author | Michał Górny <mgorny@gentoo.org> | 2013-09-13 13:03:58 +0200 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2013-09-22 11:03:21 +0200 |
commit | 5119fd211e420a94f9202d5fddb0bdd607ee6c07 (patch) | |
tree | 855c4c218aef2dc5171591aa01179c3f4d6df99f /okupy/common | |
parent | get_bound_ldapuser(): support custom username. (diff) | |
Replace django-auth-ldap with ldapdb-based auth backend.
Diffstat (limited to 'okupy/common')
-rw-r--r-- | okupy/common/auth.py | 34 | ||||
-rw-r--r-- | okupy/common/ldap_helpers.py | 3 |
2 files changed, 37 insertions, 0 deletions
diff --git a/okupy/common/auth.py b/okupy/common/auth.py index aa238fc..08d2fe6 100644 --- a/okupy/common/auth.py +++ b/okupy/common/auth.py @@ -5,14 +5,48 @@ from django.contrib.auth.backends import ModelBackend from django.db import IntegrityError from okupy.accounts.models import LDAPUser +from okupy.common.ldap_helpers import get_bound_ldapuser from OpenSSL.crypto import load_certificate, FILETYPE_PEM +import ldap import paramiko import base64 +class LDAPAuthBackend(ModelBackend): + """ + Authentication backend that authenticates against LDAP password. + If authentication succeeds, it sets up secondary password + for the session. + """ + + def authenticate(self, request, username, password): + try: + bound_ldapuser = get_bound_ldapuser( + request=request, + username=username, + password=password) + + with bound_ldapuser as u: + UserModel = get_user_model() + attr_dict = { + UserModel.USERNAME_FIELD: u.username + } + + user = UserModel(**attr_dict) + try: + user.save() + except IntegrityError: + user = UserModel.objects.get(**attr_dict) + return user + except ldap.INVALID_CREDENTIALS: + return None + except ldap.STRONG_AUTH_REQUIRED: + return None + + class SSLCertAuthBackend(ModelBackend): """ Authentication backend taht uses client certificate information. diff --git a/okupy/common/ldap_helpers.py b/okupy/common/ldap_helpers.py index 69cacbf..c8ac5dd 100644 --- a/okupy/common/ldap_helpers.py +++ b/okupy/common/ldap_helpers.py @@ -8,6 +8,9 @@ from okupy import OkupyError from okupy.accounts.models import LDAPUser from okupy.crypto.ciphers import cipher +from django.conf import settings #debug +from django.db import connections + def get_bound_ldapuser(request, password=None, username=None): """ |
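Review bot: `authenticate()` hands `password` to `get_bound_ldapuser()` without first rejecting an empty or missing value, and an LDAP simple bind with a DN and a zero-length password is an unauthenticated bind (RFC 4513 §5.1.2) that a directory server may answer with success, depending on its configuration. `get_bound_ldapuser()` also declares `password=None`, so a falsy password may select a different code path there; its body is outside this diff, so that needs confirming. I would add `if not username or not password: return None` as the first statement of `authenticate()`, before the `try`, so the outcome does not depend on server policy. Separately, only `ldap.INVALID_CREDENTIALS` and `ldap.STRONG_AUTH_REQUIRED` are caught, so other `ldap.LDAPError` subclasses (a directory outage, for example) propagate out of the backend; a comment stating whether that is intended would help.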
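Review bot: The import `from django.conf import settings #debug` in `ldap_helpers.py` looks like a debugging leftover, and the diffstat shows only these three inserted lines in that file, so nothing added by this commit uses `settings` or `connections`. Unless code outside the hunk already references them, both imports should be dropped. If they are needed, remove the `#debug` marker and say in the comment what they are used for. `get_bound_ldapuser()` continues outside the hunk, so usage in its body cannot be checked from here.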