diff --git a/contrib/settings/ldap_connection_settings.py b/contrib/settings/ldap_connection_settings.py
index 6ae809a3be..a708ae9fb9 100644
--- a/contrib/settings/ldap_connection_settings.py
+++ b/contrib/settings/ldap_connection_settings.py
@@ -1,64 +1,139 @@ from __future__ import absolute_import +# Install Python LDAP with: +# $ pip install python-ldap +# or if using Docker, pass the environment variable MAYAN_PIP_INSTALLS: +# -e MAYAN_PIP_INSTALLS=python-ldap import ldap -from django_auth_ldap.config import LDAPSearch -from .base import * # NOQA -from django.contrib.auth import get_user_model +from django_auth_ldap.config import ( + LDAPSearch, LDAPSearchUnion, NestedActiveDirectoryGroupType +) -SECRET_KEY = '' +from mayan.settings.production import * -# makes sure this works in Active Directory -ldap.set_option(ldap.OPT_REFERRALS, 0) +# Makes sure this works in Active Directory +ldap.set_option(ldap.OPT_REFERRALS, False) -# This is the default, but I like to be explicit. +# Turn of debug output, turn this off when everything is working as expected +ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1) + +# Default: True AUTH_LDAP_ALWAYS_UPDATE_USER = True -LDAP_USER_AUTO_CREATION = "False" -LDAP_URL = "ldap://:389/" -LDAP_BASE_DN = "dc=paramatrix,dc=co,dc=in" -LDAP_ADDITIONAL_USER_DN = "dc=people" -LDAP_ADMIN_DN = "" -LDAP_PASSWORD = "" +# Use TLS to talk to the LDAP server +# Requires acquiring the server's certificate +# $ openssl s_client -connect :636 +# Part of the output of this file will be the Base-64 encoded .cer file +# that was presented for LDAPS. Cut and paste into a file beginning at +# "-Begin Certificate" through "-End Certificate--" and save as a .crt, for +# example: ldapserver.crt +# $ CERT=ldapserver.crt +# $ cp /root/$CERT /usr/share/ca-certificates/$CERT +# # notice the + sign which tells to activate the certificate. 
+# $ echo "+$CERT" >/etc/ca-certificates/update.d/activate_my_cert +# $ dpkg-reconfigure ca-certificates; +AUTH_LDAP_START_TLS = False + +LDAP_ADDITIONAL_USER_DN = 'dc=people' +LDAP_ADMIN_DN = '' +LDAP_BASE_DN = 'dc=,dc=co,dc=in' +LDAP_PASSWORD = '' +LDAP_USER_AUTO_CREATION = 'False' +LDAP_URL = 'ldap://:389/' -AUTH_LDAP_SERVER_URI = LDAP_URL AUTH_LDAP_BIND_DN = LDAP_ADMIN_DN AUTH_LDAP_BIND_PASSWORD = LDAP_PASSWORD +AUTH_LDAP_SERVER_URI = LDAP_URL - +# Simple search AUTH_LDAP_USER_SEARCH = LDAPSearch( '%s,%s' % (LDAP_ADDITIONAL_USER_DN, LDAP_BASE_DN), ldap.SCOPE_SUBTREE, '(uid=%(user)s)' ) + +# If you need to search in more than one place for a user, you can use +# LDAPSearchUnion. This takes multiple LDAPSearch objects and returns the +# union of the results. The precedence of the underlying searches is +# unspecified. +# https://django-auth-ldap.readthedocs.io/en/latest/authentication.html +# AUTH_LDAP_USER_SEARCH = LDAPSearchUnion( +# LDAPSearch( +# 'ou=Users,ou=Admin,dc=,dc=local', ldap.SCOPE_SUBTREE, +# '(samaccountname=%(user)s)' +# ), +# LDAPSearch( +# 'ou=Users,ou=,dc=,dc=local', +# ldap.SCOPE_SUBTREE, '(samaccountname=%(user)s)' +# ), +# LDAPSearch( +# 'ou=Users,ou=,dc=,dc=local', +# ldap.SCOPE_SUBTREE, '(samaccountname=%(user)s)' +# ), +# ) + +# User attributes to map from LDAP to Mayan's user model. AUTH_LDAP_USER_ATTR_MAP = { 'first_name': 'cn', 'last_name': 'sn', 'email': 'mail' } +# Another example map +# AUTH_LDAP_USER_ATTR_MAP = { +# 'username': 'sAMAccountName', +# 'first_name': 'givenName', +# 'last_name': 'sn', +# 'email': 'mail' +# } +# Only string fields can be mapped to attributes. 
Boolean fields can be +# defined by group membership: +# AUTH_LDAP_USER_FLAGS_BY_GROUP = { +# 'is_active': 'cn=active,ou=groups,dc=example,dc=com', +# 'is_staff': ( +# LDAPGroupQuery('cn=staff,ou=groups,dc=example,dc=com') +# | LDAPGroupQuery('cn=admin,ou=groups,dc=example,dc=com') +# ), +# 'is_superuser': 'cn=superuser,ou=groups,dc=example,dc=com', +# } + +# Simple group search +# AUTH_LDAP_GROUP_SEARCH = LDAPSearch( +# 'ou=groups,dc=example,dc=com', ldap.SCOPE_SUBTREE, '(objectClass=groupOfNames)' +# ) +# AUTH_LDAP_GROUP_TYPE = GroupOfNamesType() + +# Advanced group search +# AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion( +# LDAPSearch( +# 'ou=Domain Global,OU=Security,OU=Groups,OU=,dc=,dc=local', +# ldap.SCOPE_SUBTREE, +# '(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))' +# ), +# LDAPSearch( +# 'ou=Domain Global,OU=Security,OU=Groups,OU=,dc=,dc=local', +# ldap.SCOPE_SUBTREE, +# '(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))' +# ), +# ) +# AUTH_LDAP_CACHE_GROUPS = True +# AUTH_LDAP_FIND_GROUP_PERMS = False +# AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType() +# AUTH_LDAP_MIRROR_GROUPS = True + +# To minimize traffic to the LDAP server, LDAPBackend can make use of +# Django’s cache framework to keep a copy of a user’s LDAP group memberships. +# To enable this feature, set AUTH_LDAP_CACHE_TIMEOUT, which determines +# the timeout of cache entries in seconds. +# AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600 + +# Limiting Access +# The simplest use of groups is to limit the users who are allowed to log in. +# If AUTH_LDAP_REQUIRE_GROUP is set, then only users who are members of that +# group will successfully authenticate. AUTH_LDAP_DENY_GROUP is the reverse: +# if given, members of this group will be rejected. 
+# AUTH_LDAP_REQUIRE_GROUP = 'cn=enabled,ou=groups,dc=example,dc=com' +# AUTH_LDAP_DENY_GROUP = 'cn=disabled,ou=groups,dc=example,dc=com' + AUTHENTICATION_BACKENDS = ( 'django_auth_ldap.backend.LDAPBackend', - 'mayan.settings.settings_local.EmailOrUsernameModelBackend', ) - - -class EmailOrUsernameModelBackend(object): - """ - This is a ModelBacked that allows authentication with either a username or an email address. - """ - def authenticate(self, username=None, password=None): - if '@' in username: - kwargs = {'email': username} - else: - kwargs = {'username': username} - try: - user = get_user_model().objects.get(**kwargs) - if user.check_password(password): - return user - except get_user_model().DoesNotExist: - return None - - def get_user(self, username): - try: - return get_user_model().objects.get(pk=username) - except get_user_model().DoesNotExist: - return None
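Review bot: With `AUTH_LDAP_START_TLS = False` and `LDAP_URL = 'ldap://:389/'`, the bind password placed in `AUTH_LDAP_BIND_PASSWORD` and each user's password in the simple bind performed by `LDAPBackend` travel to the directory unencrypted, and the certificate instructions above the setting never say so; either ship `AUTH_LDAP_START_TLS = True` as the template default or add `# With START_TLS off and a plain ldap:// URL, bind and user passwords cross the network in cleartext.` directly above it. The comment over `ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1)` reads "Turn of debug output, turn this off" while the line sets a non-zero debug level; `# Enable libldap debug output; set back to 0 once the connection works` says what the code does. The commented-out examples use `LDAPGroupQuery` and `GroupOfNamesType`, which the new import line does not bring in, so uncommenting them fails with NameError unless the import is extended. The group-cache paragraph names `AUTH_LDAP_CACHE_TIMEOUT` in the text but `AUTH_LDAP_GROUP_CACHE_TIMEOUT` in the example; those are different settings across django-auth-ldap releases, so the example should match whichever the pinned version honours.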