def _load_user_attrs(self):
if self.dn is not None:
search = LDAPSearch(self.dn, ldap.SCOPE_BASE)
results = search.execute(self.connection)
if results is not None and len(results) > 0:
self._user_attrs = results[0][1]
def _load_user_attrs(self):
if self.dn is not None:
search = LDAPSearch(self.dn, ldap.SCOPE_BASE, attrlist=self.settings.USER_ATTRLIST)
results = search.execute(self.connection)
if results is not None and len(results) > 0:
self._user_attrs = results[0][1]
# (A) If users' email addresses are in LDAP and used as username. # (B) If LDAP only has usernames but email addresses are of the form # [email protected] # (C) If LDAP usernames are completely unrelated to email addresses. # # Fake LDAP data has e.g. ("ldapuser1", "*****@*****.**") for username/email. FAKE_LDAP_MODE = None # type: Optional[str] # FAKE_LDAP_NUM_USERS = 8 if FAKE_LDAP_MODE: import ldap from django_auth_ldap.config import LDAPSearch # To understand these parameters, read the docs in # prod_settings_template.py and on ReadTheDocs. LDAP_APPEND_DOMAIN = None AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=zulip,dc=com", ldap.SCOPE_ONELEVEL, "(uid=%(user)s)") AUTH_LDAP_REVERSE_EMAIL_SEARCH = LDAPSearch("ou=users,dc=zulip,dc=com", ldap.SCOPE_ONELEVEL, "(email=%(email)s)") if FAKE_LDAP_MODE == 'a': AUTH_LDAP_REVERSE_EMAIL_SEARCH = LDAPSearch("ou=users,dc=zulip,dc=com", ldap.SCOPE_ONELEVEL, "(uid=%(email)s)") AUTH_LDAP_USERNAME_ATTR = "uid" AUTH_LDAP_USER_ATTR_MAP = { "full_name": "cn", "avatar": "thumbnailPhoto", # This won't do much unless one changes the fact that # all users have LDAP_USER_ACCOUNT_CONTROL_NORMAL in # zerver/lib/dev_ldap_directory.py
# Ldap Config
import ldap
from django_auth_ldap.config import LDAPSearch, PosixGroupType
AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend',
'django.contrib.auth.backends.ModelBackend',
)
base_dn = 'ou=People,dc=quark,dc=com'
AUTH_LDAP_SERVER_URI = 'ldap://ldap5-qf.quark.com:389'
#AUTH_LDAP_BIND_DN = 'cn=Manager,dc=quark,dc=com'
#AUTH_LDAP_BIND_PASSWORD = '******'
AUTH_LDAP_USER_SEARCH = LDAPSearch(base_dn, ldap.SCOPE_SUBTREE,
"(uid=%(user)s)")
AUTH_LDAP_USER_ATTR_MAP = {"username": "******", "name": "cn", "email": "mail"}
AUTH_LDAP_MIRROR_GROUPS = True
AUTH_LDAP_ALWAYS_UPDATE_USER = True
AUTH_LDAP_GROUP_SEARCH = LDAPSearch('ou=Group,dc=quark,dc=com',
ldap.SCOPE_SUBTREE,
"(objectClass=posixGroup)")
AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr="cn")
AUTH_LDAP_REQUIRE_GROUP = 'cn=op,ou=Group,dc=quark,dc=com'
# Application definition
INSTALLED_APPS = [
'django.contrib.admin',
# Custom User Auth model
AUTH_USER_MODEL = 'users.User'
# Auth LDAP settings
AUTH_LDAP = CONFIG.AUTH_LDAP
AUTH_LDAP_SERVER_URI = CONFIG.AUTH_LDAP_SERVER_URI
AUTH_LDAP_BIND_DN = CONFIG.AUTH_LDAP_BIND_DN
AUTH_LDAP_BIND_PASSWORD = CONFIG.AUTH_LDAP_BIND_PASSWORD
AUTH_LDAP_SEARCH_OU = CONFIG.AUTH_LDAP_SEARCH_OU
AUTH_LDAP_SEARCH_FILTER = CONFIG.AUTH_LDAP_SEARCH_FILTER
AUTH_LDAP_START_TLS = CONFIG.AUTH_LDAP_START_TLS
AUTH_LDAP_USER_ATTR_MAP = CONFIG.AUTH_LDAP_USER_ATTR_MAP
AUTH_LDAP_USER_SEARCH = LDAPSearch(
AUTH_LDAP_SEARCH_OU,
ldap.SCOPE_SUBTREE,
AUTH_LDAP_SEARCH_FILTER,
)
AUTH_LDAP_GROUP_SEARCH_OU = CONFIG.AUTH_LDAP_GROUP_SEARCH_OU
AUTH_LDAP_GROUP_SEARCH_FILTER = CONFIG.AUTH_LDAP_GROUP_SEARCH_FILTER
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(AUTH_LDAP_GROUP_SEARCH_OU,
ldap.SCOPE_SUBTREE,
AUTH_LDAP_GROUP_SEARCH_FILTER)
AUTH_LDAP_ALWAYS_UPDATE_USER = True
AUTH_LDAP_BACKEND = 'django_auth_ldap.backend.LDAPBackend'
if AUTH_LDAP:
AUTHENTICATION_BACKENDS.insert(0, AUTH_LDAP_BACKEND)
# Celery using redis as broker
CELERY_BROKER_URL = 'redis://:%(password)s@%(host)s:%(port)s/3' % {
}
###################below is the LDAP configration#############################
AUTH_LDAP_SERVER_URI = "ldap://10.10.7.120:389"
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_DEBUG_LEVEL: 1,
ldap.OPT_REFERRALS: 0,
}
ad_name = 'CN=徐德东,OU=IT部,OU=世纪高蓝,DC=goland,DC=cn'.decode("utf-8")
search_ad = 'OU=世纪高蓝,DC=goland,DC=cn'.decode("utf-8")
AUTH_LDAP_BIND_DN = ad_name
AUTH_LDAP_BIND_PASSWORD = "******"
AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
LDAPSearch(search_ad, ldap.SCOPE_SUBTREE,
"(&(objectClass=user)(mail=%(user)s))"),
LDAPSearch(search_ad, ldap.SCOPE_SUBTREE,
"(&(objectClass=user)(sAMAccountName=%(user)s))"),
)
AUTH_LDAP_USER_ATTR_MAP = {
'first_name': 'givenName',
'last_name': 'sn',
