def _apply_ldap_settings(self, values, backend):
"""Apply configuration for given backend."""
import ldap
from django_auth_ldap.config import (LDAPSearch, PosixGroupType,
GroupOfNamesType,
ActiveDirectoryGroupType)
if not hasattr(settings, backend.setting_fullname("USER_ATTR_MAP")):
setattr(settings, backend.setting_fullname("USER_ATTR_MAP"), {
"first_name": "givenName",
"email": "mail",
"last_name": "sn"
})
ldap_uri = "ldaps://" if values["ldap_secured"] == "ssl" else "ldap://"
ldap_uri += "%s:%s" % (values[backend.srv_address_setting_name],
values[backend.srv_port_setting_name])
setattr(settings, backend.setting_fullname("SERVER_URI"), ldap_uri)
if values["ldap_secured"] == "starttls":
setattr(settings, backend.setting_fullname("START_TLS"), True)
if values["ldap_is_active_directory"]:
setattr(settings, backend.setting_fullname("GROUP_TYPE"),
ActiveDirectoryGroupType())
searchfilter = "(objectClass=group)"
elif values["ldap_group_type"] == "groupofnames":
setattr(settings, backend.setting_fullname("GROUP_TYPE"),
GroupOfNamesType())
searchfilter = "(objectClass=groupOfNames)"
else:
setattr(settings, backend.setting_fullname("GROUP_TYPE"),
PosixGroupType())
searchfilter = "(objectClass=posixGroup)"
setattr(
settings, backend.setting_fullname("GROUP_SEARCH"),
LDAPSearch(values["ldap_groups_search_base"], ldap.SCOPE_SUBTREE,
searchfilter))
if values["ldap_auth_method"] == "searchbind":
setattr(settings, backend.setting_fullname("BIND_DN"),
values["ldap_bind_dn"])
setattr(settings, backend.setting_fullname("BIND_PASSWORD"),
values["ldap_bind_password"])
search = LDAPSearch(values["ldap_search_base"], ldap.SCOPE_SUBTREE,
values["ldap_search_filter"])
setattr(settings, backend.setting_fullname("USER_SEARCH"), search)
else:
setattr(settings, backend.setting_fullname("USER_DN_TEMPLATE"),
values["ldap_user_dn_template"])
setattr(settings,
backend.setting_fullname("BIND_AS_AUTHENTICATING_USER"),
True)
if values["ldap_is_active_directory"]:
setting = backend.setting_fullname("GLOBAL_OPTIONS")
if not hasattr(settings, setting):
setattr(settings, setting, {ldap.OPT_REFERRALS: False})
else:
getattr(settings, setting)[ldap.OPT_REFERRALS] = False
def __init__(self, *args, **kwargs):
self.defaults.update({
# Server and connection settings
'SERVER_URI': 'ldap://ad.liu.se',
'START_TLS': True,
'CONNECTION_OPTIONS': {
ldap.OPT_X_TLS_REQUIRE_CERT:
ldap.OPT_X_TLS_NEVER, # Don't require certificate
},
'BIND_AS_AUTHENTICATING_USER': True,
'GROUP_TYPE': ActiveDirectoryGroupType(),
'USER_ATTR_MAP': {
'first_name': 'givenName',
'last_name': 'sn',
'email': 'mail'
},
})
super(LiULDAPSettings, self).__init__(*args, **kwargs)
)
#AUTH_LDAP_START_TLS = True
AUTH_LDAP_USER_ATTR_MAP = {
"username": "******",
"first_name": "givenName",
"last_name": "sn",
"email": "mail",
}
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
"OU=Net_Groups,OU=Resources_and_Services,DC=cons,DC=tsk,DC=ru", ldap.SCOPE_SUBTREE, "(objectCategory=Group)"
)
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType(name_attr="cn")
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_superuser": "******",
"is_staff": "CN=Cert Authority User,OU=Net_Groups,OU=Resources_and_Services,DC=cons,DC=tsk,DC=ru",
}
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 1 # 1 hour cache
# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
# Quick-start development settings - unsuitable for production
if AUTH_METHOD == 'ldap':
import ldap
from django_auth_ldap.config import LDAPSearch, ActiveDirectoryGroupType
AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend',
'django.contrib.auth.backends.ModelBackend',
)
AUTH_LDAP_SERVER_URI = LDAP_SERVER
AUTH_LDAP_BIND_DN = LDAP_BIND_DN
AUTH_LDAP_BIND_PASSWORD = LDAP_BIND_PW
AUTH_LDAP_USER_SEARCH = LDAPSearch(LDAP_USEARCH_PATH, ldap.SCOPE_SUBTREE,
"(&(objectClass=User)(name=%(user)s))")
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(LDAP_GSEARCH_PATH, ldap.SCOPE_SUBTREE,
"(objectClass=Group)")
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
AUTH_LDAP_USER_FLAGS_BY_GROUP = dict()
if ACTIVE_GRP:
AUTH_LDAP_USER_FLAGS_BY_GROUP['is_active'] = ACTIVE_GRP
if STAFF_GRP:
AUTH_LDAP_USER_FLAGS_BY_GROUP['is_staff'] = STAFF_GRP
if SUPERUSER_GRP:
