Django Auth LDAP Setup
How to set up LDAP authentication against Active Directory in a Django application.
Description
This document provides a guide on how to set up LDAP authentication in a Django application using the django-auth-ldap package.
I will use a Dockerfile because installing and building python-ldap on Windows is a mess, and the final goal of this setup is to run the Django application in a container.
Don't forget to add the django-auth-ldap package to your requirements.txt file:
echo "django-auth-ldap" >> requirements.txt
Dockerfile
We will use a Dockerfile to build python-ldap, which django-auth-ldap requires, and isolate that build in its own stage. See: this Dockerfile example.
Django Settings
In your Django settings, you need to configure the LDAP authentication backend and the necessary settings for connecting to your LDAP server.
I added this setup at the end of the settings.py file:
...
# AUTHENTICATION_BACKENDS = [] <-- Ensure this is defined if not already present
## LDAP
# `config` is assumed to be imported earlier in settings.py (e.g. python-decouple).
if config("USE_LDAP", default=False, cast=bool):
    import ldap
    from django_auth_ldap.config import LDAPSearch
    from django_auth_ldap.config import ActiveDirectoryGroupType

    LDAP_URI = config("LDAP_URI")
    LDAP_DOMAIN = config("LDAP_DOMAIN")
    INSTALLED_APPS.append("django_auth_ldap")

    if LDAP_URI and LDAP_DOMAIN:
        # Try LDAP first, then fall back to local Django accounts.
        AUTHENTICATION_BACKENDS.append("django_auth_ldap.backend.LDAPBackend")
        AUTHENTICATION_BACKENDS.append("django.contrib.auth.backends.ModelBackend")
        AUTH_LDAP_SERVER_URI = config("LDAP_URI")
        # Read LDAP_ROOT_DN, the name used in the environment variable list below.
        AUTH_LDAP_BASE_DN = config("LDAP_ROOT_DN")
        AUTH_LDAP_CONNECTION_OPTIONS = {
            ldap.OPT_PROTOCOL_VERSION: 3,
            ldap.OPT_REFERRALS: 0,
        }
        # Members of this one group are active, staff and superuser.
        AUTH_LDAP_USER_FLAGS_BY_GROUP = {
            "is_superuser": config("LDAP_GROUP_DJADMIN_AUTHORIZED"),
            "is_staff": config("LDAP_GROUP_DJADMIN_AUTHORIZED"),
            "is_active": config("LDAP_GROUP_DJADMIN_AUTHORIZED"),
        }
        # Service account used to search the directory before binding as the user.
        AUTH_LDAP_BIND_DN = config("AUTH_LDAP_BIND_DN")
        AUTH_LDAP_BIND_PASSWORD = config("AUTH_LDAP_BIND_PASSWORD")
        AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
            AUTH_LDAP_BASE_DN, ldap.SCOPE_SUBTREE, "(objectClass=group)"
        )
        AUTH_LDAP_USER_SEARCH = LDAPSearch(
            AUTH_LDAP_BASE_DN, ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"
        )
        AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()

    if DEBUG:
        # Send django_auth_ldap debug output to the console while developing.
        LOGGING = {
            "version": 1,
            "disable_existing_loggers": False,
            "handlers": {"console": {"class": "logging.StreamHandler"}},
            "loggers": {"django_auth_ldap": {"level": "DEBUG", "handlers": ["console"]}},
        }
Environment Variables
You need to set the following environment variables in your .env file or in your Kubernetes secrets/configmaps:
USE_LDAP=True
LDAP_URI=ldap://your-ldap-server
LDAP_DOMAIN=your-domain.com
LDAP_ROOT_DN=dc=your,dc=domain,dc=com
LDAP_GROUP_DJADMIN_AUTHORIZED=cn=DJAdmin,ou=Groups,dc=your,dc=domain,dc=com
AUTH_LDAP_BIND_DN=cn=binduser,ou=Users,dc=your,dc=domain,dc=com
AUTH_LDAP_BIND_PASSWORD=your-bind-password
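A pre-flight check for the variables listed above, as an added example (not part of the original guide or of django-auth-ldap). The names `check_ldap_env`, `split_dn`, `is_under` and the `start_tls` parameter are hypothetical; `start_tls` stands for whether settings.py enables django-auth-ldap's `AUTH_LDAP_START_TLS`.

```python
from urllib.parse import urlparse

# Variable names from the page's .env listing; all must be non-empty.
REQUIRED = ("LDAP_URI", "LDAP_DOMAIN", "LDAP_ROOT_DN", "LDAP_GROUP_DJADMIN_AUTHORIZED",
            "AUTH_LDAP_BIND_DN", "AUTH_LDAP_BIND_PASSWORD")


def split_dn(dn):
    """Split a DN into lowercased RDNs, keeping backslash-escaped commas intact."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append("".join(buf).strip().lower())
            buf = []
            continue
        buf.append(ch)
        escaped = ch == "\\" and not escaped
    return parts + ["".join(buf).strip().lower()]


def is_under(dn, base):
    """True when `dn` is `base` itself or sits below it in the tree."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def check_ldap_env(env, start_tls=False):
    """Return findings; `start_tls` mirrors AUTH_LDAP_START_TLS in settings.py."""
    findings = [f"{k} is missing or empty" for k in REQUIRED if not env.get(k, "").strip()]
    if findings:
        return findings
    uri = urlparse(env["LDAP_URI"])
    if uri.scheme not in ("ldap", "ldaps") or not uri.hostname:
        findings.append("LDAP_URI must look like ldap://host or ldaps://host")
    elif uri.scheme == "ldap" and not start_tls:
        findings.append("LDAP_URI is ldap:// without StartTLS: binds are unencrypted")
    # Root and group DN only: AD also accepts a UPN as the bind identity.
    for key in REQUIRED[2:4]:
        if any("=" not in rdn for rdn in split_dn(env[key])):
            findings.append(f"{key} is not a well-formed DN")
    if not is_under(env["LDAP_GROUP_DJADMIN_AUTHORIZED"], env["LDAP_ROOT_DN"]):
        findings.append("LDAP_GROUP_DJADMIN_AUTHORIZED is not under LDAP_ROOT_DN")
    return findings


# Constructed sample: the placeholder values from the .env listing above.
SAMPLE_ENV = dict(zip(REQUIRED, (
    "ldap://your-ldap-server", "your-domain.com", "dc=your,dc=domain,dc=com",
    "cn=DJAdmin,ou=Groups,dc=your,dc=domain,dc=com",
    "cn=binduser,ou=Users,dc=your,dc=domain,dc=com", "your-bind-password")))
```

Calling `check_ldap_env(dict(os.environ))` from the container entrypoint and refusing to start on any finding catches a cleartext `ldap://` URI or a mistyped DN before the first login attempt.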
Configmaps and Secrets
backend/secrets.yml
apiVersion: v1
kind: Secret
metadata:
  name: ldap-backend-secret
  namespace: backend
data:
  AUTH_LDAP_BIND_DN: <b64_encoded-bind-dn>
  AUTH_LDAP_BIND_PASSWORD: <b64_encoded-bind-password>
  AUTH_LDAP_SERVER_URI: <b64_encoded-ldap-uri>
  ldap-root-dn: <b64_encoded-root-dn>
backend/configmap.yml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ldap-backend-config
  namespace: backend
data:
  LDAP_DOMAIN: your-domain.com
  LDAP_GROUP_DJADMIN_AUTHORIZED: cn=DJAdmin,ou=Groups,dc=your,dc=domain,dc=com
Conclusion
Now you should be able to authenticate users against your LDAP server using Django Admin (localhost:8000/admin).