def test_group_cache(self):
self._init_settings(
USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
GROUP_SEARCH=LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE),
GROUP_TYPE=MemberDNGroupType(member_attr='member'),
FIND_GROUP_PERMS=True,
CACHE_GROUPS=True
)
self._init_groups()
alice_id = User.objects.create(username='******').pk
bob_id = User.objects.create(username='******').pk
# Check permissions twice for each user
for i in range(2):
alice = self.backend.get_user(alice_id)
self.assertEqual(
self.backend.get_group_permissions(alice),
set(["auth.add_user", "auth.change_user"])
)
bob = self.backend.get_user(bob_id)
self.assertEqual(self.backend.get_group_permissions(bob), set())
# Should have executed one LDAP search per user
self.assertEqual(
self.ldapobj.methods_called(),
['initialize', 'simple_bind_s', 'search_s',
'initialize', 'simple_bind_s', 'search_s']
)
def test_profile_flags(self):
settings.AUTH_PROFILE_MODULE = 'django_auth_ldap.TestProfile'
self._init_settings(USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
GROUP_SEARCH=LDAPSearch('ou=groups,o=test',
ldap.SCOPE_SUBTREE),
GROUP_TYPE=MemberDNGroupType(member_attr='member'),
PROFILE_FLAGS_BY_GROUP={
'is_special':
["cn=superuser_gon,ou=groups,o=test"]
})
def handle_user_saved(sender, **kwargs):
if kwargs['created']:
TestProfile.objects.create(user=kwargs['instance'])
django.db.models.signals.post_save.connect(handle_user_saved,
sender=User)
alice = self.backend.authenticate(username='******',
password='******')
bob = self.backend.authenticate(username='******', password='******')
self.assertTrue(alice.get_profile().is_special)
self.assertTrue(not bob.get_profile().is_special)
def test_dn_group_permissions(self):
self._init_settings(
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
AUTH_LDAP_GROUP_SEARCH=LDAPSearch('ou=groups,o=test',
self.mock_ldap.SCOPE_SUBTREE),
AUTH_LDAP_GROUP_TYPE=MemberDNGroupType(member_attr='member'),
AUTH_LDAP_FIND_GROUP_PERMS=True)
self._init_groups()
self.mock_ldap.set_return_value(
'search_s',
("ou=groups,o=test", 2,
"(&(objectClass=*)(member=uid=alice,ou=people,o=test))", None, 0),
[
self.active_gon, self.staff_gon, self.superuser_gon,
self.nested_gon
])
alice = User.objects.create(username='******')
alice = self.backend.get_user(alice.pk)
self.assertEqual(self.backend.get_group_permissions(alice),
set(["auth.add_user", "auth.change_user"]))
self.assertEqual(self.backend.get_all_permissions(alice),
set(["auth.add_user", "auth.change_user"]))
self.assert_(self.backend.has_perm(alice, "auth.add_user"))
self.assert_(self.backend.has_module_perms(alice, "auth"))
def test_dn_group_membership(self):
self._init_settings(USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
GROUP_SEARCH=LDAPSearch('ou=groups,o=test',
ldap.SCOPE_SUBTREE),
GROUP_TYPE=MemberDNGroupType(member_attr='member'),
USER_FLAGS_BY_GROUP={
'is_active':
"cn=active_gon,ou=groups,o=test",
'is_staff': [
"cn=empty_gon,ou=groups,o=test",
"cn=staff_gon,ou=groups,o=test"
],
'is_superuser':
"******"
})
alice = self.backend.authenticate(username='******',
password='******')
bob = self.backend.authenticate(username='******', password='******')
self.assertTrue(alice.is_active)
self.assertTrue(alice.is_staff)
self.assertTrue(alice.is_superuser)
self.assertTrue(not bob.is_active)
self.assertTrue(not bob.is_staff)
self.assertTrue(not bob.is_superuser)
def test_group_cache(self):
self._init_settings(
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
AUTH_LDAP_GROUP_SEARCH=LDAPSearch('ou=groups,o=test', self.mock_ldap.SCOPE_SUBTREE),
AUTH_LDAP_GROUP_TYPE=MemberDNGroupType(member_attr='member'),
AUTH_LDAP_FIND_GROUP_PERMS=True,
AUTH_LDAP_CACHE_GROUPS=True
)
self._init_groups()
