Django authentication backend for LDAP with Active Directory
I created this project since i could not find proper way of doing binding with SASL using django-auth-ldap.
Problem is that not all AD setups support TLS. So if SASL is not used the password and username when doing the bind is sent cleartext over the network. SASL provides some security with for example DIGEST-MD5.
While adding support for django-auth-ldap would have been one option, the library looked too heavy for my usecase, and googling gave me messy looking snippet from snippets i decided to make minimal AD-backend of my own.
Copy the package to your django project root and add it to INSTALLED apps
Required packages: ldap and mockldap for testing
Modify your settings to contain authentication backend, for example
AUTHENTICATION_BACKENDS = ('django.contrib.auth.backends.ModelBackend', 'django-auth-ldap-ad.backend.LDAPBackend')
AUTH_LDAP_SERVER_URI = ["ldap://localhost:389","ldap://remote_host.org:389"]
AUTH_LDAP_SEARCH_DN = "DC=mydomain,DC=org"
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "cn",
"last_name": "sn",
"email": "email"
}
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
# Groups on left side are memberOf key values. If all the groups are found in single entry, then the flag is set to
# True. If no entry contains all required groups then the flag is set False.
"is_superuser" : ["CN=WebAdmin,DC=mydomain"],
# Above example will match on entry "CN=WebAdmin,DC=mydomain,OU=People,OU=Users"
# Above will NOT match "CN=WebAdmin,OU=People,OU=Users" (missing DC=mydomain).
"is_staff" : ["CN=Developer,DC=mydomain","CN=Tester,DC=mydomain"]
# True if one of the conditions is true.
}
# All people that are to be staff are also to belong to this group
AUTH_LDAP_USER_GROUPS_BY_GROUP = {
"AdminGroup" : AUTH_LDAP_USER_FLAGS_BY_GROUP["is_staff"],
}
# Map django user preferences
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "mail"
}I use tcpdump for checking what happens on the wire and and ldapsearch to debug the AD server functionality.
For example:
ldapsearch -LLL -h "ldapdomainhere" -U "myuserid" -w "mypasswordid" -Y DIGEST-MD5 -b "dc=mydomain,dc=org" "SAMAccountName=myusername"for server in configured_servers:
try to open connection and do bind
-> except: server is down -> continue
-> except: bad credentials -> return no login from LDAP backend
try to dosearch and update django user preferences from ldap search response
-> except: no entry found -> return no login from LDAP backendDefault : { ldap.OPT_REFERRALS : 0} Set Ldap connection optios, as in python-ldap options. For the default option, see python ldap faq question 12.
Defaut : ['ldap://localhost'],List of servers to be used. Looped until one response is received (negative or positive).
Example : ['ldap://foo.org','ldap://bar.org']Defaut : { }Dictonary of 'flag_name' : list of 'required groups'. Set user flags (True/False) based on if requirement is met.
The requirement is set met for 'required groups', if the (comma separated) groups are found from single memberOf field entry. If one of the list entries meets the requirement, then the list requirement is met. That is: on match, return True, otherwise, return False.
Example : { 'is_superuser' : [ 'cn=admins,cn=website,ou=IT', 'cn=sysadmin,ou=IT' ] }Defaut : { }Dictonary of 'group name' : list of 'required groups'. Adds user to the group if all requirement is met (see USER_FLAGS_BY_GROUP).
Defaut : { }Dictonary of 'django user attribute' : 'ldap user attribute' . Maps given ldap attributes to django user attributes.
Defaut : 0Set python LDAP trace level, see python-ldap
Defaut : "DIGEST-MD5"Set SASL mechanism, see python-ldap manual.
Defaut : "DC=localdomain,DC=ORG"When performing the user search what to use as startpoint, corresponds to '-b' options in ldapsearch
Default : 'SEARCH_FILTER' : "(SAMAccountName=%(user)s)"With what to filter the search results.
Django 1.4 and Debian 7