diff --git a/ADConnector.py b/ADConnector.py index 7b33339..47701a0 100644 --- a/ADConnector.py +++ b/ADConnector.py @@ -2,13 +2,13 @@ """ # MS Active Directory (AD) Authentication -> ActiveDirectory/LDAP authentication backend for SAL with ldap group to business unit mapping. +> ActiveDirectory/LDAP authentication backend for Sal with ldap group to business unit mapping. -This class is a django authentication backend with ActiveDirectory/LDAP integration for [SAL](https://github.com/salopensource). -* It binds to the configured AD/LDAP server with username and password from the SAL/django user login. -* Creates a SAL/django user with field information from AD/LDAP (no password is stored in django!) -* Sets SAL user profile (GA, RW, RO) based on their AD/LDAP group. -* Assigns users to SAL business units based on their AD/LDAP group. +This class is a Django authentication backend with ActiveDirectory/LDAP integration for [Sal](https://github.com/salopensource). +* It binds to the configured AD/LDAP server with username and password from the Sal/Django user login. +* Creates a Sal/Django user with field information from AD/LDAP (no password is stored in Django!) +* Sets Sal user profile (GA, RW, RO) based on their AD/LDAP group. +* Assigns users to Sal business units based on their AD/LDAP group. * Updates the user profile and business unit assignment at every login of the user. ## Requirements @@ -17,7 +17,7 @@ ## Settings -Following settings can/need to be configured in the django `settings.py` file to get this ActiveDirectory authentication backend to work. +Following settings can/need to be configured in the Django `settings.py` file to get this ActiveDirectory authentication backend to work. ### AUTHENTICATION_BACKENDS (important) @@ -67,7 +67,7 @@ ### AUTH_LDAP_USER_ATTR_MAP -Mapping of the AD/LDAP attributes to django attributes. If these settings are not configured, these default values are used. +Mapping of the AD/LDAP attributes to Django attributes. If these settings are not configured, these default values are used. ```Python AUTH_LDAP_USER_ATTR_MAP = { @@ -80,7 +80,7 @@ ### AUTH_LDAP_TRUST_ALL_CERTIFICATES -If you have a self signed certificate or an unknown certificate to the django server, you need to disable the certificate check by setting this value to `True`. +If you have a self signed certificate or an unknown certificate to the Django server, you need to disable the certificate check by setting this value to `True`. ```Python AUTH_LDAP_TRUST_ALL_CERTIFICATES = True ``` @@ -89,7 +89,7 @@ ### AUTH_LDAP_USER_PREFIX -Django users that where created via AD/LDAP recieve the ldap_ preffix. (`username` becomes `ldap_username`). This allows to have local django users and AD/LDAP users in coexistence. Furthermore, local django users and AD/LDAP users are distinguished very easy. +Django users that where created via AD/LDAP recieve the ldap_ preffix. (`username` becomes `ldap_username`). This allows to have local Django users and AD/LDAP users in coexistence. Furthermore, local Django users and AD/LDAP users are distinguished very easy. ```Python AUTH_LDAP_USER_PREFIX = 'ldap_' @@ -97,7 +97,7 @@ ### AUTH_LDAP_USER_PROFILE (important) -Mapping of the user profile level (`GA` = Global Admin, `RW` = Read & Write, `RO` = Read Only, `SO` = Stats Only (*not implemented in SAL*)) to AD/LDAP groups. Mapping is a dictionary, where the key is the user profile level and the value corresponds to the AD/LDAP group. The group can be a single group or a list/tuple of AD/LDAP groups. +Mapping of the user profile level (`GA` = Global Admin, `RW` = Read & Write, `RO` = Read Only, `SO` = Stats Only (*not implemented in Sal*)) to AD/LDAP groups. Mapping is a dictionary, where the key is the user profile level and the value corresponds to the AD/LDAP group. The group can be a single group or a list/tuple of AD/LDAP groups. ```Python AUTH_LDAP_USER_PROFILE = { @@ -128,7 +128,7 @@ ## Logging -If something does not work as expected, an extensive debug logging can be turned on. This is implemented with the python logging module and can be configured in the django settings. +If something does not work as expected, an extensive debug logging can be turned on. This is implemented with the python logging module and can be configured in the Django settings. ```Python LOGGING = { @@ -161,14 +161,14 @@ ## FAQ -### Can existing django users with identical usernames coexist with new AD/LDAP users? +### Can existing Django users with identical usernames coexist with new AD/LDAP users? Yes: This can be accomplished with the setting `AUTH_LDAP_USER_PREFIX` very easily. -This configured prefix will be added to the django username, therefore existing django users with the same username as users in the AD/LDAP can still login. +This configured prefix will be added to the Django username, therefore existing Django users with the same username as users in the AD/LDAP can still login. ### Is it possible to have a user with readonly rights in specific business unit and with write rights in a different one? -No: Unfortunately this is