def _apply_ldap_settings(self, values, backend): """Apply configuration for given backend.""" import ldap from django_auth_ldap.config import (LDAPSearch, PosixGroupType, GroupOfNamesType, ActiveDirectoryGroupType) if not hasattr(settings, backend.setting_fullname("USER_ATTR_MAP")): setattr(settings, backend.setting_fullname("USER_ATTR_MAP"), { "first_name": "givenName", "email": "mail", "last_name": "sn" }) ldap_uri = "ldaps://" if values["ldap_secured"] == "ssl" else "ldap://" ldap_uri += "%s:%s" % (values[backend.srv_address_setting_name], values[backend.srv_port_setting_name]) setattr(settings, backend.setting_fullname("SERVER_URI"), ldap_uri) if values["ldap_secured"] == "starttls": setattr(settings, backend.setting_fullname("START_TLS"), True) if values["ldap_is_active_directory"]: setattr(settings, backend.setting_fullname("GROUP_TYPE"), ActiveDirectoryGroupType()) searchfilter = "(objectClass=group)" elif values["ldap_group_type"] == "groupofnames": setattr(settings, backend.setting_fullname("GROUP_TYPE"), GroupOfNamesType()) searchfilter = "(objectClass=groupOfNames)" else: setattr(settings, backend.setting_fullname("GROUP_TYPE"), PosixGroupType()) searchfilter = "(objectClass=posixGroup)" setattr( settings, backend.setting_fullname("GROUP_SEARCH"), LDAPSearch(values["ldap_groups_search_base"], ldap.SCOPE_SUBTREE, searchfilter)) if values["ldap_auth_method"] == "searchbind": setattr(settings, backend.setting_fullname("BIND_DN"), values["ldap_bind_dn"]) setattr(settings, backend.setting_fullname("BIND_PASSWORD"), values["ldap_bind_password"]) search = LDAPSearch(values["ldap_search_base"], ldap.SCOPE_SUBTREE, values["ldap_search_filter"]) setattr(settings, backend.setting_fullname("USER_SEARCH"), search) else: setattr(settings, backend.setting_fullname("USER_DN_TEMPLATE"), values["ldap_user_dn_template"]) setattr(settings, backend.setting_fullname("BIND_AS_AUTHENTICATING_USER"), True) if values["ldap_is_active_directory"]: setting = backend.setting_fullname("GLOBAL_OPTIONS") if not hasattr(settings, setting): setattr(settings, setting, {ldap.OPT_REFERRALS: False}) else: getattr(settings, setting)[ldap.OPT_REFERRALS] = False
def __init__(self, *args, **kwargs): self.defaults.update({ # Server and connection settings 'SERVER_URI': 'ldap://ad.liu.se', 'START_TLS': True, 'CONNECTION_OPTIONS': { ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER, # Don't require certificate }, 'BIND_AS_AUTHENTICATING_USER': True, 'GROUP_TYPE': ActiveDirectoryGroupType(), 'USER_ATTR_MAP': { 'first_name': 'givenName', 'last_name': 'sn', 'email': 'mail' }, }) super(LiULDAPSettings, self).__init__(*args, **kwargs)
) #AUTH_LDAP_START_TLS = True AUTH_LDAP_USER_ATTR_MAP = { "username": "******", "first_name": "givenName", "last_name": "sn", "email": "mail", } AUTH_LDAP_GROUP_SEARCH = LDAPSearch( "OU=Net_Groups,OU=Resources_and_Services,DC=cons,DC=tsk,DC=ru", ldap.SCOPE_SUBTREE, "(objectCategory=Group)" ) AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType(name_attr="cn") AUTH_LDAP_USER_FLAGS_BY_GROUP = { "is_superuser": "******", "is_staff": "CN=Cert Authority User,OU=Net_Groups,OU=Resources_and_Services,DC=cons,DC=tsk,DC=ru", } AUTH_LDAP_FIND_GROUP_PERMS = True AUTH_LDAP_CACHE_GROUPS = True AUTH_LDAP_GROUP_CACHE_TIMEOUT = 1 # 1 hour cache # Build paths inside the project like this: os.path.join(BASE_DIR, ...) BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) # Quick-start development settings - unsuitable for production
if AUTH_METHOD == 'ldap': import ldap from django_auth_ldap.config import LDAPSearch, ActiveDirectoryGroupType AUTHENTICATION_BACKENDS = ( 'django_auth_ldap.backend.LDAPBackend', 'django.contrib.auth.backends.ModelBackend', ) AUTH_LDAP_SERVER_URI = LDAP_SERVER AUTH_LDAP_BIND_DN = LDAP_BIND_DN AUTH_LDAP_BIND_PASSWORD = LDAP_BIND_PW AUTH_LDAP_USER_SEARCH = LDAPSearch(LDAP_USEARCH_PATH, ldap.SCOPE_SUBTREE, "(&(objectClass=User)(name=%(user)s))") AUTH_LDAP_GROUP_SEARCH = LDAPSearch(LDAP_GSEARCH_PATH, ldap.SCOPE_SUBTREE, "(objectClass=Group)") AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType() AUTH_LDAP_USER_FLAGS_BY_GROUP = dict() if ACTIVE_GRP: AUTH_LDAP_USER_FLAGS_BY_GROUP['is_active'] = ACTIVE_GRP if STAFF_GRP: AUTH_LDAP_USER_FLAGS_BY_GROUP['is_staff'] = STAFF_GRP if SUPERUSER_GRP: AUTH_LDAP_USER_FLAGS_BY_GROUP['is_superuser'] = SUPERUSER_GRP AUTH_LDAP_CACHE_GROUPS = True AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600 AUTH_LDAP_REQUIRE_GROUP = LDAP_ALLOW_GRP # The following OPT_REFERRALS option is CRUCIAL for getting this # working with MS Active Directory it seems, unfortunately I have # no idea why; it just hangs if you don't set it to 0 for us.