AUTH_LDAP_USER_FLAGS_BY_GROUP['is_superuser'] = SUPERUSER_GRP
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
AUTH_LDAP_REQUIRE_GROUP = LDAP_ALLOW_GRP
# The following OPT_REFERRALS option is CRUCIAL for getting this
# working with MS Active Directory it seems, unfortunately I have
# no idea why; it just hangs if you don't set it to 0 for us.
# to use in conjunction with 'NameOIDCAB' backend. Set at least one group for each variable as this is the only way to have administrator (except local database)
OIDC_IS_STAFF_GROUP_NAMES = ['${openid.groups.isstaff}']
OIDC_IS_SUPERUSER_GROUP_NAMES = ['${openid.groups.issuperuser}']
# -------- LDAP Authentication -------------------
AUTH_LDAP_GLOBAL_OPTIONS = {ldap.OPT_REFERRALS: 0}
# first LDAP server configuration
AUTH_LDAP_1_SERVER_URI = "${ldap.url}"
AUTH_LDAP_1_BIND_DN = '${ldap.user}'
AUTH_LDAP_1_BIND_PASSWORD = '******'
AUTH_LDAP_1_USER_SEARCH = LDAPSearch("${ldap.base}", ldap.SCOPE_SUBTREE,
"(${ldap.object.class}=%(user)s)")
AUTH_LDAP_1_GROUP_SEARCH = LDAPSearch("${ldap.base}", ldap.SCOPE_SUBTREE,
"(objectClass=group)")
AUTH_LDAP_1_GROUP_TYPE = ActiveDirectoryGroupType()
AUTH_LDAP_1_USER_FLAGS_BY_GROUP = {
# authenticated users will be active
# "is_active": (LDAPGroupQuery("${ldap.group.admin}") |
# LDAPGroupQuery("${ldap.group.edit}")),
"is_staff": "${ldap.group.edit}",
"is_superuser": "******"
}
# second LDAP server configuration (uncomment "seleniumRobotServer.ldapbackends.LDAPBackend2" in AUTHENTICATION_BACKENDS to use it)
AUTH_LDAP_2_SERVER_URI = "${ldap.2.url}"
AUTH_LDAP_2_BIND_DN = '${ldap.2.user}'
AUTH_LDAP_2_BIND_PASSWORD = '******'
AUTH_LDAP_2_USER_SEARCH = LDAPSearch("${ldap.2.base}", ldap.SCOPE_SUBTREE,
"(${ldap.2.object.class}=%(user)s)")
AUTH_LDAP_2_GROUP_SEARCH = LDAPSearch("${ldap.2.base}", ldap.SCOPE_SUBTREE,
# Matching LDAP user group to user settings (superuser / active)
AUTH_LDAP_USER_FLAGS_BY_GROUP = {}
if RDRF_AUTH_LDAP_ALLOW_SUPERUSER:
AUTH_LDAP_USER_FLAGS_BY_GROUP['is_superuser'] = RDRF_AUTH_LDAP_IS_SUPERUSER_GROUP
if not RDRF_AUTH_LDAP_FORCE_ISACTIVE:
AUTH_LDAP_USER_FLAGS_BY_GROUP['is_active'] = RDRF_AUTH_LDAP_IS_ACTIVE_GROUP
# LDAP Group Search settings.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(RDRF_AUTH_LDAP_BIND_GROUP, ldap.SCOPE_SUBTREE,
f"({RDRF_AUTH_LDAP_GROUP_SEARCH_FIELD}={RDRF_AUTH_LDAP_GROUP_SEARCH_FIELD_VALUE})")
if RDRF_AUTH_LDAP_GROUP_SEARCH_TYPE == "posix":
AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr=RDRF_AUTH_LDAP_GROUP_TYPE_ATTR)
elif RDRF_AUTH_LDAP_GROUP_SEARCH_TYPE == "groupofnames":
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr=RDRF_AUTH_LDAP_GROUP_TYPE_ATTR)
elif RDRF_AUTH_LDAP_GROUP_SEARCH_TYPE == "activedirectory":
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType(name_attr=RDRF_AUTH_LDAP_GROUP_TYPE_ATTR)
AUTH_LDAP_FIND_GROUP_PERMS = env.get("auth_ldap_find_group_perms", DEV_LDAP_GROUP_PERMS)
AUTH_LDAP_CACHE_GROUPS = env.get("auth_ldap_cache_groups", DEV_LDAP_CACHE_GROUPS)
AUTH_LDAP_GROUP_CACHE_TIMEOUT = env.get("auth_ldap_group_cache_timeout", DEV_LDAP_CACHE_TIMEOUT)
# Security: set required LDAP group (user must be in this LDAP group to login in RDRF)
AUTH_LDAP_REQUIRE_GROUP = env.get("auth_ldap_require_group", "")
# these determine which authentication method to use
# apps use modelbackend by default, but can be overridden here
# see: https://docs.djangoproject.com/en/dev/ref/settings/#authentication-backends
AUTHENTICATION_BACKENDS = [
'useraudit.password_expiry.AccountExpiryBackend',
'django.contrib.auth.backends.ModelBackend',
'useraudit.backend.AuthFailedLoggerBackend',