not possible by design of SAL. A user does always have **one** user profile which is valid for all assigned business unit. +No: Unfortunately this is not possible by design of Sal. A user does always have **one** user profile which is valid for all assigned business unit. ### What happens if the authenticated user is not in any of the configured user profiles (GA, RW, RO)? @@ -178,11 +178,11 @@ This is possible with business unit `#ALL_BU` in the `AUTH_LDAP_USER_TO_BUSINESS_UNIT` configuration. -### Assigned business units in SAL get reset every time a user logs in? +### Assigned business units in Sal get reset every time a user logs in? The user profile and all assigned business units of a user get a reset every time a user logs in. Otherwise it is not possible to ensure that users get removed from business units they shouldn't have access anymore. -Therefore it is not possible and recommended to mix the assignment between SAL and the AD/LDAP configuration. +Therefore it is not possible and recommended to mix the assignment between Sal and the AD/LDAP configuration. ### Does this authentication work with another ldap implementation than AD/LDAP as well? @@ -418,7 +418,7 @@ def authenticate(self, username=None, password=None): else: self.logger.debug('No ldap group for user profile "RO" defined in settings OR user profile already set to GA or RW.') - # SO = Stats Only (not implemented (yet?) in SAL) + # SO = Stats Only (not implemented (yet?) in Sal) #------------------------------------------------ user_profile_groups = None # temporary variable with ldap groups try: # Check if setting exist @@ -505,7 +505,7 @@ def authenticate(self, username=None, password=None): else: self.logger.debug('User %s is NOT member of group %s.' % (ldap_username, group)) else: - self.logger.warn('Business unit in settings (AUTH_LDAP_USER_TO_BUSINESS_UNIT) %s does not exist in existing SAL business units (%s)' % + self.logger.warn('Business unit in settings (AUTH_LDAP_USER_TO_BUSINESS_UNIT) %s does not exist in existing Sal business units (%s)' % (business_unit, ''.join(all_business_units))) elif user_profile == 'GA': self.logger.debug('User %s has user profile GA (Global Admin), therefore not necessary to assign business units to the user.' % username_django) @@ -661,7 +661,7 @@ def __is_user_member_of_ldap_group(self, ldap_connection, username, group_dn, ld return False - # SAL Stuff - profile and business unit permissions + # Sal Stuff - profile and business unit permissions ################################################### def __set_userprofile(self, username, level): @@ -671,7 +671,7 @@ def __set_userprofile(self, username, level): If the userprofile does not yet exist in the database, create it. Args: - username: django username + username: Django username level: GA, RW, RO, SO; has to be in the list of UserProfile.LEVEL_CHOICES Returns: Nothing @@ -680,7 +680,7 @@ def __set_userprofile(self, username, level): assert str(level).upper() in dict(UserProfile.LEVEL_CHOICES).keys() assert username is not None - # Get django user + # Get Django user try: user = User.objects.get(username=username) except User.DoesNotExist as udne: @@ -709,7 +709,7 @@ def __get_business_units(self, username = None): business_units_names = [str(unit.name) for unit in business_units] self.logger.debug('All Business units: %s' % ', '.join(business_units_names)) else: - # Get django user + # Get Django user try: self.logger.debug('Get all business units of user %s.' % username) user = User.objects.get(username=username) @@ -728,8 +728,8 @@ def __add_user_to_business_unit(self, username, business_unit_name): Assign business unit to user. If the user does not exist, raise an exception. Args: - username: django username (NOT a django user object!) - business_unit_name: Name of the business unit (Not a django BusinessUnit object) + username: Django username (NOT a Django user object!) + business_unit_name: Name of the business unit (Not a Django BusinessUnit object) Returns: Nothing @@ -738,7 +738,7 @@ def __add_user_to_business_unit(self, username, business_unit_name): assert username is not None assert business_unit_name is not None - # Get django user + # Get Django user try: user = User.objects.get(username=username) except User.DoesNotExist as udne: @@ -754,8 +754,8 @@ def __remove_user_from_business_unit(self, username, business_unit_name): Remove business unit of user. If the business unit is not assigned to the user, the assignment can't get removed. If the user does not exist, raise an exception. Args: - username: django username (NOT a django user object!) - business_unit_name: Name of the business unit (Not a django BusinessUnit object) + username: Django username (NOT a Django user object!) + business_unit_name: Name of the business unit (Not a Django BusinessUnit object) Returns: Nothing @@ -779,8 +779,8 @@ def __remove_user_from_business_unit(self, username, business_unit_name): def __get_or_create_django_user(self, username, first_name = None, last_name = None, email = None): """ - Get or create a django user. If a dango user with