# to use in conjunction with 'NameOIDCAB' backend. Set at least one group for each variable as this is the only way to have administrator (except local database) OIDC_IS_STAFF_GROUP_NAMES = ['${openid.groups.isstaff}'] OIDC_IS_SUPERUSER_GROUP_NAMES = ['${openid.groups.issuperuser}'] # -------- LDAP Authentication ------------------- AUTH_LDAP_GLOBAL_OPTIONS = {ldap.OPT_REFERRALS: 0} # first LDAP server configuration AUTH_LDAP_1_SERVER_URI = "${ldap.url}" AUTH_LDAP_1_BIND_DN = '${ldap.user}' AUTH_LDAP_1_BIND_PASSWORD = '******' AUTH_LDAP_1_USER_SEARCH = LDAPSearch("${ldap.base}", ldap.SCOPE_SUBTREE, "(${ldap.object.class}=%(user)s)") AUTH_LDAP_1_GROUP_SEARCH = LDAPSearch("${ldap.base}", ldap.SCOPE_SUBTREE, "(objectClass=group)") AUTH_LDAP_1_GROUP_TYPE = ActiveDirectoryGroupType() AUTH_LDAP_1_USER_FLAGS_BY_GROUP = { # authenticated users will be active # "is_active": (LDAPGroupQuery("${ldap.group.admin}") | # LDAPGroupQuery("${ldap.group.edit}")), "is_staff": "${ldap.group.edit}", "is_superuser": "******" } # second LDAP server configuration (uncomment "seleniumRobotServer.ldapbackends.LDAPBackend2" in AUTHENTICATION_BACKENDS to use it) AUTH_LDAP_2_SERVER_URI = "${ldap.2.url}" AUTH_LDAP_2_BIND_DN = '${ldap.2.user}' AUTH_LDAP_2_BIND_PASSWORD = '******' AUTH_LDAP_2_USER_SEARCH = LDAPSearch("${ldap.2.base}", ldap.SCOPE_SUBTREE, "(${ldap.2.object.class}=%(user)s)") AUTH_LDAP_2_GROUP_SEARCH = LDAPSearch("${ldap.2.base}", ldap.SCOPE_SUBTREE,
# Matching LDAP user group to user settings (superuser / active) AUTH_LDAP_USER_FLAGS_BY_GROUP = {} if RDRF_AUTH_LDAP_ALLOW_SUPERUSER: AUTH_LDAP_USER_FLAGS_BY_GROUP['is_superuser'] = RDRF_AUTH_LDAP_IS_SUPERUSER_GROUP if not RDRF_AUTH_LDAP_FORCE_ISACTIVE: AUTH_LDAP_USER_FLAGS_BY_GROUP['is_active'] = RDRF_AUTH_LDAP_IS_ACTIVE_GROUP # LDAP Group Search settings. AUTH_LDAP_GROUP_SEARCH = LDAPSearch(RDRF_AUTH_LDAP_BIND_GROUP, ldap.SCOPE_SUBTREE, f"({RDRF_AUTH_LDAP_GROUP_SEARCH_FIELD}={RDRF_AUTH_LDAP_GROUP_SEARCH_FIELD_VALUE})") if RDRF_AUTH_LDAP_GROUP_SEARCH_TYPE == "posix": AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr=RDRF_AUTH_LDAP_GROUP_TYPE_ATTR) elif RDRF_AUTH_LDAP_GROUP_SEARCH_TYPE == "groupofnames": AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr=RDRF_AUTH_LDAP_GROUP_TYPE_ATTR) elif RDRF_AUTH_LDAP_GROUP_SEARCH_TYPE == "activedirectory": AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType(name_attr=RDRF_AUTH_LDAP_GROUP_TYPE_ATTR) AUTH_LDAP_FIND_GROUP_PERMS = env.get("auth_ldap_find_group_perms", DEV_LDAP_GROUP_PERMS) AUTH_LDAP_CACHE_GROUPS = env.get("auth_ldap_cache_groups", DEV_LDAP_CACHE_GROUPS) AUTH_LDAP_GROUP_CACHE_TIMEOUT = env.get("auth_ldap_group_cache_timeout", DEV_LDAP_CACHE_TIMEOUT) # Security: set required LDAP group (user must be in this LDAP group to login in RDRF) AUTH_LDAP_REQUIRE_GROUP = env.get("auth_ldap_require_group", "") # these determine which authentication method to use # apps use modelbackend by default, but can be overridden here # see: https://docs.djangoproject.com/en/dev/ref/settings/#authentication-backends AUTHENTICATION_BACKENDS = [ 'useraudit.password_expiry.AccountExpiryBackend', 'django.contrib.auth.backends.ModelBackend', 'useraudit.backend.AuthFailedLoggerBackend',