From a5cd992c0a1de293bc395de68209cb05af2b64cd Mon Sep 17 00:00:00 2001
From: Adam Goldsmith
Date: Wed, 24 Mar 2021 14:33:07 -0400
Subject: [PATCH] Add Authentication via LDAP

---
 Pipfile | 1 +
 Pipfile.lock | 53 +++++++++++++++++++++++++-
 member_paperwork/settings/base.py | 11 ------
 member_paperwork/settings/prod_base.py | 41 ++++++++++++++++++++
 4 files changed, 94 insertions(+), 12 deletions(-)
 create mode 100644 member_paperwork/settings/prod_base.py

diff --git a/Pipfile b/Pipfile
index 140f778..77c5f99 100644
--- a/Pipfile
+++ b/Pipfile
@@ -6,6 +6,7 @@ name = "pypi"
 [packages]
 django = "*"
 mysqlclient = "*"
+django-auth-ldap = "*"
 [dev-packages]
diff --git a/Pipfile.lock b/Pipfile.lock
index 8b6f552..d8e5fe6 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "hash": {
- "sha256": "d1bf637f40b6f55b53eed51857df5d23fab51ea260b3c5b04710b8b94b80f803"
+ "sha256": "d1de6cc0a8d6f8b2724fbc9180a4d439f784856895370901ecb45727dfcb8e02"
 },
 "pipfile-spec": 6,
 "requires": {
@@ -32,6 +32,14 @@
 "index": "pypi",
 "version": "==3.1.7"
 },
+ "django-auth-ldap": {
+ "hashes": [
+ "sha256:5894317122a086c9955ed366562869a81459cf6b663636b152857bb5d3a0a3b7",
+ "sha256:cbbb476eff2504b5ab4fdf1fa92d93d2d3408fd9c8bc0c426169d987d0733153"
+ ],
+ "index": "pypi",
+ "version": "==2.3.0"
+ },
 "mysqlclient": {
 "hashes": [
 "sha256:0ac0dd759c4ca02c35a9fedc24bc982cf75171651e8187c2495ec957a87dfff7",
@@ -43,6 +51,49 @@
 "index": "pypi",
 "version": "==2.0.3"
 },
+ "pyasn1": {
+ "hashes": [
+ "sha256:014c0e9976956a08139dc0712ae195324a75e142284d5f87f1a87ee1b068a359",
+ "sha256:03840c999ba71680a131cfaee6fab142e1ed9bbd9c693e285cc6aca0d555e576",
+ "sha256:0458773cfe65b153891ac249bcf1b5f8f320b7c2ce462151f8fa74de8934becf",
+ "sha256:08c3c53b75eaa48d71cf8c710312316392ed40899cb34710d092e96745a358b7",
+ "sha256:39c7e2ec30515947ff4e87fb6f456dfc6e84857d34be479c9d4a4ba4bf46aa5d",
+ "sha256:5c9414dcfede6e441f7e8f81b43b34e834731003427e5b09e4e00e3172a10f00",
+ "sha256:6e7545f1a61025a4e58bb336952c5061697da694db1cae97b116e9c46abcf7c8",
+ "sha256:78fa6da68ed2727915c4767bb386ab32cdba863caa7dbe473eaae45f9959da86",
+ "sha256:7ab8a544af125fb704feadb008c99a88805126fb525280b2270bb25cc1d78a12",
+ "sha256:99fcc3c8d804d1bc6d9a099921e39d827026409a58f2a720dcdb89374ea0c776",
+ "sha256:aef77c9fb94a3ac588e87841208bdec464471d9871bd5050a287cc9a475cd0ba",
+ "sha256:e89bf84b5437b532b0803ba5c9a5e054d21fec423a89952a74f87fa2c9b7bce2",
+ "sha256:fec3e9d8e36808a28efb59b489e4528c10ad0f480e57dcc32b4de5c9d8c9fdf3"
+ ],
+ "version": "==0.4.8"
+ },
+ "pyasn1-modules": {
+ "hashes": [
+ "sha256:0845a5582f6a02bb3e1bde9ecfc4bfcae6ec3210dd270522fee602365430c3f8",
+ "sha256:0fe1b68d1e486a1ed5473f1302bd991c1611d319bba158e98b106ff86e1d7199",
+ "sha256:15b7c67fabc7fc240d87fb9aabf999cf82311a6d6fb2c70d00d3d0604878c811",
+ "sha256:426edb7a5e8879f1ec54a1864f16b882c2837bfd06eee62f2c982315ee2473ed",
+ "sha256:65cebbaffc913f4fe9e4808735c95ea22d7a7775646ab690518c056784bc21b4",
+ "sha256:905f84c712230b2c592c19470d3ca8d552de726050d1d1716282a1f6146be65e",
+ "sha256:a50b808ffeb97cb3601dd25981f6b016cbb3d31fbf57a8b8a87428e6158d0c74",
+ "sha256:a99324196732f53093a84c4369c996713eb8c89d360a496b599fb1a9c47fc3eb",
+ "sha256:b80486a6c77252ea3a3e9b1e360bc9cf28eaac41263d173c032581ad2f20fe45",
+ "sha256:c29a5e5cc7a3f05926aff34e097e84f8589cd790ce0ed41b67aed6857b26aafd",
+ "sha256:cbac4bc38d117f2a49aeedec4407d23e8866ea4ac27ff2cf7fb3e5b570df19e0",
+ "sha256:f39edd8c4ecaa4556e989147ebf219227e2cd2e8a43c7e7fcb1f1c18c5fd6a3d",
+ "sha256:fe0644d9ab041506b62782e92b06b8c68cca799e1a9636ec398675459e031405"
+ ],
+ "version": "==0.2.8"
+ },
+ "python-ldap": {
+ "hashes": [
+ "sha256:4711cacf013e298754abd70058ccc995758177fb425f1c2d30e71adfc1d00aa5"
+ ],
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+ "version": "==3.3.1"
+ },
 "pytz": {
 "hashes": [
 "sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da",
diff --git a/member_paperwork/settings/base.py b/member_paperwork/settings/base.py
index 33a4ef5..8fffde2 100644
--- a/member_paperwork/settings/base.py
+++ b/member_paperwork/settings/base.py
@@ -65,17 +65,6 @@ WSGI_APPLICATION = 'member_paperwork.wsgi.application'
 DATABASE_ROUTERS = ['paperwork.routers.MembershipWorksRouter', 'paperwork.routers.PaperworkRouter']
-# Password validation
-# https://docs.djangoproject.com/en/3.1/ref/settings/#auth-password-validators
-
-AUTH_PASSWORD_VALIDATORS = [
- {'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator'},
- {'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator'},
- {'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator'},
- {'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator'},
-]
-
-
 # Internationalization
 # https://docs.djangoproject.com/en/3.1/topics/i18n/
diff --git a/member_paperwork/settings/prod_base.py b/member_paperwork/settings/prod_base.py
new file mode 100644
index 0000000..2df0dde
--- /dev/null
+++ b/member_paperwork/settings/prod_base.py
@@ -0,0 +1,41 @@
+import ldap
+from django_auth_ldap.config import LDAPSearch, PosixGroupType, LDAPGroupQuery
+
+from .base import *
+
+DEBUG = False
+
+
+# LDAP Authentication
+# https://django-auth-ldap.readthedocs.io/en/latest/
+# "AUTH_LDAP_SERVER_URI", "AUTH_LDAP_BIND_DN", and "AUTH_LDAP_BIND_PASSWORD" set in prod.py
+
+AUTHENTICATION_BACKENDS = [
+ 'django_auth_ldap.backend.LDAPBackend',
+ 'django.contrib.auth.backends.ModelBackend',
+]
+
+AUTH_LDAP_USER_SEARCH = LDAPSearch(
+ 'cn=users,dc=sawtooth,dc=claremontmakerspace,dc=org',
+ ldap.SCOPE_SUBTREE,
+ '(uid=%(user)s)',
+)
+
+AUTH_LDAP_USER_ATTR_MAP = {
+ 'first_name': 'givenName',
+ 'last_name': 'sn',
+ 'email': 'mail',
+}
+
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+ "is_staff": LDAPGroupQuery(
+ "cn=MW_CMS Staff,cn=groups,dc=sawtooth,dc=claremontmakerspace,dc=org"),
+}
+
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+ 'cn=groups,dc=sawtooth,dc=claremontmakerspace,dc=org',
+ ldap.SCOPE_SUBTREE,
+ '(objectClass=posixGroup)',
+)
+AUTH_LDAP_GROUP_TYPE = PosixGroupType()
+AUTH_LDAP_MIRROR_GROUPS = True
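Review bot: Nothing in this new settings module forces TLS on the LDAP connection, so whether the bind password and every authenticating user's password cross the network in clear depends entirely on the `AUTH_LDAP_SERVER_URI` that prod.py supplies, which this hunk cannot show; either the comment under `# LDAP Authentication` should state that the URI must be `ldaps://`, or for a plain `ldap://` URI add `AUTH_LDAP_START_TLS = True` here, and in both cases pin certificate checking with `AUTH_LDAP_CONNECTION_OPTIONS = {ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_DEMAND}` rather than relying on the client library's default. `AUTH_LDAP_MIRROR_GROUPS = True` combined with a group search matching every `posixGroup` mirrors the whole directory's groups into Django on each login, so any Django permissions attached to a group that happens to share a name with an LDAP group are granted automatically; if only the staff group is meant to drive access, `AUTH_LDAP_MIRROR_GROUPS = ['MW_CMS Staff']` keeps the mapping explicit. Because `ModelBackend` stays in `AUTHENTICATION_BACKENDS`, local accounts are still password-authenticated, so the `AUTH_PASSWORD_VALIDATORS` this commit deletes from base.py were still doing work for them and seem safer kept.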