self.mock_ldap.set_return_value('search_s',
("ou=groups,o=test", 2, "(&(objectClass=*)(member=uid=alice,ou=people,o=test))", None, 0),
[self.active_gon, self.staff_gon, self.superuser_gon, self.nested_gon]
)
self.mock_ldap.set_return_value('search_s',
("ou=groups,o=test", 2, "(&(objectClass=*)(member=uid=bob,ou=people,o=test))", None, 0),
[]
)
alice_id = User.objects.create(username='******').pk
bob_id = User.objects.create(username='******').pk
# Check permissions twice for each user
for i in range(2):
alice = self.backend.get_user(alice_id)
self.assertEqual(self.backend.get_group_permissions(alice),
set(["auth.add_user", "auth.change_user"]))
bob = self.backend.get_user(bob_id)
self.assertEqual(self.backend.get_group_permissions(bob), set())
# Should have executed one LDAP search per user
self.assertEqual(self.mock_ldap.ldap_methods_called(),
['initialize', 'simple_bind_s', 'search_s', 'initialize', 'simple_bind_s', 'search_s'])
def test_group_names(self):
self._init_settings(
USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
GROUP_SEARCH=LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE),
GROUP_TYPE=MemberDNGroupType(member_attr='member'),
)
alice = self.backend.authenticate(username='******', password='******')
self.assertEqual(alice.ldap_user.group_names, set(['active_gon', 'staff_gon', 'superuser_gon', 'nested_gon']))
def test_foreign_user_permissions(self):
self._init_settings(USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
GROUP_SEARCH=LDAPSearch('ou=groups,o=test',
ldap.SCOPE_SUBTREE),
GROUP_TYPE=MemberDNGroupType(member_attr='member'),
FIND_GROUP_PERMS=True)
self._init_groups()
alice = User.objects.create(username='******')
self.assertEqual(self.backend.get_group_permissions(alice), set())
def test_authorize_external_users(self):
self._init_settings(
USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
GROUP_SEARCH=LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE),
GROUP_TYPE=MemberDNGroupType(member_attr='member'),
FIND_GROUP_PERMS=True,
AUTHORIZE_ALL_USERS=True
)
self._init_groups()
alice = User.objects.create(username='******')
self.assertEqual(self.backend.get_group_permissions(alice), set(["auth.add_user", "auth.change_user"]))
def test_group_names(self):
self._init_settings(
USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
GROUP_SEARCH=LDAPSearch('ou=groups,o=test', self.mock_ldap.SCOPE_SUBTREE),
GROUP_TYPE=MemberDNGroupType(member_attr='member'),
)
self.mock_ldap.set_return_value('search_s',
("ou=groups,o=test", 2, "(&(objectClass=*)(member=uid=alice,ou=people,o=test))", None, 0),
[self.active_gon, self.staff_gon, self.superuser_gon, self.nested_gon]
)
alice = self.backend.authenticate(username='******', password='******')
self.assertEqual(alice.ldap_user.group_names, set(['active_gon', 'staff_gon', 'superuser_gon', 'nested_gon']))
def configure_ldap_auth(config, settings):
if not config.has_section("auth_ldap"):
return
from django_auth_ldap.config import LDAPSearch, MemberDNGroupType
from ldap3 import SEARCH_SCOPE_WHOLE_SUBTREE
settings.AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend',
'django.contrib.auth.backends.ModelBackend',
)
settings.AUTH_LDAP_SERVER_URI = config.get("auth_ldap", "server_uri")
settings.AUTH_LDAP_BIND_DN = config.get("auth_ldap", "bind_dn")
settings.AUTH_LDAP_BIND_PASSWORD = config.get("auth_ldap", "password")
settings.AUTH_LDAP_USER_SEARCH = LDAPSearch(
config.get("auth_ldap", "user_base_dn"),
SEARCH_SCOPE_WHOLE_SUBTREE,
get_from_config(config, "auth_ldap", "user_search_filter",
"(cn=%(user)s)"),
)
settings.AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
config.get("auth_ldap", "group_base_dn"),
SEARCH_SCOPE_WHOLE_SUBTREE,
get_from_config(config, "auth_ldap", "group_search_filter",
