Exemplo n.º 1
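	def authenticate(self, request, username=None, password=None, **keyword_arguments):
		"""
		Authenticate a request whose identity was established upstream (Kerberos via Nginx).

		The username is taken from the HTTP_AUTHORIZATION entry of request.META. The
		username and password arguments are part of the backend interface but are not
		used as credentials here.

		Returns the matching, active User, or None to deny access.

		NOTE(review): nothing in this method verifies the header value, so the check is
		only as trustworthy as the proxy in front of the application. Presumably Nginx
		sets the header after Kerberos succeeds -- confirm that it also overwrites any
		client-supplied value and that the application cannot be reached directly.
		"""
		header_value = request.META.get('HTTP_AUTHORIZATION', None)
		if not header_value:
			# Fail closed: without the proxy-supplied header there is no identity to look up.
			# Logged because a request arriving here without it suggests the proxy was bypassed or misconfigured.
			logger.warning("A request reached the Kerberos via Nginx authentication backend without an HTTP_AUTHORIZATION header. Access was denied.")
			return None
		username = self.clean_username(header_value)

		# NOTE(review): username comes from a request header and is written to the log verbatim below;
		# confirm the log pipeline escapes control characters.

		# The user must exist in the database
		try:
			user = User.objects.get(username=username)
		except User.DoesNotExist:
			logger.warning(f"Username {username} attempted to authenticate with Kerberos via Nginx, but that username does not exist in the NEMO database. The user was denied access.")
			return None

		# The user must be marked active.
		if not user.is_active:
			logger.warning(f"User {username} successfully authenticated with Kerberos via Nginx, but that user is marked inactive in the NEMO database. The user was denied access.")
			return None

		# All security checks passed so let the user in.
		logger.debug(f"User {username} successfully authenticated with Kerberos via Nginx and was granted access to NEMO.")
		return user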
Exemplo n.º 2
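	def authenticate(self, request, username=None, password=None, **keyword_arguments):
		"""
		Authenticate a user by performing a simple bind against the configured LDAP servers.

		The account must already exist in the local database and be marked active.
		The servers in settings.LDAP_SERVERS are then tried in order over TLS, and the
		first successful bind grants access.

		Returns the User on success, or None to deny access.
		"""
		# Refuse empty credentials before any bind is attempted: many LDAP servers treat a
		# simple bind with an empty password as an unauthenticated bind that succeeds.
		if not username or not password:
			return None

		# The user must exist in the database
		try:
			user = User.objects.get(username=username)
		except User.DoesNotExist:
			logger.warning(f"Username {username} attempted to authenticate with LDAP, but that username does not exist in the NEMO database. The user was denied access.")
			return None

		# The user must be marked active. No LDAP bind has happened yet at this point,
		# so the message must not claim that authentication succeeded.
		if not user.is_active:
			logger.warning(f"User {username} attempted to authenticate with LDAP, but that user is marked inactive in the NEMO database. The user was denied access.")
			return None

		for server in settings.LDAP_SERVERS:
			try:
				# Certificate validation is mandatory; the CA file comes from the per-server setting.
				tls_settings = Tls(validate=CERT_REQUIRED, version=PROTOCOL_TLSv1_2, ca_certs_file=server['certificate'])
				ldap_server = Server(server['url'], port=636, use_ssl=True, tls=tls_settings)
				# NOTE(review): the format string below has no replacement fields (it looks redacted in this
				# listing), so format() ignores both arguments and every login binds as the same literal
				# identity. Restore the intended template built from server['domain'] and username before
				# relying on this check.
				connection = Connection(ldap_server, user='******'.format(server['domain'], username), password=password, auto_bind=AUTO_BIND_TLS_BEFORE_BIND, authentication=SIMPLE)
				connection.unbind()
				# At this point the user successfully authenticated to at least one LDAP server.
				return user
			except LDAPBindError:
				# The username and password were invalid against this LDAP server; try the next one.
				logger.warning(f"User {username} attempted to authenticate with LDAP, but entered an incorrect password. The user was denied access.")
			except LDAPExceptionError as e:
				# Any other LDAP failure is recorded through the module logger, with traceback,
				# next to the other authentication events.
				logger.exception(e)

		# The user did not successfully authenticate to any of the LDAP servers.
		return None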
Exemplo n.º 3
 def log_response(*args, **kwargs):
     """Log a warning through the module logger.

     Positional arguments are forwarded as the log message and its format
     arguments. Keyword arguments are attached to the record as ``extra`` fields.

     Returns whatever ``logger.warning`` returns.
     """
     # logging raises KeyError when an extra key clashes with a built-in
     # LogRecord attribute such as "message" or "name".
     extra_fields = kwargs
     outcome = logger.warning(*args, extra=extra_fields)
     return outcome