
userena breaks ldap authentication

Open trbs opened this issue 10 years ago • 9 comments

Because userena and localshop use a different set of login parameters than the default, this breaks third-party backends like django_auth_ldap.

The workaround is some additional code like this:

from django_auth_ldap.backend import LDAPBackend as Orig

class LDAPBackend(Orig):
    def authenticate(self, username=None, password=None, identification=None):
        if identification and not username:
            username = identification
        return super(LDAPBackend, self).authenticate(username, password)

But it's kind of silly that users have to jump through all these hoops for a django app that should just-work(tm).

trbs avatar Oct 16 '13 10:10 trbs

Hi @trbs, I've tried adding your code (see #102) and it works, but other pages are now forbidden when accessed. Any tips to solve this? Thanks in advance.

cocoy avatar Mar 17 '14 23:03 cocoy

Hi @cocoy I'm using a very similar setup to your #102

Differences are:

In settings.py:

AUTHENTICATION_BACKENDS = (
    'ldap_workaround.LDAPBackend',
    'userena.backends.UserenaAuthenticationBackend',
    'guardian.backends.ObjectPermissionBackend',
    'localshop.apps.permissions.backend.CredentialBackend',
    'django.contrib.auth.backends.ModelBackend',
)

I have LDAP as the first AUTHENTICATION_BACKENDS

And I'm using in ldap_workaround.py:

# {{ ansible_managed }}

from django_auth_ldap.backend import LDAPBackend as Orig

class LDAPBackend(Orig):
    def authenticate(self, username=None, password=None, identification=None):
        if identification and not username:
            username = identification
        return super(LDAPBackend, self).authenticate(username, password)

from django.db.models.signals import post_save
from django.contrib.auth.models import User
from localshop.apps.permissions.models import AuthProfile

def create_auth_profile(sender, **kwargs):
    user = kwargs['instance']
    if kwargs['created']:
        AuthProfile(user=user).save()

post_save.connect(create_auth_profile, sender=User, dispatch_uid="create_auth_profile")

Maybe it is the order of the AUTHENTICATION_BACKENDS that is causing problems for you?

trbs avatar Mar 17 '14 23:03 trbs
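The workaround in the opening post and in ldap_workaround.py above, as an added example that is not code from this thread or from localshop: an adapter that maps userena's `identification` keyword onto `username`, refuses a call that names two different identities, and passes any further keywords through. `FakeLDAPBackend` is a constructed offline stand-in for django_auth_ldap's LDAPBackend (which, like the real one, only understands `username`), so the block runs without Django or an LDAP server.

```python
class FakeLDAPBackend:
    """Constructed stand-in for django_auth_ldap.backend.LDAPBackend.

    Like the real backend it authenticates by `username`; it does not know
    the `identification` keyword that userena's login form sends.
    """

    DIRECTORY = {"alice": "s3cret"}  # constructed sample credentials

    def authenticate(self, username=None, password=None, **kwargs):
        if username is None or password is None:
            return None
        if self.DIRECTORY.get(username) == password:
            # Plain user record: no superuser flag, so page access still
            # depends on the permissions granted to the user's group.
            return {"username": username, "is_superuser": False}
        return None


class LDAPBackend(FakeLDAPBackend):
    """Accepts userena's `identification` keyword and maps it onto `username`."""

    def authenticate(self, username=None, password=None, identification=None, **kwargs):
        if identification is not None and username is not None and identification != username:
            # Two different identities in one call is ambiguous: refuse rather than guess.
            return None
        if username is None:
            username = identification
        # Forward `request` or any other keyword untouched so the wrapped
        # backend's newer signatures keep working.
        return super().authenticate(username=username, password=password, **kwargs)
```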

@trbs Seems I missed the lines below to create profiles, I assume this is required. Thanks, will try it out.

cocoy avatar Mar 17 '14 23:03 cocoy

LDAP login works fine, I can log in without problem. But clicking on other pages like http://mylocalserver/packages/ says Forbidden.

cocoy avatar Mar 18 '14 06:03 cocoy

For the forbidden thing, make sure you have

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=group,cn=groups,dc=company,dc=com",
    "is_staff": ["cn=group,cn=groups,dc=company,dc=com"],
    "is_superuser": "cn=group,cn=groups,dc=company,dc=com"
}

Seems the is_superuser is what is required to be able to browse the other pages...

sposs avatar Nov 10 '14 15:11 sposs

Seems my issue with Forbidden pages is because the group in LDAP has no access to the packages.

I have to allow "package | packages | Can view packages" on the admin page, i.e. http://localhost:8000/admin/auth/group/

Maybe this one fixes the same config at localshop.conf.py

cocoy avatar Nov 11 '14 08:11 cocoy

Indeed @sposs it works!

cocoy avatar Nov 11 '14 08:11 cocoy

Ah, the problem is that the other permissions on admin pages were granted to the LDAP user when set to is_superuser.

cocoy avatar Nov 11 '14 08:11 cocoy

Just an FYI, I've just removed django-userena in the develop branch, so I'm hoping to get LDAP support built in by default now. Let me know if you have any tips or can even help me with a PR.

mvantellingen avatar May 25 '15 13:05 mvantellingen