For connecting Django auth to LDAP.
""" | |
Add below to settings.py | |
AUTHENTICATION_BACKENDS = ( | |
'ldapBackend.LDAPBackend', | |
'django.contrib.auth.backends.ModelBackend', | |
) | |
Requires the python-ldap package (imported below as ``ldap``). Fill in
AUTH_LDAP_SERVER, AUTH_LDAP_BASE_USER and AUTH_LDAP_BASE_PASS before use;
they are empty placeholders in this file.
code from http://www.carthage.edu/webdev/?p=12 | |
""" | |
import ldap
import ldap.filter
from django.contrib.auth.models import User
# Constants
# binding info
# Host passed to ldap.open() in LDAPBackend.authenticate (empty placeholder here).
AUTH_LDAP_SERVER = ""
# Service account used for the initial bind that runs the user search.
# NOTE(review): these two are secrets -- load them from settings or the
# environment rather than committing real values to this file.
AUTH_LDAP_BASE_USER = ""
AUTH_LDAP_BASE_PASS = ""
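class LDAPBackend:
    """Django authentication backend that checks credentials against LDAP.

    Flow: bind with the service account (AUTH_LDAP_BASE_USER), search for
    exactly one entry whose cn matches the username, then re-bind as that
    user with the supplied password.  On success the matching Django User
    is returned; it is created on first login only for names present in
    bib_control_users / reserves_users / special_collections_users, which
    are expected to be defined elsewhere in this module.
    """

    def authenticate(self, username=None, password=None):
        """Return the Django User for ``username`` if LDAP accepts ``password``, else None.

        Never raises on LDAP trouble: every failure path returns None so
        Django can fall through to the next backend in AUTHENTICATION_BACKENDS.
        """
        # Refuse empty credentials up front.  An LDAP simple bind with an
        # empty password is an *unauthenticated* bind (RFC 4513 section
        # 5.1.2) and succeeds on many directories, which would have logged
        # anyone in as any known user.  This also removes the AttributeError
        # the original hit on username=None.
        if not username or not password:
            return None
        username = username.lower()

        # adjust
        base = "dc=sample, dc=edu"
        scope = ldap.SCOPE_SUBTREE
        # Escape the username before interpolating it into the filter so a
        # value such as "*)(cn=" cannot change the query (LDAP injection).
        # NOTE(review): "(sAMAccountName=person)" is kept verbatim; it only
        # matches an account literally named "person" and looks like it was
        # meant to be "(objectClass=person)" -- confirm before relying on it.
        search_filter = "(&(sAMAccountName=person) (cn=%s))" % (
            ldap.filter.escape_filter_chars(username),
        )
        attrs = ['dn']

        # Authenticate the base user so we can search
        try:
            conn = ldap.open(AUTH_LDAP_SERVER)
            conn.protocol_version = ldap.VERSION3
            conn.simple_bind_s(AUTH_LDAP_BASE_USER, AUTH_LDAP_BASE_PASS)
        except ldap.LDAPError:
            return None

        try:
            # If your LDAP server allows anonymous search the bind above may
            # be unnecessary.  search_s returns every match, so the count
            # check below is meaningful (result(..., all=0) in the original
            # only ever handed back a single entry, so it could not detect
            # an ambiguous match).
            result_data = conn.search_s(base, scope, search_filter, attrs)
            # If the user does not exist (or is ambiguous) in LDAP, fail.
            if len(result_data) != 1:
                return None
            # Attempt to bind as the user; UPN form, as Active Directory accepts.
            conn.simple_bind_s(username + "@school.edu", password)
        except ldap.INVALID_CREDENTIALS:
            # Name or password were bad. Fail.
            return None
        except ldap.LDAPError:
            # Server or search error: fail closed instead of raising into the view.
            return None
        finally:
            # Always release the connection; the original never unbound it.
            try:
                conn.unbind_s()
            except ldap.LDAPError:
                pass

        # The user existed and authenticated. Get the Django user record, or
        # create one with no privileges.
        try:
            return User.objects.get(username__exact=username)
        except User.DoesNotExist:
            # Narrowed from a bare except so a database error is not mistaken
            # for "user not yet provisioned".
            pass

        # Only provision accounts for names on the allow-lists (defined
        # elsewhere in the module); everyone else gets no Django user.
        if (username not in bib_control_users
                and username not in reserves_users
                and username not in special_collections_users):
            return None

        # A Django User must exist so permissions can be attached, but it must
        # not be usable for a password login that bypasses LDAP.  Django's
        # set_unusable_password() stores a hash that never matches, which is
        # stronger than the 8-letter random.choice() password the original
        # used (random is not a CSPRNG).
        user = User.objects.create_user(username, username + '@school.edu')
        user.set_unusable_password()
        # add user to Admin users
        # NOTE(review): every auto-provisioned LDAP user gets is_staff here;
        # keep only if admin-site access for all three lists is intended.
        user.is_staff = True
        # below is an example of how you could add users to Django groups
        # if username in bib_control_users:
        #     user.groups.add(1)
        # if username in special_collections_users:
        #     user.groups.add(2)
        # if username in reserves_users:
        #     user.groups.add(3)
        user.save()
        # Success.
        return user

    def get_user(self, user_id):
        """Return the User with primary key ``user_id``, or None if there is none."""
        try:
            return User.objects.get(pk=user_id)
        except User.DoesNotExist:
            return None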