backend.get_all_permissions(bob), set()) self.assertTrue(not self.backend.has_perm(bob, "auth.add_user")) self.assertTrue(not self.backend.has_module_perms(bob, "auth"))
def test_dn_group_permissions(self): self._init_settings( USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test', GROUP_SEARCH=LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE), GROUP_TYPE=MemberDNGroupType(member_attr='member'), FIND_GROUP_PERMS=True ) self._init_groups() alice = User.objects.create(username='******') alice = self.backend.get_user(alice.pk) self.assertEqual(self.backend.get_group_permissions(alice), set(["auth.add_user", "auth.change_user"])) self.assertEqual(self.backend.get_all_permissions(alice), set(["auth.add_user", "auth.change_user"])) self.assertTrue(self.backend.has_perm(alice, "auth.add_user")) self.assertTrue(self.backend.has_module_perms(alice, "auth"))
def test_group_union(self): self._init_settings( USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test', GROUP_SEARCH=LDAPSearchUnion( LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE, '(objectClass=groupOfNames)'), LDAPSearch('ou=moregroups,o=test', ldap.SCOPE_SUBTREE, '(objectClass=groupOfNames)') ), GROUP_TYPE=MemberDNGroupType(member_attr='member'), REQUIRE_GROUP="cn=other_gon,ou=moregroups,o=test" ) alice = self.backend.authenticate(username='******', password='******') bob = self.backend.authenticate(username='******', password='******') self.assertTrue(alice is None) self.assertTrue(bob is not None) self.assertEqual(bob.ldap_user.group_names, set(['other_gon']))
def test_pickle(self): self._init_settings( USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test', GROUP_SEARCH=LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE), GROUP_TYPE=MemberDNGroupType(member_attr='member'), FIND_GROUP_PERMS=True ) self._init_groups() alice0 = self.backend.authenticate(username=u'alice', password=u'password') pickled = pickle.dumps(alice0, pickle.HIGHEST_PROTOCOL) alice = pickle.loads(pickled) alice.ldap_user.backend.settings = alice0.ldap_user.backend.settings self.assertTrue(alice is not None) self.assertEqual(self.backend.get_group_permissions(alice), set(["auth.add_user", "auth.change_user"])) self.assertEqual(self.backend.get_all_permissions(alice), set(["auth.add_user", "auth.change_user"])) self.assertTrue(self.backend.has_perm(alice, "auth.add_user")) self.assertTrue(self.backend.has_module_perms(alice, "auth"))
def test_empty_group_permissions(self): self._init_settings( USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test', GROUP_SEARCH=LDAPSearch('ou=groups,o=test', self.mock_ldap.SCOPE_SUBTREE), GROUP_TYPE=MemberDNGroupType(member_attr='member'), FIND_GROUP_PERMS=True ) self._init_groups() self.mock_ldap.set_return_value('search_s', ("ou=groups,o=test", 2, "(&(objectClass=*)(member=uid=bob,ou=people,o=test))", None, 0), [] ) bob = User.objects.create(username='******') bob = self.backend.get_user(bob.pk) self.assertEqual(self.backend.get_group_permissions(bob), set()) self.assertEqual(self.backend.get_all_permissions(bob), set()) self.assert_(not self.backend.has_perm(bob, "auth.add_user")) self.assert_(not self.backend.has_module_perms(bob, "auth"))
domain = '_ldap._tcp' + domain resolver = dns.resolver.Resolver() result = resolver.query(domain, 'SRV') server = result[0].target.to_text().strip('.') if not server.startswith("ldap://") and not server.startswith("ldaps://"): server = "ldap://" + server return server AUTH_LDAP_CONNECTION_OPTIONS = { ldap.OPT_DEBUG_LEVEL: 1, ldap.OPT_REFERRALS: 0, } AUTH_LDAP_USER_SEARCH = LDAPSearch("dc=et,dc=byu,dc=edu", ldap.SCOPE_SUBTREE, "(cn=%(user)s)") AUTH_LDAP_GROUP_TYPE = MemberDNGroupType('member') AUTH_LDAP_GROUP_SEARCH = LDAPSearch('dc=et,dc=byu,dc=edu', ldap.SCOPE_SUBTREE) #AUTH_LDAP_REQUIRE_GROUP = "cn=caedm_admin_level1,ou=caedm groups,ou=security groups,ou=caedm,ou=departments,dc=et,dc=byu,dc=edu" AUTH_LDAP_MIRROR_GROUPS = True CABS_LDAP_CAN_EDIT_GROUPS = [ "Domain Admins", ] CABS_LDAP_CAN_DISABLE_GROUPS = [ "caedm_admin_level2", "caedm_admin_level3", "caedm_admin_level4", "caedm_admin_level5", ] CABS_LDAP_CAN_VIEW_GROUPS = [ "caedm_admin_level1",
AUTH_LDAP_SERVER_URI = 'ldap://***:389' AUTH_LDAP_BIND_DN = "cn=root" AUTH_LDAP_BIND_PASSWORD = "******" # ldap AUTH_LDAP_CONNECTION_OPTIONS = {ldap.OPT_REFERRALS: 0} # 查询用户 AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,cn=users,dc=enn,dc=com" # 查找组 AUTH_LDAP_GROUP_SEARCH = LDAPSearch("cn=ecloud,cn=groups, dc=enn, dc=com", ldap.SCOPE_SUBTREE, "(objectClass=groupOfUniqueNames)" ) AUTH_LDAP_GROUP_TYPE = MemberDNGroupType(member_attr='uniquemember', name_attr='cn') # 设置组权限 AUTH_LDAP_REQUIRE_GROUP = "cn=ecloud,cn=groups,dc=enn,dc=com" # AUTH_LDAP_DENY_GROUP = "cn=cloud,cn=groups,dc=enn,dc=com" ''' # 验证 Django 的 User 的is_staff,is_active,is_superuser AUTH_LDAP_USER_FLAGS_BY_GROUP = { "is_staff": "cn=cloud,cn=groups,dc=enn,dc=com", "is_active": "cn=cloud,cn=groups,dc=enn,dc=com", "is_superuser": "******", } ''' # 把LDAP中用户条目的属性 映射到 Django 的User