def join_ldap_group_querys(group_list, group_dn): s = "cn={0},{1}" query = None for group in group_list: if query is None: # First query object query = LDAPGroupQuery(s.format(group, group_dn)) else: # Append new querys with or query = (query | LDAPGroupQuery(s.format(group, group_dn))) return query
def _check_required_group(self): """ Returns True if the group requirement (AUTH_LDAP_REQUIRE_GROUP) is met. Always returns True if AUTH_LDAP_REQUIRE_GROUP is None. """ required_group_dn = self.settings.REQUIRE_GROUP if required_group_dn is not None: if not isinstance(required_group_dn, LDAPGroupQuery): required_group_dn = LDAPGroupQuery(required_group_dn) result = required_group_dn.resolve(self) if not result: raise self.AuthenticationFailed("user does not satisfy AUTH_LDAP_REQUIRE_GROUP") return True
def _check_required_group(self): """ Returns True if the group requirement (AUTH_LDAP_REQUIRE_GROUP) is met. Always returns True if AUTH_LDAP_REQUIRE_GROUP is None. """ required_group_dn = self.settings.REQUIRE_GROUP if required_group_dn is not None: if not isinstance(required_group_dn, LDAPGroupQuery): required_group_dn = LDAPGroupQuery(required_group_dn) result = required_group_dn.resolve(self) if not result: raise self.AuthenticationFailed("user does not satisfy AUTH_LDAP_REQUIRE_GROUP") return True
def _get_ldap_group_query(groups): """From a list of LDAP simple searches create an LDAPGroupQuery with the items in OR. Arguments: groups (list): the list of simple LDAP searches to OR. Returns: django_auth_ldap.config.LDAPGroupQuery: the search object """ if not groups: return None if len(groups) == 1: return groups[0] group_query = LDAPGroupQuery(groups[0]) for group in groups[1:]: group_query |= LDAPGroupQuery(group) return group_query
def _normalize_group_dns(self, group_dns): """ Converts one or more group DNs to an LDAPGroupQuery. group_dns may be a string, a non-empty list or tuple of strings, or an LDAPGroupQuery. The result will be an LDAPGroupQuery. A list or tuple will be joined with the | operator. """ if isinstance(group_dns, LDAPGroupQuery): query = group_dns elif isinstance(group_dns, str): query = LDAPGroupQuery(group_dns) elif isinstance(group_dns, (list, tuple)) and len(group_dns) > 0: query = reduce(operator.or_, map(LDAPGroupQuery, group_dns)) else: raise ValueError(group_dns) return query
LDAP_BASE_GROUP = f"cn={env('LDAP_BASE_GROUP')},{LDAP_BASE_OU}" LDAP_PROJECT_GROUP = f"cn=radicalt,{LDAP_BASE_OU}" # Baseline configuration AUTH_LDAP_SERVER_URI = env("LDAP_SERVER_URI") AUTH_LDAP_BIND_DN = env("LDAP_BIND_DN", default="") AUTH_LDAP_BIND_PASSWORD = env("LDAP_BIND_PASSWORD", default="") AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=people," + LDAP_BASE_DC # Set up the basic group parameters AUTH_LDAP_GROUP_SEARCH = LDAPSearch(LDAP_BASE_OU, ldap.SCOPE_SUBTREE, "(objectClass=posixGroup)") AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr="cn") # Simple group restrictions AUTH_LDAP_REQUIRE_GROUP = LDAPGroupQuery(LDAP_BASE_GROUP) | LDAPGroupQuery( LDAP_PROJECT_GROUP) # Populate the Django user from the LDAP directory AUTH_LDAP_ALWAYS_UPDATE_USER = False AUTH_LDAP_USER_ATTR_MAP = { "first_name": env("LDAP_FIRST_NAME_FIELD"), "last_name": env("LDAP_LAST_NAME_FIELD"), "email": env("LDAP_EMAIL_FIELD"), } AUTH_LDAP_USER_FLAGS_BY_GROUP = { "is_active": LDAPGroupQuery(LDAP_BASE_GROUP) | LDAPGroupQuery(LDAP_PROJECT_GROUP), "is_staff":
AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr='cn') # Simple group restrictions # TODO: Set this value in the project settings AUTH_LDAP_REQUIRE_GROUP = '' # Populate the Django user from the LDAP directory AUTH_LDAP_USER_ATTR_MAP = { 'first_name': 'givenName', 'last_name': 'sn', 'email': 'mail' } AUTH_LDAP_USER_FLAGS_BY_GROUP = { 'is_active': LDAPGroupQuery('cn=kdl-staff,' + LDAP_BASE_OU) | LDAPGroupQuery('cn=ddh-staff,' + LDAP_BASE_OU) | LDAPGroupQuery('cn=kdl-external,' + LDAP_BASE_OU) | LDAPGroupQuery('cn=ddh-external,' + LDAP_BASE_OU) | LDAPGroupQuery('cn=systems,' + LDAP_BASE_OU), 'is_staff': 'cn=kdl-staff,' + LDAP_BASE_OU, 'is_superuser': '******' + LDAP_BASE_OU } AUTH_LDAP_PROFILE_FLAGS_BY_GROUP = {} # This is the default, but I like to be explicit AUTH_LDAP_ALWAYS_UPDATE_USER = False
# FABRIC # ----------------------------------------------------------------------------- FABRIC_USER = getpass.getuser() # ----------------------------------------------------------------------------- # GLOBALS FOR JS # ----------------------------------------------------------------------------- # Google Analytics ID GA_ID = '' # ----------------------------------------------------------------------------- # Automatically generated settings # ----------------------------------------------------------------------------- # Check which db engine to use: db_engine = 'django.db.backends.postgresql_psycopg2' if 'django.contrib.gis' in INSTALLED_APPS: db_engine = 'django.contrib.gis.db.backends.postgis' AUTH_LDAP_REQUIRE_GROUP = ( ( LDAPGroupQuery('cn=kdl-staff,' + LDAP_BASE_OU) | LDAPGroupQuery('cn=mdh,' + LDAP_BASE_OU) ) ) MDH_SOURCE_PATH = 'research_data'
# ----------------------------------------------------------------------------- # Automatically generated settings # ----------------------------------------------------------------------------- # Check which db engine to use: db_engine = 'django.db.backends.postgresql_psycopg2' if 'django.contrib.gis' in INSTALLED_APPS: db_engine = 'django.contrib.gis.db.backends.postgis' AC_BASE_URL = 'https://app.activecollab.com/148987' AC_API_URL = AC_BASE_URL + '/api/v1/' AC_PROJECT_ID = 954 AC_USER = 36 AC_TOKEN = '' AUTH_LDAP_REQUIRE_GROUP = ((LDAPGroupQuery('cn=kdl-staff,' + LDAP_BASE_OU) | LDAPGroupQuery('cn=mmee,' + LDAP_BASE_OU))) WAGTAIL_SITE_NAME = PROJECT_TITLE ITEMS_PER_PAGE = 12 USE_PIPENV = True # http://docs.wagtail.io/en/v2.5.1/topics/search/backends.html WAGTAILSEARCH_BACKENDS = { 'default': { # default and postgres have limited support for facets # default: use the db, dev only, update_index not needed # 'BACKEND': 'wagtail.search.backends.db', # postgres: for production, also better text search (with stemming)
AUTH_LDAP_CACHE_TIMEOUT = 3600 AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600 AUTH_LDAP_SERVER_URI = "ldap://pdc.base-fx.com" AUTH_LDAP_BIND_DN = "cn=zhangyt,ou=NON,ou=BJ,ou=Basers,dc=ad,dc=base-fx,dc=com" AUTH_LDAP_BIND_PASSWORD = "******" AUTH_LDAP_USER_SEARCH = LDAPSearch( "ou=Basers,dc=ad,dc=base-fx,dc=com", ldap.SCOPE_SUBTREE, "(uid=%(user)s)" ) AUTH_LDAP_GROUP_SEARCH = LDAPSearch( "ou=Basers,dc=ad,dc=base-fx,dc=com", ldap.SCOPE_SUBTREE, "(objectClass=group)" ) AUTH_LDAP_GROUP_TYPE = GroupOfNamesType() AUTH_LDAP_REQUIRE_GROUP = ( LDAPGroupQuery("cn=ITD,ou=Basers,dc=ad,dc=base-fx,dc=com") | LDAPGroupQuery("cn=PLE,ou=Basers,dc=ad,dc=base-fx,dc=com") ) AUTH_LDAP_USER_ATTR_MAP = {"first_name": "givenName", "last_name": "sn", "email": "mail"} AUTH_LDAP_USER_FLAGS_BY_GROUP = { "is_active": ( LDAPGroupQuery("cn=ITD,ou=Basers,dc=ad,dc=base-fx,dc=com") | LDAPGroupQuery("cn=PLE,ou=Basers,dc=ad,dc=base-fx,dc=com") ), "is_staff": ( LDAPGroupQuery("cn=ITD,ou=Basers,dc=ad,dc=base-fx,dc=com") ), # "is_active": "cn=ITD,ou=Basers,dc=ad,dc=base-fx,dc=com", # "is_staff": "cn=ITD,ou=Basers,dc=ad,dc=base-fx,dc=com", "is_superuser": "******"
] # LDAP Config AUTH_LDAP_SERVER_URI = "ldap://ldap.d120.de" AUTH_LDAP_BIND_DN = "cn=pyofahrt,ou=Services,dc=fachschaft,dc=informatik,dc=tu-darmstadt,dc=de" AUTH_LDAP_BIND_PASSWORD = secrets.AUTH_LDAP_BIND_PASSWORD AUTH_LDAP_USER_SEARCH = LDAPSearch( "ou=People,dc=fachschaft,dc=informatik,dc=tu-darmstadt,dc=de", ldap.SCOPE_SUBTREE, "(uid=%(user)s)") AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=Groups,dc=fachschaft,dc=com", ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)") AUTH_LDAP_GROUP_TYPE = GroupOfNamesType() AUTH_LDAP_USER_ATTR_MAP = { "first_name": "givenName", "last_name": "sn", "email": "mail" } AUTH_LDAP_USER_FLAGS_BY_GROUP = { "is_staff": "cn=fachschaft,ou=Group,dc=fachschaft,dc=informatik,dc=tu-darmstadt,dc=de", "is_superuser": (LDAPGroupQuery( "cn=ofahrtleitung,ou=Group,dc=fachschaft,dc=informatik,dc=tu-darmstadt,dc=de" ) | LDAPGroupQuery( "cn=developers,ou=Group,dc=fachschaft,dc=informatik,dc=tu-darmstadt,dc=de" ) | LDAPGroupQuery( "cn=fss,ou=Group,dc=fachschaft,dc=informatik,dc=tu-darmstadt,dc=de")) }
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=groups,dc=localhost", ldap.SCOPE_ONELEVEL, "(objectClass=top)") AUTH_LDAP_GROUP_TYPE = GroupOfNamesType() AUTH_LDAP_USER_ATTR_MAP = { "first_name": "givenName", "last_name": "sn", "email": "userPrincipalName" } AUTH_LDAP_USER_FLAGS_BY_GROUP = { "is_superuser": "******", "is_staff": (LDAPGroupQuery("cn=Web Application Administrators,ou=groups,dc=localhost") | LDAPGroupQuery("cn=Accounting,ou=groups,dc=localhost") | LDAPGroupQuery("cn=Support,ou=groups,dc=localhost")) } AUTH_LDAP_FIND_GROUP_PERMS = True AUTH_LDAP_MIRROR_GROUPS = True AUTH_LDAP_CACHE_TIMEOUT = 3600 ROOT_URLCONF = 'cdr_accounting.urls' logger = logging.getLogger('django_auth_ldap') logger.addHandler(logging.StreamHandler()) logger.setLevel(logging.DEBUG) TEMPLATES = [
LDAP_PROJECT_GROUP = f"cn=language_acts,{LDAP_BASE_OU}" # Baseline configuration AUTH_LDAP_SERVER_URI = env("LDAP_SERVER_URI") AUTH_LDAP_BIND_DN = env("LDAP_BIND_DN", default="") AUTH_LDAP_BIND_PASSWORD = env("LDAP_BIND_PASSWORD", default="") AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=people," + LDAP_BASE_DC # Set up the basic group parameters AUTH_LDAP_GROUP_SEARCH = LDAPSearch( LDAP_BASE_OU, ldap.SCOPE_SUBTREE, "(objectClass=posixGroup)" ) AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr="cn") # Simple group restrictions AUTH_LDAP_REQUIRE_GROUP = LDAPGroupQuery(LDAP_BASE_GROUP) | LDAPGroupQuery( LDAP_PROJECT_GROUP ) # Populate the Django user from the LDAP directory AUTH_LDAP_ALWAYS_UPDATE_USER = False AUTH_LDAP_USER_ATTR_MAP = { "first_name": env("LDAP_FIRST_NAME_FIELD"), "last_name": env("LDAP_LAST_NAME_FIELD"), "email": env("LDAP_EMAIL_FIELD"), } AUTH_LDAP_USER_FLAGS_BY_GROUP = { "is_active": LDAPGroupQuery(LDAP_BASE_GROUP) | LDAPGroupQuery(LDAP_PROJECT_GROUP), "is_staff": LDAP_BASE_GROUP,
