Enable LDAP
LDAP-based login can be added fairly simply.

First uncomment this line in requirements.txt:

```
#django-auth-ldap==1.2.0
```

and run:

```sh
$ sudo pip install -r requirements.txt
```

Rename local_settings.py.example to local_settings.py in the webvirtmgr/local directory and uncomment the following lines:
```python
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfUniqueNamesType

# Try LDAP first, then fall back to Django's local user database.
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)

AUTH_LDAP_GLOBAL_OPTIONS = {
    # Require the server certificate to verify against the CA directory below.
    # OPT_X_TLS_DEMAND is the *value* of OPT_X_TLS_REQUIRE_CERT, not an option
    # of its own.
    ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_DEMAND,
    ldap.OPT_REFERRALS: False,
    ldap.OPT_X_TLS_CACERTDIR: "/etc/pki/tls/certs/",
}

# LDAPS (port 636) so the bind credentials and user passwords are encrypted.
AUTH_LDAP_SERVER_URI = "ldaps://ldapserverhostname.example.com"

# Service account used to look up users before binding as them.
AUTH_LDAP_BIND_DN = "uid=binduser,ou=systemusers,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "<ldapbindpassword>"

# %(user)s is replaced with the (escaped) login name.
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=example,dc=com",
                                   ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=groups,dc=example,dc=com",
                                    ldap.SCOPE_SUBTREE,
                                    "(objectClass=groupOfUniqueNames)")
AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()

# Map group membership to Django user flags: a single DN, or a list where
# membership in any of the DNs sets the flag.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": ["cn=grouptopermit1,ou=groups,dc=example,dc=com",
                  "cn=grouptopermit2,ou=groups,dc=example,dc=com"],
    "is_staff": "cn=grouptopermit2,ou=groups,dc=example,dc=com",
    "is_superuser": "cn=grouptopermit2,ou=groups,dc=example,dc=com",
}
```
In this example LDAPS is required so that the login to the LDAP server is encrypted. Make sure the CA certificate (or the LDAP server's SSL certificate) is trusted by your system when using this method. If certificate verification is not required, set the TLS options to accept self-signed certificates as needed:
http://python-ldap.org/doc/html/ldap.html#tls-options
The two groups listed under is_active are the groups whose members can log into webvirtmgr (and make changes, since the app currently only checks is_authenticated and not permissions); members of the second group also get permissions in the Django admin interface (if you have enabled it).
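As an added example (not from the webvirtmgr project or from django-auth-ldap itself), the following self-contained Python mirrors three behaviours the settings above rely on: the RFC 4515 escaping that django-auth-ldap applies to `%(user)s` before the user search runs, the way AUTH_LDAP_USER_FLAGS_BY_GROUP turns group membership into is_active / is_staff / is_superuser (a single DN, or any DN in a list), and a check that AUTH_LDAP_GLOBAL_OPTIONS actually demands certificate verification. The python-ldap constant values are copied inline so it runs without the package; the group DNs, usernames and option dicts are constructed sample values; `escape_filter_value`, `user_filter`, `resolve_flags` and `tls_verification_enforced` are this example's own names.

```python
# Added example; not part of the webvirtmgr wiki or of django-auth-ldap itself.
# Group DNs, usernames and option dicts below are constructed sample values.

# python-ldap constants (values from OpenLDAP's ldap.h), copied inline so this
# runs without the python-ldap package installed.
OPT_X_TLS_REQUIRE_CERT = 0x6006
OPT_X_TLS_NEVER, OPT_X_TLS_HARD, OPT_X_TLS_DEMAND, OPT_X_TLS_ALLOW, OPT_X_TLS_TRY = 0, 1, 2, 3, 4

# Same mapping as in the local_settings.py fragment above.
FLAGS_BY_GROUP = {
    "is_active": ["cn=grouptopermit1,ou=groups,dc=example,dc=com",
                  "cn=grouptopermit2,ou=groups,dc=example,dc=com"],
    "is_staff": "cn=grouptopermit2,ou=groups,dc=example,dc=com",
    "is_superuser": "cn=grouptopermit2,ou=groups,dc=example,dc=com",
}


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3).

    The backslash is escaped first so that the escapes added afterwards are not
    themselves re-escaped.
    """
    return (value.replace("\\", "\\5c")
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def user_filter(template, username):
    """Expand the AUTH_LDAP_USER_SEARCH template the way django-auth-ldap does:
    the login name is escaped before it is substituted for %(user)s, so filter
    metacharacters in a submitted name stay literal and cannot widen the search."""
    return template % {"user": escape_filter_value(username)}


def resolve_flags(user_group_dns, flags_by_group=FLAGS_BY_GROUP):
    """Compute is_active / is_staff / is_superuser from the user's group DNs.

    Mirrors AUTH_LDAP_USER_FLAGS_BY_GROUP: a flag is True when the user is a
    member of the single DN given, or of any DN in a list.  DNs are compared
    case-insensitively here (an assumption of this example).
    """
    member_of = {dn.lower() for dn in user_group_dns}
    flags = {}
    for flag, dns in flags_by_group.items():
        if isinstance(dns, str):
            dns = [dns]
        flags[flag] = any(dn.lower() in member_of for dn in dns)
    return flags


def tls_verification_enforced(global_options):
    """True only when OPT_X_TLS_REQUIRE_CERT is explicitly DEMAND or HARD.

    NEVER, ALLOW and TRY each accept a session without a verified server
    certificate, which would expose the bind password and user credentials to
    an interposed server.  A missing key counts as not enforced here because
    the effective value then depends on the system ldap.conf.
    """
    return global_options.get(OPT_X_TLS_REQUIRE_CERT) in (OPT_X_TLS_DEMAND,
                                                          OPT_X_TLS_HARD)


if __name__ == "__main__":
    print(user_filter("(uid=%(user)s)", "alice"))
    print(user_filter("(uid=%(user)s)", "alice)(uid=*"))
    print(resolve_flags(["cn=grouptopermit1,ou=groups,dc=example,dc=com"]))
    print(resolve_flags(["cn=grouptopermit2,ou=groups,dc=example,dc=com"]))
    print(tls_verification_enforced({OPT_X_TLS_REQUIRE_CERT: OPT_X_TLS_DEMAND}))
    print(tls_verification_enforced({OPT_X_TLS_REQUIRE_CERT: OPT_X_TLS_NEVER}))
```

Running it shows that a member of only grouptopermit1 gets is_active but neither is_staff nor is_superuser, while a member of grouptopermit2 gets all three, which is exactly the split between "can log in" and "can use the Django admin" described above. Pass your own AUTH_LDAP_GLOBAL_OPTIONS dict to `tls_verification_enforced` (using the real `ldap` constants) to confirm the TLS setting before deploying.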
There's further information at the django-auth-ldap site if you need it: