matthias/mayan-edms
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update example LDAP authentication settings file

Browse Source 
Signed-off-by: Roberto Rosario <roberto.rosario@mayan-edms.com>
This commit is contained in:
Roberto Rosario
2019-11-20 00:29:09 -04:00
parent 6b2aeaf421
commit af70f881eb
1 changed files with 114 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

153
contrib/settings/ldap_connection_settings.py
View File

@@ -1,64 +1,139 @@
from __future__ import absolute_import from __future__ import absolute_import
# Install Python LDAP with:
# $ pip install python-ldap
# or if using Docker, pass the environment variable MAYAN_PIP_INSTALLS:
# -e MAYAN_PIP_INSTALLS=python-ldap
import ldap import ldap
from django_auth_ldap.config import LDAPSearch
from .base import * # NOQA from django_auth_ldap.config import (
from django.contrib.auth import get_user_model LDAPSearch, LDAPSearchUnion, NestedActiveDirectoryGroupType
)
SECRET_KEY = '<your secret key>' from mayan.settings.production import *
# makes sure this works in Active Directory # Makes sure this works in Active Directory
ldap.set_option(ldap.OPT_REFERRALS, 0) ldap.set_option(ldap.OPT_REFERRALS, False)
# This is the default, but I like to be explicit. # Turn of debug output, turn this off when everything is working as expected
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1)
# Default: True
AUTH_LDAP_ALWAYS_UPDATE_USER = True AUTH_LDAP_ALWAYS_UPDATE_USER = True
LDAP_USER_AUTO_CREATION = "False" # Use TLS to talk to the LDAP server
LDAP_URL = "ldap://<your ldap server IP>:389/" # Requires acquiring the server's certificate
LDAP_BASE_DN = "dc=paramatrix,dc=co,dc=in" # $ openssl s_client -connect <LDAP server>:636
LDAP_ADDITIONAL_USER_DN = "dc=people" # Part of the output of this file will be the Base-64 encoded .cer file
LDAP_ADMIN_DN = "" # that was presented for LDAPS. Cut and paste into a file beginning at
LDAP_PASSWORD = "" # "-Begin Certificate" through "-End Certificate--" and save as a .crt, for
# example: ldapserver.crt
# $ CERT=ldapserver.crt
# $ cp /root/$CERT /usr/share/ca-certificates/$CERT
# # notice the + sign which tells to activate the certificate.
# $ echo "+$CERT" >/etc/ca-certificates/update.d/activate_my_cert
# $ dpkg-reconfigure ca-certificates;
AUTH_LDAP_START_TLS = False
LDAP_ADDITIONAL_USER_DN = 'dc=people'
LDAP_ADMIN_DN = ''
LDAP_BASE_DN = 'dc=<top level dc>,dc=co,dc=in'
LDAP_PASSWORD = ''
LDAP_USER_AUTO_CREATION = 'False'
LDAP_URL = 'ldap://<LDAP server>:389/'
AUTH_LDAP_SERVER_URI = LDAP_URL
AUTH_LDAP_BIND_DN = LDAP_ADMIN_DN AUTH_LDAP_BIND_DN = LDAP_ADMIN_DN
AUTH_LDAP_BIND_PASSWORD = LDAP_PASSWORD AUTH_LDAP_BIND_PASSWORD = LDAP_PASSWORD
AUTH_LDAP_SERVER_URI = LDAP_URL
# Simple search
AUTH_LDAP_USER_SEARCH = LDAPSearch( AUTH_LDAP_USER_SEARCH = LDAPSearch(
'%s,%s' % (LDAP_ADDITIONAL_USER_DN, LDAP_BASE_DN), '%s,%s' % (LDAP_ADDITIONAL_USER_DN, LDAP_BASE_DN),
ldap.SCOPE_SUBTREE, '(uid=%(user)s)' ldap.SCOPE_SUBTREE, '(uid=%(user)s)'
) )
# If you need to search in more than one place for a user, you can use
# LDAPSearchUnion. This takes multiple LDAPSearch objects and returns the
# union of the results. The precedence of the underlying searches is
# unspecified.
# https://django-auth-ldap.readthedocs.io/en/latest/authentication.html
# AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
# LDAPSearch(
# 'ou=Users,ou=Admin,dc=<top level DC>,dc=local', ldap.SCOPE_SUBTREE,
# '(samaccountname=%(user)s)'
# ),
# LDAPSearch(
# 'ou=Users,ou=<second OU>,dc=<top level DC>,dc=local',
# ldap.SCOPE_SUBTREE, '(samaccountname=%(user)s)'
# ),
# LDAPSearch(
# 'ou=Users,ou=<third OU>,dc=<top level DC>,dc=local',
# ldap.SCOPE_SUBTREE, '(samaccountname=%(user)s)'
# ),
# )
# User attributes to map from LDAP to Mayan's user model.
AUTH_LDAP_USER_ATTR_MAP = { AUTH_LDAP_USER_ATTR_MAP = {