'email': 'mail',
}
AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend',
'django.contrib.auth.backends.ModelBackend',
)
USE_L10N = True
USE_TZ = True
# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/1.10/howto/static-files/
STATIC_URL = '/static/'
LOGIN_URL = '/login/'
# ldap test
AUTH_LDAP_SERVER_URI = 'ldap://vickey-wu.com:port'
AUTH_LDAP_BIND_DN = 'cn=admin,dc=vickey-wu,dc=com'
AUTH_LDAP_BIND_PASSWORD = '******'
AUTH_LDAP_USER_SEARCH = LDAPSearch(
'dc=vickey-wu,dc=com',
ldap.SCOPE_SUBTREE,
'(uid=%(user)s)',
)
AUTH_LDAP_USER_ATTR_MAP = {
'first_name': 'givenName',
'username': '******',
'last_name': 'cn',
'email': 'mail',
}
AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend',
'django.contrib.auth.backends.ModelBackend',
)
AUTH_LDAP_ALWAYS_UPDATE_USER = True
LOGGING['loggers']['django.db'] = {
'level': 'DEBUG',
}
# LDAP, dynamically load all overriden variables from the config
if DEBMONITOR_CONFIG.get('LDAP', {}):
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
AUTHENTICATION_BACKENDS = ('django_auth_ldap.backend.LDAPBackend', )
LOGGING['loggers']['django_auth_ldap'] = {
'handlers': ['console'],
'level': 'INFO',
}
module = sys.modules[__name__]
for key, value in DEBMONITOR_CONFIG.get('LDAP', {}).items():
if key == 'GROUP_SEARCH':
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(value, ldap.SCOPE_SUBTREE,
'(objectClass=groupOfNames)')
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
elif key == 'USER_SEARCH':
AUTH_LDAP_USER_SEARCH = LDAPSearch(
value['SEARCH'], ldap.SCOPE_ONELEVEL,
'({user_field}=%(user)s)'.format(
user_field=value['USER_FIELD']))
else:
setattr(module, 'AUTH_LDAP_' + key, value)
AUTHENTICATION_BACKENDS.append('allauth.account.auth_backends.AuthenticationBackend')
'''
LDAP, see also:
http://rdmo.readthedocs.io/en/latest/configuration/authentication/ldap.html
'''
import ldap
from django_auth_ldap.config import LDAPSearch
from rdmo.core.settings import AUTHENTICATION_BACKENDS
PROFILE_UPDATE = False
AUTH_LDAP_SERVER_URI = "ldaps://it-ldap-slave.desy.de:1636"
AUTH_LDAP_BIND_DN = "uid=library1,ou=people,ou=rgy,o=desy,c=de"
AUTH_LDAP_BIND_PASSWORD = os.environ["AUTH_LDAP_BIND_PASSWORD"]
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=RGY,o=DESY,c=DE", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
'email': 'mail'
}
AUTHENTICATION_BACKENDS.insert(
AUTHENTICATION_BACKENDS.index('django.contrib.auth.backends.ModelBackend'),
'django_auth_ldap.backend.LDAPBackend'
)
'''
Shibboleth, see also:
http://rdmo.readthedocs.io/en/latest/configuration/authentication/shibboleth.html
# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = os.environ.get('AUTH_LDAP_BIND_DN', '')
AUTH_LDAP_BIND_PASSWORD = os.environ.get('AUTH_LDAP_BIND_PASSWORD', read_secret('auth_ldap_bind_password'))
# Set a string template that describes any user’s distinguished name based on the username.
AUTH_LDAP_USER_DN_TEMPLATE = os.environ.get('AUTH_LDAP_USER_DN_TEMPLATE', None)
# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
# Note that this is a NetBox-specific setting which sets:
# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
LDAP_IGNORE_CERT_ERRORS = os.environ.get('LDAP_IGNORE_CERT_ERRORS', 'False').lower() == 'true'
AUTH_LDAP_USER_SEARCH_BASEDN = os.environ.get('AUTH_LDAP_USER_SEARCH_BASEDN', '')
AUTH_LDAP_USER_SEARCH_ATTR = os.environ.get('AUTH_LDAP_USER_SEARCH_ATTR', 'sAMAccountName')
AUTH_LDAP_USER_SEARCH = LDAPSearch(AUTH_LDAP_USER_SEARCH_BASEDN,
ldap.SCOPE_SUBTREE,
"(" + AUTH_LDAP_USER_SEARCH_ATTR + "=%(user)s)")
# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# heirarchy.
AUTH_LDAP_GROUP_SEARCH_BASEDN = os.environ.get('AUTH_LDAP_GROUP_SEARCH_BASEDN', '')
AUTH_LDAP_GROUP_SEARCH_CLASS = os.environ.get('AUTH_LDAP_GROUP_SEARCH_CLASS', 'group')
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(AUTH_LDAP_GROUP_SEARCH_BASEDN, ldap.SCOPE_SUBTREE,
"(objectClass=" + AUTH_LDAP_GROUP_SEARCH_CLASS + ")")
AUTH_LDAP_GROUP_TYPE = import_group_type(os.environ.get('AUTH_LDAP_GROUP_TYPE', 'GroupOfNamesType'))
# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = os.environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', '')
# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
class Base(Settings):
# Django settings for localshop project.
PROJECT_ROOT = os.path.dirname(__file__)
BASE_DIR = os.path.dirname(os.path.abspath(os.path.join(__file__, '..')))
