matthias/mayan-edms
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Files
1cee2c1a558fc083c1b8cd2976213860cd2ef981
mayan-edms/contrib/settings/ldap_connection_settings.py
Roberto Rosario af70f881eb Update example LDAP authentication settings file 
Signed-off-by: Roberto Rosario <roberto.rosario@mayan-edms.com>
2019-11-20 00:29:09 -04:00

140 lines
4.9 KiB
Python
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
from __future__ import absolute_import
# Install Python LDAP with:
# $ pip install python-ldap
# or if using Docker, pass the environment variable MAYAN_PIP_INSTALLS:
# -e MAYAN_PIP_INSTALLS=python-ldap
import ldap
from django_auth_ldap.config import (
LDAPSearch, LDAPSearchUnion, NestedActiveDirectoryGroupType
)
from mayan.settings.production import *
# Makes sure this works in Active Directory
ldap.set_option(ldap.OPT_REFERRALS, False)
# Turn of debug output, turn this off when everything is working as expected
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1)
# Default: True
AUTH_LDAP_ALWAYS_UPDATE_USER = True
# Use TLS to talk to the LDAP server
# Requires acquiring the server's certificate
# $ openssl s_client -connect <LDAP server>:636
# Part of the output of this file will be the Base-64 encoded .cer file
# that was presented for LDAPS. Cut and paste into a file beginning at
# "-Begin Certificate" through "-End Certificate--" and save as a .crt, for
# example: ldapserver.crt
# $ CERT=ldapserver.crt
# $ cp /root/$CERT /usr/share/ca-certificates/$CERT
# # notice the + sign which tells to activate the certificate.
# $ echo "+$CERT" >/etc/ca-certificates/update.d/activate_my_cert
# $ dpkg-reconfigure ca-certificates;
AUTH_LDAP_START_TLS = False
LDAP_ADDITIONAL_USER_DN = 'dc=people'
LDAP_ADMIN_DN = ''
LDAP_BASE_DN = 'dc=<top level dc>,dc=co,dc=in'
LDAP_PASSWORD = ''
LDAP_USER_AUTO_CREATION = 'False'
LDAP_URL = 'ldap://<LDAP server>:389/'
AUTH_LDAP_BIND_DN = LDAP_ADMIN_DN
AUTH_LDAP_BIND_PASSWORD = LDAP_PASSWORD
AUTH_LDAP_SERVER_URI = LDAP_URL
# Simple search
AUTH_LDAP_USER_SEARCH = LDAPSearch(
'%s,%s' % (LDAP_ADDITIONAL_USER_DN, LDAP_BASE_DN),
ldap.SCOPE_SUBTREE, '(uid=%(user)s)'
)
# If you need to search in more than one place for a user, you can use
# LDAPSearchUnion. This takes multiple LDAPSearch objects and returns the
# union of the results. The precedence of the underlying searches is
# unspecified.
# https://django-auth-ldap.readthedocs.io/en/latest/authentication.html
# AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
# LDAPSearch(
# 'ou=Users,ou=Admin,dc=<top level DC>,dc=local', ldap.SCOPE_SUBTREE,
# '(samaccountname=%(user)s)'
# ),
# LDAPSearch(
# 'ou=Users,ou=<second OU>,dc=<top level DC>,dc=local',
# ldap.SCOPE_SUBTREE, '(samaccountname=%(user)s)'
# ),
# LDAPSearch(
# 'ou=Users,ou=<third OU>,dc=<top level DC>,dc=local',
# ldap.SCOPE_SUBTREE, '(samaccountname=%(user)s)'
# ),
# )
# User attributes to map from LDAP to Mayan's user model.
AUTH_LDAP_USER_ATTR_MAP = {
'first_name': 'cn',
'last_name': 'sn',
'email': 'mail'
}
# Another example map
# AUTH_LDAP_USER_ATTR_MAP = {
# 'username': 'sAMAccountName',
# 'first_name': 'givenName',
# 'last_name': 'sn',
# 'email': 'mail'
# }
# Only string fields can be mapped to attributes. Boolean fields can be
# defined by group membership:
# AUTH_LDAP_USER_FLAGS_BY_GROUP = {
# 'is_active': 'cn=active,ou=groups,dc=example,dc=com',
# 'is_staff': (
# LDAPGroupQuery('cn=staff,ou=groups,dc=example,dc=com')
# | LDAPGroupQuery('cn=admin,ou=groups,dc=example,dc=com')
# ),
# 'is_superuser': 'cn=superuser,ou=groups,dc=example,dc=com',
# }
# Simple group search
# AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
# 'ou=groups,dc=example,dc=com', ldap.SCOPE_SUBTREE, '(objectClass=groupOfNames)'
# )
# AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
# Advanced group search
# AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion(
# LDAPSearch(
# 'ou=Domain Global,OU=Security,OU=Groups,OU=<OU>,dc=<top level DC>,dc=local',
# ldap.SCOPE_SUBTREE,
# '(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'
# ),
# LDAPSearch(
# 'ou=Domain Global,OU=Security,OU=Groups,OU=<OU>,dc=<top level DC>,dc=local',
# ldap.SCOPE_SUBTREE,
# '(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'
# ),
# )
# AUTH_LDAP_CACHE_GROUPS = True
# AUTH_LDAP_FIND_GROUP_PERMS = False
# AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType()
# AUTH_LDAP_MIRROR_GROUPS = True
# To minimize traffic to the LDAP server, LDAPBackend can make use of
# Djangos cache framework to keep a copy of a users LDAP group memberships.
# To enable this feature, set AUTH_LDAP_CACHE_TIMEOUT, which determines
# the timeout of cache entries in seconds.
# AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
# Limiting Access
# The simplest use of groups is to limit the users who are allowed to log in.
# If AUTH_LDAP_REQUIRE_GROUP is set, then only users who are members of that
# group will successfully authenticate. AUTH_LDAP_DENY_GROUP is the reverse:
# if given, members of this group will be rejected.
# AUTH_LDAP_REQUIRE_GROUP = 'cn=enabled,ou=groups,dc=example,dc=com'
# AUTH_LDAP_DENY_GROUP = 'cn=disabled,ou=groups,dc=example,dc=com'
AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend',
)
Reference in New Issue View Git Blame Copy Permalink