
Enable LDAP

Anatoliy Guskov edited this page Apr 16, 2014 · 4 revisions

Login via LDAP can be added fairly simply.

First, uncomment this line in requirements.txt:

#django-auth-ldap==1.2.0

and install it:

$ sudo pip install -r requirements.txt

Rename local_settings.py.example to local_settings.py in the webvirtmgr/local directory and uncomment the following lines, adjusting the server name, bind DN, password and base DNs to your directory:

import ldap
from django_auth_ldap.config import LDAPSearch,GroupOfUniqueNamesType

AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)

AUTH_LDAP_GLOBAL_OPTIONS = {
    # Refuse the connection unless the server certificate validates against a
    # CA found in OPT_X_TLS_CACERTDIR. python-ldap expects one of the
    # OPT_X_TLS_* levels here (DEMAND), not True; OPT_X_TLS_DEMAND is a value,
    # not an option, so it must not be used as a dictionary key.
    ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_DEMAND,
    ldap.OPT_REFERRALS: False,
    ldap.OPT_X_TLS_CACERTDIR: "/etc/pki/tls/certs/",
}

AUTH_LDAP_SERVER_URI = "ldaps://ldapserverhostname.example.com"
AUTH_LDAP_BIND_DN = "uid=binduser,ou=systemusers,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "<ldapbindpassword>"
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=example,dc=com",
    ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=groups,dc=example,dc=com",
    ldap.SCOPE_SUBTREE, "(objectClass=groupOfUniqueNames)"
)
AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": ["cn=grouptopermit1,ou=groups,dc=example,dc=com", "cn=grouptopermit2,ou=groups,dc=example,dc=com"],
    "is_staff": "cn=grouptopermit2,ou=groups,dc=example,dc=com",
    "is_superuser": "cn=grouptopermit2,ou=groups,dc=example,dc=com"
}

In this example LDAPS is required, so both the bind credentials and the users' passwords are encrypted on the way to the LDAP server. Make sure the CA certificate that issued the LDAP server's certificate (or that certificate itself) is trusted by your system: with OPT_X_TLS_CACERTDIR the directory must contain the CA certificate under its OpenSSL hash name (run c_rehash on the directory), or use OPT_X_TLS_CACERTFILE to point at the PEM file directly. If certificate verification is not possible, the python-ldap TLS options let you relax the check (OPT_X_TLS_ALLOW or OPT_X_TLS_NEVER), but then anyone who can intercept the connection can impersonate the server and capture the bind password and every user's login, so treat that as a lab-only setting:

http://python-ldap.org/doc/html/ldap.html#tls-options

The two groups listed for is_active are the groups whose members can log into webvirtmgr (and change anything, since the app currently only checks is_authenticated and not permissions); a user in neither group is created inactive and cannot log in. Members of the second group additionally get is_staff and is_superuser, which gives them access to the Django admin interface (if you have enabled it).
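Before pointing webvirtmgr at the directory it is worth checking that the settings above actually produce the flags you expect. The script below is an added example, not part of the webvirtmgr wiki or of django-auth-ldap: flags_for_user mirrors how a user's group DNs resolve through an AUTH_LDAP_USER_FLAGS_BY_GROUP mapping (a list of groups is an OR, DNs compared case-insensitively), and ldap_preflight binds over LDAPS with certificate verification demanded, runs the same user and group searches as the settings fragment, and returns the groups the user is a uniqueMember of. The group DNs, the base DNs and the sample user are constructed for the example; ldap_preflight needs python-ldap and a reachable server and is only invoked from the command line.

```python
import sys

# Constructed to match the mapping in the settings fragment above: a flag maps
# to one group DN (string) or to a list of group DNs (any of them suffices).
FLAGS_BY_GROUP = {
    "is_active": ["cn=grouptopermit1,ou=groups,dc=example,dc=com",
                  "cn=grouptopermit2,ou=groups,dc=example,dc=com"],
    "is_staff": "cn=grouptopermit2,ou=groups,dc=example,dc=com",
    "is_superuser": "cn=grouptopermit2,ou=groups,dc=example,dc=com",
}


def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around its components, the two ways
    a DN returned by the directory most often differs from a hand-typed one."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def flags_for_user(member_of, flags_by_group):
    """Return {flag: bool} for a user who is a member of the given group DNs.
    A flag is True when the user is in any of its configured groups; a user in
    none of the is_active groups ends up inactive and cannot log in."""
    mine = set(normalize_dn(dn) for dn in member_of)
    result = {}
    for flag, groups in flags_by_group.items():
        if not isinstance(groups, (list, tuple)):
            groups = [groups]
        result[flag] = any(normalize_dn(g) in mine for g in groups)
    return result


def ldap_preflight(uri, bind_dn, bind_pw, user_base, group_base, username,
                   cacertdir="/etc/pki/tls/certs/"):
    """Bind with the service account, find the user, and return its DN plus
    the DNs of the groupOfUniqueNames entries that list it as uniqueMember.
    Uses the same TLS settings as the settings fragment, so a missing or
    unhashed CA certificate fails here instead of at a user's first login."""
    import ldap
    import ldap.filter
    ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, cacertdir)
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    ldap.set_option(ldap.OPT_REFERRALS, 0)
    conn = ldap.initialize(uri)
    conn.simple_bind_s(bind_dn, bind_pw)
    # Escape the username as django-auth-ldap does for %(user)s, so a value
    # like "*)(uid=*" cannot widen the filter.  "1.1" asks for no attributes.
    user_filter = "(uid=%s)" % ldap.filter.escape_filter_chars(username)
    users = conn.search_s(user_base, ldap.SCOPE_SUBTREE, user_filter, ["1.1"])
    if len(users) != 1:
        raise SystemExit("expected exactly one user entry, got %d" % len(users))
    user_dn = users[0][0]
    group_filter = "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))" % (
        ldap.filter.escape_filter_chars(user_dn))
    groups = conn.search_s(group_base, ldap.SCOPE_SUBTREE, group_filter, ["1.1"])
    conn.unbind_s()
    return user_dn, [dn for dn, _ in groups]


if __name__ == "__main__":
    if len(sys.argv) != 6:
        raise SystemExit("usage: ldap_preflight.py URI BIND_DN USER_BASE "
                         "GROUP_BASE USERNAME")
    import getpass
    uri, bind_dn, user_base, group_base, username = sys.argv[1:]
    # The bind password is prompted for rather than taken from argv, where it
    # would be visible to every local user via ps.
    user_dn, member_of = ldap_preflight(uri, bind_dn,
                                        getpass.getpass("bind password: "),
                                        user_base, group_base, username)
    print("user:   %s" % user_dn)
    print("groups: %s" % (", ".join(member_of) or "(none)"))
    for flag, value in sorted(flags_for_user(member_of, FLAGS_BY_GROUP).items()):
        print("%-13s %s" % (flag + ":", value))
```

Run it as the same OS user and on the same host as webvirtmgr, so the OPT_X_TLS_CACERTDIR lookup exercises the same certificate store the application will use; a user who is reported with is_active False will be rejected at login even though the bind itself succeeded.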

There is further information in the django-auth-ldap documentation if you need it:

http://pythonhosted.org/django-auth-ldap/