"(objectClass=group)"),
)
settings.AUTH_LDAP_GROUP_TYPE = MemberDNGroupType('member')
settings.AUTH_LDAP_REQUIRE_GROUP = get_from_config(config, "auth_ldap",
"require_group", None)
settings.AUTH_LDAP_USER_ATTR_MAP = {
"email":
get_from_config(config, "auth_ldap", "attr_email", "mail"),
"first_name":
get_from_config(config, "auth_ldap", "attr_first_name", "givenName"),
"last_name":
get_from_config(config, "auth_ldap", "attr_last_name", "sn"),
}
settings.AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_staff": config.get("auth_ldap", "admin_group"),
"is_superuser": config.get("auth_ldap", "admin_group"),
}
settings.AUTH_LDAP_ALWAYS_UPDATE_USER = True
settings.AUTH_LDAP_FIND_GROUP_PERMS = False
settings.AUTH_LDAP_MIRROR_GROUPS = True
settings.AUTH_LDAP_CACHE_GROUPS = True
settings.AUTH_LDAP_GROUP_CACHE_TIMEOUT = 900
def test_authorize_external_unknown(self):
self._init_settings(
USER_SEARCH=LDAPSearch(
"ou=people,o=test", ldap.SCOPE_SUBTREE, '(uid=%(user)s)'
),
GROUP_SEARCH=LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE),
GROUP_TYPE=MemberDNGroupType(member_attr='member'),
FIND_GROUP_PERMS=True,
AUTHORIZE_ALL_USERS=True
)
self._init_groups()
alice = User.objects.create(username='******')
self.assertEqual(self.backend.get_group_permissions(alice), set())
def test_require_group(self):
self._init_settings(
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
AUTH_LDAP_GROUP_SEARCH=LDAPSearch('ou=groups,o=test', self.mock_ldap.SCOPE_SUBTREE),
AUTH_LDAP_GROUP_TYPE=MemberDNGroupType(member_attr='member'),
AUTH_LDAP_REQUIRE_GROUP="cn=active_gon,ou=groups,o=test"
)
alice = self.backend.authenticate(username='******', password='******')
bob = self.backend.authenticate(username='******', password='******')
self.assert_(alice is not None)
self.assert_(bob is None)
self.assertEqual(self.mock_ldap.ldap_methods_called(),
['initialize', 'simple_bind_s', 'simple_bind_s', 'compare_s', 'initialize', 'simple_bind_s', 'simple_bind_s', 'compare_s'])
def test_empty_group_permissions(self):
self._init_settings(USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
GROUP_SEARCH=LDAPSearch('ou=groups,o=test',
ldap.SCOPE_SUBTREE),
GROUP_TYPE=MemberDNGroupType(member_attr='member'),
FIND_GROUP_PERMS=True)
self._init_groups()
bob = User.objects.create(username='******')
bob = self.backend.get_user(bob.pk)
self.assertEqual(self.backend.get_group_permissions(bob), set())
self.assertEqual(self.backend.get_all_permissions(bob), set())
self.assertTrue(not self.backend.has_perm(bob, "auth.add_user"))
self.assertTrue(not self.backend.has_module_perms(bob, "auth"))
def test_dn_group_permissions(self):
self._init_settings(
USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
GROUP_SEARCH=LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE),
GROUP_TYPE=MemberDNGroupType(member_attr='member'),
FIND_GROUP_PERMS=True
)
self._init_groups()
alice = User.objects.create(username='******')
alice = self.backend.get_user(alice.pk)
self.assertEqual(self.backend.get_group_permissions(alice), set(["auth.add_user", "auth.change_user"]))
self.assertEqual(self.backend.get_all_permissions(alice), set(["auth.add_user", "auth.change_user"]))
self.assertTrue(self.backend.has_perm(alice, "auth.add_user"))
self.assertTrue(self.backend.has_module_perms(alice, "auth"))
def test_group_union(self):
self._init_settings(
USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
GROUP_SEARCH=LDAPSearchUnion(
LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE, '(objectClass=groupOfNames)'),
LDAPSearch('ou=moregroups,o=test', ldap.SCOPE_SUBTREE, '(objectClass=groupOfNames)')
),
GROUP_TYPE=MemberDNGroupType(member_attr='member'),
REQUIRE_GROUP="cn=other_gon,ou=moregroups,o=test"
)
