
I am authenticating Django users against an Active Directory (LDAP) database using django-auth-ldap.

Our convention for sAMAccountName (typically the unique identifier for an AD account) is firstname.surname. It is possible that this value will change for a logical user. For example, their surname might change on marriage or divorce.

We are also requiring users to log in using their email prefix rather than their sAMAccountName, for ease of use. In the majority of cases, this value is the same as sAMAccountName. However, in some cases a user has two email addresses (1. legal name, 2. English/Western-friendly name). In other cases, email and sAMAccountName differ for historical reasons.

In all cases (AD identifier changes, two email identifiers for one user, email identifier != sAMAccountName) multiple valid LDAP authentications should map to the same logical Django user -- they should not trigger the creation of multiple, independent User objects.

How can we configure authentication for this scenario?

  • Aliases. If it is possible to map a Django user onto a "Primary" user, rather than multiple authentications on the same user, that would be an acceptable solution.
  • Alternate libraries. If another well-maintained Django/LDAP authentication library will do the job (e.g. django-auth-ldap-ng)
lofidevops
  • Nothing in Django would prohibit mapping multiple AD users to a single Django User. How you go about that depends entirely on the Django authentication backend that you're using. – psagers Jul 05 '16 at 01:38
  • @psagers updated question to mention backend (django-auth-ldap) - open to suggestions to switch it – lofidevops Jul 05 '16 at 12:32

1 Answer


django-auth-ldap has a documented mechanism to let you customize the user-creation process. By subclassing the backend and overriding this method, you can map LDAP users to Django users any way you like.

psagers
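The hook the answer refers to is today called `LDAPBackend.get_or_build_user(self, username, ldap_user)` (it was `get_or_create_user` in the 2016-era releases) and must return `(user, built)`. The following is an added example, not code from the question, the answer or the django-auth-ldap project: it shows the core idea of keying the Django user on the AD object's `objectGUID`, which survives a sAMAccountName change and is identical no matter which login string (sAMAccountName, either e-mail prefix) the LDAP search resolved, so every case in the question lands on one user. To run without Django or an AD server it uses an in-memory `UserStore` and a `User` stand-in with an assumed `ad_guid` profile field; the `ldap_user.attrs` dict-of-lists shape and the 16-byte binary `objectGUID` value are how AD and django-auth-ldap present the data, but check that your django-auth-ldap version hands the raw bytes through unchanged.

```python
"""Map several LDAP logins onto one Django user by keying on objectGUID.

Added example (not django-auth-ldap code). Mirrors the (username, ldap_user)
-> (user, built) contract of LDAPBackend.get_or_build_user with an in-memory
user store so it runs offline. Sample AD objects below are constructed.
"""
import uuid
from dataclasses import dataclass, field
from types import SimpleNamespace


@dataclass
class User:
    """Stand-in for django.contrib.auth.models.User plus a profile column."""
    username: str
    email: str
    ad_guid: str                 # assumption: profile field holding objectGUID
    logins: list = field(default_factory=list)


class UserStore:
    """Stand-in for the User table; real code would use the ORM."""
    def __init__(self):
        self._by_guid, self._by_username = {}, {}

    def get_by_guid(self, guid):
        return self._by_guid.get(guid)

    def username_taken(self, username):
        return username in self._by_username

    def add(self, user):
        self._by_guid[user.ad_guid] = user
        self._by_username[user.username] = user
        return user

    def rename(self, user, new_username):
        del self._by_username[user.username]
        user.username = new_username
        self._by_username[new_username] = user

    def count(self):
        return len(self._by_guid)


def object_guid(attrs):
    """AD returns objectGUID as 16 raw bytes in little-endian GUID order."""
    raw = attrs["objectGUID"][0]
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def get_or_build_user(store, username, ldap_user):
    """Return (user, built) for the AD object that just authenticated.

    `username` is whatever the person typed (sAMAccountName or an e-mail
    prefix) and is deliberately NOT used as the identity key.
    """
    attrs = ldap_user.attrs
    guid = object_guid(attrs)
    sam = attrs["sAMAccountName"][0]
    mail = attrs["mail"][0]

    user = store.get_by_guid(guid)
    if user is not None:
        # Same AD object, possibly renamed (e.g. surname change): follow the
        # current sAMAccountName unless that would collide with another user.
        if user.username != sam and not store.username_taken(sam):
            store.rename(user, sam)
        user.logins.append(username)
        return user, False

    user = store.add(User(username=sam, email=mail, ad_guid=guid))
    user.logins.append(username)
    return user, True


def run_scenario():
    """Constructed logins covering the three cases from the question."""
    store = UserStore()
    alice_guid = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
    bob_guid = bytes.fromhex("00112233445566778899aabbccddeeff")

    def ad_object(sam, mail, guid):
        # Shape of ldap_user.attrs: attribute name -> list of values.
        return SimpleNamespace(attrs={"sAMAccountName": [sam],
                                      "mail": [mail], "objectGUID": [guid]})

    alice = ad_object("alice.smith", "alice.smith@example.com", alice_guid)
    alice_renamed = ad_object("alice.jones", "alice.jones@example.com", alice_guid)
    bob = ad_object("bob.lee", "bob.lee@example.com", bob_guid)

    results = []
    for typed, obj in [("alice.smith", alice),          # sAMAccountName login
                       ("alice", alice),                # 2nd e-mail prefix, same object
                       ("alice.jones", alice_renamed),  # surname changed in AD
                       ("bob.lee", bob)]:               # a different person
        user, built = get_or_build_user(store, typed, obj)
        results.append((user.ad_guid, user.username, built))
    return store, results
```

In a real deployment the body of `get_or_build_user` goes into a subclass of `django_auth_ldap.backend.LDAPBackend` that you list in `AUTHENTICATION_BACKENDS`, with the `UserStore` calls replaced by ORM lookups on the profile field. Keying on `objectGUID` also avoids the opposite failure mode: a new hire who receives a departed colleague's recycled sAMAccountName gets a fresh Django user rather than inheriting the old one.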