On 1/12/2017 10:28 PM, pacopyc pacopyc wrote:
Hi, I am a beginner django programmer.
I would like to authenticate users of my web application to an ldap
server (which has about 1000 users defined).
Not all users of the ldap server must be able to access the web
application (only 50 ldap users must have access to the web application).
First problem: I can not authenticate users on ldap server. I referred
to https://django-auth-ldap.readthedocs.io/en/latest/ and some
articles on the Internet. Do you have any simple examples? I just want
to check username and password.
Many years ago I successfully used Peter Herndon's django-ldap-groups
which is no longer maintained but available here ...
https://code.google.com/archive/p/django-ldap-groups/
It took a while to get going but all my problems were in understanding
Novell Netware LDAP not in Peter's software. If you look at his code and
also the django-auth-ldap code you should detect similarities and
differences which will most likely switch on the lights for you.
Second issue: once the user has been authenticated on the ldap server,
I must verify that he can access the web application. How can I do? Do
I have to define it on Django too? How?
The only sane way to do that is to use groups in LDAP and make a
similarly named permission group in Django. Never use individual
permissions on either system.
Third issue: web application users must have different permissions in
using the application. Permissions are defined on Django. How can I
link ldap users (only 50) to these permissions?
You should be able to interrogate the LDAP server using a privileged
username on the LDAP server issued by that server's admin. That will let
you do a search using the django login username and detect the LDAP
groups that user is in. If they are in the proper group you can add that
username to the django group (if not already in it). Likewise, if they
have been removed from that group on LDAP you can remove them from the
django group as well.
This segregates both logins and makes the task doable. If you try to
avoid a django login for a user already logged in to LDAP it becomes
much trickier requiring a custom auth backend. Single signon I think it
is called. Don't go there until you are more experienced.
Back in the day of Novell Netware this was working fine for me. I think
one of the requirements was that users wanted to stick with the same
password on both systems - which is a security "bad" practice. If you do
that, you may get away without needing a privileged login to search the
LDAP directory and instead just use the username/password offered to
Django to log into LDAP and check the LDAP groups then.
It's a long time since I looked at it so things may not be as I remember
them.
Good luck
Mike
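
The group check and group sync described in the reply above, as an added example that is not part of the original thread and not code from django-auth-ldap or django-ldap-groups. The DNs, the `uid`/`person` schema, the group names and all function names are constructed assumptions; the LDAP search itself is left out, so the functions take the group DNs that search would return.

```python
# Added example: DNs, schema attributes and group names are constructed assumptions.
# RFC 4515 escapes for a value placed inside an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Hypothetical gate group: only its members may use the web application.
ACCESS_GROUP = "cn=webapp-users,ou=groups,dc=example,dc=com"
# Hypothetical mapping: LDAP group DN -> similarly named Django group.
GROUP_MAP = {
    ACCESS_GROUP: "webapp-users",
    "cn=webapp-editors,ou=groups,dc=example,dc=com": "webapp-editors",
}


def user_filter(username):
    """Filter for the privileged-account search; the login name is escaped
    so that characters typed into the login form cannot alter the filter."""
    escaped = "".join(_ESCAPES.get(ch, ch) for ch in username)
    return "(&(objectClass=person)(uid=%s))" % escaped


def normalise(dn):
    """Compare DNs case-insensitively, ignoring spaces after commas.
    Simplification: DNs containing escaped commas are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def plan_sync(ldap_group_dns, current_django_groups):
    """Return (allowed, groups_to_add, groups_to_remove) for one user.

    Only Django groups listed in GROUP_MAP are added or removed; groups
    assigned by hand in the Django admin are left alone.
    """
    member_of = {normalise(dn) for dn in ldap_group_dns}
    wanted = {name for dn, name in GROUP_MAP.items() if normalise(dn) in member_of}
    managed = set(GROUP_MAP.values())
    current = set(current_django_groups)
    if normalise(ACCESS_GROUP) not in member_of:
        # Not in the gate group: grant nothing, strip every managed group.
        return False, set(), current & managed
    return True, wanted - current, (current & managed) - wanted
```

Running `plan_sync` at every login covers both directions mentioned in the reply: users added to an LDAP group gain the Django group, and users removed from it lose it.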
Thanks
pacopyc
--
You received this message because you are subscribed to the Google
Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to django-users+unsubscr...@googlegroups.com
<mailto:django-users+unsubscr...@googlegroups.com>.
To post to this group, send email to django-users@googlegroups.com
<mailto:django-users@googlegroups.com>.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/1f564b8b-da63-4f13-8305-906536f3f386%40googlegroups.com
<https://groups.google.com/d/msgid/django-users/1f564b8b-da63-4f13-8305-906536f3f386%40googlegroups.com?utm_medium=email&utm_source=footer>.
For more options, visit https://groups.google.com/d/optout.