Ticket #2507: ldap.3.diff

django/conf/global_settings.py

@@ -296 +296 @@
-##################
-
-AUTHENTICATION_BACKENDS = ('django.contrib.auth.backends.ModelBackend',)
+
+# Defaults for LDAPBackend
+LDAP_SERVER_URI = 'ldap://localhost'
+LDAP_SEARCHDN = 'dc=localhost'
+LDAP_SCOPE = 2  # ldap.SCOPE_SUBTREE
+LDAP_SEARCH_FILTER = 'cn=%s'
+LDAP_UPDATE_FIELDS = True
+LDAP_BIND_DN = 'dc=localhost'
+LDAP_BIND_ATTRIBUTE = 'dn'

django/contrib/auth/backends.py

@@ -1 +1 @@
-from django.contrib.auth.models import User
+from django.conf import settings
-
-class ModelBackend:
-    """
@@ -19 +20 @@
-            return User.objects.get(pk=user_id)
-        except User.DoesNotExist:
-            return None
+
+class LDAPBackend(object):
+    """
+    Authenticate a user against LDAP.
+    Requires python-ldap to be installed.
+
+    Requires the following things to be in settings.py:
+    LDAP_SERVER_URI -- string, ldap uri.
+        default: 'ldap://localhost'
+    LDAP_SEARCHDN -- string of the LDAP dn to use for searching
+        default: 'dc=localhost'
+    LDAP_SCOPE -- one of: ldap.SCOPE_*, used for searching
+        ldap.SCOPE_BASE = 0
+        ldap.SCOPE_ONELEVEL = 1
+        ldap.SCOPE_SUBTREE = 2
+        see python-ldap docs for the search function
+        default = ldap.SCOPE_SUBTREE
+    LDAP_SEARCH_FILTER -- formated string, the filter to use for searching for a
+        user. Used as: filterstr = LDAP_SEARCH_FILTER % username
+        default = 'cn=%s'
+    LDAP_UPDATE_FIELDS -- boolean, do we sync the db with ldap on each auth
+        default = True
+
+    Bind Options (Required unless _pre_bind() is overridden):
+    LDAP_BINDDN -- string of the LDAP dn to use for binding
+    LDAP_BIND_ATTRIBUTE -- string of the LDAP attribute to use in binding.
+
+    Required unless LDAP_FULL_NAME is set:
+    LDAP_FIRST_NAME -- string, LDAP attribute to get the given name from
+    LDAP_LAST_NAME -- string, LDAP attribute to get the last name from
+
+    Optional Settings:
+    LDAP_FULL_NAME -- string, LDAP attribute to get name from, splits on ' '
+    LDAP_GID -- string, LDAP attribute to get group name/number from
+    LDAP_SU_GIDS -- list of strings, group names/numbers that are superusers
+    LDAP_STAFF_GIDS -- list of strings, group names/numbers that are staff
+    LDAP_EMAIL -- string, LDAP attribute to get email from
+    LDAP_DEFAULT_EMAIL_SUFFIX -- string, appened to username if no email found
+    LDAP_OPTIONS -- hash, python-ldap global options and their values
+        {ldap.OPT_X_TLS_CACERTDIR: '/etc/ldap/ca/'}
+
+    How binding is done:
+    LDAP_BINDDN = 'ou=people,dc=example,dc=com'
+    LDAP_BIND_ATTRIBUTE = 'uid'
+    # The bind would be performed via:
+    # uid=username,ou=people,dc=example,dc=com
+
+    By inheriting this class you can change:
+    * How the dn to bind with is produced by overriding _pre_bind()
+    * What type of user object to use by overriding: _get_user_by_name(), 
+      _create_user_object(), and get_user()
+    See mk_pre_auth.__doc__ for more information on overriding _pre_bind()
+    """ 
+    import ldap
+
+    def authenticate(self, username=None, password=None):
+        import ldap
+        if not username and password is not None: # we need a user/pass
+            return None
+
+        if hasattr(settings, 'LDAP_OPTIONS'):
+            for k in settings.LDAP_OPTIONS:
+                ldap.set_option(k, settings.LDAP_OPTIONS[k])
+
+        l = ldap.initialize(settings.LDAP_SERVER_URI)
+
+        bind_string = self._pre_bind(l, username)
+
+        try:
+            l.bind_s(bind_string, password)
+        except ldap.INVALID_CREDENTIALS: # Failed user/pass
+            l.unbind_s()
+            return None
+
+        try:
+            user = self._get_user_by_name(username)
+        except User.DoesNotExist:
+            user = None
+
+        if user is not None:
+            if settings.LDAP_UPDATE_FIELDS:
+                self._update_user(l, user)
+        else:
+            user = self._get_ldap_user(l, username)
+
+        l.unbind_s()
+        return user
+
+# Functions provided to override to customize to your LDAP configuration.
+    def _pre_bind(self, l, username):
+        """
+        Function that returns the dn to bind against ldap with.
+        called as: self._pre_bind(ldapobject, username)
+        """
+        return "%s=%s,%s" % (settings.LDAP_BIND_ATTRIBUTE, username,
+                settings.LDAP_BINDDN)
+    
+    def _get_user_by_name(self, username):
+        """
+        Returns an object of contrib.auth.models.User that has a matching
+        username.
+        called as: self._get_user_by_name(username)
+        """
+        return User.objects.get(username=username)
+
+    def _create_user_object(self, username, password):
+        """
+        Creates and returns an object of contrib.auth.models.User.
+        called as: self._create_user_object(username, password)
+        """
+        return User(username=username, password=password)
+
+    # Required for an authentication backend
