ldap_connection_settings.py 5.16 KB
Newer Older
1 2
# Ensure this file is not saved as "ldap.py" or you will run
# into name conflicts (https://gitlab.com/mayan-edms/mayan-edms/issues/743)
3 4
# Install Python LDAP with:
# $ pip install python-ldap
5
# or if using Docker, pass the following environment variables:
6 7
# -e MAYAN_PIP_INSTALLS="python-ldap django_auth_ldap"
# -e MAYAN_APT_INSTALLS="libsasl2-dev python3-dev libldap2-dev libssl-dev libgle3 build-essential autoconf libtool pkg-config gcc"
8
# -e MAYAN_SETTINGS_MODULE=mayan_settings.ldap_connection_settings
9 10
import ldap

11 12 13 14
from django_auth_ldap.config import (
    LDAPSearch, LDAPSearchUnion, NestedActiveDirectoryGroupType
)

Roberto Rosario's avatar
Roberto Rosario committed
15
from mayan.settings.production import *  # NOQA
16

17 18
# Makes sure this works in Active Directory
ldap.set_option(ldap.OPT_REFERRALS, False)
19

20 21
# Turn of debug output, turn this off when everything is working as expected
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1)
22

23
# Default: True
24 25
AUTH_LDAP_ALWAYS_UPDATE_USER = True

26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45
# Use TLS to talk to the LDAP server
# Requires acquiring the server's certificate
# $ openssl s_client -connect <LDAP server>:636
# Part of the output of this file will be the Base-64 encoded .cer file
# that was presented for LDAPS. Cut and paste into a file beginning at
# "-Begin Certificate" through "-End Certificate--" and save as a .crt, for
# example: ldapserver.crt
# $ CERT=ldapserver.crt
# $ cp /root/$CERT /usr/share/ca-certificates/$CERT
# # notice the + sign which tells to activate the certificate.
# $ echo "+$CERT" >/etc/ca-certificates/update.d/activate_my_cert
# $ dpkg-reconfigure ca-certificates;
AUTH_LDAP_START_TLS = False

LDAP_ADDITIONAL_USER_DN = 'dc=people'
LDAP_ADMIN_DN = ''
LDAP_BASE_DN = 'dc=<top level dc>,dc=co,dc=in'
LDAP_PASSWORD = ''
LDAP_USER_AUTO_CREATION = 'False'
LDAP_URL = 'ldap://<LDAP server>:389/'
46 47 48

AUTH_LDAP_BIND_DN = LDAP_ADMIN_DN
AUTH_LDAP_BIND_PASSWORD = LDAP_PASSWORD
49
AUTH_LDAP_SERVER_URI = LDAP_URL
50

51
# Simple search
Roberto Rosario's avatar
Roberto Rosario committed
52 53 54 55
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    '%s,%s' % (LDAP_ADDITIONAL_USER_DN, LDAP_BASE_DN),
    ldap.SCOPE_SUBTREE, '(uid=%(user)s)'
)
56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77

# If you need to search in more than one place for a user, you can use
# LDAPSearchUnion. This takes multiple LDAPSearch objects and returns the
# union of the results. The precedence of the underlying searches is
# unspecified.
# https://django-auth-ldap.readthedocs.io/en/latest/authentication.html
# AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
#     LDAPSearch(
#         'ou=Users,ou=Admin,dc=<top level DC>,dc=local', ldap.SCOPE_SUBTREE,
#         '(samaccountname=%(user)s)'
#     ),
#     LDAPSearch(
#         'ou=Users,ou=<second OU>,dc=<top level DC>,dc=local',
#         ldap.SCOPE_SUBTREE, '(samaccountname=%(user)s)'
#     ),
#     LDAPSearch(
#         'ou=Users,ou=<third OU>,dc=<top level DC>,dc=local',
#         ldap.SCOPE_SUBTREE, '(samaccountname=%(user)s)'
#     ),
# )

# User attributes to map from LDAP to Mayan's user model.
78
AUTH_LDAP_USER_ATTR_MAP = {
Roberto Rosario's avatar
Roberto Rosario committed
79 80 81 82
    'first_name': 'cn',
    'last_name': 'sn',
    'email': 'mail'
}
83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138
# Another example map
# AUTH_LDAP_USER_ATTR_MAP = {
#     'username': 'sAMAccountName',
#     'first_name': 'givenName',
#     'last_name': 'sn',
#     'email': 'mail'
# }
# Only string fields can be mapped to attributes. Boolean fields can be
# defined by group membership:
# AUTH_LDAP_USER_FLAGS_BY_GROUP = {
#     'is_active': 'cn=active,ou=groups,dc=example,dc=com',
#     'is_staff': (
#         LDAPGroupQuery('cn=staff,ou=groups,dc=example,dc=com')
#         | LDAPGroupQuery('cn=admin,ou=groups,dc=example,dc=com')
#     ),
#     'is_superuser': 'cn=superuser,ou=groups,dc=example,dc=com',
# }

# Simple group search
# AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
#     'ou=groups,dc=example,dc=com', ldap.SCOPE_SUBTREE, '(objectClass=groupOfNames)'
# )
# AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()

# Advanced group search
# AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion(
#     LDAPSearch(
#         'ou=Domain Global,OU=Security,OU=Groups,OU=<OU>,dc=<top level DC>,dc=local',
#         ldap.SCOPE_SUBTREE,
#         '(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'
#     ),
#     LDAPSearch(
#         'ou=Domain Global,OU=Security,OU=Groups,OU=<OU>,dc=<top level DC>,dc=local',
#         ldap.SCOPE_SUBTREE,
#         '(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'
#     ),
# )
# AUTH_LDAP_CACHE_GROUPS = True
# AUTH_LDAP_FIND_GROUP_PERMS = False
# AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType()
# AUTH_LDAP_MIRROR_GROUPS = True

# To minimize traffic to the LDAP server, LDAPBackend can make use of
# Django’s cache framework to keep a copy of a user’s LDAP group memberships.
# To enable this feature, set AUTH_LDAP_CACHE_TIMEOUT, which determines
# the timeout of cache entries in seconds.
# AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

# Limiting Access
# The simplest use of groups is to limit the users who are allowed to log in.
# If AUTH_LDAP_REQUIRE_GROUP is set, then only users who are members of that
# group will successfully authenticate. AUTH_LDAP_DENY_GROUP is the reverse:
# if given, members of this group will be rejected.
# AUTH_LDAP_REQUIRE_GROUP = 'cn=enabled,ou=groups,dc=example,dc=com'
# AUTH_LDAP_DENY_GROUP = 'cn=disabled,ou=groups,dc=example,dc=com'

139
AUTHENTICATION_BACKENDS = (
Roberto Rosario's avatar
Roberto Rosario committed
140
    'django_auth_ldap.backend.LDAPBackend',
141
)