
Python: getting groups from LDAP into Django


I am using django-auth-ldap to authenticate users against an LDAP server (Active Directory). Users can log in, and each user's flags (e.g. is_staff) are set correctly.

I would also like to add Django groups to my Django users based on the LDAP user groups. Here are my settings:

import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType, ActiveDirectoryGroupType

AUTH_LDAP_SERVER_URI = "ldap://XXX"

AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
AUTH_LDAP_BIND_DN = ""
AUTH_LDAP_BIND_PASSWORD = ""

# I somewhere read that this should help, but it didn't:
#AUTH_LDAP_GLOBAL_OPTIONS = {
#    ldap.OPT_REFERRALS: 0
#}

AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Benutzer,ou=Konten,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX",
                                   ldap.SCOPE_SUBTREE, "(cn=%(user)s)")
AUTH_LDAP_USER_DN_TEMPLATE = "CN=%(user)s,OU=Benutzer,OU=Konten,OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX"

# Set up the basic group parameters.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("OU=AnwenderRollen,OU=Gruppen,OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX",
    ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)"
)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="CN")
# also tried various possibilities for objectClass and AUTH_LDAP_GROUP_TYPE
#AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")
#AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType(name_attr="cn")


# Populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenname",
    "last_name": "sn",
    "email": "mail"
}

AUTH_LDAP_PROFILE_ATTR_MAP = {
    #"employee_number": "employeeNumber"
}

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    #"is_active": "cn=active,ou=django,ou=groups,dc=example,dc=com",
    "is_staff": "CN=GROUPNAME,OU=AnwenderRollen,OU=Gruppen,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX",
    "is_superuser": "CN=GROUPNAME,OU=AnwenderRollen,OU=Gruppen,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX"
}

AUTH_LDAP_PROFILE_FLAGS_BY_GROUP = {
    #"is_awesome": "cn=awesome,ou=django,ou=groups,dc=example,dc=com",
}

# This is the default, but I like to be explicit.
AUTH_LDAP_ALWAYS_UPDATE_USER = True

# Use LDAP group membership to calculate group permissions.
AUTH_LDAP_FIND_GROUP_PERMS = True

# Cache group memberships for an hour to minimize LDAP traffic
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 1 #3600

# Keep ModelBackend around for per-user permissions and maybe a local
# superuser.
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)
Only part of the settings works: login works, the Django user is created, the attributes are fetched from LDAP (AUTH_LDAP_USER_ATTR_MAP), and the flags (AUTH_LDAP_USER_FLAGS_BY_GROUP) are set using the same group path as in AUTH_LDAP_GROUP_SEARCH. But the group search itself does not work, with the following error:

DEBUG Populating Django user USERNAME
DEBUG search_s('CN=USERNAME,OU=Benutzer,OU=Konten,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX', 0, '(objectClass=*)') returned 1 objects: cn=USERNAME,ou=benutzer,ou=konten,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX
DEBUG CN=USERNAME,OU=Benutzer,OU=Konten,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX is a member of cn=GROUPNAME,ou=anwenderrollen,ou=gruppen,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX
DEBUG CN=USERNAME,OU=Benutzer,OU=Konten,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX is a member of cn=GROUPNAME,ou=anwenderrollen,ou=gruppen,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX
DEBUG Django user USERNAME does not have a profile to populate
ERROR search_s('OU=AnwenderRollen,OU=Gruppen,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX', 2, '(&(objectClass=groupOfNames)(member=CN=USERNAME,OU=Benutzer,OU=Konten,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX))') raised OPERATIONS_ERROR({'info': '00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece', 'desc': 'Operations error'},)
DEBUG search_s('OU=AnwenderRollen,OU=Gruppen,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX', 2, '(&(objectClass=groupOfNames)(member=CN=USERNAME,OU=Benutzer,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX))') returned 0 objects: 
Since the group paths for the flags and for the group search are the same, I assumed it should work. Is there a problem with searching groups while bound as the authenticating user?

What am I missing?

Here is what worked for me:

AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
AUTH_LDAP_BIND_DN = "existing_user"
AUTH_LDAP_BIND_PASSWORD = "existing_password"
I changed (objectClass=groupOfNames) to (objectClass=top).

It seems django_auth_ldap uses the bound user to check the flags (is_staff, ...) but not the groups. So I added credentials to these variables, which are now used for searching the groups.


It works, though.
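The error in the question and the fix in this answer come down to which credentials the group search runs with: Active Directory refuses a search on a connection that has not completed a bind, and an empty AUTH_LDAP_BIND_DN means an anonymous bind. The following is an added example (mine, not code from the question, this answer, or django-auth-ldap) that encodes that condition as a static check over a settings dict, together with the caveats a reviewer would raise on the posted configuration: plain ldap:// without StartTLS, the objectClass that AD groups actually carry, referral chasing, one group granting both is_staff and is_superuser, and cache timeouts that delay revocation. The two settings dicts, the service-account DN CN=svc-django,OU=Dienstkonten and the group names django-staff and django-admins are constructed for the example; the search filter and group type are held as plain strings so the check runs without python-ldap or Django.

```python
"""Static checks for django-auth-ldap settings, added for this thread (not the
question's, the answers' or the library's code). They encode the failure in
the question, the first answer's fix and the caveats a reviewer would add. To
run without Django or python-ldap, settings are a plain dict, the group filter
is the string AUTH_LDAP_GROUP_SEARCH_FILTER and the group type a class name."""

# libldap's numeric value of ldap.OPT_REFERRALS (LDAP_OPT_REFERRALS in ldap.h).
LDAP_OPT_REFERRALS = 0x0008


def check_ldap_settings(s, active_directory=True):
    """Return findings as (code, severity, message) tuples; [] means clean."""
    out = []
    uri = s.get("AUTH_LDAP_SERVER_URI", "").lower()
    flags = s.get("AUTH_LDAP_USER_FLAGS_BY_GROUP", {})
    needs_groups = bool(flags or s.get("AUTH_LDAP_FIND_GROUP_PERMS")
                        or s.get("AUTH_LDAP_MIRROR_GROUPS"))

    # Searches not run under the authenticating user's own bind use
    # AUTH_LDAP_BIND_DN/PASSWORD; an empty DN is an anonymous bind, which AD
    # refuses with "a successful bind must be completed on the connection"
    # (the OPERATIONS_ERROR in the question's log).
    if needs_groups and not s.get("AUTH_LDAP_BIND_DN"):
        out.append(("ANON_BIND", "error", "AUTH_LDAP_BIND_DN is empty: group "
                    "searches bind anonymously"
                    + ("; AD rejects that" if active_directory else "")))

    # A simple bind carries the password itself: over ldap:// without StartTLS
    # every user's password and the service account's cross the wire in clear.
    if uri.startswith("ldap://") and not s.get("AUTH_LDAP_START_TLS"):
        out.append(("PLAINTEXT", "error", "ldap:// without AUTH_LDAP_START_TLS "
                    "sends bind passwords unencrypted; use ldaps:// or StartTLS"))

    if active_directory:
        flt = s.get("AUTH_LDAP_GROUP_SEARCH_FILTER", "").lower()
        # AD groups have objectClass 'group' (members in 'member'). groupOfNames
        # matches nothing; top matches every entry under the base and only works
        # because the backend ANDs in (member=<user dn>), as the log shows.
        if "objectclass=group)" not in flt:
            out.append(("AD_GROUP_FILTER", "warning",
                        "%r: AD groups match (objectClass=group)" % flt))
        if s.get("AUTH_LDAP_GROUP_TYPE") != "ActiveDirectoryGroupType":
            out.append(("AD_GROUP_TYPE", "warning",
                        "use ActiveDirectoryGroupType(name_attr='cn') for AD"))
        # AD can answer a subtree search with referrals; libldap chases them on
        # a new, unbound connection unless OPT_REFERRALS is 0 (same AD error).
        if s.get("AUTH_LDAP_CONNECTION_OPTIONS", {}).get(LDAP_OPT_REFERRALS, 1) != 0:
            out.append(("REFERRALS", "warning",
                        "set ldap.OPT_REFERRALS: 0 in AUTH_LDAP_CONNECTION_OPTIONS"))

    # One group granting both flags makes every staff member a superuser.
    if flags.get("is_staff") and flags.get("is_staff") == flags.get("is_superuser"):
        out.append(("STAFF_IS_SUPERUSER", "warning",
                    "is_staff and is_superuser come from the same group"))

    # Cached memberships delay revocation: a user removed from an LDAP group
    # keeps the derived flags and permissions until the cache entry expires.
    timeout = s.get("AUTH_LDAP_CACHE_TIMEOUT",
                    s.get("AUTH_LDAP_GROUP_CACHE_TIMEOUT", 0))
    if s.get("AUTH_LDAP_CACHE_GROUPS") and timeout > 300:
        out.append(("SLOW_REVOCATION", "info",
                    "group cache of %ds delays revocation by that long" % timeout))
    return out


# Constructed from the question's settings; DN components are placeholders.
QUESTION_SETTINGS = {
    "AUTH_LDAP_SERVER_URI": "ldap://XXX",
    "AUTH_LDAP_BIND_DN": "",
    "AUTH_LDAP_GROUP_SEARCH_FILTER": "(objectClass=groupOfNames)",
    "AUTH_LDAP_GROUP_TYPE": "GroupOfNamesType",
    "AUTH_LDAP_USER_FLAGS_BY_GROUP": {
        "is_staff": "CN=GROUPNAME,OU=AnwenderRollen,OU=Gruppen,DC=XXX",
        "is_superuser": "CN=GROUPNAME,OU=AnwenderRollen,OU=Gruppen,DC=XXX",
    },
    "AUTH_LDAP_FIND_GROUP_PERMS": True,
    "AUTH_LDAP_CACHE_GROUPS": True,
    "AUTH_LDAP_GROUP_CACHE_TIMEOUT": 1,
}

# After the first answer's fix plus the checks above. Service account and
# group names are hypothetical; read the real password from the environment.
FIXED_SETTINGS = dict(
    QUESTION_SETTINGS,
    AUTH_LDAP_SERVER_URI="ldaps://XXX",
    AUTH_LDAP_BIND_DN="CN=svc-django,OU=Dienstkonten,DC=XXX",
    AUTH_LDAP_BIND_PASSWORD="<os.environ['AUTH_LDAP_BIND_PASSWORD']>",
    AUTH_LDAP_CONNECTION_OPTIONS={LDAP_OPT_REFERRALS: 0},
    AUTH_LDAP_GROUP_SEARCH_FILTER="(objectClass=group)",
    AUTH_LDAP_GROUP_TYPE="ActiveDirectoryGroupType",
    AUTH_LDAP_USER_FLAGS_BY_GROUP={
        "is_staff": "CN=django-staff,OU=AnwenderRollen,OU=Gruppen,DC=XXX",
        "is_superuser": "CN=django-admins,OU=AnwenderRollen,OU=Gruppen,DC=XXX",
    },
)

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_SETTINGS), ("fixed", FIXED_SETTINGS)):
        print(name, [code for code, _, _ in check_ldap_settings(cfg)])
```

Run as a script it prints the finding codes for both dicts: the question's settings yield ANON_BIND, PLAINTEXT, AD_GROUP_FILTER, AD_GROUP_TYPE, REFERRALS and STAFF_IS_SUPERUSER; the fixed ones yield none. Since the answer's fix means the service account, not the logged-in user, performs the group searches, give that account read access to the group OU and nothing more, and keep its password out of settings.py.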

To mirror groups from LDAP into Django you can set the AUTH_LDAP_MIRROR_GROUPS flag to True. The groups will be created under Groups, but you have to set the permissions yourself. Here is my config as an example:

"""
Ldap config. Have to set user as admin in django for successful login.
Using django_auth_ldap module
local settings should be loaded first to import env var settings
"""
import ldap
import os
import logging

from django_auth_ldap.config import LDAPSearch, PosixGroupType, LDAPGroupQuery

# Uncomment to enable verbose logging for ldap
# ldap.set_option(ldap.OPT_DEBUG_LEVEL, 4095)

AUTH_LDAP_SERVER_URI = os.getenv('LDAP_HOSTS', 'ldap://localhost')
logging.warning("LDAP host(s) is {}".format(AUTH_LDAP_SERVER_URI))

# Options
ldap_timeout = float(os.getenv('LDAP_TIMEOUT') or 10.0)
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0,
    ldap.OPT_NETWORK_TIMEOUT: ldap_timeout,
    ldap.OPT_TIMEOUT: ldap_timeout,
}

AUTH_LDAP_START_TLS = False
AUTH_LDAP_USER_DN_TEMPLATE = "cn=%(user)s,ou=employee,dc=mycompany,dc=com"
LDAP_AUTH_USER_LOOKUP_FIELDS = ("username", )

# Populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail',
}


IS_SUPER_USER_FLAG = (
    LDAPGroupQuery("cn=ldap-wheel,ou=groups,dc=mycompany,dc=com") |
    LDAPGroupQuery("cn=ldap-admin,ou=groups,dc=mycompany,dc=com")
)

IS_STAFF_FLAG = (
    LDAPGroupQuery("cn=ldap-product,ou=groups,dc=mycompany,dc=com")
)

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    'is_active': IS_SUPER_USER_FLAG | IS_STAFF_FLAG,
    'is_staff': IS_SUPER_USER_FLAG | IS_STAFF_FLAG,
    'is_superuser': IS_SUPER_USER_FLAG,
}

AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr='cn')
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    'ou=groups,dc=mycompany,dc=com',
    ldap.SCOPE_SUBTREE,
    '(objectClass=posixGroup)',
)

AUTH_LDAP_ALWAYS_UPDATE_USER = True
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_CACHE_GROUPS = True

# Cache names and group memberships for an hour to minimize LDAP traffic.
AUTH_LDAP_CACHE_TIMEOUT = 3600

AUTH_LDAP_MIRROR_GROUPS = True  # Will sync ldap groups to django, if not exist
# AUTH_LDAP_MIRROR_GROUPS_EXCEPT except some groups we don't want to mirror in django

Hope this helps.

I realize this is a noob question, but how can I tell that this is working? I found it! "user.ldap_user.group_dns or user.ldap_user.group_names", at the bottom of the page.
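What the answer above configures has three consequences at each login that are easy to miss: the flags are an OR over group DNs, AUTH_LDAP_MIRROR_GROUPS replaces the user's Django group set with what LDAP reports (so a group assigned by hand in the admin disappears unless it is listed in AUTH_LDAP_MIRROR_GROUPS_EXCEPT), and a mirrored group grants nothing until permissions are attached to it. The following added example (mine, not django-auth-ldap's code and not part of the answer) models those three steps with plain sets in place of Django's Group and Permission models, so it runs without Django; its input is the group_names/group_dns the comment above points at. All DNs, the local group site-editors, the policy and the permission codenames are constructed.

```python
"""Model of what django-auth-ldap derives from a user's LDAP groups at login
with the settings in the answer above: the user flags from
AUTH_LDAP_USER_FLAGS_BY_GROUP (each flag an OR of group DNs, as in the
LDAPGroupQuery(...) | LDAPGroupQuery(...) expressions), the Django group set
written by AUTH_LDAP_MIRROR_GROUPS (limited by AUTH_LDAP_MIRROR_GROUPS_EXCEPT),
and the permissions those groups carry. Added example for this thread; not the
library's code. Plain sets stand in for Django's Group/Permission models.
All DNs, group names and permission codenames are constructed."""


def resolve_flags(group_dns, flags_by_group):
    """Map each flag to True when the user is in any of its granting groups.
    DN comparison is case-insensitive, which is what the question's log shows
    ('CN=...,OU=AnwenderRollen' matched against 'cn=...,ou=anwenderrollen')."""
    have = {dn.lower() for dn in group_dns}
    return {flag: any(dn.lower() in have for dn in granting)
            for flag, granting in flags_by_group.items()}


def mirror_groups(current, ldap_group_names, mirror_except=frozenset()):
    """Return (target, added, removed) for one login.

    current: the user's Django groups before login; ldap_group_names: what the
    backend computed (user.ldap_user.group_names, as the comment above says).
    Mirroring replaces the membership with the LDAP set, so a group assigned by
    hand in the admin is dropped unless it is listed in mirror_except, in which
    case its current state is kept whatever LDAP says."""
    current, target = frozenset(current), frozenset(ldap_group_names)
    excepted = frozenset(mirror_except)
    target = (target - excepted) | (current & excepted)
    return target, target - current, current - target


def permissions_for(groups, policy):
    """Union of permission codenames that `policy` grants to `groups`, plus the
    groups that have no policy entry. A mirrored group that merely exists in
    Django grants nothing until permissions are assigned to it (the "you have
    to set the permissions yourself" part of the answer)."""
    perms, unmapped = set(), set()
    for name in groups:
        if name in policy:
            perms |= set(policy[name])
        else:
            unmapped.add(name)
    return perms, unmapped


# Constructed to match the directory layout in the answer's settings.
BASE = "ou=groups,dc=mycompany,dc=com"
SUPER = {"cn=ldap-wheel," + BASE, "cn=ldap-admin," + BASE}
STAFF = SUPER | {"cn=ldap-product," + BASE}
FLAGS_BY_GROUP = {"is_active": STAFF, "is_staff": STAFF, "is_superuser": SUPER}

# Hypothetical app permissions per mirrored group. Superuser groups need no
# entry: is_superuser already implies every permission.
POLICY = {"ldap-product": {"catalog.view_product", "catalog.change_product"}}


def login(current_groups, ldap_group_dns, ldap_group_names, mirror_except=()):
    """One login: (flags, target_groups, removed_groups, permissions, unmapped)."""
    flags = resolve_flags(ldap_group_dns, FLAGS_BY_GROUP)
    target, _added, removed = mirror_groups(current_groups, ldap_group_names,
                                            mirror_except)
    perms, unmapped = permissions_for(target, POLICY)
    return flags, target, removed, perms, unmapped


if __name__ == "__main__":
    # The user was put in 'site-editors' by hand in the Django admin; LDAP now
    # reports ldap-product and ldap-wheel. Watch what happens to site-editors.
    ldap_dns = {"CN=ldap-wheel,OU=groups,DC=mycompany,DC=com",
                "cn=ldap-product," + BASE}
    ldap_names = {"ldap-wheel", "ldap-product"}
    before = {"ldap-product", "site-editors"}
    print(login(before, ldap_dns, ldap_names))
    print(login(before, ldap_dns, ldap_names, mirror_except={"site-editors"}))
```

The first call removes site-editors and leaves ldap-wheel without permissions (harmless only because that group also sets is_superuser); the second keeps site-editors because it is excepted. A user who is in none of the listed groups gets is_active False and so cannot log in at all, which is the lockout the answer's is_active line produces.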