CACHES = values.CacheURLValue('dummy://')
django_debug = os.environ.get('DJANGO_DEBUG', 'False').upper() == 'TRUE'
DEBUG = django_debug
TEMPLATE_DEBUG = DEBUG
ADMINS = (
# ('Your Name', '*****@*****.**'),
)
MANAGERS = ADMINS
DATABASES = values.DatabaseURLValue(
'sqlite:///' + os.path.join(DEFAULT_PATH, 'localshop.db'))
# Local time zone for this installation. Choices can be found here:
# http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
# although not all choices may be available on all operating systems.
# On Unix systems, a value of None will cause Django to use the same
# timezone as the operating system.
# If running in a Windows environment this must be set to the same as your
# system time zone.
TIME_ZONE = values.Value('UTC')
# Language code for this installation. All choices can be found here:
# http://www.i18nguy.com/unicode/language-identifiers.html
LANGUAGE_CODE = 'en-us'
SITE_ID = 1
# If you set this to False, Django will make some optimizations so as not
# to load the internationalization machinery.
USE_I18N = True
# If you set this to False, Django will not format dates, numbers and
# calendars according to the current locale.
USE_L10N = True
# If you set this to False, Django will not use timezone-aware datetimes.
USE_TZ = True
# Absolute filesystem path to the directory that will hold user-uploaded files.
# Example: "/home/media/media.lawrence.com/media/"
# MEDIA_ROOT = 'files'
MEDIA_ROOT = '/media'
# Absolute path to the directory static files should be collected to.
# Don't put anything in this directory yourself; store your static files
# in apps' "static/" subdirectories and in STATICFILES_DIRS.
# Example: "/home/media/media.lawrence.com/static/"
# STATIC_ROOT = 'assets'
# URL prefix for static files.
# Example: "http://media.lawrence.com/static/"
STATIC_URL = '/assets/'
STATIC_ROOT = values.Value(
default=os.path.join(BASE_DIR, 'public', 'static'))
# Additional locations of static files
STATICFILES_DIRS = [os.path.join(PROJECT_ROOT, 'static')]
STATICFILES_STORAGE = 'whitenoise.django.GzipManifestStaticFilesStorage'
# List of finder classes that know how to find static files in
# various locations.
STATICFILES_FINDERS = (
'django.contrib.staticfiles.finders.FileSystemFinder',
'django.contrib.staticfiles.finders.AppDirectoriesFinder',
)
# Make this unique, and don't share it with anybody.
SECRET_KEY = values.SecretValue()
SESSION_COOKIE_AGE = 28 * 24 * 60 * 60 # 4 weeks
# List of callables that know how to import templates from various sources.
TEMPLATE_LOADERS = (
'django.template.loaders.filesystem.Loader',
'django.template.loaders.app_directories.Loader',
#'django.template.loaders.eggs.Loader',
)
TEMPLATE_CONTEXT_PROCESSORS = [
'django.contrib.auth.context_processors.auth',
'django.core.context_processors.debug',
'django.core.context_processors.i18n',
'django.core.context_processors.media',
'django.core.context_processors.static',
'django.contrib.messages.context_processors.messages',
]
MIDDLEWARE_CLASSES = (
'django.middleware.common.CommonMiddleware',
'django.middleware.http.ConditionalGetMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
)
ROOT_URLCONF = 'localshop.urls'
# Python dotted path to the WSGI application used by Django's runserver.
WSGI_APPLICATION = 'localshop.wsgi.application'
TEMPLATE_DIRS = (os.path.join(PROJECT_ROOT, 'templates'), )
MESSAGE_TAGS = {messages.ERROR: 'danger'}
BROKER_URL = "django://"
CELERY_ACCEPT_CONTENT = ['json']
CELERY_TASK_SERIALIZER = 'json'
CELERY_RESULT_SERIALIZER = 'json'
CELERYBEAT_SCHEDULER = 'djcelery.schedulers.DatabaseScheduler'
CELERYD_FORCE_EXECV = False
CELERYBEAT_SCHEDULE = {
# Executes every day at 1:00 AM
'every-day-1am': {
'task': 'localshop.apps.packages.tasks.update_packages',
'schedule': crontab(hour=1, minute=0),
},
}
INSTALLED_APPS = [
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.sites',
'django.contrib.messages',
'django.contrib.staticfiles',
'django.contrib.admin',
'django.contrib.humanize',
'kombu.transport.django',
'djcelery',
'gunicorn',
'widget_tweaks',
'localshop',
'localshop.apps.accounts',
'localshop.apps.dashboard',
'localshop.apps.packages',
'localshop.apps.permissions',
]
# Auth settings
AUTHENTICATION_BACKENDS = (
'localshop.apps.accounts.backend.AccessKeyBackend',
'localshop.apps.accounts.backend.LDAPBackend',
'django_auth_ldap.backend.LDAPBackend',
'django.contrib.auth.backends.ModelBackend',
)
LOGIN_URL = '/accounts/login'
LOGIN_REDIRECT_URL = '/dashboard/'
LOGOUT_URL = '/accounts/logout'
AUTH_USER_MODEL = 'accounts.User'
# A sample logging configuration. The only tangible logging
# performed by this configuration is to send an email to
# the site admins on every HTTP 500 error when DEBUG=False.
# See http://docs.djangoproject.com/en/dev/topics/logging for
# more details on how to customize your logging configuration.
LOGGING = {
'version': 1,
'disable_existing_loggers': False,
'root': {
'handlers': ['console'],
'propagate': True,
'level': 'DEBUG',
},
'handlers': {
'console': {
'level': 'INFO',
'class': 'logging.StreamHandler'
},
},
'formatters': {
'verbose': {
'format':
'%(levelname)s %(asctime)s %(module)s %(process)d %(thread)d %(message)s'
},
},
}
EMAIL = values.EmailURLValue('smtp://localhost:25/')
ALLOWED_HOSTS = ['*']
LOCALSHOP_DELETE_FILES = False
DEFAULT_FILE_STORAGE = values.Value(
'storages.backends.overwrite.OverwriteStorage')
