| 23 | |
| 24 | class LDAPBackend(object): |
| 25 | """ |
| 26 | Authenticate a user against LDAP. |
| 27 | Requires python-ldap to be installed. |
| 28 | |
| 29 | Requires the following things to be in settings.py: |
| 30 | LDAP_BINDDN -- string of the LDAP dn to use for binding |
| 31 | LDAP_SEARCHDN -- string of the LDAP dn to use for searching |
| 32 | LDAP_BIND_ATTRIBUTE -- string of the LDAP attribute to use in binding |
| 33 | also used to search for a user. |
| 34 | LDAP_SERVER_URI -- string, ldap uri |
| 35 | LDAP_SCOPE -- one of: ldap.SCOPE_*, used for searching |
| 36 | ldap.SCOPE_BASE = 0 |
| 37 | ldap.SCOPE_ONELEVEL = 1 |
| 38 | ldap.SCOPE_SUBTREE = 2 |
| 39 | see python-ldap docs for the search function |
| 40 | LDAP_UPDATE_FIELDS -- boolean, do we sync the db with ldap with each auth |
| 41 | |
| 42 | Required unless LDAP_FULL_NAME is set: |
| 43 | LDAP_FIRST_NAME -- string, LDAP attribute to get the given name from |
| 44 | LDAP_LAST_NAME -- string, LDAP attribute to get the last name from |
| 45 | |
| 46 | Optional Settings: |
| 47 | LDAP_FULL_NAME -- string, LDAP attribute to get name from, splits on ' ' |
| 48 | LDAP_GID -- string, LDAP attribute to get group name/number from |
| 49 | LDAP_SU_GIDS -- list of strings, group names/numbers that are superusers |
| 50 | LDAP_STAFF_GIDS -- list of strings, group names/numbers that are staff |
| 51 | LDAP_EMAIL = string, LDAP attribute to get email from |
| 52 | LDAP_DEFAULT_EMAIL_SUFFIX = string, appened to username if no email found |
| 53 | |
| 54 | Not yet implemented Settings: |
| 55 | LDAP_SSL = boolean, whether to use ssl or not |
| 56 | |
| 57 | How Binds Work: |
| 58 | LDAP_BINDDN = 'ou=people,dc=example,dc=com' |
| 59 | LDAP_BIND_ATTRIBUTE = 'uid' |
| 60 | # The bind would be performed via: |
| 61 | # uid=username,ou=people,dc=example,dc=com |
| 62 | """ |
| 63 | import ldap |
| 64 | |
| 65 | def authenticate(self, username=None, password=None): |
| 66 | l = ldap.initialize(settings.LDAP_SERVER_URI) |
| 67 | |
| 68 | if not username and password is not Null: # we need a user/pass |
| 69 | l.unbind_s() |
| 70 | return None |
| 71 | |
| 72 | bind_string = "%s=%s,%s" % (settings.LDAP_BIND_ATTRIBUTE, username, |
| 73 | settings.LDAP_BINDDN) |
| 74 | try: |
| 75 | l.bind_s(bind_string, password) |
| 76 | except ldap.INVALID_CREDENTIALS: # Failed user/pass |
| 77 | l.unbind_s() |
| 78 | return None |
| 79 | |
| 80 | try: |
| 81 | user = User.objects.get(username=username) |
| 82 | except User.DoesNotExist: |
| 83 | user = None |
| 84 | |
| 85 | if user is not None: |
| 86 | if settings.LDAP_UPDATE_FIELDS: |
| 87 | LDAPBackend.update_user(l, user) |
| 88 | else: |
| 89 | user = LDAPBackend.get_ldap_user(l, username) |
| 90 | |
| 91 | l.unbind_s() |
| 92 | return user |
| 93 | |
| 94 | def get_user(self, user_id): |
| 95 | try: |
| 96 | return User.objects.get(pk=user_id) |
| 97 | except: |
| 98 | return None |
| 99 | |
| 100 | def get_ldap_user(l, username): |
| 101 | """ |
| 102 | Helper method, makes a user object and call update_user to populate |
| 103 | """ |
| 104 | |
| 105 | user = User(username=username, password='Made by LDAP') |
| 106 | LDAPBackend.update_user(l, user) |
| 107 | return user |
| 108 | get_ldap_user = staticmethod(get_ldap_user) |
| 109 | |
| 110 | def update_user(l, user): |
| 111 | """ |
| 112 | Helper method, populates a user object with various attributes from |
| 113 | LDAP |
| 114 | """ |
| 115 | |
| 116 | username = user.username |
| 117 | filter_str = "%s=%s" % (settings.LDAP_BIND_ATTRIBUTE, username) |
| 118 | attrs = l.search_s(settings.LDAP_SEARCHDN, settings.LDAP_SCOPE, |
| 119 | filterstr=filter_str)[0][1] |
| 120 | |
| 121 | if (hasattr(settings, 'LDAP_FIRST_NAME') |
| 122 | and hasattr(settings, 'LDAP_LAST_NAME')): |
| 123 | if (settings.LDAP_FIRST_NAME in attrs |
| 124 | and settings.LDAP_LAST_NAME in attrs): |
| 125 | user.first_name = attrs[settings.LDAP_FIRST_NAME][0] |
| 126 | user.last_name = attrs[settings.LDAP_LAST_NAME][0] |
| 127 | else: |
| 128 | raise NameError('Missing needed fields %s or %s in LDAP' |
| 129 | % (settings.LDAP_FIRST_NAME, settings.LDAP_LAST_NAME)) |
| 130 | elif hasattr(settings, 'LDAP_FULL_NAME'): |
| 131 | if settings.LDAP_FULL_NAME in attrs: |
| 132 | tmp = attrs[settings.FULL_NAME_FIELD][0] |
| 133 | user.first_name = tmp.split(' ')[0] |
| 134 | user.last_name = ' '.join(tmp.split(' ')[1:]) |
| 135 | else: |
| 136 | raise NameError('Required field %s missing in LDAP' |
| 137 | % (settings.LDAP_FULL_NAME)) |
| 138 | else: |
| 139 | raise NameError('Name fields not defined in settings.py') |
| 140 | |
| 141 | if hasattr(settings, 'LDAP_EMAIL') and settings.LDAP_EMAIL in attrs: |
| 142 | user.email = attrs[settings.EMAIL_FIELD][0] |
| 143 | elif hasattr(settings, 'LDAP_DEFAULT_EMAIL_SUFFIX'): |
| 144 | user.email = username + settings.LDAP_DEFAULT_EMAIL_SUFFIX |
| 145 | |
| 146 | if (hasattr(settings, 'LDAP_GID') |
| 147 | and settings.LDAP_GID in attrs |
| 148 | and hasattr(settings, 'LDAP_SU_GIDS') |
| 149 | and attrs[settings.LDAP_GID][0] in settings.LDAP_SU_GIDS): |
| 150 | user.is_superuser = True |
| 151 | user.is_staff = True |
| 152 | elif (hasattr(settings, 'LDAP_GID') |
| 153 | and settings.LDAP_GID in attrs |
| 154 | and hasattr(settings, 'LDAP_STAFF_GIDS') |
| 155 | and attrs[settings.LDAP_GID][0] in settings.LDAP_STAFF_GIDS): |
| 156 | user.is_superuser = False |
| 157 | user.is_staff = True |
| 158 | else: |
| 159 | user.is_superuser = False |
| 160 | user.is_staff = False |
| 161 | |
| 162 | user.save() |
| 163 | update_user = staticmethod(update_user) |