我遇到了自定义身份验证后端的问题,我是通过LDAP身份验证为Active Directory构建的。
问题是来自管理员登录页面,在它正确地验证并在数据库中创建新用户(或从LDAP服务器更新其信息)之后,然后将我返回到管理员登录页面,表明我未能输入有效的用户名和密码。
考虑到它在django数据库中验证并创建/更新用户,我做错了什么?
代码:
import ldap
import re
from django.conf import ad_settings
grps = re.compile(r'CN=(\w+)').findall
def anyof(short_group_list, adu):
all_groups_of_user = set(g for gs in adu.get('memberOf',()) for g in grps(gs))
return any(g for g in short_group_list if g in all_groups_of_user)
class ActiveDirectoryBackend(ModelBackend):
"""
This backend utilizes an ActiveDirectory server via LDAP to authenticate
users, creating them in Django if they don't already exist.
"""
def authenticate(self, username=None, password=None):
con = None
ldap.set_option(ldap.OPT_REFERRALS, 0)
try:
con = ldap.initialize('ldap://%s:%s' % (ad_settings.AD_DNS_NAME,
ad_settings.AD_LDAP_PORT))
con.simple_bind_s(username+"@"+ad_settings.AD_DNS_NAME, password)
ADUser = con.search_ext_s(ad_settings.AD_SEARCH_DN,
ldap.SCOPE_SUBTREE,
"sAMAccountName=%s" % username,
ad_settings.AD_SEARCH_FIELDS)[0][1]
con.unbind()
except ldap.LDAPError:
return None
# Does user belong to appropriate AD group?
if not anyof(ad_settings.PROJECTCODE,ADUser):
return None
# Does user already exist in Django?
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
#create Django user
user = User(username=username, is_staff = True, is_superuser = False)
#Update User info from AD
if ADUser.has_key('givenName'):
user.first_name = ADUser.get('givenName')[0]
if ADUser.has_key('sn'):
user.last_name = ADUser.get('sn')[0]
if ADUser.has_key('mail'):
user.email = ADUser.get('mail')[0]
# Does not store password in Django.
user.set_unusable_password()
user.save()
return user
编辑:想通了。用户无法登录,除非它们处于活动状态(即使文档没有说明)。因此,在给定的代码中,创建新用户的行应如下所示:
user = User(username=username, is_staff = True, is_Active = True,
is_superuser = False)
答案 0 :(得分:3)
想通了。用户无法登录,除非它们处于活动状态(即使文档没有说明)。因此,在给定的代码中,创建新用户的行应如下所示:
user = User(username=username, is_staff = True, is_Active = True,
is_superuser = False)