LOCALSHOP_HTTP_PROXY = None
LOCALSHOP_ISOLATED = False
LOCALSHOP_RELEASE_OVERWRITE = True
# Use X-Forwarded-For header as the source for the client's IP.
# Use where you have Nginx/Apache/etc as a reverse proxy infront of Localshop/Gunicorn.
LOCALSHOP_USE_PROXIED_IP = False
LOCALSHOP_VERSIONING_TYPE = None
# AWS S3 Settings
AWS_ACCESS_KEY_ID = values.Value()
AWS_SECRET_ACCESS_KEY = values.Value()
AWS_STORAGE_BUCKET_NAME = values.Value()
# LDAP Authentication
AUTH_LDAP_GLOBAL_OPTIONS = {
ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER,
}
AUTH_LDAP_START_TLS = True
AUTH_LDAP_SERVER_URI = os.environ.get('AUTH_LDAP_SERVER_URI',
'ldap://ldapsample.com')
AUTH_LDAP_BIND_DN = os.environ.get('AUTH_LDAP_BIND_DN',
'cn=username,dc=ldapsample,dc=com')
AUTH_LDAP_BIND_PASSWORD = os.environ.get('AUTH_LDAP_BIND_PASSWORD',
'sompass')
#AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=users,dc=ldapsample,dc=com"
if 'AUTH_LDAP_USER_DN_TEMPLATE' in os.environ:
AUTH_LDAP_USER_DN_TEMPLATE = os.environ['AUTH_LDAP_USER_DN_TEMPLATE']
AUTH_LDAP_USER_SEARCH_BASE = os.environ.get(
'AUTH_LDAP_USER_SEARCH_BASE', 'ou=users,dc=ldapsample,dc=com')
AUTH_LDAP_USER_SEARCH_QUERY = os.environ.get('AUTH_LDAP_USER_SEARCH_QUERY',
'(uid=%(user)s)')
AUTH_LDAP_USER_SEARCH = LDAPSearch(AUTH_LDAP_USER_SEARCH_BASE,
ldap.SCOPE_SUBTREE,
AUTH_LDAP_USER_SEARCH_QUERY)
def main():
os_environ_dict = dict(os.environ)
environ = settings_backend.get_settings_environ(os_environ_dict)
ldap_enabled = environ.get('LS2_LDAP_ENABLED', False)
if ldap_enabled == False:
sys.exit("LDAP is not enabled")
server_uri = environ.get('LS2_LDAP_SERVER_URI')
print(f'Attempting to connect to {server_uri}')
##ignore cert errors for now
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
l = ldap.initialize(server_uri, trace_level=0)
print(l)
print(f'Server initialization success')
bind_dn = environ.get('LS2_LDAP_BIND_DN')
bind_password = environ.get('LS2_LDAP_BIND_PASSWORD')
if bind_dn == None or bind_password == None:
sys.exit("LDAP bind user info missing")
print(f'Attempting to bind with DN {bind_dn}')
r = l.simple_bind_s(bind_dn, bind_password)
print(f'Bind Successful')
ldap_search_base_dn = environ.get('LS2_LDAP_SEARCH_BASE_DN')
ldap_search_scope = ldap.SCOPE_SUBTREE
ldap_search_filter_template = environ.get('LS2_LDAP_SEARCH_FILTER')
user = input("Enter a username: "******"{ldap_search_base_dn}\"')
# filter = ldap_search_filter_template % {'user': user}
print(f'Filter {filter}')
# result = l.search_s(ldap_search_base_dn,ldap_search_scope,filter)[0]
# print(result[0])
# user_dn = result[0]
# r = l.simple_bind_s(user_dn, password)
# print('Test Successful')
ldap_search = LDAPSearch(ldap_search_base_dn, ldap.SCOPE_SUBTREE,
ldap_search_filter_template)
print(ldap_search)
results = ldap_search.execute(l, {'user': user})
if results is not None and len(results) == 1:
# print(results[0])
pass
else:
print("NOT FOUND")
user_dn = results[0][0]
l.simple_bind_s(user_dn, password)
print('Test Successful')
if LDAP_ENABLED:
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, LDAP_CERTDIR + LDAP_CACERTFILE)
ldap.set_option(ldap.OPT_X_TLS_CERTFILE, LDAP_CERTDIR + LDAP_CERTFILE)
ldap.set_option(ldap.OPT_X_TLS_KEYFILE, LDAP_CERTDIR + LDAP_KEYFILE)
# Baseline configuration.
AUTH_LDAP_SERVER_URI = os.getenv('AUTH_LDAP_SERVER_URI', '')
AUTH_LDAP_BIND_DN = os.getenv('AUTH_LDAP_BIND_DN', '')
AUTH_LDAP_BIND_PASSWORD = os.getenv('AUTH_LDAP_BIND_PASSWORD', '')
AUTH_LDAP_USER_SEARCH_STR = os.getenv('AUTH_LDAP_USER_SEARCH', '')
AUTH_LDAP_USER_SEARCH = LDAPSearch(
AUTH_LDAP_USER_SEARCH_STR, ldap.SCOPE_SUBTREE,
"(&(uid=%(user)s)(!(nsaccountlock=TRUE)))")
AUTH_LDAP_GROUP_SEARCH_STR = os.getenv('AUTH_LDAP_GROUP_SEARCH', '')
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(AUTH_LDAP_GROUP_SEARCH_STR,
ldap.SCOPE_SUBTREE,
"(objectClass=groupOfNames)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_ALWAYS_UPDATE_USER = True
# Populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "mail"
}
import os
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
# Baseline configuration.
AUTH_LDAP_SERVER_URI = os.environ.get('AUTH_LDAP_SERVER_URI',
'ldap://ldap.example.com')
AUTH_LDAP_BIND_DN = os.environ.get('AUTH_LDAP_BIND_DN',
'cn=Manager,dc=example,dc=com')
AUTH_LDAP_BIND_PASSWORD = os.environ.get('AUTH_LDAP_BIND_PASSWORD', '')
AUTH_LDAP_USER_SEARCH = LDAPSearch(
os.environ.get('AUTH_LDAP_USER_SEARCH', 'ou=user,dc=example,dc=com'),
ldap.SCOPE_SUBTREE, '(uid=%(user)s)')
# Populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
'first_name': 'givenName',
'last_name': 'sn',
'email': 'mail',
}
LOGOUT_REDIRECT_URL = "/accounts/login/?next=/snapshot/"
LOGIN_REDIRECT_URL = "/snapshot/"
LOGIN_REDIRECT_URL_FAILURE = "/accounts/login/?next=/snapshot/"
# to use in conjunction with 'NameOIDCAB' backend
OIDC_IS_STAFF_GROUP_NAMES = ['User']
OIDC_IS_SUPERUSER_GROUP_NAMES = []
# -------- LDAP Authentication -------------------
AUTH_LDAP_GLOBAL_OPTIONS = {ldap.OPT_REFERRALS: 0}
# first LDAP server configuration
AUTH_LDAP_1_SERVER_URI = "ldap://mycompany.com:389"
AUTH_LDAP_1_BIND_DN = 'CN=user,OU=ou,DC=company,DC=com'
AUTH_LDAP_1_BIND_PASSWORD = '******'
AUTH_LDAP_1_USER_SEARCH = LDAPSearch("OU=ou,DC=company,DC=com",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
# second LDAP server configuration (uncomment "seleniumRobotServer.ldapbackends.LDAPBackend2" in AUTHENTICATION_BACKENDS to use it)
AUTH_LDAP_2_SERVER_URI = "ldap://mycompany.com:389"
AUTH_LDAP_2_BIND_DN = 'CN=user,OU=ou,DC=company,DC=com'
AUTH_LDAP_2_BIND_PASSWORD = '******'
AUTH_LDAP_2_USER_SEARCH = LDAPSearch("OU=ou,DC=company,DC=com",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
# third LDAP server configuration (uncomment "seleniumRobotServer.ldapbackends.LDAPBackend3" in AUTHENTICATION_BACKENDS to use it)
AUTH_LDAP_3_SERVER_URI = "ldap://mycompany.com:389"
AUTH_LDAP_3_BIND_DN = 'CN=user,OU=ou,DC=company,DC=com'
AUTH_LDAP_3_BIND_PASSWORD = '******'
AUTH_LDAP_3_USER_SEARCH = LDAPSearch("OU=ou,DC=company,DC=com",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
AUTH_LDAP_CACHE_TIMEOUT = 0 AUTH_LDAP_USER_DN_TEMPLATE = '%(user)[email protected]' AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True AUTH_LDAP_NO_NEW_USERS = True # AUTH_LDAP_GROUP_TYPE = MemberDNGroupType() # AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion( # LDAPSearch('DC=MSKCC,DC=ROOT,DC=MSKCC,DC=ORG', ldap.SCOPE_SUBTREE, "(objectClass=posixGroup)"), # ) AUTH_LDAP_USER_SEARCH = LDAPSearch( 'DC=MSKCC,DC=ROOT,DC=MSKCC,DC=ORG', ldap.SCOPE_SUBTREE, '(sAMAccountName=%(user)s)', ['sAMAccountName', 'displayName', 'memberOf', 'title'] ) # AUTH_LDAP_GROUP_SEARCH = LDAPSearch( # 'DC=MSKCC,DC=ROOT,DC=MSKCC,DC=ORG', # ldap.SCOPE_SUBTREE, # '(sAMAccountName=%(user)s)', # '(objectClass=posixGroup)',) AUTH_LDAP_ALWAYS_UPDATE_USER = True AUTHENTICATION_BACKENDS = [ 'django_auth_ldap.backend.LDAPBackend', 'django.contrib.auth.backends.ModelBackend', ]
BITBUCKET_CONSUMER_KEY = env('BITBUCKET_CONSUMER_KEY')
BITBUCKET_CONSUMER_SECRET = env('BITBUCKET_CONSUMER_SECRET')
####################
# sentry-ldap-auth #
####################
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfUniqueNamesType
AUTH_LDAP_SERVER_URI = env('AUTH_LDAP_SERVER_URI')
AUTH_LDAP_BIND_DN = env('AUTH_LDAP_BIND_DN')
AUTH_LDAP_BIND_PASSWORD = env('AUTH_LDAP_BIND_PASSWORD')
AUTH_LDAP_USER_SEARCH = LDAPSearch(
env('AUTH_LDAP_USER_SEARCH_DN') or '',
ldap.SCOPE_SUBTREE,
env('AUTH_LDAP_USER_SEARCH_FILTER') or '(mail=%(user)s)',
)
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
env('AUTH_LDAP_GROUP_SEARCH_DN') or '', ldap.SCOPE_SUBTREE,
env('AUTH_LDAP_GROUP_SEARCH_FILTER') or '(objectClass=groupOfUniqueNames)')
AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()
AUTH_LDAP_REQUIRE_GROUP = None
AUTH_LDAP_DENY_GROUP = None
AUTH_LDAP_USER_ATTR_MAP = {'name': 'cn', 'email': 'mail'}
AUTH_LDAP_FIND_GROUP_PERMS = False
AUTH_LDAP_CACHE_GROUPS = True
# https://docs.djangoproject.com/en/2.1/howto/static-files/
STATIC_URL = '/static/'
import ldap
from django_auth_ldap.config import LDAPSearch, PosixGroupType
AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend', # 配置为先使用LDAP认证,如通过认证则不再使用后面的认证方式
'django.contrib.auth.backends.ModelBackend', # sso系统中手动创建的用户也可使用,优先级靠后。注意这2行的顺序
)
AUTH_LDAP_ALWAYS_UPDATE_USER = True
AUTH_LDAP_USER_SEARCH = LDAPSearch(
'ou=People,%s' % base_dn, ldap.SCOPE_SUBTREE, "(uid=%(user)s)"
) # 用户的DN是uid=caojun,ou=People,dc=ldap,dc=ssotest,dc=net,所以用uid
'''
AUTH_LDAP_USER_ATTR_MAP = { # key为数据库字段名,value为ldap中字段名,此字典解决django model与ldap字段名可能出现的不一致问题
"username": "******",
"name": "cn",
"email": "mail"
}
# 组权限管理 #
AUTH_LDAP_GROUP_SEARCH = LDAPSearch('ou=Group,dc=ldap,dc=ssotest,dc=net', ldap.SCOPE_SUBTREE, "(objectClass=posixGroup)")
AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr="cn") # 组的DN是cn=员工,ou=Group,dc=ldap,dc=ssotest,dc=net,所以type是cn
