import logging
# # # # # # # # # # # # # # #
# - - - - LDAP CONFIGURATION - - - - #
#
# Importing ldap libraries and applications
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType, PosixGroupType
# ...connecting to ldap server (local environment uses IP)
# AUTH_LDAP_GLOBAL_OPTIONS = {
# ldap.OPT_X_TLS_REQUIRE_CERT: False,
# ldap.OPT_REFERRALS: False
# }
AUTH_LDAP_SERVER_URI = "ldap://127.0.0.1:389"
# ...account to enter into ldap server (anonymous is not always allowed)
AUTH_LDAP_BIND_DN = "cn=admin,dc=hylaa,dc=com"
AUTH_LDAP_BIND_PASSWORD = "wilf66"
# ...node where to start to search users
AUTH_LDAP_USER_SEARCH = LDAPSearch("cn=users,cn=accounts,dc=hylaa,dc=com",
ldap.SCOPE_SUBTREE, # allow searching from current node to all nodes below
"(uid=%(user)s)"
#"(objectClass=posixAccount)"
#"(objectClass=simpleSecurityObject)"
)
# AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=users,dc=hylaa,dc=com"
# ...path where to start to search groups
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=groups,dc=hylaa,dc=com",
ldap.SCOPE_SUBTREE, # allow searching from current node to all nodes below
"(objectClass=posixGroup)" # type of object
)
AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr="cn") # a posixGroup is identified by the keyword "cn" into ldap server
# ...simple group restrictions
AUTH_LDAP_REQUIRE_GROUP = "cn=users,cn=accounts,dc=hylaa,dc=com"
# AUTH_LDAP_DENY_GROUP = "cn=disabled,ou=groups,dc=hylaa,dc=com"
# ...populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "mail",
"username": "uid",
"password": "userPassword",
}
# AUTH_LDAP_USER_ATTR_MAP = {"first_name": "givenName", "last_name": "sn"}
# AUTH_LDAP_PROFILE_ATTR_MAP = {"home_directory": "homeDirectory"}
AUTH_LDAP_PROFILE_ATTR_MAP = {
"home_directory": "homeDirectory"
}
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
# "is_active": "cn=active,ou=groups,dc=hylaa,dc=com",
# "is_staff": "cn=staff,ou=groups,dc=hylaa,dc=com",
"is_superuser": "cn=users,cn=accounts,dc=hylaa,dc=com"
}
AUTH_LDAP_PROFILE_FLAGS_BY_GROUPS = {
"is_awesome": ["cn=awesome,ou=groups,dc=hylaa,dc=com"]
}
# ...use LDAP group membership to calculate permission
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_MIRROR_GROUPS = True
AUTH_LDAP_ALWAYS_UPDATE_USER = True
# Keep ModelBackend around for per-user permissions and maybe a local
# superuser.
AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend',
'django.contrib.auth.backends.ModelBackend',
)
# Enable debug for ldap server connection
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.setLevel(logging.DEBUG)
# - - - - END LDAP CONFIGURATION - - - - #
# # # # # # # # # # # # # # #
自己配置的时候各种坑,资料虽很多,但基本都是给个配置信息了事,实际上真正跑起来还得做些工作, "is_superuser":决定让phpadminldap上哪个组的成员能进后台,记得pip安装相应组件。
主要是在phpldapadmin上创建的Account要记得在你所需要的组那里添
- memberUID增加你需要的用户,这点对于新手要了解
- AUTH_LDAP_MIRROR_GROUPS=True #注意 此为重点:当这个值为 True, LDAP的用户条目映射并创建 Django User 的时候,会自动映创建Group
附上docker 启动openldap ,phpldapadmin的脚本
#!/bin/bash -e
docker run --name ldap-service --hostname ldap-service --env LDAP_ORGANISATION="WILF" \
--env LDAP_DOMAIN="wilf.com" --env LDAP_ADMIN_PASSWORD="wilf66" \
-p 127.0.0.1:389:389 --detach osixia/openldap:1.1.8
docker run --name phpldapadmin-service --hostname phpldapadmin-service \
--link ldap-service:ldap-host --env PHPLDAPADMIN_LDAP_HOSTS=ldap-host -p 127.0.0.1:443:443 \
--detach osixia/phpldapadmin:0.6.12
PHPLDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" phpldapadmin-service)
echo "Go to: https://127.0.0.1:443"
echo "Login DN: cn=admin,dc=wilf,dc=com"
echo "Password: wilf66"
网友评论