the given username does already exist, - update the given fields and return the django user object. If a user with the given username does not yet exist, + Get or create a Django user. If a dango user with the given username does already exist, + update the given fields and return the Django user object. If a user with the given username does not yet exist, create a user with all given fields. Args: @@ -789,13 +789,13 @@ def __get_or_create_django_user(self, username, first_name = None, last_name = N last_name: email: - Returns: A django user object. + Returns: A Django user object. """ assert username is not None - self.logger.debug('Get or create django user %s (fist_name: %s, last_name: %s, email: %s)' % + self.logger.debug('Get or create Django user %s (fist_name: %s, last_name: %s, email: %s)' % (username, first_name, last_name, email)) try: @@ -819,7 +819,7 @@ def __get_or_create_django_user(self, username, first_name = None, last_name = N # Required for your backend to work properly - unchanged in most scenarios def get_user(self, user_id): - self.logger.debug('Get django user %s' % user_id) + self.logger.debug('Get Django user %s' % user_id) try: return User.objects.get(pk=user_id) except User.DoesNotExist: diff --git a/README.md b/README.md index 21fd599..17234e3 100644 --- a/README.md +++ b/README.md @@ -1,20 +1,20 @@ # MS Active Directory (AD) Connector -> ActiveDirectory/LDAP authentication backend extension for SAL with ldap group to business unit mapping. +> ActiveDirectory/LDAP authentication backend extension for Sal with ldap group to business unit mapping. -This docker container extends [SAL](https://github.com/salopensource/sal) by adding a django authentication +This docker container extends [Sal](https://github.com/salopensource/sal) by adding a Django authentication backend with ActiveDirectory/LDAP integration. Currently, this connector works with MS ActiveDirectory/LDAP only. # Features -* Binding to the configured AD/LDAP server with username and password from the SAL/django user login. -* Creating a SAL/django user with field information from AD/LDAP (no password is stored in django!) -* Setting SAL user profile (GA, RW, RO) based on their AD/LDAP group. -* Assigning users to SAL business units based on their AD/LDAP group. +* Binding to the configured AD/LDAP server with username and password from the Sal/Django user login. +* Creating a Sal/Django user with field information from AD/LDAP (no password is stored in Django!) +* Setting Sal user profile (GA, RW, RO) based on their AD/LDAP group. +* Assigning users to Sal business units based on their AD/LDAP group. * Updating the user profile and business unit assignment at every login of the user. # Docker Setup -The setup is idantical to a standard sal docker container as described in the [SAL Wiki](https://github.com/salopensource/sal/wiki/Docker). +The setup is idantical to a standard Sal docker container as described in the [Sal Wiki](https://github.com/salopensource/sal/wiki/Docker). In addition you have to link your `settings.py` into the container. ```bash @@ -30,7 +30,7 @@ $ docker run -d --name="sal"\ ``` # Settings -Following settings can/need to be configured in the django `settings.py` file to get this ActiveDirectory authentication backend to work. +Following settings can/need to be configured in the Django `settings.py` file to get this ActiveDirectory authentication backend to work. See the `settings_example.py` for guidance. ## AUTHENTICATION_BACKENDS (important) @@ -71,7 +71,7 @@ AUTH_LDAP_USER_SEARCH = ('DC=ch,DC=ads,DC=company,DC=com', 'DC=uk,DC=ads,DC=comp ``` ## AUTH_LDAP_USER_ATTR_MAP -Mapping of the AD/LDAP attributes to django attributes. If these settings are not configured, these default values are used. +Mapping of the AD/LDAP attributes to Django attributes. If these settings are not configured, these default values are used. ```Python AUTH_LDAP_USER_ATTR_MAP = { "username": "sAMAccountName", @@ -82,20 +82,20 @@ AUTH_LDAP_USER_ATTR_MAP = { ``` ## AUTH_LDAP_TRUST_ALL_CERTIFICATES -If you have a self signed certificate or an unknown certificate to the django server, you need to disable the certificate check by setting this value to `True`. +If you have a self signed certificate or an unknown certificate to the Django server, you need to disable the certificate check by setting this value to `True`. ```Python AUTH_LDAP_TRUST_ALL_CERTIFICATES = True ``` -The parameter defaults to `False`, causing sal to trust certificates with a valide certificate chain only. +The parameter defaults to `False`, causing Sal to trust certificates with a valide certificate chain only. ## AUTH_LDAP_USER_PREFIX -Django users that where created via AD/LDAP recieve the ldap_ preffix. (`username` becomes `ldap_username`). This allows to have local django users and AD/LDAP users in coexistence. Furthermore, local django users and AD/LDAP users are distinguished very easy. +Django users that where created via AD/LDAP recieve the ldap_ preffix. (`username` becomes `ldap_username`). This allows to have local Django users and AD/LDAP