On Mar 20, 7:44 pm, "Katz, Aryeh \(akatz\)" <[EMAIL PROTECTED]> wrote:
> The downside of this method is that the user can still authenticate against
> Django.
I set my passwords in Django to something like 'get password from LDAP'. This is an invalid hash, so no one would ever be able to authenticate against Django instead of LDAP. To authenticate them, I bind as a specific LDAP user, search for the user who is authenticating, then rebind to LDAP as them (all this over SSL-encrypted LDAP). It's a fairly typical technique. This is the auth backend I wrote to do it:

    import ldap
    import ldap.filter
    from ldap.ldapobject import SmartLDAPObject

    from django.conf import settings
    from django.contrib.auth.models import User

    # CA certificate used to verify the LDAP server when TLS is started.
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, settings.LDAP_CERT)
    # 0 is ldap.OPT_X_TLS_NEVER: the server certificate is not checked at all.
    # ldap.OPT_X_TLS_DEMAND would refuse the connection on an untrusted certificate.
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, 0)


    class LdapBackend:
        def authenticate(self, username=None, password=None):
            # An empty password is sent as an anonymous (unauthenticated) bind,
            # which many directories accept, so refuse it before touching LDAP.
            if not username or not password:
                return None

            # Bind as the service account, then look the user up by account name.
            l = SmartLDAPObject(
                settings.LDAP_URI,
                who=settings.LDAP_BIND_DN,
                cred=settings.LDAP_BIND_PW,
                start_tls=2
            )
            # Escape the username so it cannot change the filter (RFC 4515).
            ldap_filter = "(sAMAccountName=%s)" % ldap.filter.escape_filter_chars(username)
            results = l.search_s(settings.LDAP_ROOT, ldap.SCOPE_SUBTREE, ldap_filter,
                                 ["givenName", "sn", "mail", "memberOf"])
            # Active Directory mixes referrals (dn is None) into the result list;
            # keep only real entries and require exactly one match.
            entries = [(dn, attrs) for dn, attrs in results if dn is not None]
            if len(entries) != 1:
                return None
            dn, attributes = entries[0]

            # Rebind as the user: a successful bind proves they know the password.
            try:
                l.simple_bind_s(dn, password)
            except ldap.LDAPError:
                return None
            finally:
                l.unbind_s()

            try:
                user = User.objects.get(username=username)
            except User.DoesNotExist:
                # Deliberately not a valid hash, so Django's own password
                # check can never succeed for this account.
                user = User(username=username, password="get from ldap")
            user.first_name = attributes.get("givenName", [""])[0]
            user.last_name = attributes.get("sn", [""])[0]
            user.email = attributes.get("mail", [""])[0]
            user.is_staff = True
            user.is_superuser = True
            user.save()
            return user

        def get_user(self, uid):
            try:
                return User.objects.get(pk=uid)
            except User.DoesNotExist:
                return None
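Two pre-checks that the bind-search-rebind flow in the post depends on, worked through as an added example that is not the poster's code: escaping the username before it goes into the search filter, picking the single real entry out of what search_s() returns, and refusing an empty password. It uses no python-ldap so it runs offline; the helper names (escape_filter_chars, build_account_filter, select_entry, can_bind) and the sample search result are constructed for illustration and are assumptions, not anything from the original message.

```python
# Added example (not the poster's code): the pre-checks a bind-search-rebind
# backend needs, written without python-ldap so it runs offline.  All helper
# names here are hypothetical; SAMPLE_RESULTS is a constructed AD-style result.

# Escaping table from RFC 4515 section 3.  Backslash is handled first so the
# backslashes introduced by the other escapes are not escaped a second time.
_FILTER_ESCAPES = (
    ("\\", r"\5c"),
    ("*", r"\2a"),
    ("(", r"\28"),
    (")", r"\29"),
    ("\x00", r"\00"),
)


def escape_filter_chars(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    for raw, escaped in _FILTER_ESCAPES:
        value = value.replace(raw, escaped)
    return value


def build_account_filter(username):
    """Build the (sAMAccountName=...) filter with the username escaped.

    Without escaping, a username such as '*' matches every account and the
    backend would then bind as whichever entry happened to come back first.
    """
    return "(sAMAccountName=%s)" % escape_filter_chars(username)


def select_entry(results):
    """Pick the single real entry from search_s()-shaped output.

    python-ldap returns a list of (dn, attributes) tuples; Active Directory
    also includes referral items whose dn is None.  Return (dn, attributes)
    only when exactly one real entry matched, otherwise None.
    """
    entries = [(dn, attrs) for dn, attrs in results if dn is not None]
    if len(entries) != 1:
        return None
    return entries[0]


def can_bind(password):
    """A simple bind with an empty password is an anonymous bind on most
    directories and succeeds without proving anything, so reject it."""
    return bool(password)


# Constructed sample of what search_s() might return for one AD lookup:
# a referral (dn None) followed by the real user entry.
SAMPLE_RESULTS = [
    (None, ["ldap://ForestDnsZones.example.test/DC=ForestDnsZones,DC=example,DC=test"]),
    ("CN=Jane Doe,OU=Staff,DC=example,DC=test",
     {"givenName": ["Jane"], "sn": ["Doe"], "mail": ["jane@example.test"]}),
]

if __name__ == "__main__":
    print(build_account_filter("jane"))
    print(build_account_filter("*"))
    print(select_entry(SAMPLE_RESULTS))
    print(can_bind(""))
```

In a real backend the three checks sit in front of the service-account search and the user rebind: build the filter with escape_filter_chars, pass search_s() output through select_entry, and bail out when can_bind is false, so a wildcard username, a multi-entry result or an empty password never reaches simple_bind_s.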