Question

我正在使用Django应用程序，该应用程序需要直接支持LDAP身份验证到默认管理页面我已经整合了django-auth-ldap并跟随documentation直到我能理解它为止。
我已经使用OpenLDAP和php图形界面配置了本地LDAP服务器（我也可以使用ldif文件配置）。当我尝试登录管理页面时，Django会在其中找到本地服务器及其用户对象，并且还可以识别用户所属的组。尽管如此，我还是无法登录。我发现错误：

[21 / Aug / 2014 11:06:53]＆＃34; GET / admin / HTTP / 1.1＆＃34; 200 1870
  search_s（＆＃39; ou = users，dc = whiteqube＆＃39;，2，＆＃39;（cn =％（user）s）＆＃39;）返回1个对象：cn = sonia，ou = users，dc = whiteqube
调试：django_auth_ldap：search_s（＆＃39; ou = users，dc = whiteqube＆＃39;，2，＆＃39;（cn =％（user）s）＆＃39;）返回1个对象：cn =索尼娅，OU =用户，DC = whiteqube
对sonia的身份验证失败
调试：django_auth_ldap：sonia的身份验证失败
[21 / Aug / 2014 11:06:56]＆＃34; POST / admin / HTTP / 1.1＆＃34; 200 2046

在Admin界面中，无法登录。
我的settings.py：

# - - - - LDAP CONFIGURATION - - - - #
#
# Importing ldap libraries and applications
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType, PosixGroupType

# ...connecting to ldap server (local environment uses IP)
AUTH_LDAP_SERVER_URI = "ldap://10.0.2.15"

# ...account to enter into ldap server (anonymous is not always allowed)
#AUTH_LDAP_BIND_DN = "cn=admin,dc=whiteqube"
#AUTH_LDAP_BIND_PASSWORD = "root"

# ...path where to start to search groups
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=groups,dc=whiteqube",
                                    ldap.SCOPE_SUBTREE, # allow searching from current node to all nodes below
                                    "(objectClass=posixGroup)" # type of object
)
AUTH_LDAP_GROUP_TYPE = PosixGroupType() # a posixGroup is identified by the keyword "cn" into ldap server

# ...associations between ldap and django groups
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=active,ou=groups,dc=whiteqube",
    "is_staff": "cn=staff,ou=groups,dc=whiteqube",
    "is_superuser": "cn=superuser,ou=groups,dc=whiteqube"
}
AUTH_LDAP_PROFILE_FLAGS_BY_GROUPS = {
    "is_awesome": ["cn=awesome,ou=groups,dc=whiteqube"]
}


# ...node where to start to search users
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=whiteqube",
                                   ldap.SCOPE_SUBTREE, # allow searching from current node to all nodes below
                                   "(cn=%(user)s)"
                                   #"(objectClass=posixAccount)"
                                   #"(objectClass=inetOrgPerson)"
)
# Keep ModelBackend around for per-user permissions and maybe a local
# superuser.
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)

# Enable debug for ldap server connection
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.setLevel(logging.DEBUG)
# - - - - END  LDAP CONFIGURATION - - - - #

我的LDAP充满了这些对象：

OU =基团，DC = whitecube
- CN =超级用户，OU =基团，DC = whiteqube
- CN =人员，OU =基团，DC = whiteqube
OU =用户，DC = whiteqube
- CN =索尼娅，OU =用户，DC = whiteqube

其中＆＃34;群组＆＃34;和＆＃34;用户＆＃34;是OrganizationalUnit，＆＃34; staff＆＃34;和超级用户＆＃34;是posixGroup，＆＃34; sonia＆＃34;是posixAccount。

查看图片

LDAP Tree
我确定ldap对象是必须配置的，因为Django调试可识别用户的组依赖。

Ps：我在使用django本地帐户时能够登录管理员。

我错在哪里？我错过了任何进一步的属性配置吗？

Answer 1

我终于搞定了！调试：用户必须属于所有组（活动，员工，超级用户）才能登录管理界面，至少已创建新的个人组。

在我的上一篇文章中，settings.py和LDAP树的配置是正确的，因此您可以保留有关如何创建LDAP并在django应用程序中实施的信息。请记住：如果您使用默认组，请在所有组中添加用户以允许管理员登录。

谢谢。再见

Answer 2

实际上我已经解决了有关LDAP对象的问题我在settings.py中添加了一些部分并更改了LDAP树的结构（链接到下面的图像）现在，如果我尝试使用LDAP用户的信息登录，程序将填充Django Users表中的一行。检查Django数据库我注意到Django管理员无法读取用户密码，但django_auth_ldap documentation指定它是正常的。

