Ticket #2507: backends.py.diff

backends.py

@@ -1 +1 @@
-from django.contrib.auth.models import User
+from django.conf import settings
-
-class ModelBackend:
-    """
@@ -19 +20 @@
-            return User.objects.get(pk=user_id)
-        except User.DoesNotExist:
-            return None
+
+class LDAPBackend(object):
+    """
+    Authenticate a user against LDAP.
+    Requires python-ldap to be installed.
+
+    Requires the following things to be in settings.py:
+    LDAP_BINDDN -- string of the LDAP dn to use for binding
+    LDAP_SEARCHDN -- string of the LDAP dn to use for searching
+    LDAP_BIND_ATTRIBUTE -- string of the LDAP attribute to use in binding
+        also used to search for a user.
+    LDAP_SERVER_URI -- string, ldap uri
+    LDAP_SCOPE -- one of: ldap.SCOPE_*, used for searching
+        ldap.SCOPE_BASE = 0
+        ldap.SCOPE_ONELEVEL = 1
+        ldap.SCOPE_SUBTREE = 2
+        see python-ldap docs for the search function
+    LDAP_UPDATE_FIELDS -- boolean, do we sync the db with ldap with each auth
+
+    Required unless LDAP_FULL_NAME is set:
+    LDAP_FIRST_NAME -- string, LDAP attribute to get the given name from
+    LDAP_LAST_NAME -- string, LDAP attribute to get the last name from
+
+    Optional Settings:
+    LDAP_FULL_NAME -- string, LDAP attribute to get name from, splits on ' '
+    LDAP_GID -- string, LDAP attribute to get group name/number from
+    LDAP_SU_GIDS -- list of strings, group names/numbers that are superusers
+    LDAP_STAFF_GIDS -- list of strings, group names/numbers that are staff
+    LDAP_EMAIL = string, LDAP attribute to get email from
+    LDAP_DEFAULT_EMAIL_SUFFIX = string, appened to username if no email found
+
+    Not yet implemented Settings:
+    LDAP_SSL = boolean, whether to use ssl or not
+
+    How Binds Work:
+    LDAP_BINDDN = 'ou=people,dc=example,dc=com'
+    LDAP_BIND_ATTRIBUTE = 'uid'
+    # The bind would be performed via:
+    # uid=username,ou=people,dc=example,dc=com
+    """ 
+    import ldap
+
+    def authenticate(self, username=None, password=None):
+        l = ldap.initialize(settings.LDAP_SERVER_URI)
+
+        if not username and password is not Null: # we need a user/pass
+            l.unbind_s()
+            return None
+
+        bind_string = "%s=%s,%s" % (settings.LDAP_BIND_ATTRIBUTE, username,
+                settings.LDAP_BINDDN)
+        try:
+            l.bind_s(bind_string, password)
+        except ldap.INVALID_CREDENTIALS: # Failed user/pass
+            l.unbind_s()
+            return None
+
+        try:
+            user = User.objects.get(username=username)
+        except User.DoesNotExist:
+            user = None
+
+        if user is not None:
+            if settings.LDAP_UPDATE_FIELDS:
+                LDAPBackend.update_user(l, user)
+        else:
+            user = LDAPBackend.get_ldap_user(l, username)
+
+        l.unbind_s()
+        return user
+
+    def get_user(self, user_id):
+        try:
+            return User.objects.get(pk=user_id)
+        except:
+            return None
+
+    def get_ldap_user(l, username):
+        """
+        Helper method, makes a user object and call update_user to populate
+        """
+
+        user = User(username=username, password='Made by LDAP')
+        LDAPBackend.update_user(l, user)
+        return user
+    get_ldap_user = staticmethod(get_ldap_user)
+
+    def update_user(l, user):
+        """
+        Helper method, populates a user object with various attributes from
+        LDAP
+        """
+
+        username = user.username
+        filter_str = "%s=%s" % (settings.LDAP_BIND_ATTRIBUTE, username)
+        attrs = l.search_s(settings.LDAP_SEARCHDN, settings.LDAP_SCOPE,
+                filterstr=filter_str)[0][1]
+
+        if (hasattr(settings, 'LDAP_FIRST_NAME')
+                and hasattr(settings, 'LDAP_LAST_NAME')):
+            if (settings.LDAP_FIRST_NAME in attrs
+                    and settings.LDAP_LAST_NAME in attrs):
+                user.first_name = attrs[settings.LDAP_FIRST_NAME][0]
+                user.last_name = attrs[settings.LDAP_LAST_NAME][0]
+            else:
+                raise NameError('Missing needed fields %s or %s in LDAP'
+                        % (settings.LDAP_FIRST_NAME, settings.LDAP_LAST_NAME))
+        elif hasattr(settings, 'LDAP_FULL_NAME'):
+                if settings.LDAP_FULL_NAME in attrs:
+                    tmp = attrs[settings.FULL_NAME_FIELD][0]
+                    user.first_name = tmp.split(' ')[0]
+                    user.last_name = ' '.join(tmp.split(' ')[1:])
+                else:
+                    raise NameError('Required field %s missing in LDAP'
+                            % (settings.LDAP_FULL_NAME))
+        else:
+            raise NameError('Name fields not defined in settings.py')
+
+        if hasattr(settings, 'LDAP_EMAIL') and settings.LDAP_EMAIL in attrs:
+            user.email = attrs[settings.EMAIL_FIELD][0]
+        elif hasattr(settings, 'LDAP_DEFAULT_EMAIL_SUFFIX'):
+            user.email = username + settings.LDAP_DEFAULT_EMAIL_SUFFIX
+
+        if (hasattr(settings, 'LDAP_GID')
+                and settings.LDAP_GID in attrs 
+                and hasattr(settings, 'LDAP_SU_GIDS')
+                and attrs[settings.LDAP_GID][0] in settings.LDAP_SU_GIDS):
+            user.is_superuser = True
+            user.is_staff = True
+        elif (hasattr(settings, 'LDAP_GID')
+                and settings.LDAP_GID in attrs 
+                and hasattr(settings, 'LDAP_STAFF_GIDS')
+                and attrs[settings.LDAP_GID][0] in settings.LDAP_STAFF_GIDS):
+            user.is_superuser = False
+            user.is_staff = True
+        else:
+            user.is_superuser = False
+            user.is_staff = False
+
+        user.save()
+    update_user = staticmethod(update_user)