AUTH_LDAP_USER_FLAGS_BY_GROUP = { # django admin的is_staff|superuser属性映射为ldap的管理员
"is_staff": u"cn=管理员,ou=Group,dc=ldap,dc=ssotest,dc=net",
"is_superuser": u"cn=管理员,ou=Group,dc=ldap,dc=ssotest,dc=net"
}
# AUTHENTIFICATION LDAP #
##############################################
# You can use LDAP Authentication by using 'Django Auth LDAP'#
# 1 - Activate logging :
# logging
if DEBUG:
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.setLevel(logging.DEBUG)
# 2 - Specify your LDAP settings :
AUTH_LDAP_SERVER_URI = "ldap://clusterldap1.ircam.fr"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"ou=People,dc=ircam,dc=fr",
ldap.SCOPE_SUBTREE,
"(uid=%(user)s)"
)
# Set up the basic group parameters.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
"ou=People,dc=ircam,dc=fr",
ldap.SCOPE_SUBTREE,
"(objectClass=groupOfNames)"
)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")
# Populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
SSH_TIMEOUT = DEVEOPS_CONF.SSH_TIMEOUT
# LDAP
if ENVIRONMENT != 'TRAVIS':
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
import ldap
AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend',
'django.contrib.auth.backends.ModelBackend',
)
AUTH_LDAP_SERVER_URI = DEVEOPS_CONF.LDAP_SERVER
AUTH_LDAP_BIND_DN = "cn=tools,ou=Zabbix,ou=TEST,dc=zbjt,dc=com"
AUTH_LDAP_BIND_PASSWORD = DEVEOPS_CONF.LDAP_PASSWD
OU = DEVEOPS_CONF.LDAP_OU
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(OU, ldap.SCOPE_SUBTREE,
"(objectClass=groupOfNames)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")
AUTH_LDAP_USER_SEARCH = LDAPSearch(
OU, ldap.SCOPE_SUBTREE, "(&(objectClass=*)(sAMAccountName=%(user)s))")
AUTH_LDAP_USER_ATTR_MAP = {
"full_name": "cn",
"description": "description",
"first_name": "sn",
"phone": "mobile",
}
AUTH_LDAP_ALWAYS_UPDATE_USER = True
# AUTH_LDAP_MIRROR_GROUPS = True
else:
pass
#CHANNEL
AUTH_LDAP_SERVER_URI = os.environ.get('AUTH_LDAP_SERVER_URI',
'ldap://ipa1.msbone.net')
LDAP_IGNORE_CERT_ERRORS = os.environ.get('LDAP_IGNORE_CERT_ERRORS',
'True').lower() == 'true'
AUTH_LDAP_BIND_DN = os.environ.get(
'AUTH_LDAP_BIND_DN', 'uid=orc,cn=users,cn=accounts,dc=msbone,dc=net')
AUTH_LDAP_BIND_PASSWORD = _read_secret(
'auth_ldap_bind_password', os.environ.get('AUTH_LDAP_BIND_PASSWORD', ''))
AUTH_LDAP_USER_SEARCH_BASEDN = os.environ.get(
'AUTH_LDAP_USER_SEARCH_BASEDN', 'cn=users,cn=accounts,dc=msbone,dc=net')
AUTH_LDAP_USER_SEARCH_ATTR = os.environ.get('AUTH_LDAP_USER_SEARCH_ATTR',
'uid')
AUTH_LDAP_USER_SEARCH = LDAPSearch(
AUTH_LDAP_USER_SEARCH_BASEDN, ldap.SCOPE_SUBTREE,
"(" + AUTH_LDAP_USER_SEARCH_ATTR + "=%(user)s)")
# Populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": os.environ.get('AUTH_LDAP_ATTR_FIRSTNAME', 'givenName'),
"last_name": os.environ.get('AUTH_LDAP_ATTR_LASTNAME', 'sn'),
"email": os.environ.get('AUTH_LDAP_ATTR_MAIL', 'mail')
}
# Set up the basic group parameters.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
os.environ.get('AUTH_LDAP_GROUP_SEARCH',
'cn=groups,cn=accounts,dc=msbone,dc=net'),
ldap.SCOPE_SUBTREE,
"(objectClass=groupOfNames)",
LOGOUT_REDIRECT_URL = LOGOUT_URL
# LDAP settings
AUTH_LDAP_SERVER_URI = env('LDAP_SERVER_URI', 'ldap_server')
AUTH_LDAP_BIND_DN = env('LDAP_BIND_DN', 'ldap_bind')
AUTH_LDAP_BIND_PASSWORD = env('LDAP_BIND_PASSWORD', 'ldap_password')
AUTH_LDAP_ALWAYS_UPDATE_USER = False
AUTH_LDAP_AUTHORIZE_ALL_USERS = True
AUTH_LDAP_FIND_GROUP_PERMS = False
AUTH_LDAP_MIRROR_GROUPS = False
AUTH_LDAP_CACHE_GROUPS = False
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 300
AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
LDAPSearch("DC=corporateict,DC=domain", ldap.SCOPE_SUBTREE,
"(sAMAccountName=%(user)s)"),
LDAPSearch("DC=corporateict,DC=domain", ldap.SCOPE_SUBTREE,
"(mail=%(user)s)"),
)
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
"DC=corporateict,DC=domain",
ldap.SCOPE_SUBTREE, "(objectClass=group)"
)
AUTH_LDAP_GLOBAL_OPTIONS = {
ldap.OPT_X_TLS_REQUIRE_CERT: False,
ldap.OPT_REFERRALS: False,
}
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")
# Django LDAP backend configuration.
# See https://pythonhosted.org/django-auth-ldap/reference.html
# for variables' details.
# In order to debug LDAP configuration it is possible to enable
# verbose logging from auth-ldap plugin:
# https://pythonhosted.org/django-auth-ldap/logging.html
if LDAP_ENDPOINT:
AUTHENTICATION_BACKENDS = (
"django_auth_ldap.backend.LDAPBackend", ) + AUTHENTICATION_BACKENDS
AUTH_LDAP_SERVER_URI = LDAP_ENDPOINT
AUTH_LDAP_BIND_DN = LDAP_BIND_DN
AUTH_LDAP_BIND_PASSWORD = LDAP_BIND_PASSWORD
AUTH_LDAP_USER_SEARCH = LDAPSearch(base_dn=LDAP_USER_BASEDN,
scope=ldap.SCOPE_SUBTREE,
filterstr="(%s=%%(user)s)" %
LDAP_USER_FILTER)
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(base_dn=LDAP_GROUP_BASEDN,
scope=ldap.SCOPE_SUBTREE,
filterstr="(%s)" % LDAP_GROUP_FILTER)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "mail",