但是，我仍然无法登录我发现的新错误是：

[26/Aug/2014 09:42:15] "GET /admin/ HTTP/1.1" 200 1870
search_s('ou=users,dc=whiteqube', 2, '(uid=%(user)s)') returned 1 objects: cn=marco rossi,ou=users,dc=whiteqube
DEBUG:django_auth_ldap:search_s('ou=users,dc=whiteqube', 2, '(uid=%(user)s)') returned 1 objects: cn=marco rossi,ou=users,dc=whiteqube
cn=marco rossi,ou=users,dc=whiteqube is a member of cn=enabled,ou=groups,dc=whiteqube
DEBUG:django_auth_ldap:cn=marco rossi,ou=users,dc=whiteqube is a member of cn=enabled,ou=groups,dc=whiteqube
cn=marco rossi,ou=users,dc=whiteqube is not a member of cn=disabled,ou=groups,dc=whiteqube
DEBUG:django_auth_ldap:cn=marco rossi,ou=users,dc=whiteqube is not a member of cn=disabled,ou=groups,dc=whiteqube
Populating Django user mrossi
DEBUG:django_auth_ldap:Populating Django user mrossi
cn=marco rossi,ou=users,dc=whiteqube is a member of cn=superuser,ou=groups,dc=whiteqube
DEBUG:django_auth_ldap:cn=marco rossi,ou=users,dc=whiteqube is a member of cn=superuser,ou=groups,dc=whiteqube
cn=marco rossi,ou=users,dc=whiteqube is not a member of cn=staff,ou=groups,dc=whiteqube
DEBUG:django_auth_ldap:cn=marco rossi,ou=users,dc=whiteqube is not a member of cn=staff,ou=groups,dc=whiteqube
cn=marco rossi,ou=users,dc=whiteqube is a member of cn=active,ou=groups,dc=whiteqube
DEBUG:django_auth_ldap:cn=marco rossi,ou=users,dc=whiteqube is a member of cn=active,ou=groups,dc=whiteqube
/home/andrea/PycharmProjects/wq_asja_gateway_v1/env/local/lib/python2.7/site-packages/django_auth_ldap/backend.py:590: DeprecationWarning: The use of AUTH_PROFILE_MODULE to define user profiles has been deprecated.
  profile = self._user.get_profile()

WARNING:py.warnings:/home/andrea/PycharmProjects/wq_asja_gateway_v1/env/local/lib/python2.7/site-packages/django_auth_ldap/backend.py:590: DeprecationWarning: The use of AUTH_PROFILE_MODULE to define user profiles has been deprecated.
  profile = self._user.get_profile()

Django user mrossi does not have a profile to populate
DEBUG:django_auth_ldap:Django user mrossi does not have a profile to populate

我的新settings.py配置：

#  #  #  #  #  #  #  #  #  #  #  #  #  #  #
# - - - - LDAP CONFIGURATION - - - - #
#
# Importing ldap libraries and applications
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType, PosixGroupType

# ...connecting to ldap server (local environment uses IP)
AUTH_LDAP_GLOBAL_OPTIONS = {
    ldap.OPT_X_TLS_REQUIRE_CERT: False,
    ldap.OPT_REFERRALS: False
}
AUTH_LDAP_SERVER_URI = "ldap://10.0.2.15"

# ...account to enter into ldap server (anonymous is not always allowed)
AUTH_LDAP_BIND_DN = "cn=admin,dc=whiteqube"
AUTH_LDAP_BIND_PASSWORD = "root"

# ...node where to start to search users
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=whiteqube",
                                   ldap.SCOPE_SUBTREE,  # allow searching from current node to all nodes below
                                   "(uid=%(user)s)"
                                   #"(objectClass=posixAccount)"
                                   #"(objectClass=simpleSecurityObject)"
)

# ...path where to start to search groups
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=groups,dc=whiteqube",
                                    ldap.SCOPE_SUBTREE,  # allow searching from current node to all nodes below
                                    "(objectClass=posixGroup)"  # type of object
)
AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr="cn")  # a posixGroup is identified by the keyword "cn" into ldap server

# ...simple group restrictions
AUTH_LDAP_REQUIRE_GROUP = "cn=enabled,ou=groups,dc=whiteqube"
AUTH_LDAP_DENY_GROUP = "cn=disabled,ou=groups,dc=whiteqube"

# ...populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
    "username": "uid",
    "password": "userPassword",
}
AUTH_LDAP_PROFILE_ATTR_MAP = {
    "home_directory": "homeDirectory"
}

# ...associations between ldap and django groups
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=active,ou=groups,dc=whiteqube",
    "is_staff": "cn=staff,ou=groups,dc=whiteqube",
    "is_superuser": "cn=superuser,ou=groups,dc=whiteqube"
}
AUTH_LDAP_PROFILE_FLAGS_BY_GROUPS = {
    "is_awesome": ["cn=awesome,ou=groups,dc=whiteqube"]
}

# ...use LDAP group membership to calculate permission
AUTH_LDAP_FIND_GROUP_PERMS = True

# Keep ModelBackend around for per-user permissions and maybe a local
# superuser.
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)

# Enable debug for ldap server connection
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.setLevel(logging.DEBUG)
# - - - - END  LDAP CONFIGURATION - - - - #
#  #  #  #  #  #  #  #  #  #  #  #  #  #  #

LDAP tree ...其中：

cn = marco rossi（我用来登录的帐号）是posixAccount，cn = superuser和cn = enabled的成员，都是posixGroup。

有什么建议继续下去？

使用ldap配置文件在django admin中进行身份验证

2 个答案: