Django: authenticating against remote LDAP user - simple example?
I'm using django_a开发者_JS百科uth_ldap - we have an existing User database, and an external LDAP system that shares usernames with the User database I already have.
I could really do with a simple example of how to
- get a user's local name (they're signed into a Windows LDAP system - can I get it the username from the browser somehow?)
- authenticate it against the remote Windows LDAP server
- use this in a Django template (just displaying the name would be fine)
Could anyone provide the (hopefully) few lines of code for a simple example of how to do this?
thanks!
In your python setting file add line
AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.ActiveDirectoryGroupMembershipSSLBackend',
'django.contrib.auth.backends.ModelBackend'
)
Here is my code just replace it with your information. Save this file as backend.py Place the file into a folder called django_auth_ldap. Make sure the folder has the __init.py inside.
import ldap;
from django.contrib.auth.models import User, Group
class ActiveDirectoryGroupMembershipSSLBackend:
#Required parameters
AD_DNS_NAME ='your remote ldap server location';
AD_LDAP_PORT = 636
AD_LDAP_URL = 'ldaps://%s' % AD_DNS_NAME;
AD_SEARCH_DN = 'dc=bbc,dc=ad,dc=bcc,dc=net'; # this is your search dn
AD_NT4_DOMAIN = 'bbc.ad.bbc.net'; #its your ad domain
AD_SEARCH_FIELDS = ['mail','givenName','sn','sAMAccountName','memberOf'];
AD_MEMBERSHIP_REQ = ['Group_Required','Alternative_Group'];
AD_CERT_FILE = "C:/player/Python/Application/cert/mycert.cer";
AD_DEBUG = False;
AD_DEBUG_FILE ='';
def authenticate(self,username=None,password=None):
try:
if len(password) == 0:
return None
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 2)
l = ldap.initialize(self.AD_LDAP_URL)
l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
binddn = "%s@%s" % (username,self.AD_NT4_DOMAIN)
l.simple_bind_s(binddn,password)
l.unbind_s()
return self.get_or_create_user(username,password)
except ImportError:
pass
except ldap.INVALID_CREDENTIALS:
pass
def get_or_create_user(self, username, password):
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
try:
# debug info
debug=0
if len(self.AD_DEBUG_FILE) > 0:
if self.AD_DEBUG:
debug = open(self.AD_DEBUG_FILE,'w')
print >>debug, "create user %s" % username
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,self.AD_CERT_FILE)
ldap.set_option(ldap.OPT_REFERRALS,0) # DO NOT TURN THIS OFF OR SEARCH WON'T WORK!
# initialize
if debug:
print >>debug, 'ldap.initialize...'
l = ldap.initialize(self.AD_LDAP_URL)
l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
# bind
if debug:
print >>debug, 'bind...'
binddn = "%s@%s" % (username,self.AD_NT4_DOMAIN)
l.bind_s(binddn,password)
# search
if debug:
print >>debug, 'search...'
result = l.search_ext_s(self.AD_SEARCH_DN,ldap.SCOPE_SUBTREE,"sAMAccountName=%s" % username,self.AD_SEARCH_FIELDS)[0][1]
if debug:
print >>debug, result
# Validate that they are a member of review board group
if result.has_key('memberOf'):
membership = result['memberOf']
else:
membership = None
if debug:
print >>debug, "required:%s" % self.AD_MEMBERSHIP_REQ
bValid=0
for req_group in self.AD_MEMBERSHIP_REQ:
if debug:
print >>debug, "Check for %s group..." % req_group
for group in membership:
group_str="CN=%s," % req_group
if group.find(group_str) >= 0:
if debug:
print >>debug, "User authorized: group_str membership found!"
bValid=1
break
if bValid == 0:
if debug:
print >>debug, "User not authorized, correct group membership not found!"
return None
# get email
if result.has_key('mail'):
mail = result['mail'][0]
else:
mail = None
if debug:
print >>debug, "mail=%s" % mail
# get surname
if result.has_key('sn'):
last_name = result['sn'][0]
else:
last_name = None
if debug:
print >>debug, "sn=%s" % last_name
# get display name
if result.has_key('givenName'):
first_name = result['givenName'][0]
else:
first_name = None
if debug:
print >>debug, "first_name=%s" % first_name
l.unbind_s()
user = User(username=username,first_name=first_name,last_name=last_name,email=mail)
except Exception, e:
if debug:
print >>debug, "exception caught!"
print >>debug, e
return None
user.is_staff = False
user.is_superuser = False
user.set_password('ldap authenticated')
user.save()
# add user to default group
group=Group.objects.get(pk=1)
if debug:
print >>debug, group
if debug:
print >>debug, "add %s to group %s" % (username,group)
user.groups.add(group)
user.save()
if debug:
print >>debug, "successful group add"
if debug:
debug.close()
return user
def get_user(self, user_id):
try:
return User.objects.get(pk=user_id)
except User.DoesNotExist:
return None
Are you trying to get some Single Sign On solution working for your MS Windows users?
Then you'll find all the hints you need in http://docs.djangoproject.com/en/dev/howto/auth-remote-user/
加载中,请稍侯......
精彩评论