def join_ldap_group_querys(group_list, group_dn):
s = "cn={0},{1}"
query = None
for group in group_list:
if query is None:
# First query object
query = LDAPGroupQuery(s.format(group, group_dn))
else:
# Append new querys with or
query = (query | LDAPGroupQuery(s.format(group, group_dn)))
return query
def _check_required_group(self):
"""
Returns True if the group requirement (AUTH_LDAP_REQUIRE_GROUP) is
met. Always returns True if AUTH_LDAP_REQUIRE_GROUP is None.
"""
required_group_dn = self.settings.REQUIRE_GROUP
if required_group_dn is not None:
if not isinstance(required_group_dn, LDAPGroupQuery):
required_group_dn = LDAPGroupQuery(required_group_dn)
result = required_group_dn.resolve(self)
if not result:
raise self.AuthenticationFailed("user does not satisfy AUTH_LDAP_REQUIRE_GROUP")
return True
def _check_required_group(self):
"""
Returns True if the group requirement (AUTH_LDAP_REQUIRE_GROUP) is
met. Always returns True if AUTH_LDAP_REQUIRE_GROUP is None.
"""
required_group_dn = self.settings.REQUIRE_GROUP
if required_group_dn is not None:
if not isinstance(required_group_dn, LDAPGroupQuery):
required_group_dn = LDAPGroupQuery(required_group_dn)
result = required_group_dn.resolve(self)
if not result:
raise self.AuthenticationFailed("user does not satisfy AUTH_LDAP_REQUIRE_GROUP")
return True
def _get_ldap_group_query(groups):
"""From a list of LDAP simple searches create an LDAPGroupQuery with the items in OR.
Arguments:
groups (list): the list of simple LDAP searches to OR.
Returns:
django_auth_ldap.config.LDAPGroupQuery: the search object
"""
if not groups:
return None
if len(groups) == 1:
return groups[0]
group_query = LDAPGroupQuery(groups[0])
for group in groups[1:]:
group_query |= LDAPGroupQuery(group)
return group_query
def _normalize_group_dns(self, group_dns):
"""
Converts one or more group DNs to an LDAPGroupQuery.
group_dns may be a string, a non-empty list or tuple of strings, or an
LDAPGroupQuery. The result will be an LDAPGroupQuery. A list or tuple
will be joined with the | operator.
"""
if isinstance(group_dns, LDAPGroupQuery):
query = group_dns
elif isinstance(group_dns, str):
query = LDAPGroupQuery(group_dns)
elif isinstance(group_dns, (list, tuple)) and len(group_dns) > 0:
query = reduce(operator.or_, map(LDAPGroupQuery, group_dns))
else:
raise ValueError(group_dns)
return query
LDAP_BASE_GROUP = f"cn={env('LDAP_BASE_GROUP')},{LDAP_BASE_OU}"
LDAP_PROJECT_GROUP = f"cn=radicalt,{LDAP_BASE_OU}"
# Baseline configuration
AUTH_LDAP_SERVER_URI = env("LDAP_SERVER_URI")
AUTH_LDAP_BIND_DN = env("LDAP_BIND_DN", default="")
AUTH_LDAP_BIND_PASSWORD = env("LDAP_BIND_PASSWORD", default="")
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=people," + LDAP_BASE_DC
# Set up the basic group parameters
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(LDAP_BASE_OU, ldap.SCOPE_SUBTREE,
"(objectClass=posixGroup)")
AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr="cn")
# Simple group restrictions
AUTH_LDAP_REQUIRE_GROUP = LDAPGroupQuery(LDAP_BASE_GROUP) | LDAPGroupQuery(
LDAP_PROJECT_GROUP)
# Populate the Django user from the LDAP directory
AUTH_LDAP_ALWAYS_UPDATE_USER = False
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": env("LDAP_FIRST_NAME_FIELD"),
"last_name": env("LDAP_LAST_NAME_FIELD"),
