Initially create django users from AD

Rolf Håvard Blindheim

Sep 29, 2011, 5:18:11 PM
to django-a...@googlegroups.com
Hello
First of all, this is a great project!

I can now successfully create and log in Django users by assigning them to AD groups. Running Django 1.3, Python 2.7 and python-ldap 2.3, and a Windows 2008 R2 server with AD.
I've spent all day making this work, and just want to share my setup, since I've encountered a few problems along the way.

This is my settings.py. Note that I had to change the user search ldap.SCOPE_SUBTREE to use "sAMAccountName" instead of "uid", as well as using the group search (objectClass=group), and ActiveDirectoryGroupType() GROUP_TYPE.

#===============================================================================
# LDAP CONFIGURATION
#===============================================================================
# Baseline configuration.
import ldap
from django_auth_ldap.config import LDAPSearch, ActiveDirectoryGroupType

# Plain ldap:// (no TLS): the bind password and every user's password
# cross the wire in cleartext.
AUTH_LDAP_SERVER_URI = 'ldap://host.example.local'
AUTH_LDAP_BIND_DN = 'cn=bind_user,cn=Users,dc=example,dc=local'
AUTH_LDAP_BIND_PASSWORD = 'password_here'
# The AD logon name lives in sAMAccountName, not uid. django-auth-ldap
# filter-escapes the %(user)s value before substituting it.
AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=example,dc=local', ldap.SCOPE_SUBTREE, '(sAMAccountName=%(user)s)',)
AUTH_LDAP_GROUP_SEARCH = LDAPSearch('ou=Application_OU,ou=Grupper,dc=example,dc=local', ldap.SCOPE_SUBTREE, '(objectClass=group)')
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()

# Only users in this group can log in.
AUTH_LDAP_REQUIRE_GROUP = 'cn=enabled,ou=Application_OU,ou=Grupper,dc=example,dc=local'

# Populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail'
}

#AUTH_LDAP_PROFILE_ATTR_MAP = {
#    "employee_number": "employeeNumber"
#}

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    'is_active': 'cn=active,ou=Application_OU,ou=Grupper,dc=example,dc=local',
    'is_staff': 'cn=staff,ou=Application_OU,ou=Grupper,dc=example,dc=local',
    'is_superuser': 'cn=superuser,ou=Application_OU,ou=Grupper,dc=example,dc=local'
}

# This is the default, but I like to be explicit.
AUTH_LDAP_ALWAYS_UPDATE_USER = True

# Use LDAP group membership to calculate group permissions.
AUTH_LDAP_FIND_GROUP_PERMS = True

# Cache group memberships for 5 minutes to reduce LDAP traffic. Removing a
# user from a group therefore takes up to 300 s to be noticed.
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 300
AUTH_LDAP_GLOBAL_OPTIONS = {
    # False == 0 == ldap.OPT_X_TLS_NEVER: the server certificate is not
    # verified, so a TLS session could be intercepted. Moot with ldap://.
    ldap.OPT_X_TLS_REQUIRE_CERT: False,
    # AD answers subtree searches at the domain root with referrals; libldap
    # chases them with a fresh anonymous bind by default, which fails.
    ldap.OPT_REFERRALS: False,
}


# Keep ModelBackend around for per-user permissions and maybe a local
# superuser.
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)


However, I've one last issue I can't seem to figure out.
When using AUTH_LDAP_USER_FLAGS_BY_GROUP to set permission flags on the Django user account, I need to add the AD user to all these groups before I log in and the user is created as a Django user.
Shouldn't the user get only the flags set (by adding the user to the desired groups in AD)? If I try to create a Django user by only adding the user to, e.g., the "enabled" and "active" AD groups, it seems natural to me that the Django user which will be created should be able to log in (because he's in the "enabled" group), and have the is_active flag set to True (since he's in the "active" AD group). But this fails with an error like this:

2011-09-29 22:52:23 WARNING django_auth_ldap Caught LDAPError while authenticating username: NO_SUCH_ATTRIBUTE({'info': '00002080: AtrErr: DSID-0308014F, #1:\n\t0: 00002080: DSID-0308014F, problem 1001 (NO_ATTRIBUTE_OR_VAL), data 0, Att 1f (member)\n', 'desc': 'No such attribute'},)

Is this intended behaviour?

Peter Sagerson

Sep 29, 2011, 6:00:54 PM
to django-a...@googlegroups.com
It looks like you're pretty close. As you discovered, the examples in the documentation are all based on OpenLDAP, so they take a little more massaging for AD than for other systems. I don't have access to an AD server myself, but your settings look similar to other AD configurations I've seen.

The exception is apparently raised looking for the "member" attribute on your group objects. ActiveDirectoryGroupType uses "member" as the attribute to search for member DNs. Again, I have no independent knowledge that this is correct; it was contributed by a user early on. So it seems likely that your group search is finding objects that don't include the member attribute in their schemas, either because your search is returning objects that aren't groups or because "member" is the wrong attribute for your server. This is on the edge of my LDAP knowledge, so someone else may be able to diagnose the exception more accurately.

In any case, my recommendation would be to examine your particular directory, understand how the groups work, and configure one of the primitive classes (probably MemberDNGroupType). The subclasses exist for convenience and readability, but there's no guarantee they'll be right for you.

Rolf Håvard Blindheim

Sep 30, 2011, 3:38:40 AM
to django-a...@googlegroups.com
Thanks for reply.

I think member is the correct group membership attribute for AD.

As far as I can see, it should allow the user to log in even if the user is not in the "active", "superuser" or "staff" group, as long as he is in the "enabled" group.
If I add the user to all of these groups in AD, I can log in, and the appropriate flags are set on the user account. If I remove the user from one or more of these groups, I'll get the NO_SUCH_ATTRIBUTE error.
So it seems to me that the code works as intended as it converts the membership of these groups into True while the user is in the group, but is unable to set it to False if the user is not.

Does this sound about right?

Peter Sagerson

Sep 30, 2011, 11:34:34 AM
to django-a...@googlegroups.com
That sounds convincing; it could well be a bug somewhere. If only we could find someone with a repro case and a debugger. :)
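
An offline model of the failure mode discussed in this thread, added here as example code written for this page, not django-auth-ldap's own implementation. It assumes the membership check is an LDAP Compare on the group's `member` attribute, which is how the MemberDNGroupType family (ActiveDirectoryGroupType included) is built, and it assumes, which the thread does not confirm, that the groups the user was removed from were left empty: AD stores no `member` attribute on a group with no members, and a Compare against an attribute the entry does not carry comes back as the noSuchAttribute error quoted above rather than compareFalse. The directory, the DNs and the `is_member_strict`, `is_member` and `resolve_user` helpers are constructed for the example.

```python
"""Offline model of how AD group membership becomes Django user flags.

Constructed example: a tiny in-memory directory and an emulated LDAP Compare
stand in for Active Directory, so the script runs without a server. Against
a live directory the `compare` hook is a bound python-ldap connection's
compare_s(dn, attr, value).
"""

# Hypothetical DNs, shaped like the ones in the settings posted above.
GROUPS_OU = "ou=Application_OU,ou=Grupper,dc=example,dc=local"
ALICE = "cn=alice,cn=Users,dc=example,dc=local"
BOB = "cn=bob,cn=Users,dc=example,dc=local"

# AD does not store a multi-valued attribute that has no values, so a group
# with no members has no 'member' attribute at all (cn=superuser below).
DIRECTORY = {
    f"cn=enabled,{GROUPS_OU}": {"objectClass": ["group"], "member": [ALICE, BOB]},
    f"cn=active,{GROUPS_OU}": {"objectClass": ["group"], "member": [ALICE]},
    f"cn=staff,{GROUPS_OU}": {"objectClass": ["group"], "member": [BOB]},
    f"cn=superuser,{GROUPS_OU}": {"objectClass": ["group"]},
}

REQUIRE_GROUP = f"cn=enabled,{GROUPS_OU}"
USER_FLAGS_BY_GROUP = {
    "is_active": f"cn=active,{GROUPS_OU}",
    "is_staff": f"cn=staff,{GROUPS_OU}",
    "is_superuser": f"cn=superuser,{GROUPS_OU}",
}


class NoSuchAttribute(Exception):
    """Stands in for ldap.NO_SUCH_ATTRIBUTE (LDAP result code 16)."""


def compare_s(dn, attr, value):
    """Emulate an LDAP Compare: True/False when the entry carries the
    attribute, noSuchAttribute when it does not carry it at all. That error
    is what the NO_ATTRIBUTE_OR_VAL message in the thread reports."""
    entry = DIRECTORY[dn]
    if attr not in entry:
        raise NoSuchAttribute(f"{dn}: no attribute '{attr}'")
    return value in entry[attr]


def is_member_strict(user_dn, group_dn, compare=compare_s):
    """Membership by Compare on 'member', with the error propagated.
    One empty group in USER_FLAGS_BY_GROUP breaks every login."""
    return bool(compare(group_dn, "member", user_dn))


def is_member(user_dn, group_dn, compare=compare_s):
    """Same check, but a group without a 'member' attribute has no members."""
    try:
        return bool(compare(group_dn, "member", user_dn))
    except NoSuchAttribute:
        return False


def resolve_user(user_dn, member_check=is_member, compare=compare_s):
    """Return None when the user may not log in (not in REQUIRE_GROUP);
    otherwise every flag, written explicitly True or False, so a user
    removed from a group loses the flag on the next login."""
    if not member_check(user_dn, REQUIRE_GROUP, compare):
        return None
    return {
        flag: member_check(user_dn, group_dn, compare)
        for flag, group_dn in USER_FLAGS_BY_GROUP.items()
    }


if __name__ == "__main__":
    print(resolve_user(ALICE))
    print(resolve_user(BOB))
    try:
        resolve_user(ALICE, member_check=is_member_strict)
    except NoSuchAttribute as exc:
        print("strict check fails on the empty group:", exc)
```

Against a live directory, pass a bound connection's `compare_s` as `compare`; python-ldap raises `ldap.NO_SUCH_ATTRIBUTE` where the model raises `NoSuchAttribute`. Whichever group type is configured, the point of `resolve_user` is that all three flags are assigned on every login, True or False, so dropping a user from the superuser group revokes the flag rather than leaving a stale True in the Django database.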

Percy Ameri

Feb 7, 2014, 2:59:53 PM
to django-a...@googlegroups.com
Hi Rolf :

but if there are some user access and not any other solution. 

please help .....!!!

Yip Terence

Jan 19, 2015, 4:04:02 AM
to django-a...@googlegroups.com
Hi Rolf,

Since you have already integrated the LDAP auth with edx, could you please give me a hand?

I already installed the open edx and django ldap package. However, I don't know where the settings.py file is. Could you show me the path, and where should I insert the LDAP string?

Best Regards,
Terence

On Friday, September 30, 2011 at 5:18:11 AM UTC+8, Rolf Håvard Blindheim wrote:

Rolf Håvard Blindheim

Jan 20, 2015, 4:56:25 PM
to django-a...@googlegroups.com
Hi Terence,

By ‘edx’ you mean Microsoft Exchange Server I guess?
It has been some years since I did this setup, but I’ll give it a shot ;)

The 'settings.py' file is the Django project configuration file. It's usually located in a directory inside your main application directory called the same as your project (the name you gave your application when running 'django-admin.py startproject').

I’ll just paste the settings I had in my project, but you’ll need to adapt it for your exchange setup.
Paste the below in your settings.py file.


# LDAP configuration
# for more details
import ldap
from django_auth_ldap.config import LDAPSearch, ActiveDirectoryGroupType

AUTH_LDAP_SERVER_URI = 'ldap://192.168.1.1'  # IP of your real LDAP server (plain ldap://, no TLS)
AUTH_LDAP_BIND_DN = 'cn=Your LDAP CN,ou=Your OU,dc=example,dc=com'
AUTH_LDAP_BIND_PASSWORD = 'secret-password-here'
# Subtree search from the domain root; %(user)s is filter-escaped by django-auth-ldap
AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=example,dc=com', ldap.SCOPE_SUBTREE, '(sAMAccountName=%(user)s)',)
AUTH_LDAP_GROUP_SEARCH = LDAPSearch('ou=Your OU,ou=Groups,dc=example,dc=com', ldap.SCOPE_SUBTREE, '(objectClass=group)')
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()

# Only users in this group can log in.
AUTH_LDAP_REQUIRE_GROUP = 'cn=Enabled-Users,ou=Your OU,ou=Groups,dc=example,dc=com'

# Populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail'
}

# This is the default, but I like to be explicit.
AUTH_LDAP_ALWAYS_UPDATE_USER = True

# Use LDAP group membership to calculate group permissions.
AUTH_LDAP_FIND_GROUP_PERMS = True

# Mirror user groups from LDAP
AUTH_LDAP_MIRROR_GROUPS = True

# Group caching is off here, so every login queries the directory; the
# timeout below only takes effect when AUTH_LDAP_CACHE_GROUPS is True.
AUTH_LDAP_CACHE_GROUPS = False
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 300
AUTH_LDAP_GLOBAL_OPTIONS = {
    # False == 0 == ldap.OPT_X_TLS_NEVER: no certificate verification if TLS is used
    ldap.OPT_X_TLS_REQUIRE_CERT: False,
    # Do not chase AD referrals; libldap would follow them with an anonymous bind
    ldap.OPT_REFERRALS: False,
}

# Keep ModelBackend around for per-user permissions and maybe a local
# superuser.
AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend',
    'django_auth_ldap.backend.LDAPBackend',
)


Hope you sort it out, cheers!

--
Med vennlig hilsen/Best regards
Rolf Håvard Blindheim

Rolf Håvard Blindheim

Jan 20, 2015, 5:01:46 PM
to django-a...@googlegroups.com
Hi again, Terence,

"By 'edx' you mean Microsoft Exchange Server I guess?"
Wow, I just realized what I wrote. Exchange server is the mail server, not Active Directory. Sorry, by ‘edx’ I have no idea what you mean =)
It’s a while since I’ve worked with the Microsoft platform, sorry for confusing you.

Anyway, the code I pasted is my configuration for authenticating with Microsoft Active Directory.  


--
Med vennlig hilsen/Best regards
Rolf Håvard Blindheim