+    def get_user(self, user_id):
+        try:
+            return User.objects.get(pk=user_id)
+        except:
+            return None
+# End of functions to override
+
+    def _get_ldap_user(self, l, username):
+        """
+        Helper method, makes a user object and call update_user to populate
+        """
+
+        # Generate a random password string.
+        from random import choice
+        import string
+        password = ''.join([choice(string.printable) for i in range(10)])
+
+        user = self._create_user_object(username, password)
+        self._update_user(l, user)
+        return user
+
+    def _update_user(self, l, user):
+        """
+        Helper method, populates a user object with various attributes from
+        LDAP.
+        """
+
+        username = user.username
+        filter = settings.LDAP_SEARCH_FILTER % username
+
+        # Get results of search and make sure something was found.
+        # At this point this shouldn't fail.
+        hold = l.search_s(settings.LDAP_SEARCHDN, settings.LDAP_SCOPE,
+                filter)
+        if len(hold) < 1:
+            raise AssertionError('No results found with: %s' % (filter))
+
+        attrs = hold[0][1]
+
+        if (hasattr(settings, 'LDAP_FIRST_NAME')
+                and hasattr(settings, 'LDAP_LAST_NAME')):
+            if (settings.LDAP_FIRST_NAME in attrs
+                    and settings.LDAP_LAST_NAME in attrs):
+                user.first_name = attrs[settings.LDAP_FIRST_NAME][0]
+                user.last_name = attrs[settings.LDAP_LAST_NAME][0]
+            else:
+                raise NameError('Missing needed fields %s or %s in LDAP'
+                        % (settings.LDAP_FIRST_NAME, settings.LDAP_LAST_NAME))
+        elif hasattr(settings, 'LDAP_FULL_NAME'):
+                if settings.LDAP_FULL_NAME in attrs:
+                    tmp = attrs[settings.FULL_NAME_FIELD][0]
+                    user.first_name = tmp.split(' ')[0]
+                    user.last_name = ' '.join(tmp.split(' ')[1:])
+                else:
+                    raise NameError('Required field %s missing in LDAP'
+                            % (settings.LDAP_FULL_NAME))
+        else:
+            raise NameError('Name fields not defined in settings.py')
+
+        if hasattr(settings, 'LDAP_EMAIL') and settings.LDAP_EMAIL in attrs:
+            user.email = attrs[settings.EMAIL_FIELD][0]
+        elif hasattr(settings, 'LDAP_DEFAULT_EMAIL_SUFFIX'):
+            user.email = username + settings.LDAP_DEFAULT_EMAIL_SUFFIX
+
+        if (hasattr(settings, 'LDAP_GID')
+                and settings.LDAP_GID in attrs 
+                and hasattr(settings, 'LDAP_SU_GIDS')
+                and attrs[settings.LDAP_GID][0] in settings.LDAP_SU_GIDS):
+            user.is_superuser = True
+            user.is_staff = True
+        elif (hasattr(settings, 'LDAP_GID')
+                and settings.LDAP_GID in attrs 
+                and hasattr(settings, 'LDAP_STAFF_GIDS')
+                and attrs[settings.LDAP_GID][0] in settings.LDAP_STAFF_GIDS):
+            user.is_superuser = False
+            user.is_staff = True
+        else:
+            user.is_superuser = False
+            user.is_staff = False
+
+        user.save()
+
+    def mk_pre_auth_bind(auth_user, auth_pass,
+            search_base=settings.LDAP_SEARCHDN,
+            search_scope=settings.LDAP_SCOPE,
+            search_filter=settings.LDAP_SEARCH_FILTER):
+        """
+        Returns a function, to be used to override pre_bind().
+        auth_user -- string, ldap formatted user to bind with
+        auth_pass -- string, password for auth_user
+        search_base -- string, base for the ldap search
+        search_filter -- string, ldap search filter to use, %'d with username
+        search_scope -- ldap.SCOPE_* value, search scope
+
+        Used in a child class:
+        class MyLDAPBackend(LDAPBackend):
+            pre_bind = LDAPBackend.mk_pre_auth_bind('dn=Me,dc=example,dc=com',
+                    'pass')
+        which defaults to:
+        class MyLDAPBackend(LDAPBackend):
+            pre_bind = LDAPBackend.mk_pre_auth_bind('dn=Me,dc=example,dc=com',
+                    'pass', LDAP_SEARCHDN, LDAP_SCOPE, LDAP_SEARCH_FILTER)
+        or you can customize it:
+        class MyLDAPBackend(LDAPBackend):
+            pre_bind = LDAPBackend.mk_pre_auth_bind('dn=Me,dc=example,dc=com',
+                    'pass', 'ou=people,dc=example,dc=com'',
+                    ldap.SCOPE_SUBTREE, '(&(objectclass=person) (cn=%s))')
+        """
+        def pre_auth_bind(l, user): 
+            try: 
+                l.simple_bind_s(auth_user, auth_pass)
+            except ldap.LDAPError:
+                return None
+
+            filter = search_filter % user
+
+            result = l.search_s(search_base, search_scope, filter,
+                    attrsonly=1)
+
+            if len(result) != 1:
+                return None
+
+            return result[0][0]
+        return pre_auth_bind