"email": env("LDAP_EMAIL_FIELD"),
}
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_active":
LDAPGroupQuery(LDAP_BASE_GROUP) | LDAPGroupQuery(LDAP_PROJECT_GROUP),
"is_staff":
AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr='cn')
# Simple group restrictions
# TODO: Set this value in the project settings
AUTH_LDAP_REQUIRE_GROUP = ''
# Populate the Django user from the LDAP directory
AUTH_LDAP_USER_ATTR_MAP = {
'first_name': 'givenName',
'last_name': 'sn',
'email': 'mail'
}
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
'is_active':
LDAPGroupQuery('cn=kdl-staff,' + LDAP_BASE_OU)
| LDAPGroupQuery('cn=ddh-staff,' + LDAP_BASE_OU)
| LDAPGroupQuery('cn=kdl-external,' + LDAP_BASE_OU)
| LDAPGroupQuery('cn=ddh-external,' + LDAP_BASE_OU)
| LDAPGroupQuery('cn=systems,' + LDAP_BASE_OU),
'is_staff':
'cn=kdl-staff,' + LDAP_BASE_OU,
'is_superuser':
'******' + LDAP_BASE_OU
}
AUTH_LDAP_PROFILE_FLAGS_BY_GROUP = {}
# This is the default, but I like to be explicit
AUTH_LDAP_ALWAYS_UPDATE_USER = False
# FABRIC
# -----------------------------------------------------------------------------
FABRIC_USER = getpass.getuser()
# -----------------------------------------------------------------------------
# GLOBALS FOR JS
# -----------------------------------------------------------------------------
# Google Analytics ID
GA_ID = ''
# -----------------------------------------------------------------------------
# Automatically generated settings
# -----------------------------------------------------------------------------
# Check which db engine to use:
db_engine = 'django.db.backends.postgresql_psycopg2'
if 'django.contrib.gis' in INSTALLED_APPS:
db_engine = 'django.contrib.gis.db.backends.postgis'
AUTH_LDAP_REQUIRE_GROUP = (
(
LDAPGroupQuery('cn=kdl-staff,' + LDAP_BASE_OU) |
LDAPGroupQuery('cn=mdh,' + LDAP_BASE_OU)
)
)
MDH_SOURCE_PATH = 'research_data'
# -----------------------------------------------------------------------------
# Automatically generated settings
# -----------------------------------------------------------------------------
# Check which db engine to use:
db_engine = 'django.db.backends.postgresql_psycopg2'
if 'django.contrib.gis' in INSTALLED_APPS:
db_engine = 'django.contrib.gis.db.backends.postgis'
AC_BASE_URL = 'https://app.activecollab.com/148987'
AC_API_URL = AC_BASE_URL + '/api/v1/'
AC_PROJECT_ID = 954
AC_USER = 36
AC_TOKEN = ''
AUTH_LDAP_REQUIRE_GROUP = ((LDAPGroupQuery('cn=kdl-staff,' + LDAP_BASE_OU)
| LDAPGroupQuery('cn=mmee,' + LDAP_BASE_OU)))
WAGTAIL_SITE_NAME = PROJECT_TITLE
ITEMS_PER_PAGE = 12
USE_PIPENV = True
# http://docs.wagtail.io/en/v2.5.1/topics/search/backends.html
WAGTAILSEARCH_BACKENDS = {
'default': {
# default and postgres have limited support for facets
# default: use the db, dev only, update_index not needed
# 'BACKEND': 'wagtail.search.backends.db',
# postgres: for production, also better text search (with stemming)
AUTH_LDAP_CACHE_TIMEOUT = 3600
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
AUTH_LDAP_SERVER_URI = "ldap://pdc.base-fx.com"
AUTH_LDAP_BIND_DN = "cn=zhangyt,ou=NON,ou=BJ,ou=Basers,dc=ad,dc=base-fx,dc=com"
AUTH_LDAP_BIND_PASSWORD = "******"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"ou=Basers,dc=ad,dc=base-fx,dc=com", ldap.SCOPE_SUBTREE, "(uid=%(user)s)"
)