alice = self.backend.authenticate(username='******', password='******')
bob = self.backend.authenticate(username='******', password='******')
self.assertTrue(alice is None)
self.assertTrue(bob is not None)
self.assertEqual(bob.ldap_user.group_names, set(['other_gon']))
def test_pickle(self):
self._init_settings(
USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
GROUP_SEARCH=LDAPSearch('ou=groups,o=test', ldap.SCOPE_SUBTREE),
GROUP_TYPE=MemberDNGroupType(member_attr='member'),
FIND_GROUP_PERMS=True
)
self._init_groups()
alice0 = self.backend.authenticate(username=u'alice', password=u'password')
pickled = pickle.dumps(alice0, pickle.HIGHEST_PROTOCOL)
alice = pickle.loads(pickled)
alice.ldap_user.backend.settings = alice0.ldap_user.backend.settings
self.assertTrue(alice is not None)
self.assertEqual(self.backend.get_group_permissions(alice), set(["auth.add_user", "auth.change_user"]))
self.assertEqual(self.backend.get_all_permissions(alice), set(["auth.add_user", "auth.change_user"]))
self.assertTrue(self.backend.has_perm(alice, "auth.add_user"))
self.assertTrue(self.backend.has_module_perms(alice, "auth"))
def test_empty_group_permissions(self):
self._init_settings(
USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
GROUP_SEARCH=LDAPSearch('ou=groups,o=test', self.mock_ldap.SCOPE_SUBTREE),
GROUP_TYPE=MemberDNGroupType(member_attr='member'),
FIND_GROUP_PERMS=True
)
self._init_groups()
self.mock_ldap.set_return_value('search_s',
("ou=groups,o=test", 2, "(&(objectClass=*)(member=uid=bob,ou=people,o=test))", None, 0),
[]
)
bob = User.objects.create(username='******')
bob = self.backend.get_user(bob.pk)
self.assertEqual(self.backend.get_group_permissions(bob), set())
self.assertEqual(self.backend.get_all_permissions(bob), set())
self.assert_(not self.backend.has_perm(bob, "auth.add_user"))
self.assert_(not self.backend.has_module_perms(bob, "auth"))
domain = '_ldap._tcp' + domain
resolver = dns.resolver.Resolver()
result = resolver.query(domain, 'SRV')
server = result[0].target.to_text().strip('.')
if not server.startswith("ldap://") and not server.startswith("ldaps://"):
server = "ldap://" + server
return server
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_DEBUG_LEVEL: 1,
ldap.OPT_REFERRALS: 0,
}
AUTH_LDAP_USER_SEARCH = LDAPSearch("dc=et,dc=byu,dc=edu", ldap.SCOPE_SUBTREE, "(cn=%(user)s)")
AUTH_LDAP_GROUP_TYPE = MemberDNGroupType('member')
AUTH_LDAP_GROUP_SEARCH = LDAPSearch('dc=et,dc=byu,dc=edu', ldap.SCOPE_SUBTREE)
#AUTH_LDAP_REQUIRE_GROUP = "cn=caedm_admin_level1,ou=caedm groups,ou=security groups,ou=caedm,ou=departments,dc=et,dc=byu,dc=edu"
AUTH_LDAP_MIRROR_GROUPS = True
CABS_LDAP_CAN_EDIT_GROUPS = [
"Domain Admins",
]
CABS_LDAP_CAN_DISABLE_GROUPS = [
"caedm_admin_level2",
"caedm_admin_level3",
"caedm_admin_level4",
"caedm_admin_level5",
]
CABS_LDAP_CAN_VIEW_GROUPS = [
"caedm_admin_level1",
AUTH_LDAP_SERVER_URI = 'ldap://***:389'
AUTH_LDAP_BIND_DN = "cn=root"
AUTH_LDAP_BIND_PASSWORD = "******"
# ldap
AUTH_LDAP_CONNECTION_OPTIONS = {ldap.OPT_REFERRALS: 0}
# 查询用户
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,cn=users,dc=enn,dc=com"
# 查找组
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("cn=ecloud,cn=groups, dc=enn, dc=com",
ldap.SCOPE_SUBTREE, "(objectClass=groupOfUniqueNames)"
)
AUTH_LDAP_GROUP_TYPE = MemberDNGroupType(member_attr='uniquemember', name_attr='cn')
# 设置组权限
AUTH_LDAP_REQUIRE_GROUP = "cn=ecloud,cn=groups,dc=enn,dc=com"
# AUTH_LDAP_DENY_GROUP = "cn=cloud,cn=groups,dc=enn,dc=com"
'''
# 验证 Django 的 User 的is_staff,is_active,is_superuser
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_staff": "cn=cloud,cn=groups,dc=enn,dc=com",
"is_active": "cn=cloud,cn=groups,dc=enn,dc=com",
"is_superuser": "******",
}
'''
# 把LDAP中用户条目的属性 映射到 Django 的User