users in coexistence. Furthermore, local Django users and AD/LDAP users are distinguished very easy. ```Python AUTH_LDAP_USER_PREFIX = 'ldap_' ``` ## AUTH_LDAP_USER_PROFILE (important) -Mapping of the user profile level (`GA` = Global Admin, `RW` = Read & Write, `RO` = Read Only, `SO` = Stats Only (*not implemented in SAL*)) to AD/LDAP groups. Mapping is a dictionary, where the key is the user profile level and the value corresponds to the AD/LDAP group. The group can be a single group or a list/tuple of AD/LDAP groups. +Mapping of the user profile level (`GA` = Global Admin, `RW` = Read & Write, `RO` = Read Only, `SO` = Stats Only (*not implemented in Sal*)) to AD/LDAP groups. Mapping is a dictionary, where the key is the user profile level and the value corresponds to the AD/LDAP group. The group can be a single group or a list/tuple of AD/LDAP groups. ```Python AUTH_LDAP_USER_PROFILE = { 'RO': ('CN=all-users,OU=it,DC=ad,DC=company,DC=com',), @@ -120,7 +120,7 @@ AUTH_LDAP_USER_TO_BUSINESS_UNIT = { **Attention**: `#ALL_BU` is a special business unit. All users in this configured groups get access to all existing business units. # Logging -If something does not work as expected, an extensive debug logging can be turned on. This is implemented with the python logging module and can be configured in the django settings. +If something does not work as expected, an extensive debug logging can be turned on. This is implemented with the python logging module and can be configured in the Django settings. ```Python LOGGING = { 'version': 1, @@ -151,24 +151,23 @@ LOGGING = { With this configuration everything is logged to `/tmp/sal.log`. Make sure that you turn off this option in production environment! # FAQ -## Can existing django users with identical usernames coexist with new AD/LDAP users? +## Can existing Django users with identical usernames coexist with new AD/LDAP users? Yes: This can be accomplished with the setting `AUTH_LDAP_USER_PREFIX` very easily. -This configured prefix will be added to the django username, therefore existing django users with the same username as users in the AD/LDAP can still login. +This configured prefix will be added to the Django username, therefore existing Django users with the same username as users in the AD/LDAP can still login. ## Is it possible to have a user with readonly rights in specific business unit and with write rights in a different one? -No: Unfortunately this is not possible by design of SAL. A user does always have **one** user profile which is valid for all assigned business unit. +No: Unfortunately this is not possible by design of Sal. A user does always have **one** user profile which is valid for all assigned business unit. ## What happens if the authenticated user is not in any of the configured user profiles (GA, RW, RO)? Then the default user profile is set, which is read only (RO). Defined at `UserProfile._meta.get_field('level').get_default()`. ## Can a user get assigned to all existing business units? This is possible with business unit `#ALL_BU` in the `AUTH_LDAP_USER_TO_BUSINESS_UNIT` configuration. -## Assigned business units in SAL get reset every time a user logs in? +## Assigned business units in Sal get reset every time a user logs in? The user profile and all assigned business units of a user get a reset every time a user logs in. Otherwise it is not possible to ensure that users get removed from business units they shouldn't have access anymore. -Therefore it is not possible and recommended to mix the assignment between SAL and the AD/LDAP configuration. +Therefore it is not possible and recommended to mix the assignment between Sal and the AD/LDAP configuration. ## Does this authentication work with another ldap implementation than AD/LDAP as well? May be! But it is not tested or guaranteed. There are some AD/LDAP specific notations used to get nested groups (`memberOf:1.2.840.113556.1.4.1941:=`), therefore I would not trust on a connection to another ldap implementation. ## This sounds like a nice feature but I don't have a need for it. How do I disable it? -The AD/LDAP connector is not enabled by default. If you intend to use the connector, you haveto add it to your `AUTHENTICATION_BACKENDS` settings and configure it correctly. # Possible improvements There are always things which can be improved! @@ -177,11 +176,11 @@ There are always things which can be improved! # Versions -## 1.0.1 +The version is identical with the version of Sal in the Dockerfile. This version of Sal is tested and proved to work with the given AD/LDAP authentication. -- [Support multiple user scopes](https://github.com/haribert/sal-ActiveDirectory/issues/1) -- Documentation update - -## 1.0.0 +It could be that new authentication features get introduced between different version. See the changelog below for details. -- Initial Version \ No newline at end of file +## 3.2.14 +- Sal version 3.2.14 in docker container +- [Support multiple user scopes](https://github.com/haribert/sal-ActiveDirectory/issues/1) +- Documentation update \ No newline at end of file