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
"ou=Basers,dc=ad,dc=base-fx,dc=com", ldap.SCOPE_SUBTREE, "(objectClass=group)"
)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_REQUIRE_GROUP = (
LDAPGroupQuery("cn=ITD,ou=Basers,dc=ad,dc=base-fx,dc=com")
| LDAPGroupQuery("cn=PLE,ou=Basers,dc=ad,dc=base-fx,dc=com")
)
AUTH_LDAP_USER_ATTR_MAP = {"first_name": "givenName", "last_name": "sn", "email": "mail"}
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_active": (
LDAPGroupQuery("cn=ITD,ou=Basers,dc=ad,dc=base-fx,dc=com")
| LDAPGroupQuery("cn=PLE,ou=Basers,dc=ad,dc=base-fx,dc=com")
),
"is_staff": (
LDAPGroupQuery("cn=ITD,ou=Basers,dc=ad,dc=base-fx,dc=com")
),
# "is_active": "cn=ITD,ou=Basers,dc=ad,dc=base-fx,dc=com",
# "is_staff": "cn=ITD,ou=Basers,dc=ad,dc=base-fx,dc=com",
"is_superuser": "******"
]
# LDAP Config
AUTH_LDAP_SERVER_URI = "ldap://ldap.d120.de"
AUTH_LDAP_BIND_DN = "cn=pyofahrt,ou=Services,dc=fachschaft,dc=informatik,dc=tu-darmstadt,dc=de"
AUTH_LDAP_BIND_PASSWORD = secrets.AUTH_LDAP_BIND_PASSWORD
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"ou=People,dc=fachschaft,dc=informatik,dc=tu-darmstadt,dc=de",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=Groups,dc=fachschaft,dc=com",
ldap.SCOPE_SUBTREE,
"(objectClass=groupOfNames)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "mail"
}
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_staff":
"cn=fachschaft,ou=Group,dc=fachschaft,dc=informatik,dc=tu-darmstadt,dc=de",
"is_superuser": (LDAPGroupQuery(
"cn=ofahrtleitung,ou=Group,dc=fachschaft,dc=informatik,dc=tu-darmstadt,dc=de"
) | LDAPGroupQuery(
"cn=developers,ou=Group,dc=fachschaft,dc=informatik,dc=tu-darmstadt,dc=de"
) | LDAPGroupQuery(
"cn=fss,ou=Group,dc=fachschaft,dc=informatik,dc=tu-darmstadt,dc=de"))
}
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=groups,dc=localhost",
ldap.SCOPE_ONELEVEL, "(objectClass=top)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "userPrincipalName"
}
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_superuser":
"******",
"is_staff":
(LDAPGroupQuery("cn=Web Application Administrators,ou=groups,dc=localhost")
| LDAPGroupQuery("cn=Accounting,ou=groups,dc=localhost")
| LDAPGroupQuery("cn=Support,ou=groups,dc=localhost"))
}
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_MIRROR_GROUPS = True
AUTH_LDAP_CACHE_TIMEOUT = 3600
ROOT_URLCONF = 'cdr_accounting.urls'
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.setLevel(logging.DEBUG)
TEMPLATES = [
LDAP_PROJECT_GROUP = f"cn=language_acts,{LDAP_BASE_OU}"
# Baseline configuration
AUTH_LDAP_SERVER_URI = env("LDAP_SERVER_URI")
AUTH_LDAP_BIND_DN = env("LDAP_BIND_DN", default="")
AUTH_LDAP_BIND_PASSWORD = env("LDAP_BIND_PASSWORD", default="")
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=people," + LDAP_BASE_DC
# Set up the basic group parameters
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
LDAP_BASE_OU, ldap.SCOPE_SUBTREE, "(objectClass=posixGroup)"
)
AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr="cn")
# Simple group restrictions
AUTH_LDAP_REQUIRE_GROUP = LDAPGroupQuery(LDAP_BASE_GROUP) | LDAPGroupQuery(
LDAP_PROJECT_GROUP
)
# Populate the Django user from the LDAP directory
AUTH_LDAP_ALWAYS_UPDATE_USER = False
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": env("LDAP_FIRST_NAME_FIELD"),
