From 5119fd211e420a94f9202d5fddb0bdd607ee6c07 Mon Sep 17 00:00:00 2001 From: Michał Górny Date: Fri, 13 Sep 2013 13:03:58 +0200 Subject: Replace django-auth-ldap with ldapdb-based auth backend. --- okupy/accounts/views.py | 5 ++++- okupy/common/auth.py | 34 ++++++++++++++++++++++++++++++++++ okupy/common/ldap_helpers.py | 3 +++ okupy/settings/__init__.py | 2 +- okupy/tests/settings.py | 2 +- requirements/base.txt | 1 - 6 files changed, 43 insertions(+), 4 deletions(-) diff --git a/okupy/accounts/views.py b/okupy/accounts/views.py index ab96d87..36980ee 100644 --- a/okupy/accounts/views.py +++ b/okupy/accounts/views.py @@ -139,7 +139,10 @@ def login(request): it was successful. If it retrieves None then it failed to login """ try: - user = authenticate(username=username, password=password) + user = authenticate( + request=request, + username=username, + password=password) except Exception as error: logger.critical(error, extra=log_extra_data(request)) logger_mail.exception(error) diff --git a/okupy/common/auth.py b/okupy/common/auth.py index aa238fc..08d2fe6 100644 --- a/okupy/common/auth.py +++ b/okupy/common/auth.py 
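Review bot: Passing `request=request` into authenticate() changes the keyword set every configured backend receives, and Django's authenticate() (at least through 1.6) silently skips a backend whose authenticate() raises TypeError on unexpected keywords, so SSLCertAuthBackend and SSHKeyAuthBackend would be bypassed without any log line unless their signatures also accept `request`. I cannot see those two signatures here, so please confirm they take `request` (or `**kwargs`); a test asserting each backend is actually invoked would catch a mismatch, because the surrounding `except Exception` in this view never sees a TypeError that Django swallows. The enclosing login() view starts and ends outside the hunk.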
@@ -5,14 +5,48 @@ from django.contrib.auth.backends import ModelBackend from django.db import IntegrityError from okupy.accounts.models import LDAPUser +from okupy.common.ldap_helpers import get_bound_ldapuser from OpenSSL.crypto import load_certificate, FILETYPE_PEM +import ldap import paramiko import base64 +class LDAPAuthBackend(ModelBackend): + """ + Authentication backend that authenticates against LDAP password. + If authentication succeeds, it sets up secondary password + for the session. + """ + + def authenticate(self, request, username, password): + try: + bound_ldapuser = get_bound_ldapuser( + request=request, + username=username, + password=password) + + with bound_ldapuser as u: + UserModel = get_user_model() + attr_dict = { + UserModel.USERNAME_FIELD: u.username + } + + user = UserModel(**attr_dict) + try: + user.save() + except IntegrityError: + user = UserModel.objects.get(**attr_dict) + return user + except ldap.INVALID_CREDENTIALS: + return None + except ldap.STRONG_AUTH_REQUIRED: + return None + + class SSLCertAuthBackend(ModelBackend): """ Authentication backend taht uses client certificate information. diff --git a/okupy/common/ldap_helpers.py b/okupy/common/ldap_helpers.py index 69cacbf..c8ac5dd 100644 --- a/okupy/common/ldap_helpers.py +++ b/okupy/common/ldap_helpers.py @@ -8,6 +8,9 @@ from okupy import OkupyError from okupy.accounts.models import LDAPUser from okupy.crypto.ciphers import cipher +from django.conf import settings #debug +from django.db import connections + def get_bound_ldapuser(request, password=None, username=None): """ diff --git a/okupy/settings/__init__.py b/okupy/settings/__init__.py index bdada0a..0541edd 100644 --- a/okupy/settings/__init__.py +++ b/okupy/settings/__init__.py 
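Review bot: In LDAPAuthBackend.authenticate nothing rejects an empty password before the bind; an LDAP simple bind with a DN and an empty password is treated as an unauthenticated bind by many directories and succeeds without checking any credential, and django-auth-ldap, which this commit removes, refused empty passwords for exactly that reason. Unless get_bound_ldapuser already refuses a blank value — its body is not visible here, and its `password=None` default suggests it may do something different when no password is given — add `if not password: return None` as the first statement of authenticate. The `user.save()` / `except IntegrityError` / `objects.get` sequence can also become `user, _ = UserModel.objects.get_or_create(**attr_dict)`, which avoids an aborted transaction after the IntegrityError on PostgreSQL when the request runs inside one. The class docstring says a secondary password is set up for the session on success, but nothing visible in this hunk touches the session; either that happens inside get_bound_ldapuser, in which case the docstring should say so, or the claim is stale.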
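Review bot: The two imports added to ldap_helpers.py, `from django.conf import settings #debug` and `from django.db import connections`, are not used by anything visible in this hunk, and the `#debug` tag marks the first as leftover scaffolding. Drop both before merging, or if the rest of get_bound_ldapuser really reads `settings` or `connections`, keep the import but remove the `#debug` marker so it is not mistaken for dead code. The body of get_bound_ldapuser continues outside the hunk.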
@@ -26,7 +26,7 @@ MESSAGE_STORAGE = 'django.contrib.messages.storage.session.SessionStorage' # Custom authentication backend AUTHENTICATION_BACKENDS = ( - 'django_auth_ldap.backend.LDAPBackend', + 'okupy.common.auth.LDAPAuthBackend', 'okupy.common.auth.SSLCertAuthBackend', 'okupy.common.auth.SSHKeyAuthBackend', ) diff --git a/okupy/tests/settings.py b/okupy/tests/settings.py index 97b2844..1a83724 100644 --- a/okupy/tests/settings.py +++ b/okupy/tests/settings.py @@ -26,7 +26,7 @@ MESSAGE_STORAGE = 'django.contrib.messages.storage.session.SessionStorage' # Custom authentication backend AUTHENTICATION_BACKENDS = ( - 'django_auth_ldap.backend.LDAPBackend', + 'okupy.common.auth.LDAPAuthBackend', 'okupy.common.auth.SSLCertAuthBackend', 'okupy.common.auth.SSHKeyAuthBackend', ) diff --git a/requirements/base.txt b/requirements/base.txt index f63e9ab..8747082 100644 --- a/requirements/base.txt +++ b/requirements/base.txt @@ -1,5 +1,4 @@ django>=1.5 -django-auth-ldap>=1.1.4 django-compressor>=1.3 django-otp>=0.1.7 git+https://github.com/gentoo/django-ldapdb@okupy_v1#egg=django-ldapdb -- cgit v1.2.3-65-gdbad