Unfortunately the Django + LDAP integration story is pretty scattered & fragmented. I suspect this is in part due to LDAP's amorphous / "anything to anyone" nature.
Below are what I see as the main contenders for our integration and a brief summary of how I see us implementing it:
django-python3-ldap (this is the Django plugin Jacob tested)
- Django auth provider that talks to LDAP
- Django users are created on demand
- Django users are updated from LDAP on each login
- Provides a management command / cron task, ldap_sync_users, as an alternative method to keep Django users up to date
- Doesn't write to LDAP
django-auth-ldap
Docs: https://django-auth-ldap.readthedocs.io/en/1.2.x/
- Similar to django-python3-ldap but supports more elaborate methods for querying/syncing data from LDAP
- Supports using LDAP groups to drive Django user access & permissions
- Doesn't write to LDAP
django-ldapdb
- Provides a Django ORM database adapter for LDAP
- Provides the ability to create / query / update / delete LDAP objects via Django's ORM API
- Does not include a Django auth provider
Requirements:
(1) Users may use their username or any of their registered email addresses as an account identifier (UID) when logging in.
(2) Users may use the same credentials to log into Nadine (Django) or LDAP / LDAP-supporting systems (WiFi, shared network drives, etc.)
Proposed implementation:
- We can use either django-python3-ldap or django-auth-ldap (probably the latter, as it allows for more flexibility when querying for users) for auth in Nadine.
- We use django-ldapdb to create new user accounts in LDAP and propagate user account updates back to LDAP.
With the proposed tools we can meet requirements (1) and (2) for Nadine/Django, and it sets up the LDAP infrastructure for future integrations with other systems.
However, meeting requirement (2) for non-Django/Nadine systems (WiFi, shared network drives, etc.) is dependent on what is supported by the specific system. Short of researching how each of those systems authenticates against LDAP, the best we can do is ensure our LDAP schema follows common standards/conventions: the standard object classes (inetOrgPerson for people, posixAccount where systems need a Unix identity, groupOfNames for groups) and a password hashing scheme the directory itself understands, since that is what most LDAP clients expect to find.
Setting up Nadine/Django LDAP auth is pretty straightforward, mostly configuration: we need to provide a search that looks up the LDAP user by email and/or username/uid. One caveat: the lookup has to return exactly one entry for the backend to bind as that user, so the mail attribute must be unique across the directory and no user's email may collide with another user's uid.
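As an added example (not part of the original note or of the Nadine code base), this is what the django-auth-ldap side of that configuration could look like in Nadine's settings.py. The server name, base DNs, group names and the environment variable holding the bind password are assumptions about the directory layout:

```python
# settings.py fragment for django-auth-ldap (added example; DNs, host and
# group names are assumed, not taken from an existing deployment)
import os

import ldap
from django_auth_ldap.config import GroupOfNamesType, LDAPSearch

AUTHENTICATION_BACKENDS = (
    "django_auth_ldap.backend.LDAPBackend",
    # Keep the database backend so local/admin accounts still work if LDAP is down.
    "django.contrib.auth.backends.ModelBackend",
)

AUTH_LDAP_SERVER_URI = "ldaps://ldap.example.org"
# Refuse to talk to a server whose certificate does not validate.
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)

# Least-privilege service account that is only allowed to read ou=people and
# ou=groups. It locates the user's DN; the user's own password is then checked
# by binding as that DN, so the service account never needs write access.
AUTH_LDAP_BIND_DN = "cn=nadine,ou=services,dc=example,dc=org"
AUTH_LDAP_BIND_PASSWORD = os.environ["NADINE_LDAP_BIND_PASSWORD"]

# Requirement (1): accept either the uid or any mail value as the login name.
# django-auth-ldap escapes the value it substitutes for %(user)s. The filter is
# anchored on objectClass so service or group entries can never match, and it
# must yield exactly one entry or the login fails.
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    "ou=people,dc=example,dc=org",
    ldap.SCOPE_SUBTREE,
    "(&(objectClass=inetOrgPerson)(|(uid=%(user)s)(mail=%(user)s)))",
)

# Attributes copied into the Django user on every login.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}
AUTH_LDAP_ALWAYS_UPDATE_USER = True

# Drive access from LDAP groups rather than from flags set by hand in Django.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "ou=groups,dc=example,dc=org",
    ldap.SCOPE_SUBTREE,
    "(objectClass=groupOfNames)",
)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")
# Only current members may log in at all ...
AUTH_LDAP_REQUIRE_GROUP = "cn=members,ou=groups,dc=example,dc=org"
# ... and staff/superuser rights are granted and revoked by group membership.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_staff": "cn=staff,ou=groups,dc=example,dc=org",
    "is_superuser": "cn=admins,ou=groups,dc=example,dc=org",
}
```

With AUTH_LDAP_REQUIRE_GROUP and AUTH_LDAP_USER_FLAGS_BY_GROUP set, removing someone from the LDAP group is enough to lock them out of Nadine or drop their staff rights on their next login; nothing has to be changed in Django separately.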
Handling new user registration & user management (updates) in Nadine and writing to LDAP will require hooking into Django/Nadine's user registration process. The extent of this is dependent on how Nadine's existing registration process is implemented and how it differs from Django's out-of-the-box registration process.
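An added example, not code from the original note or from Nadine, of the pieces that registration hook has to get right before it hands an entry to django-ldapdb: escaping any identifier that goes into a search filter (for example a pre-registration uniqueness check), producing a password hash the directory understands, and assembling an entry that follows the standard inetOrgPerson/posixAccount schema. The base DN, the gid, the login shell and all function names are assumptions made for the example:

```python
import base64
import hashlib
import hmac
import os
import re

# RFC 4515 escaping for values interpolated into an LDAP search filter.
# django-auth-ldap escapes its own %(user)s substitution; this helper is for
# any search Nadine issues directly, e.g. "is this email already taken?".
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed username policy: DN-safe, so the uid can be used verbatim in the RDN
# without RFC 4514 escaping.
_USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")


def escape_filter_value(value):
    """Escape one attribute value for use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def identifier_filter(identifier):
    """Filter matching a person by uid or mail; used for lookups and collision checks."""
    v = escape_filter_value(identifier)
    return "(&(objectClass=inetOrgPerson)(|(uid=%s)(mail=%s)))" % (v, v)


def ssha_hash(password, salt=None):
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Constant-time check of a password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):])
    except ValueError:
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def build_person_entry(username, email, first_name, last_name, uid_number,
                       password, gid_number=100,
                       people_base="ou=people,dc=example,dc=org"):
    """Return (dn, attributes) for a new inetOrgPerson + posixAccount entry.

    Validation happens here so that a username or email that could break out
    of a DN or filter never reaches the directory.
    """
    if not _USERNAME_RE.match(username):
        raise ValueError("username is not DN-safe: %r" % username)
    if email.count("@") != 1 or any(ch.isspace() for ch in email):
        raise ValueError("invalid email: %r" % email)
    if not first_name or not last_name:
        raise ValueError("givenName and sn are required by the person schema")

    dn = "uid=%s,%s" % (username, people_base)
    attrs = {
        # Standard object classes so WiFi/NAS/etc. find the attributes they expect.
        "objectClass": ["top", "person", "organizationalPerson",
                        "inetOrgPerson", "posixAccount"],
        "uid": [username],
        "cn": ["%s %s" % (first_name, last_name)],
        "givenName": [first_name],
        "sn": [last_name],
        "mail": [email],
        "uidNumber": [str(uid_number)],
        "gidNumber": [str(gid_number)],
        "homeDirectory": ["/home/%s" % username],
        # No interactive shell: these are service logins, not Unix accounts.
        "loginShell": ["/usr/sbin/nologin"],
        "userPassword": [ssha_hash(password)],
    }
    return dn, attrs
```

The attribute dict is the shape a django-ldapdb model for ou=people would carry in its fields. Two points worth keeping in mind when wiring this into the registration flow: run identifier_filter over both the chosen username and each email before creating the entry, since a new user's email colliding with an existing user's uid would make the combined uid-or-mail login search ambiguous for both accounts; and where the directory supports it, prefer setting the password through the LDAP Password Modify extended operation (python-ldap's passwd_s) so the server applies its own configured hash scheme, keeping client-side {SSHA} as the fallback for directories that only accept a pre-hashed userPassword.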
Determining this will be my next focus.