"username": LDAP_USER_FILTER,
}
AUTH_LDAP_GLOBAL_OPTIONS = {
ldap.OPT_X_TLS_REQUIRE_CERT: False,
ldap.OPT_REFERRALS: False
}
########
# LDAP integration, part 2: Mapping user info from LDAP to Zulip.
#
# For detailed instructions, see the Zulip documentation:
# https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#ldap
# The LDAP search query to find a given user.
#
# The arguments to `LDAPSearch` are (base DN, scope, filter). In the
# filter, the string `%(user)s` is a Python placeholder. The Zulip
# server will replace this with the user's Zulip username, i.e. the
# name they type into the Zulip login form.
#
# For more details and alternatives, see the documentation linked above.
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=example,dc=com",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
# Domain to combine with a user's username to figure out their email address.
#
# If users log in as e.g. "sam" when their email address is "*****@*****.**",
# set this to "example.com". If users log in with their full email addresses,
# leave as None; if the username -> email address mapping isn't so simple,
# leave as None and see LDAP_EMAIL_ATTR.
LDAP_APPEND_DOMAIN = None # type: Optional[str]
# LDAP attribute to find a user's email address.
#
# Leave as None if users log in with their email addresses,
# or if using LDAP_APPEND_DOMAIN.
LDAP_EMAIL_ATTR = None # type: Optional[str]
# 启用LDAP
# LDAP配置如下,请按照自己公司的LDAP配置进行更正
LDAP_SUPPORT = {
'enable': False, # 为True启用LDAP,为False禁用LDAP
'config': {
'AUTH_LDAP_SERVER_URI':
"ldap://ldapxx.xxx.com:389",
'AUTH_LDAP_ALWAYS_UPDATE_USER':
True,
'AUTH_LDAP_BIND_DN':
"cn=admin,dc=xxx,dc=com", # 用户,绝对路径
'AUTH_LDAP_BIND_PASSWORD':
'******', # 密码
'AUTH_LDAP_USER_SEARCH':
LDAPSearch("ou=people,dc=xxx,dc=com", ldap.SCOPE_SUBTREE,
"(uid=%(user)s)"),
# 用户映射,key为系统表字段,value为ldap字段
'AUTH_LDAP_USER_ATTR_MAP': {
'username': '******',
'email': 'mail',
'displayname': 'givenName',
'mobile': 'mobile'
}
}
}
# ALTER操作
# 是否启用Gh-ost工具改表,github地址:https://github.com/github/gh-ost
# Gh-ost工具对MySQL的ALTER操作有效
GHOST_TOOL = {
'enable':
AUTH_LDAP_USER_DN_TEMPLATE = (
os.environ.get("WEBLATE_AUTH_LDAP_USER_DN_TEMPLATE") or None)
AUTHENTICATION_BACKENDS += ("django_auth_ldap.backend.LDAPBackend", )
AUTH_LDAP_USER_ATTR_MAP = get_env_map("WEBLATE_AUTH_LDAP_USER_ATTR_MAP", {
"full_name": "name",
"email": "mail"
})
AUTH_LDAP_BIND_DN = os.environ.get("WEBLATE_AUTH_LDAP_BIND_DN", "")
AUTH_LDAP_BIND_PASSWORD = os.environ.get("WEBLATE_AUTH_LDAP_BIND_PASSWORD",
"")
_AUTH_LDAP_USER_SEARCH = get_env_list("")
if "WEBLATE_AUTH_LDAP_USER_SEARCH" in os.environ:
AUTH_LDAP_USER_SEARCH = LDAPSearch(
os.environ["WEBLATE_AUTH_LDAP_USER_SEARCH"],
ldap.SCOPE_SUBTREE,
os.environ.get("WEBLATE_AUTH_LDAP_USER_SEARCH_FILTER",
"(uid=%(user)s)"),
)
# Always include Weblate backend
AUTHENTICATION_BACKENDS += ("weblate.accounts.auth.WeblateUserBackend", )
# Social auth settings
SOCIAL_AUTH_PIPELINE = (
"social_core.pipeline.social_auth.social_details",
"social_core.pipeline.social_auth.social_uid",
"social_core.pipeline.social_auth.auth_allowed",
"social_core.pipeline.social_auth.social_user",
"weblate.accounts.pipeline.store_params",
"weblate.accounts.pipeline.verify_open",
"social_core.pipeline.user.get_username",
USE_TZ = True
# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/1.10/howto/static-files/
STATIC_URL = '/static/'
STATICFILES_DIRS = [
os.path.join(BASE_DIR, "static"),
]
AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend',
'django.contrib.auth.backends.ModelBackend',
)
AUTH_LDAP_SERVER_URI = config_dict['ldap_server_url']
AUTH_LDAP_BIND_DN = config_dict['ldap_bind_dn']
AUTH_LDAP_BIND_PASSWORD = config_dict['ldap_bind_password']
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"ou=盛成,dc=mama,dc=cn",
ldap.SCOPE_SUBTREE,
"(uid=%(user)s)",
)
AUTH_LDAP_USER_ATTR_MAP = {
"username": "******",
"first_name": "givenName",
"last_name": "sn",
"email": "mail"
}
def add_ldap_config(self, ldap_config):
ldap_url = ldap_config.LDAP_URL.get()
if ldap_url is None:
LOG.warn("Could not find LDAP URL required for authentication.")
return None
else:
setattr(self._backend.settings, 'SERVER_URI', ldap_config.LDAP_URL.get())
if ldap_url.lower().startswith('ldaps') and ldap_config.USE_START_TLS.get():
LOG.warn("Cannot configure LDAP with SSL and enable STARTTLS.")
