2

The LDAP server which I need to use doesn't support anonymous authentication, so I need to use user credentials, but I don't want to put a username and password in the config. Is there a way to authenticate a user by his credentials?

I can authenticate with a config that looks like this:

import ldap
from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion

AUTH_LDAP_SERVER_URI = 'ldap://ldap.host.name'
AUTH_LDAP_BIND_DN = 'username'
AUTH_LDAP_BIND_PASSWORD = 'password'
# Search both OUs; %(user)s is replaced by the login name at authentication time
AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
    LDAPSearch('OU=MyOU,DC=MyDC,DC=MySiteName,DC=com', ldap.SCOPE_SUBTREE,
               '(&(memberOf=CN=MyGroup,OU=MyRole,DC=MyDC,DC=MySiteName,DC=com)(sAMAccountName=%(user)s))'),
    LDAPSearch('OU=MyOtherOU,DC=MyDC,DC=MySiteName,DC=com', ldap.SCOPE_SUBTREE,
               '(&(memberOf=CN=MyOtherGroup,OU=MyRole,DC=MyDC,DC=MySiteName,DC=com)(sAMAccountName=%(user)s))'),
)

or this (without any additional data):

AUTH_LDAP_SERVER_URI = 'ldap://ldap.host.name'
AUTH_LDAP_USER_DN_TEMPLATE = '%(user)s'

With the second way I can't use a union search, so I can't use it, but it can authenticate without a password. I don't know how, and I can't find any information about it.

Is there a way to use the first way and not put the password in the config?

sebaszw

2 Answers

0

Can you log in to an LDAP server as a user in order to locate the user to log in with? I'm going to go with no. If I'm understanding the question, you want something logically impossible.

If you're worried about checking credentials into source control or something, you should put them in a file on the server and read them into settings.py at runtime.

psagers
  • Why logically impossible? I've got the login and password, so this is everything I need to search in LDAP. Inside the search method I can check if the user meets additional needs. I think it is a rational question :) – sebaszw Jun 12 '14 at 05:39
  • In order to log in to LDAP as the authenticating user, you need their DN and password. You don't have their DN, since that's the thing you're trying to log in to LDAP in order to find. If you could deduce their DN from their username, you could just use AUTH_LDAP_USER_DN_TEMPLATE. In your case, you need the user's DN in order to find the user's DN. The only solution is to have some static credentials to bootstrap your way in. – psagers Jun 12 '14 at 18:11
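As an added example (not code from either answer), one way to follow the advice above of keeping the static bind credentials in a file on the server rather than in settings.py or source control. The loader, the JSON layout and the path /etc/myapp/ldap_bind.json are assumptions for illustration; the loader refuses a credentials file that other accounts on the host can read, and the demo values are constructed, not real credentials.

```python
import json
import os
import stat
import tempfile


def credentials_file_is_private(path):
    """True if the file is accessible by its owner only (mode 0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def load_ldap_bind_credentials(path):
    """Return (bind_dn, bind_password) from a JSON file kept outside the repo.

    Files that group or world can access are refused so a careless deploy
    does not silently expose the service-account password.
    """
    if not credentials_file_is_private(path):
        raise PermissionError("%s must be owner-only (chmod 600)" % path)
    with open(path) as fh:
        data = json.load(fh)
    for key in ("bind_dn", "bind_password"):
        if not data.get(key):
            raise ValueError("%s is missing %r" % (path, key))
    return data["bind_dn"], data["bind_password"]


def write_credentials_file(path, bind_dn, bind_password, mode=0o600):
    """Write the JSON credentials file and force the requested permission bits."""
    with open(path, "w") as fh:
        json.dump({"bind_dn": bind_dn, "bind_password": bind_password}, fh)
    os.chmod(path, mode)


def demo():
    """Constructed demonstration: a private file loads, a world-readable one is rejected."""
    tmp = tempfile.mkdtemp()
    # Constructed service-account values for the demo; not real credentials.
    dn = "CN=svc-django,OU=Service,DC=MyDC,DC=MySiteName,DC=com"
    good = os.path.join(tmp, "ldap_bind.json")
    write_credentials_file(good, dn, "example-only")
    leaky = os.path.join(tmp, "ldap_bind_leaky.json")
    write_credentials_file(leaky, dn, "example-only", mode=0o644)
    try:
        load_ldap_bind_credentials(leaky)
        leaky_rejected = False
    except PermissionError:
        leaky_rejected = True
    return {"loaded": load_ldap_bind_credentials(good), "leaky_rejected": leaky_rejected}


# In settings.py (the path is an assumption), instead of literal secrets:
# AUTH_LDAP_BIND_DN, AUTH_LDAP_BIND_PASSWORD = load_ldap_bind_credentials("/etc/myapp/ldap_bind.json")

if __name__ == "__main__":
    print(demo())
```

The file should be owned by the account the Django process runs as and created with mode 600 at deploy time; the permission check turns a quiet exposure into a startup failure.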
0

If I understand you correctly, you can leave AUTH_LDAP_BIND_PASSWORD blank in settings.py and update it in your view with the user-submitted password from a form before calling the authenticate() method, like this:

from django.conf import settings
from django.contrib import auth
from django.shortcuts import redirect


def auth_and_login(request, onsuccess='/', onfail='/login/'):
    if request.method == 'POST':
        username = request.POST['user']
        password = request.POST['password']

        # Replace the process-wide bind password with the submitted one
        # before the LDAP backend runs
        settings.AUTH_LDAP_BIND_PASSWORD = password
        user = auth.authenticate(username=username, password=password)

        if user is not None and user.is_active:
            auth.login(request, user)
            return redirect(onsuccess)
        else:
            return redirect(onfail)
    # Non-POST requests go back to the login page
    return redirect(onfail)
Frank Fang