tuple(s for s in settings_dict['ldap_staff'].split('"') if s.lower().startswith(prefixes)), 'is_superuser': tuple(s for s in settings_dict['ldap_super'].split('"') if s.lower().startswith(prefixes)), } # LDAP and Django Group Mapping prefixes = ('[', ',', ']') AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType() AUTH_LDAP_FIND_GROUP_PERMS = True AUTH_LDAP_MIRROR_GROUPS = tuple([ g for g in settings_dict['ldap_mirror_groups'].split('"') if not g.startswith(prefixes) ]) AUTH_LDAP_REQUIRE_GROUP = LDAPGroupQuery() AUTH_LDAP_REQUIRE_GROUP.connector = 'OR' AUTH_LDAP_REQUIRE_GROUP.children = _ldap_active AUTH_LDAP_CACHE_GROUPS = True AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600 AUTH_LDAP_CONNECTION_OPTIONS = { ldap.OPT_DEBUG_LEVEL: 0, ldap.OPT_REFERRALS: 0, } AUTHENTICATION_BACKENDS = ( 'django_auth_ldap.backend.LDAPBackend', 'django.contrib.auth.backends.ModelBackend', )
def parse_ldap_group_query_string(query_string): """Parse OpenLDAP search filter-like strings, but for group queries instead. An example of a parseable string is:: "|(cn=admins,ou=...)(&(cn=students,ou=...)(~(cn=first_term,ou=...)))" :return django_auth_ldap.config.LDAPGroupQuery: """ stack = [] operand = LDAPGroupQuery() operand_name = "" binary_operator_ok = True negate_next = False for idx, char in enumerate(query_string): if char == "(": # No opening parenthesis inside a name if operand_name: raise ValueError(f"Unexpected {char!r} at position {idx+1}") # Also store the position at which the parenthesis was opened for eventual # error messages about unclosed parentheses stack.append((operand, idx)) operand = LDAPGroupQuery() if negate_next: operand.negate() binary_operator_ok = True negate_next = False operand_name = "" elif char == ")": if operand_name: operand.add(operand_name.rstrip(), operand.connector) operand_name = "" try: outer_operand, _ = stack.pop() except IndexError: raise ValueError( f"Closing parenthesis without prior opening at position {idx+1}" ) from None outer_operand.add(operand, outer_operand.connector) operand = outer_operand binary_operator_ok = False elif char in "~&|": # The binary operators may only go directly after an opening parenthesis if not binary_operator_ok or operand_name or operand: raise ValueError(f"Unexpected {char!r} at position {idx+1}") if char == "~": negate_next = not negate_next elif char == "&": operand.connector = LDAPGroupQuery.AND elif char == "|": operand.connector = LDAPGroupQuery.OR binary_operator_ok = False else: # Ignore whitespace at the beginning if not operand_name and not char.strip(): continue # Names may only go into empty operands and may not start after a binary # operator without another opening parenthesis in between if operand or not operand_name and not binary_operator_ok: raise ValueError(f"Unexpected {char!r} at position {idx+1}") operand_name += char binary_operator_ok = False if stack: raise ValueError(f"Unclosed parenthesis at position {stack[0][1]+1}") # Handle a single plain name without any parentheses at all if operand_name: operand.add(operand_name.rstrip(), operand.connector) return operand