
Django-Ldap-Authentication

I am trying to authenticate the user with the LDAP server in Django.

I have configured my settings.py as follows:

AUTH_LDAP_SERVER_URI = "ldap.forumsys.com"
AUTH_LDAP_BIND_DN = "cn=read-only-admin,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_USER_SEARCH = LDAPSearch("dc=example,dc=com",
    ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
AUTH_LDAP_START_TLS = True


AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
    )

In my views I have tried to authenticate it with the LDAPBackend:

from django.http import HttpResponse
from django_auth_ldap.backend import LDAPBackend
from django.contrib.auth.models import User


from django.conf import settings


def login_user(request):

    state = ""

    username = settings.AUTH_LDAP_BIND_DN
    password = settings.AUTH_LDAP_BIND_PASSWORD

    auth = LDAPBackend()

    try:
        User = auth.authenticate(username=username,password=password) 
        if User is not None:
            state = "Valid"

        else:
            state = "Invalid"

    except LDAPError as e:
            state = "Error"

    return HttpResponse(state)  

But I am getting an error:

LDAPError while authenticating cn=read-only-admin,dc=example,dc=com: LDAPError(0,'Error')

And I do have another doubt. Are the username and password the same as the bind_username and bind_password?

My experience with LDAP didn't call for any view changes. I used the django-auth-ldap library which only required additional settings to use:

#-----------------------------------------------------------------------------#
#
#   LDAP Settings
#
#-----------------------------------------------------------------------------#

AUTHENTICATION_BACKENDS += ('django_auth_ldap.backend.LDAPBackend',) 

AUTH_LDAP_SERVER_URI = "ldaps://your.ldap.server"

AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=users,dc=example,dc=com"

Using a bind login works as well with these additional settings:

import ldap
from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_BIND_DN = "<user>"
AUTH_LDAP_BIND_PASSWORD = "<password>"
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=example,dc=com",ldap.SCOPE_SUBTREE, "(uid=%(user)s)")

Normal Django login views work fine with this setup.

EDIT: I should add that one should confirm that LDAP is working via the command line on the server before trying with Django. This is what held me up at first.

Make sure AUTH_LDAP_SERVER_URI is the hostname or IP address of AD. In Django settings.py:

import ldap
from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_SERVER_URI = "ldap://hostname or Ip address of active directory"
AUTH_LDAP_BIND_DN = "CN=sAMAccountName,CN=Users,DC=yourdomain,DC=com"
AUTH_LDAP_BIND_PASSWORD = "*******"
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0,
}
AUTH_LDAP_USER_SEARCH = LDAPSearch('CN=Users,DC=yourdomain,DC=com',
    ldap.SCOPE_SUBTREE, "userPrincipalName=%(user)s")

AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend')

And views.py should be like this,

from django.contrib.auth import views as auth_views
from forms import ProjectRequestForm, ExAuthenticationForm

def login(request):
    return auth_views.login(request, template_name='login.html', authentication_form=ExAuthenticationForm)

I would recommend using a class-based view. Also, you should assign username and password with the input of the user.

Also you should only use the authenticate() function.

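from django.contrib.auth import authenticate, login
from django.urls import reverse_lazy
from django.views.generic import FormView

# LoginForm is assumed to be defined in this app's forms.py
from .forms import LoginForm


class LoginView(FormView):
    form_class = LoginForm
    success_url = reverse_lazy('main')
    template_name = 'module_name/login.html'

    def form_valid(self, form):
        # Credentials come from the submitted form, not from settings
        username = form.cleaned_data['username']
        password = form.cleaned_data['password']
        # authenticate() tries every backend in AUTHENTICATION_BACKENDS
        user = authenticate(username=username, password=password)

        if user is not None and user.is_active:
            login(self.request, user)
            return super(LoginView, self).form_valid(form)
        else:
            return self.form_invalid(form)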

Use the default Django LoginView to start with. It should work...

from django.contrib.auth.views import LoginView

def login(request):
    return LoginView.as_view(template_name='login.html')(request)
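
Added example, not part of the original posts or of django-auth-ldap: a small pre-flight check run over the AUTH_LDAP_* settings quoted on this page, flagging a server URI without a scheme, simple binds over cleartext ldap://, StartTLS combined with ldaps://, and a missing %(user)s placeholder. Assumptions: the function name, the finding codes, the (base_dn, filter) tuple that stands in for LDAPSearch so the block runs without python-ldap, and the ad.example.invalid host are all constructed for illustration.

```python
from urllib.parse import urlparse

def audit_ldap_settings(cfg):
    """Return finding codes for a dict of AUTH_LDAP_* settings (hypothetical helper)."""
    findings = []
    scheme = urlparse(cfg.get("AUTH_LDAP_SERVER_URI", "")).scheme
    start_tls = bool(cfg.get("AUTH_LDAP_START_TLS", False))
    if scheme not in ("ldap", "ldaps", "ldapi"):
        findings.append("uri-missing-scheme")    # python-ldap expects a full URI
    elif scheme == "ldap" and not start_tls:
        findings.append("cleartext-transport")   # bind passwords cross the wire unencrypted
    elif scheme == "ldaps" and start_tls:
        findings.append("starttls-on-ldaps")     # the connection is already TLS

    template = cfg.get("AUTH_LDAP_USER_DN_TEMPLATE")
    search = cfg.get("AUTH_LDAP_USER_SEARCH")    # assumption: (base_dn, filter) tuple
    if not template and not search:
        findings.append("no-user-lookup")        # direct bind or search/bind is required
    pattern = template or (search[1] if search else "")
    if pattern and "%(user)s" not in pattern:
        findings.append("no-user-placeholder")   # the login name would never be used

    if cfg.get("AUTH_LDAP_BIND_DN") and not cfg.get("AUTH_LDAP_BIND_PASSWORD"):
        findings.append("bind-dn-without-password")  # "unauthenticated bind", RFC 4513
    return findings

# Sample inputs constructed from the settings quoted on this page.
QUESTION = {
    "AUTH_LDAP_SERVER_URI": "ldap.forumsys.com",
    "AUTH_LDAP_BIND_DN": "cn=read-only-admin,dc=example,dc=com",
    "AUTH_LDAP_BIND_PASSWORD": "password",
    "AUTH_LDAP_USER_SEARCH": ("dc=example,dc=com", "(uid=%(user)s)"),
    "AUTH_LDAP_START_TLS": True,
}
DIRECT_BIND = {
    "AUTH_LDAP_SERVER_URI": "ldaps://your.ldap.server",
    "AUTH_LDAP_USER_DN_TEMPLATE": "uid=%(user)s,ou=users,dc=example,dc=com",
}
AD_SEARCH = {
    "AUTH_LDAP_SERVER_URI": "ldap://ad.example.invalid",  # placeholder host
    "AUTH_LDAP_BIND_DN": "CN=sAMAccountName,CN=Users,DC=yourdomain,DC=com",
    "AUTH_LDAP_BIND_PASSWORD": "placeholder",
    "AUTH_LDAP_USER_SEARCH": ("CN=Users,DC=yourdomain,DC=com", "userPrincipalName=%(user)s"),
}

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION), ("direct bind", DIRECT_BIND), ("AD search", AD_SEARCH)):
        print(name, audit_ldap_settings(cfg))
```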