"last_name": env("LDAP_LAST_NAME_FIELD"),
"email": env("LDAP_EMAIL_FIELD"),
}
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_active": LDAPGroupQuery(LDAP_BASE_GROUP) | LDAPGroupQuery(LDAP_PROJECT_GROUP),
"is_staff": LDAP_BASE_GROUP,
tuple(s for s in settings_dict['ldap_staff'].split('"')
if s.lower().startswith(prefixes)),
'is_superuser':
tuple(s for s in settings_dict['ldap_super'].split('"')
if s.lower().startswith(prefixes)),
}
# LDAP and Django Group Mapping
prefixes = ('[', ',', ']')
AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType()
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_MIRROR_GROUPS = tuple([
g for g in settings_dict['ldap_mirror_groups'].split('"')
if not g.startswith(prefixes)
])
AUTH_LDAP_REQUIRE_GROUP = LDAPGroupQuery()
AUTH_LDAP_REQUIRE_GROUP.connector = 'OR'
AUTH_LDAP_REQUIRE_GROUP.children = _ldap_active
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_DEBUG_LEVEL: 0,
ldap.OPT_REFERRALS: 0,
}
AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend',
'django.contrib.auth.backends.ModelBackend',
)
def parse_ldap_group_query_string(query_string):
"""Parse OpenLDAP search filter-like strings, but for group queries instead.
An example of a parseable string is::
"|(cn=admins,ou=...)(&(cn=students,ou=...)(~(cn=first_term,ou=...)))"
:return django_auth_ldap.config.LDAPGroupQuery:
"""
stack = []
operand = LDAPGroupQuery()
operand_name = ""
binary_operator_ok = True
negate_next = False
for idx, char in enumerate(query_string):
if char == "(":
# No opening parenthesis inside a name
if operand_name:
raise ValueError(f"Unexpected {char!r} at position {idx+1}")
# Also store the position at which the parenthesis was opened for eventual
# error messages about unclosed parentheses
stack.append((operand, idx))
operand = LDAPGroupQuery()
if negate_next:
operand.negate()
binary_operator_ok = True
negate_next = False
operand_name = ""
elif char == ")":
if operand_name:
operand.add(operand_name.rstrip(), operand.connector)
operand_name = ""
try:
outer_operand, _ = stack.pop()
except IndexError:
raise ValueError(
f"Closing parenthesis without prior opening at position {idx+1}"
) from None
outer_operand.add(operand, outer_operand.connector)
operand = outer_operand
binary_operator_ok = False
elif char in "~&|":
# The binary operators may only go directly after an opening parenthesis
if not binary_operator_ok or operand_name or operand:
raise ValueError(f"Unexpected {char!r} at position {idx+1}")
if char == "~":
negate_next = not negate_next
elif char == "&":
operand.connector = LDAPGroupQuery.AND
elif char == "|":
operand.connector = LDAPGroupQuery.OR
binary_operator_ok = False
else:
# Ignore whitespace at the beginning
if not operand_name and not char.strip():
continue
# Names may only go into empty operands and may not start after a binary
# operator without another opening parenthesis in between
if operand or not operand_name and not binary_operator_ok:
raise ValueError(f"Unexpected {char!r} at position {idx+1}")
operand_name += char
binary_operator_ok = False
if stack:
raise ValueError(f"Unclosed parenthesis at position {stack[0][1]+1}")
# Handle a single plain name without any parentheses at all
if operand_name:
operand.add(operand_name.rstrip(), operand.connector)
return operand