'first_name': 'cn', 'first_name': 'cn',
'last_name': 'sn', 'last_name': 'sn',
'email': 'mail' 'email': 'mail'
} }
# Another example map
# AUTH_LDAP_USER_ATTR_MAP = {
# 'username': 'sAMAccountName',
# 'first_name': 'givenName',
# 'last_name': 'sn',
# 'email': 'mail'
# }
# Only string fields can be mapped to attributes. Boolean fields can be
# defined by group membership:
# AUTH_LDAP_USER_FLAGS_BY_GROUP = {
# 'is_active': 'cn=active,ou=groups,dc=example,dc=com',
# 'is_staff': (
# LDAPGroupQuery('cn=staff,ou=groups,dc=example,dc=com')
# | LDAPGroupQuery('cn=admin,ou=groups,dc=example,dc=com')
# ),
# 'is_superuser': 'cn=superuser,ou=groups,dc=example,dc=com',
# }
# Simple group search
# AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
# 'ou=groups,dc=example,dc=com', ldap.SCOPE_SUBTREE, '(objectClass=groupOfNames)'
# )
# AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
# Advanced group search
# AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion(
# LDAPSearch(
# 'ou=Domain Global,OU=Security,OU=Groups,OU=<OU>,dc=<top level DC>,dc=local',
# ldap.SCOPE_SUBTREE,
# '(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'
# ),
# LDAPSearch(
# 'ou=Domain Global,OU=Security,OU=Groups,OU=<OU>,dc=<top level DC>,dc=local',
# ldap.SCOPE_SUBTREE,
# '(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'
# ),
# )
# AUTH_LDAP_CACHE_GROUPS = True
# AUTH_LDAP_FIND_GROUP_PERMS = False
# AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType()
# AUTH_LDAP_MIRROR_GROUPS = True
# To minimize traffic to the LDAP server, LDAPBackend can make use of
# Djangos cache framework to keep a copy of a users LDAP group memberships.
# To enable this feature, set AUTH_LDAP_CACHE_TIMEOUT, which determines
# the timeout of cache entries in seconds.
# AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
# Limiting Access
# The simplest use of groups is to limit the users who are allowed to log in.
# If AUTH_LDAP_REQUIRE_GROUP is set, then only users who are members of that
# group will successfully authenticate. AUTH_LDAP_DENY_GROUP is the reverse:
# if given, members of this group will be rejected.
# AUTH_LDAP_REQUIRE_GROUP = 'cn=enabled,ou=groups,dc=example,dc=com'
# AUTH_LDAP_DENY_GROUP = 'cn=disabled,ou=groups,dc=example,dc=com'
AUTHENTICATION_BACKENDS = ( AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend', 'django_auth_ldap.backend.LDAPBackend',
'mayan.settings.settings_local.EmailOrUsernameModelBackend',
) )
class EmailOrUsernameModelBackend(object):
"""
This is a ModelBacked that allows authentication with either a username or an email address.
"""
def authenticate(self, username=None, password=None):
if '@' in username:
kwargs = {'email': username}
else:
kwargs = {'username': username}
try:
user = get_user_model().objects.get(**kwargs)
if user.check_password(password):
return user
except get_user_model().DoesNotExist:
return None
def get_user(self, username):
try:
return get_user_model().objects.get(pk=username)
except get_user_model().DoesNotExist:
return None