LDAP _without_ built-in Django user authentication

Matt

Mar 7, 2006, 3:15:06 PM
to Django users
I've read about a 'hack' Jason Huggins posted a month ago. He
implements LDAP support for his Django app, but it requires every user
to be in both LDAP and the user database table. This seems pointless
to me. Either you use Django's built-in database authentication or you
use LDAP, not both.

In my case, I want LDAP because we already have users in the directory.
We don't want to force users to create new accounts just for the web
app I will be building, and copying account info to the database is
simply out of the question -- only one directory is necessary.

If incorporating LDAP authentication into a Django app is not possible
without duplicating (eww) account information in the database, then I'm
afraid I'll have to resort to Ruby on Rails because it has
well-documented LDAP support. I would really prefer to use Django
because Python has been much easier for me to pick up compared to Ruby.

Joseph Kocherhans

Mar 7, 2006, 5:55:25 PM
to django...@googlegroups.com

It really depends on what parts of Django you want to use. Right now,
the admin system is intimately tied into django permissions, groups,
and users, which are all implemented in Django models. I'm currently
working on this, and I have code that authenticates against different
backends, but to work with the admin system, it needs to fake a django
user for every request.

If you aren't using the admin system, there is nothing stopping you
from using ldap and implementing your own security model. URLs, the
ORM, templates, caching, views, etc. are all totally independent from
authentication. I'm not sure what rails offers in that department.
Links to the relevant rails+ldap documents would be much appreciated
:)

Joseph

lin...@gmail.com

Mar 8, 2006, 9:28:29 AM
to Django users
Joseph,
Here is a link to the rails+ldap wiki entry:
http://wiki.rubyonrails.com/rails/pages/HowtoAuthenticateViaLdap

-- Nick

Matt

Mar 8, 2006, 9:34:40 PM
to Django users
Is there any good documentation for implementing LDAP with Django?

The admin feature of Django is awesome and I'd love to use it, but in
addition to the need for LDAP my app will have to parse uploaded CSV
files in order to populate certain database tables simply because there
is far too much data to insert it one row at a time. Therefore, I will
need a very customized admin interface -- at least for a few tables.
Ideally, I want to use the Django admin interface for 90% of the tables
that hold more basic info that could be entered manually, and then my
own custom interface for the CSV files. Of course, the problem is I
would only be able to use LDAP (exclusively) for the non-Django admin
stuff.

Are there plans to allow for alternate authentication methods for the
Django admin by v1.0?

ChaosKCW

Mar 9, 2006, 10:46:28 AM
to Django users
What's the problem with faking a user?

I would recommend that during your LDAP auth code you simply create a user in
django.users if it doesn't already exist. This can be completely
transparent to the user; they will never know.

I tend to like to have to set up users to my small admin sites, 'cause
everyone who works for the company shouldn't have access to it even
though they could auth via ldap correctly.

Matt

Mar 9, 2006, 11:46:37 AM
to Django users
If it was my decision I'd simply use Django's authentication.
Unfortunately it's my supervisor's decision, and he wants me to use
LDAP _exclusively_ so that's what I have to do.

I don't know much about LDAP, but from what I understand users can be
grouped based on their level of access. For example, if John Doe has a
new user account on our LDAP server, then he would be in the catch-all
Employee group. However, to gain access to the web app he would need
to be in the DjangoUser group (or whatever). Thus, even though he can
be authenticated by LDAP, he wouldn't have the necessary group
permissions.

joa...@gmail.com

Mar 9, 2006, 12:21:24 PM
to Django users

I would create a User model that is always synced with the LDAP users
database:
1) Whenever a user is created from Django, create the same user in the
LDAP base.
2) Hack Django a little so it can authenticate from the LDAP server.
Maybe the magic-removal branch allows for authentication mechanism
overriding without hacking the Django source itself.
3) Whenever a user wants to change his password, change it in the LDAP
database too.
4) Try to do syncing between LDAP groups and Django groups.
5) Have a way to store all user information in the LDAP database, maybe
with a dict that associates model fields to LDAP fields.

It would be nicer to have a pluggable authentication mechanism in
Django, with a certain number of methods, e.g.:
1) create_user
2) set_user_properties
3) get_user_properties
4) remove_user
5) set_user_permissions
6) add_user_permission
7) remove_user_permission
8) save_user

Matt

Mar 9, 2006, 1:13:46 PM
to Django users
Sure that would work, but it sounds like a lot of work, and it's
duplicating a lot of data. Another issue that would create problems is
adding users to LDAP directly -- Django wouldn't know about those users.

ChaosKCW

Mar 9, 2006, 3:50:01 PM
to Django users
>Another issue that would create problems is
>adding users to LDAP directly -- Django wouldn't know about those users

Yes, but you create the user in django on login attempts to django
sites.

If LDAP auth successful:
    search user DB
    if not found:
        add user to db based on ldap permissions

Matt

Mar 9, 2006, 5:26:11 PM
to Django users
OK, I was confused about why Django still needs usernames in its
database even though LDAP is the new authentication method. I thought
it would require authenticating via LDAP, then checking for the user
_and_ pass in Django's database. I didn't realize that I will only
have to copy the username (not the password), and that authentication
does not need to occur a second time against the Django user list. It
looks like I'll be able to convince the man in charge that Django is a
great framework choice for our needs.

Thanks to all for the feedback!

Matthew Flanagan

Mar 9, 2006, 9:11:39 PM
to django...@googlegroups.com

I'm using the method mentioned in the link to do LDAP auth.

http://www.carcosa.net/jason/blog/computing/django/authentication-2005-12-05-13-25.html

A dummy django user must exist, with or without your app's django
permissions or groups assigned, before LDAP is looked up. In my
environment I didn't want all LDAP users to be able to log in to the
application, only those users that had been explicitly created
in the django user db.

So the flow is this:

If user in django userdb:
    check user password via ldap (or whatever) auth method.

I have written a very simple pluggable auth module that does all of
this and has support for LDAP.

I'll put it up in the django wiki next week when I get back to work if
anyone is interested. It looks like the MultiAuth stuff will supersede
this anyway in the near future.

regards

matthew
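
Added example (not code from any poster in this thread): the two login flows described above, ChaosKCW's create-on-first-login and Matthew Flanagan's local-user-must-exist check, together with the DjangoUser group gate Matt mentions. DIRECTORY and the users dict are constructed stand-ins for the LDAP server and the Django user table; ldap_bind, login, LocalUser and auto_provision are hypothetical names.

```python
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for the directory; a real deployment would perform an
# LDAP bind and a group lookup instead of reading this dict.
DIRECTORY = {
    "jdoe": {"password": "s3cret-jdoe", "groups": {"Employee"}},
    "asmith": {"password": "s3cret-asmith", "groups": {"Employee", "DjangoUser"}},
}
REQUIRED_GROUP = "DjangoUser"  # group name taken from the thread's example


@dataclass
class LocalUser:
    username: str
    groups: set = field(default_factory=set)
    # Deliberately no password field: the directory is the only credential store.


def ldap_bind(username, password):
    """Return the entry's groups if the (simulated) bind succeeds, else None."""
    # Reject empty passwords up front: a simple bind with a DN and an empty
    # password is an "unauthenticated bind" (RFC 4513) that some servers accept.
    if not username or not password:
        return None
    entry = DIRECTORY.get(username)
    if entry is None:
        return None
    if not hmac.compare_digest(entry["password"].encode(), password.encode()):
        return None
    return set(entry["groups"])


def login(users, username, password, auto_provision):
    """users: dict of username -> LocalUser (stand-in for the Django user table)."""
    if not auto_provision and username not in users:
        return None  # Matthew Flanagan's flow: the local row gates access
    groups = ldap_bind(username, password)
    if groups is None:
        return None  # wrong password or unknown directory user
    if auto_provision:
        if REQUIRED_GROUP not in groups:
            return None  # authenticated by LDAP, but not authorized for the app
        user = users.setdefault(username, LocalUser(username))  # ChaosKCW's flow
        user.groups = groups  # refresh from the directory on every login
        return user
    return users[username]
```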
