| | 1047 | LDAP authentication backend |
|---|
| | 1048 | --------------------------- |
|---|
| | 1049 | |
|---|
| | 1050 | Django can also authenticate users against an ldap implementation, such as OpenLDAP. |
|---|
| | 1051 | To use this backend, in settings.py, ``AUTHENTICATION_BACKENDS`` should read:: |
|---|
| | 1052 | |
|---|
| | 1053 | ('django.contrib.auth.contrib.ldapauth.LDAPBackend',) |
|---|
| | 1054 | |
|---|
| | 1055 | The LDAP backend needs several additional settings in your settings.py. |
|---|
| | 1056 | ``LDAP_SERVER_URI`` -- string, ldap uri. |
|---|
| | 1057 | default: 'ldap://localhost' |
|---|
| | 1058 | ``LDAP_SEARCHDN`` -- string of the LDAP dn to use for searching |
|---|
| | 1059 | default: 'dc=localhost' |
|---|
| | 1060 | ``LDAP_SCOPE`` -- one of: ldap.SCOPE_*, used for searching |
|---|
| | 1061 | see python-ldap docs for the search function |
|---|
| | 1062 | default = ldap.SCOPE_SUBTREE |
|---|
| | 1063 | ``LDAP_SEARCH_FILTER`` -- formated string, the filter to use for searching for a |
|---|
| | 1064 | user. Used as: filterstr = LDAP_SEARCH_FILTER % username |
|---|
| | 1065 | default = 'cn=%s' |
|---|
| | 1066 | ``LDAP_UPDATE_FIELDS`` -- boolean, do we sync the db with ldap on each auth |
|---|
| | 1067 | default = True |
|---|
| | 1068 | |
|---|
| | 1069 | Required unless LDAP_FULL_NAME is set: |
|---|
| | 1070 | ``LDAP_FIRST_NAME`` -- string, LDAP attribute to get the given name from |
|---|
| | 1071 | ``LDAP_LAST_NAME`` -- string, LDAP attribute to get the last name from |
|---|
| | 1072 | |
|---|
| | 1073 | Optional Settings: |
|---|
| | 1074 | ``LDAP_FULL_NAME`` -- string, LDAP attribute to get name from, splits on ' ' |
|---|
| | 1075 | ``LDAP_GID`` -- string, LDAP attribute to get group name/number from |
|---|
| | 1076 | ``LDAP_SU_GIDS`` -- list of strings, group names/numbers that are superusers |
|---|
| | 1077 | ``LDAP_STAFF_GIDS`` -- list of strings, group names/numbers that are staff |
|---|
| | 1078 | ``LDAP_EMAIL`` -- string, LDAP attribute to get email from |
|---|
| | 1079 | ``LDAP_DEFAULT_EMAIL_SUFFIX`` -- string, appened to username if no email found |
|---|
| | 1080 | ``LDAP_OPTIONS`` -- hash, python-ldap global options and their values |
|---|
| | 1081 | {ldap.OPT_X_TLS_CACERTDIR: '/etc/ldap/ca/'} |
|---|
| | 1082 | |
|---|
| | 1083 | You must pick a method for determining the DN of a user and set the needed settings: |
|---|
| | 1084 | * You can set ``LDAP_BINDDN`` and ``LDAP_BIND_ATTRIBUTE`` like:: |
|---|
| | 1085 | |
|---|
| | 1086 | ``LDAP_BINDDN`` = 'ou=people,dc=example,dc=com' |
|---|
| | 1087 | ``LDAP_BIND_ATTRIBUTE`` = 'uid' |
|---|
| | 1088 | |
|---|
| | 1089 | and the user DN would be: |
|---|
| | 1090 | |
|---|
| | 1091 | 'uid=%s,ou=people,dc=example,dc=com' % username |
|---|
| | 1092 | |
|---|
| | 1093 | * Look for the DN on the directory, this is what will happen if you do |
|---|
| | 1094 | not define the LDAP_BINDDN setting. In that case you may need to |
|---|
| | 1095 | define LDAP_PREBINDDN and LDAP_PREBINDPW if your LDAP server does not |
|---|
| | 1096 | allow anonymous queries. The search will be performed with the |
|---|
| | 1097 | LDAP_SEARCH_FILTER setting. |
|---|
| | 1098 | |
|---|
| | 1099 | * Override the _pre_bind() method, which receives the ldap object and |
|---|
| | 1100 | the username as it's parameters and should return the DN of the user. |
|---|
| | 1101 | |
|---|