if ldap_config.SEARCH_BIND_AUTHENTICATION.get():
# New Search/Bind Auth
base_dn = ldap_config.BASE_DN.get()
user_name_attr = ldap_config.USERS.USER_NAME_ATTR.get()
user_filter = ldap_config.USERS.USER_FILTER.get()
if not user_filter.startswith('('):
user_filter = '(' + user_filter + ')'
if ldap_config.BIND_DN.get():
bind_dn = ldap_config.BIND_DN.get()
setattr(self._backend.settings, 'BIND_DN', bind_dn)
bind_password = ldap_config.BIND_PASSWORD.get()
if not bind_password:
bind_password = ldap_config.BIND_PASSWORD_SCRIPT.get()
setattr(self._backend.settings, 'BIND_PASSWORD', bind_password)
if user_filter is None:
search_bind_results = LDAPSearch(base_dn,
ldap.SCOPE_SUBTREE, "(" + user_name_attr + "=%(user)s)")
else:
search_bind_results = LDAPSearch(base_dn,
ldap.SCOPE_SUBTREE, "(&(" + user_name_attr + "=%(user)s)" + user_filter + ")")
setattr(self._backend.settings, 'USER_SEARCH', search_bind_results)
else:
nt_domain = ldap_config.NT_DOMAIN.get()
if nt_domain is None:
pattern = ldap_config.LDAP_USERNAME_PATTERN.get()
pattern = pattern.replace('<username>', '%(user)s')
setattr(self._backend.settings, 'USER_DN_TEMPLATE', pattern)
else:
# %(user)s is a special string that will get replaced during the authentication process
setattr(self._backend.settings, 'USER_DN_TEMPLATE', "%(user)s@" + nt_domain)
# If Secure ldaps is specified in hue.ini then ldap code automatically use SSL/TLS communication
if not ldap_url.lower().startswith('ldaps'):
setattr(self._backend.settings, 'START_TLS', ldap_config.USE_START_TLS.get())
# Certificate-related config settings
if ldap_config.LDAP_CERT.get():
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ldap_config.LDAP_CERT.get())
else:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
if ldap_config.FOLLOW_REFERRALS.get():
ldap.set_option(ldap.OPT_REFERRALS, 1)
else:
ldap.set_option(ldap.OPT_REFERRALS, 0)
#
# Fake LDAP data has e.g. ("ldapuser1", "*****@*****.**") for username/email.
FAKE_LDAP_MODE = None # type: Optional[str]
# FAKE_LDAP_NUM_USERS = 8
if FAKE_LDAP_MODE:
# To understand these parameters, read the docs in
# prod_settings_template.py and on ReadTheDocs.
LDAP_APPEND_DOMAIN = None
AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,ou=users,dc=zulip,dc=com'
if FAKE_LDAP_MODE == 'a':
import ldap
from django_auth_ldap.config import LDAPSearch
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=zulip,dc=com",
ldap.SCOPE_SUBTREE,
"(email=%(user)s)")
AUTH_LDAP_USER_ATTR_MAP = {
"full_name": "cn",
"avatar": "thumbnailPhoto",
# This won't do much unless one changes the fact that
# all users have LDAP_USER_ACCOUNT_CONTROL_NORMAL in
# zerver/lib/dev_ldap_directory.py
"userAccountControl": "userAccountControl",
}
elif FAKE_LDAP_MODE == 'b':
LDAP_APPEND_DOMAIN = 'zulip.com'
AUTH_LDAP_USER_ATTR_MAP = {
"full_name": "cn",
"avatar": "jpegPhoto",
"custom_profile_field__birthday": "birthDate",
def _load_user_attrs(self):
search = LDAPSearch(self.dn, self.ldap.SCOPE_BASE)
results = search.execute(self.connection)
self._user_attrs = results[0][1]
'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
}
}
# Basis Konfiguration
AUTH_LDAP_SERVER_URI = "ldap://192.168.1.12"
AUTH_LDAP_BIND_DN = "LDAP_IPA"
AUTH_LDAP_BIND_PASSWORD = "******"
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_DEBUG_LEVEL: 1,
ldap.OPT_REFERRALS: 0
}
# Standart Parameter setzen
AUTH_LDAP_USER_SEARCH = LDAPSearch("DC=sbvg,DC=ch", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)")
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("DC=sbvg,DC=ch", ldap.SCOPE_SUBTREE, "(objectClass=group)")
AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType()
# Welche Attribute sollen ausgelesen werden.
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "mail",
"title": "title",
}
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_active": "CN=ipa-users,cn=users,DC=sbvg,DC=ch",
"is_staff": "CN=ipa-users,cn=users,DC=sbvg,DC=ch",
"is_superuser": "******"
if PROFILE:
INSTALLED_APPS.append("silk")
MIDDLEWARE.append("silk.middleware.SilkyMiddleware")
SILKY_PYTHON_PROFILER = PROFILE
SILKY_PYTHON_PROFILER_BINARY = PROFILE
ROOT_URLCONF = "interface.urls"
LOGIN_URL = "/"
AUTH_LDAP_SERVER_URI = os.getenv("LDAP_SERVER_URI")
AUTH_LDAP_BIND_DN = os.getenv("LDAP_BIND_DN")
AUTH_LDAP_BIND_PASSWORD = os.getenv("LDAP_BIND_PASSWORD")
AUTH_LDAP_USER_SEARCH = LDAPSearch(
os.getenv("LDAP_USER_TREE"),
ldap.SCOPE_SUBTREE,
os.getenv("LDAP_USER_FILTER"),
)
AUTH_LDAP_FIND_GROUP_PERMS = False
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "mail",
}
AUTH_LDAP_ALWAYS_UPDATE_USER = True
AUTH_LDAP_CACHE_TIMEOUT = 3600
AUTHENTICATION_BACKENDS = [
# The following may be needed if you are binding to Active Directory.
AUTH_LDAP_CONNECTION_OPTIONS = {ldap.OPT_REFERRALS: 0}
# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = os.environ.get('AUTH_LDAP_BIND_DN', '')
AUTH_LDAP_BIND_PASSWORD = os.environ.get('AUTH_LDAP_BIND_PASSWORD', '')
# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
# Note that this is a NetBox-specific setting which sets:
# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
LDAP_IGNORE_CERT_ERRORS = os.environ.get('LDAP_IGNORE_CERT_ERRORS',
'False').lower() == 'true'
AUTH_LDAP_USER_SEARCH = LDAPSearch(
os.environ.get('AUTH_LDAP_USER_SEARCH_BASEDN', ''), ldap.SCOPE_SUBTREE,
"(sAMAccountName=%(user)s)")
# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# heirarchy.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
os.environ.get('AUTH_LDAP_GROUP_SEARCH_BASEDN', ''), ldap.SCOPE_SUBTREE,
"(objectClass=group)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = os.environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', '')
# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_active": os.environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', ''),