问题描述
有两种方法使用验证用户的Django验证LDAP
There are two ways to authenticate a user using Django Auth LDAP
- 搜索/绑定和
- 直接绑定。
第一个包括连接到LDAP服务器或者匿名方式,或以固定的账号和搜索的认证用户的专有名称。然后我们就可以尝试与用户的密码再次绑定。
The first one involves connecting to the LDAP server either anonymously or with a fixed account and searching for the distinguished name of the authenticating user. Then we can attempt to bind again with the user’s password.
的第二种方法是从他的用户名推导用户的DN和尝试绑定作为用户直接
The second method is to derive the user’s DN from his username and attempt to bind as the user directly.
我希望能够做到用谁是试图访问该应用程序的用户的用户ID(sAMAccountName赋)和密码直接绑定。请让我知道如果有一种方法来实现这一目标?在那一刻,我似乎无法使这项工作由于下面的问题进行说明。
I want to be able to do a direct bind using the userid (sAMAccountName) and password of the user who is trying to gain access to the application. Please let me know if there is a way to achieve this? At the moment, I cannot seem to make this work due to the problem explained below.
在我的情况下,用户在LDAP的DN是以下格式的
In my case, the DN of users in LDAP is of the following format
**'CN=Steven Jones,OU=Users,OU=Central,OU=US,DC=client,DC=corp'**
这基本上是翻译为CN =名姓,OU =用户,OU =中央,OU = US,DC =客户端,DC =总公司
This basically translates to 'CN=FirstName LastName,OU=Users,OU=Central,OU=US,DC=client,DC=corp'
这是$ P $使用该用户的直接绑定作为 sAMAccountName赋 pventing我是 sjones ,这是对应于用户名的参数(%用户)我不能想出一个办法帧适当的 AUTH_LDAP_USER_DN_TEMPLATE ,以获得用户的DN使用。
This is preventing me from using Direct Bind as the sAMAccountName of the user is sjones and this is the parameter that corresponds to the user name (%user) and I can't figure out a way to frame a proper AUTH_LDAP_USER_DN_TEMPLATE to derive the User's DN using.
由于上述解释的问题,我使用的搜索/绑定的,但现在这需要我有一个固定的用户凭证中的 AUTH_LDAP_BIND_DN到指定和 AUTH_LDAP_BIND_PASSWORD 。
Due to the above explained problem, I am using Search/Bind for now but this requires me to have a fixed user credential to be specified in AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD.
下面是我当前的 settings.py 配置
AUTH_LDAP_SERVER_URI = "ldap://10.5.120.161:389"
AUTH_LDAP_BIND_DN='CN=Steven Jones,OU=Users,OU=Central,OU=US,DC=client,DC=corp'
AUTH_LDAP_BIND_PASSWORD='fga.1234'
#AUTH_LDAP_USER_DN_TEMPLATE = 'CN=%(user)s,OU=Appl Groups,OU=Central,OU=US,DC=client,DC=corp'
AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
LDAPSearch("OU=Users, OU=Central,OU=US,DC=client,DC=corp",ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"),
LDAPSearch("OU=Users,OU=Regional,OU=Locales,OU=US,DC=client,DC=corp",ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"),
)
AUTH_LDAP_USER_ATTR_MAP = {"first_name": "givenName", "last_name": "sn","email":"mail"}
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("CN=GG_BusinessApp_US,OU=Appl Groups,OU=Central,OU=US,DC=client,DC=corp",ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_REQUIRE_GROUP = 'CN=GG_BusinessApp_US,OU=Appl Groups,OU=Central,OU=US,DC=client,DC=corp'
期待从美妙的人在这里的一些指导。
Looking forward for some guidance from the wonderful folks in here.
推荐答案
我有同样的问题。
我跑了防空火炮:https://bitbucket.org/psagers/django-auth-ldap/issue/21/cant-bind-and-search-on-activedirectory
笔者提出了一种方法来改变的库文件Django的身份验证,LDAP,以便它可以做一个直接的绑定。
The author brought up a way to change the library files for django-auth-ldap so that it could do a direct bind.
结果还是要改变/django_auth_ldap/backend.py包括各地的364行两行:
It came down to changing /django_auth_ldap/backend.py to include two lines around line 364:
if sticky and ldap_settings.AUTH_LDAP_USER_SEARCH:
self._search_for_user_dn()[/code]
我能得到这一点,正在运行的Arch Linux 3.9.8-1拱在我的本地macheine工作,但我无法复制它运行Ubuntu 13.04,开发服务器上
I was able to get this to work on my local macheine that was running Arch Linux 3.9.8-1-ARCH, but I was unable to replicate it on the dev server running Ubuntu 13.04.
希望这可以帮助。
这篇关于Django的验证LDAP - 使用sAMAccountName赋直接绑定的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!