3

I have a problem with authenticating users in my Django app. I am using Python 3.5 and Django 1.10.

I wrote a simple bind configuration to check if the user is really a user from the database:

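    from ldap3 import Server, Connection, SUBTREE
    from ldap3.utils.conv import escape_filter_chars

    username = request.POST['username']
    password = request.POST['password']

    server = Server(LDAP_AUTH_URL)
    c = Connection(server, user=LDAP_AUTH_CONNECTION_USERNAME, password=LDAP_AUTH_CONNECTION_PASSWORD)

    c.open()

    # Bind once with the service account
    if c.bind():
        # Escape the user-supplied value so it cannot alter the search filter
        user_search_filter = '(uid={})'.format(escape_filter_chars(username))
        c.search(search_base=LDAP_AUTH_SEARCH_BASE,
                 search_filter=user_search_filter,
                 search_scope=SUBTREE)

        # Rebind only if the search found an entry and a password was sent
        if c.response and password:
            user_dn = c.response[0]['dn']
            if c.rebind(user=user_dn, password=password):
                return HttpResponseRedirect(next)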

But now I don't know what to do with it. In Django we of course have something like this:

    user = authenticate(username=username, password=password)
    if user is not None:
        if user.is_active:
            auth.login(request, user)
            return HttpResponseRedirect(next)
        else:
            return render(request, 'login.html', {'error_message': 'Your account has been disabled'})
    else:
        return render(request, 'login.html', {'error_message': 'Invalid login'})

But in this situation we have to have the user account in our database, not from LDAP authorization.

So I would like to get authorization from Django when I am logging in by LDAP, to have access to any other view with "@login_required".

Maybe something is wrong with my thinking about LDAP and ldap3 for Python >3.

Can anybody help me or give me useful links?

Grzegorz Redlicki

2 Answers

0

Split managing of user authorization.

Add a function to check LDAP auth. Say it will return True/False for the provided credentials.

    def ldap_auth(login, password):
        ...
        return c.bind()

So in the auth view you now need two different conditions for LDAP and non-LDAP users:

    # if it is ldap user check ldap_auth
    # if user doesn't exist locally you could create it manually in case of successful auth
    else:
        user = authenticate(username=username, password=password)

On the frontend you need to somehow specify whether it is an LDAP user or not. Or you can go further and add some logic based on several checks: try to find the user among ordinary users, and if there are no results, try to log in via LDAP.

xiº
  • OK, the first part is clear to me and of course I will do it, but now I am trying to understand. The second part, I know how to do it and probably I will do something like this, but my question was about something like auth for LDAP users. I would like to have access to "@login_required" if I am an LDAP user. Is it possible? Or do I have to make my own functions to do this? – Grzegorz Redlicki Mar 13 '17 at 13:51
  • Just put both parts in a single view as I said above, and you will have that functionality out of the box. If you create users logged in by LDAP in the db, they will be the same users as ordinary users. LDAP in that case is not something special, it is just a way to create/auth users, so there is no reason to somehow specify them – xiº Mar 13 '17 at 14:01
  • So in this situation, if I log in by LDAP I have to make a user, add him to the database and do authorization with him, yes? – Grzegorz Redlicki Mar 13 '17 at 14:07
  • What about the situation when the user changes his password? We have a user with his name, but we cannot log in, but we can log in by LDAP... We cannot create a second user with the same name, and we cannot log in in this situation. – Grzegorz Redlicki Mar 13 '17 at 14:08
  • [link](https://docs.djangoproject.com/en/1.10/topics/auth/customizing/) - this is what was talking about yesterday, I found this but I can give a plus to this user, because of his answer I started to look in another way – Grzegorz Redlicki Mar 14 '17 at 07:28
0

Add a Django authentication backend for LDAP authentication, something like /users/auth/backend.py, and configure this backend in your settings.py so that Django uses it for all login calls.

And add an authenticate() method that implements LDAP auth. You also need to implement the get_user() method.

It is recommended that you sync up a user account from LDAP upon first login, or when you search for the user in Active Directory for the first time from within your app, and maintain a users model for your app.

More info on setting up the authentication backend and synchronizing users can be found here:

Customizing Django Authentication Backend

user4212639
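The backend described in the answer above, written out as an added example (it is not code from either answerer or from Django itself). The class name `LDAPBackend` and the helper names `ldap_password_ok` and `local_user` are hypothetical; the `LDAP_AUTH_*` constants from the question are assumed to be defined in settings.py, and users are assumed to be located by `uid` as in the question.

```python
class LDAPBackend:
    """Verify the password in LDAP, then return a local Django user."""

    def ldap_password_ok(self, username, password):
        # Lazy imports: the module loads even where ldap3/Django are not set up.
        from django.conf import settings  # assumes the LDAP_AUTH_* names live here
        from ldap3 import Server, Connection, SUBTREE
        from ldap3.utils.conv import escape_filter_chars
        conn = Connection(Server(settings.LDAP_AUTH_URL),
                          user=settings.LDAP_AUTH_CONNECTION_USERNAME,
                          password=settings.LDAP_AUTH_CONNECTION_PASSWORD)
        if not conn.bind():
            return False
        try:
            # Escaped so '*', '(' or ')' in the username cannot rewrite the filter.
            conn.search(search_base=settings.LDAP_AUTH_SEARCH_BASE,
                        search_filter='(uid={})'.format(escape_filter_chars(username)),
                        search_scope=SUBTREE)
            dns = [e['dn'] for e in (conn.response or []) if e.get('type') == 'searchResEntry']
            # Require exactly one entry, then test the password by rebinding as it.
            return len(dns) == 1 and bool(conn.rebind(user=dns[0], password=password))
        finally:
            conn.unbind()

    def local_user(self, username):
        from django.contrib.auth import get_user_model
        user, created = get_user_model().objects.get_or_create(username=username)
        if created:
            # No local password is stored, so LDAP stays the only password source.
            user.set_unusable_password()
            user.save()
        return user if user.is_active else None

    def authenticate(self, request=None, username=None, password=None, **kwargs):
        # Never send an empty password: RFC 4513 lets a server treat a DN with an
        # empty password as an "unauthenticated bind" and answer with success.
        if not username or not password:
            return None
        if not self.ldap_password_ok(username, password):
            return None
        return self.local_user(username)

    def get_user(self, user_id):
        from django.contrib.auth import get_user_model
        User = get_user_model()
        try:
            return User.objects.get(pk=user_id)
        except User.DoesNotExist:
            return None
```

Listing the class in `AUTHENTICATION_BACKENDS` ahead of `django.contrib.auth.backends.ModelBackend` makes the `authenticate()` call in the login view try LDAP first; `auth.login()` and `@login_required` then work unchanged.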