For connecting Django auth to LDAP.
"""
Add the following to settings.py:
AUTHENTICATION_BACKENDS = (
'ldapBackend.LDAPBackend',
'django.contrib.auth.backends.ModelBackend',
)
Requires python-ldap
code from http://www.carthage.edu/webdev/?p=12
"""
import ldap
from django.contrib.auth.models import User
# Constants
# Binding info for the service account used to search the directory:
# AUTH_LDAP_SERVER is handed to ldap.open(), AUTH_LDAP_BASE_USER and
# AUTH_LDAP_BASE_PASS are the identity and password of the initial bind.
# NOTE(review): the bind password lives in source here; load it from
# settings or the environment rather than committing a real value.
AUTH_LDAP_SERVER = ""
AUTH_LDAP_BASE_USER = ""
AUTH_LDAP_BASE_PASS = ""
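class LDAPBackend:
    """Django authentication backend that verifies credentials against LDAP.

    ``authenticate`` binds with the service account configured in the
    module-level ``AUTH_LDAP_SERVER`` / ``AUTH_LDAP_BASE_USER`` /
    ``AUTH_LDAP_BASE_PASS`` constants, looks the user up, then re-binds with
    the supplied password.  ``get_user`` is the primary-key lookup Django
    requires of every backend.

    ``ldap.open`` speaks plain LDAP unless the server enforces TLS, so both
    the service-account password and the user's password cross the wire in
    clear text; keep the directory on a trusted path or move the connection
    to LDAPS/STARTTLS.
    """

    # Directory search parameters -- adjust for your site.
    BASE_DN = "dc=sample, dc=edu"
    SEARCH_SCOPE = ldap.SCOPE_SUBTREE
    # Suffix appended to the username to form the bind identity / e-mail.
    BIND_SUFFIX = "@school.edu"

    def authenticate(self, username=None, password=None):
        """Return the ``User`` for *username* if LDAP accepts *password*.

        Args:
            username: login name; matched case-insensitively (lower-cased).
            password: clear-text password, verified by binding as the user.

        Returns:
            The matching ``User`` (created on first LDAP login with an
            unusable local password) or ``None`` on any failure.
        """
        # Fail closed on missing input.  An empty password is rejected here
        # on purpose: many directories (Active Directory included) treat a
        # bind with an empty password as an anonymous bind and report
        # success, which would let anyone log in as any known user.
        if not username or not password:
            return None
        username = username.lower()

        # Bind with the service account so we are allowed to search.
        try:
            conn = ldap.open(AUTH_LDAP_SERVER)
            conn.protocol_version = ldap.VERSION3
            conn.simple_bind_s(AUTH_LDAP_BASE_USER, AUTH_LDAP_BASE_PASS)
        except ldap.LDAPError:
            return None

        try:
            if not self._ldap_user_exists(conn, username):
                # Unknown (or ambiguous) user: fail.
                return None
            # Re-bind as the user; a wrong password raises
            # ldap.INVALID_CREDENTIALS, caught below.
            conn.simple_bind_s(username + self.BIND_SUFFIX, password)
        except ldap.LDAPError:
            # Bad name/password, or the directory failed mid-way.  Fail.
            return None
        finally:
            # Release the connection on every path; the original code leaked it.
            try:
                conn.unbind_s()
            except ldap.LDAPError:
                pass

        # The user exists and authenticated: fetch or create the local record.
        return self._local_user_for(username)

    def _ldap_user_exists(self, conn, username):
        """Return True iff exactly one directory entry matches *username*.

        Raises ``ldap.LDAPError`` if the search itself fails.
        """
        import ldap.filter
        # Escape the caller-supplied value so it cannot rewrite the filter
        # (an unescaped "*" or ")(" would widen or alter the match).
        safe_name = ldap.filter.escape_filter_chars(username)
        search_filter = "(&(sAMAccountName=person) (cn=%s))" % safe_name
        results = conn.search_s(self.BASE_DN, self.SEARCH_SCOPE,
                                search_filter, ['dn'])
        # python-ldap reports referrals as (None, [...]) tuples; only real
        # entries count toward the "exactly one match" requirement.
        entries = [entry for entry in results if entry[0] is not None]
        return len(entries) == 1

    def _local_user_for(self, username):
        """Return the Django ``User`` for an LDAP-verified *username*.

        Creates the record on first login for names found in the
        module-level ``bib_control_users``, ``reserves_users`` or
        ``special_collections_users`` collections; any other name gets no
        local account and the login is refused (``None``).
        """
        try:
            return User.objects.get(username__exact=username)
        except User.DoesNotExist:
            pass

        allowed = (username in bib_control_users
                   or username in reserves_users
                   or username in special_collections_users)
        if not allowed:
            return None

        # A User row is needed so the LDAP user can carry permissions, but it
        # must never be usable for a non-LDAP login.  Passing None as the
        # password makes Django mark it unusable, so no guessable hash is
        # stored at all (the original generated a random password with the
        # non-cryptographic ``random`` module for the same purpose).
        user = User.objects.create_user(username, username + self.BIND_SUFFIX, None)
        # Add user to Admin users.
        user.is_staff = True
        # Example of how group membership could be keyed on the same lists:
        #if username in bib_control_users:
        #    user.groups.add(1)
        #if username in special_collections_users:
        #    user.groups.add(2)
        #if username in reserves_users:
        #    user.groups.add(3)
        user.save()
        return user

    def get_user(self, user_id):
        """Return the ``User`` with primary key *user_id*, or ``None``."""
        try:
            return User.objects.get(pk=user_id)
        except User.DoesNotExist:
            return None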