@tnightingale
Last active October 31, 2017 20:28

Django + LDAP integration options

Unfortunately the Django + LDAP integration story is pretty scattered & fragmented. I suspect this is in part due to LDAP's amorphous / "anything to anyone" nature.

Below are what I see as the main contenders for our integration and a brief summary of how I see us implementing it:

django-python3-ldap

This is the Django plugin Jacob tested

  • Django auth provider that talks to LDAP
  • Django users are created on-demand
  • Django users are updated from LDAP on each login
  • Provides command / cron task ldap_sync_users as alternative method to keep Django users up to date
  • Doesn't write to LDAP

django-auth-ldap

Docs: https://django-auth-ldap.readthedocs.io/en/1.2.x/

  • Similar to django-python3-ldap but supports more elaborate methods for querying/syncing data from LDAP
  • Supports using LDAP groups to drive Django user access & permissions
  • Doesn't write to LDAP

django-ldapdb

  • Provides Django ORM database adapter for LDAP
  • Provides ability to create / query / update / delete LDAP objects via Django's ORM API
  • Does not include a Django auth provider

Our requirements

  1. Users may use their username or any of their registered email addresses as an account identifier (UID) when logging in.
  2. Users may use the same credentials to log into Nadine (Django) or LDAP / LDAP-supporting systems (WiFi, shared network drives, etc.).

Proposal

  • We can use either django-python3-ldap or django-auth-ldap (probably the latter as it allows for more flexibility when querying for users) for auth in Nadine.
  • We use django-ldapdb to create new user accounts in LDAP and propagate user account updates back to LDAP.

Limitations

With the proposed tools we can meet requirements (1) and (2) for Nadine/Django and it will set up the LDAP infrastructure for future integrations with other systems.

However, meeting requirement (2) for non-Django/Nadine systems (WiFi, shared network drives, etc.) is going to be dependent on what is supported by the specific system. Short of researching how other systems auth against LDAP, the best we can do is ensure our LDAP schema follows common standards/conventions.

Implementation

Setting up Nadine/Django LDAP auth is pretty straightforward and mostly configuration; we need to provide a query that looks up the LDAP user by email and/or username/uid.
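As an added illustration (not part of the gist), here is the user-search filter that requirement (1) calls for, together with the RFC 4515 value escaping that django-auth-ldap applies to `%(user)s` before substituting the typed login name. The base DN and the uid/mail/inetOrgPerson attribute names are assumptions.

```python
# Added example, not from the gist: the django-auth-ldap user-search filter for
# requirement (1) (login by uid OR any registered email address) and the
# RFC 4515 escaping that stops a typed identifier from altering the filter.
# Base DN and attribute names (uid, mail, inetOrgPerson) are assumptions.

USER_BASE_DN = "ou=people,dc=example,dc=org"  # assumed directory layout

# django-auth-ldap replaces every %(user)s with the *escaped* login name.
# 'mail' is multi-valued on inetOrgPerson, so a single equality match covers
# all of a user's registered addresses.
USER_SEARCH_FILTER = "(&(objectClass=inetOrgPerson)(|(uid=%(user)s)(mail=%(user)s)))"

# In settings.py this becomes (requires django-auth-ldap and python-ldap):
#   import ldap
#   from django_auth_ldap.config import LDAPSearch
#   AUTH_LDAP_USER_SEARCH = LDAPSearch(USER_BASE_DN, ldap.SCOPE_SUBTREE,
#                                      USER_SEARCH_FILTER)

# Characters that RFC 4515 section 3 requires to be escaped inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_user_filter(identifier: str) -> str:
    """Render the filter the way the auth backend does before searching.

    The identifier is escaped first, so a hostile string such as "*)(uid=*"
    can only ever match an entry whose uid or mail literally equals it.
    """
    return USER_SEARCH_FILTER % {"user": escape_filter_value(identifier)}


if __name__ == "__main__":
    for login in ("alice", "alice@example.org", "*)(uid=*"):
        print(f"{login!r:22} -> {render_user_filter(login)}")
```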

Handling new user registration & user management (updates) in Nadine and writing to LDAP will require hooking into Django/Nadine's user registration process. The extent of this is dependent on how Nadine's existing registration process is implemented and how it differs from Django's out-of-the-box registration process.

Determining this will be my next focus.
