From dd25fbab879107682aec9a7f42c8f4561fc2ac83 Mon Sep 17 00:00:00 2001
From: Tobias Bengfort
Date: Tue, 10 Apr 2018 18:00:11 +0200
Subject: [PATCH 1/9] TG-281 setup docker ldap service
---
ldap/docker-compose.yml | 11 +++++++++++
ldap/tests.ldif | 27 +++++++++++++++++++++++++++
2 files changed, 38 insertions(+)
create mode 100644 ldap/docker-compose.yml
create mode 100644 ldap/tests.ldif
diff --git a/ldap/docker-compose.yml b/ldap/docker-compose.yml
new file mode 100644
index 000000000..ba6eb1950
--- /dev/null
+++ b/ldap/docker-compose.yml
@@ -0,0 +1,11 @@
+version: '2'
+
+services:
+ ldap:
+ container_name: ldap
+ image: osixia/openldap
+ ports:
+ - "389:389"
+ command: [--copy-service]
+ volumes:
+ - ./tests.ldif:/container/service/slapd/assets/config/bootstrap/ldif/data.ldif
diff --git a/ldap/tests.ldif b/ldap/tests.ldif
new file mode 100644
index 000000000..58c45645c
--- /dev/null
+++ b/ldap/tests.ldif
@@ -0,0 +1,27 @@
+dn: cn=alice,dc=example,dc=org
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: posixAccount
+cn: alice
+uid: alice
+userPassword: password
+uidNumber: 1000
+gidNumber: 1000
+givenName: Alice
+sn: Adams
+homeDirectory: /home/alice
+
+dn: cn=bob,dc=example,dc=org
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: posixAccount
+cn: bob
+uid: bob
+userPassword: password
+uidNumber: 1001
+gidNumber: 50
+givenName: Robert
+sn: Barker
+homeDirectory: /home/bob
-- GitLab
From f2511c7e1b0d59f998262e2de22114729231a320 Mon Sep 17 00:00:00 2001
From: Tobias Bengfort
Date: Tue, 10 Apr 2018 18:00:47 +0200
Subject: [PATCH 2/9] TG-280 settings: use ldap auth
---
.../castellum_core/castellum_core/settings.py | 13 +++++++++++++
castellum_core/setup.py | 1 +
2 files changed, 14 insertions(+)
diff --git a/castellum_core/castellum_core/castellum_core/settings.py b/castellum_core/castellum_core/castellum_core/settings.py
index 476033b0a..cdfc5b2c6 100644
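Review bot: The `ports` entry `"389:389"` in docker-compose.yml publishes slapd on every host interface, so the fixture directory, whose users in tests.ldif all carry `userPassword: password`, is reachable from whatever network the developer machine is on; binding it to loopback with `- "127.0.0.1:389:389"` keeps it local. `image: osixia/openldap` has no tag, so each pull may bring a different build; pin it as `image: osixia/openldap:<TAG>` with the tag or digest the team has tested. A comment at the top of tests.ldif stating that these are throwaway fixture accounts would stop the file from being reused as seed data.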
--- a/castellum_core/castellum_core/castellum_core/settings.py +++ b/castellum_core/castellum_core/castellum_core/settings.py @@ -79,6 +79,19 @@ AUTH_PASSWORD_VALIDATORS = [ }, ] +AUTHENTICATION_BACKENDS = [ + 'django_auth_ldap.backend.LDAPBackend', + 'django.contrib.auth.backends.ModelBackend', +] + +import ldap +from django_auth_ldap.config import LDAPSearch + +AUTH_LDAP_SERVER_URI = 'ldap://localhost' +AUTH_LDAP_BIND_DN = 'cn=admin,dc=example,dc=org' +AUTH_LDAP_BIND_PASSWORD = 'admin' +AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=example,dc=org', ldap.SCOPE_SUBTREE, '(uid=%(user)s)') + # Internationalization diff --git a/castellum_core/setup.py b/castellum_core/setup.py index f2259415a..4f3fe1897 100644 --- a/castellum_core/setup.py +++ b/castellum_core/setup.py @@ -11,5 +11,6 @@ setup( install_requires=[ "Django==2.0.4", + "django-auth-ldap==1.4.0", ], ) -- GitLab From 942745c52c6d10db0e0a9678e96f00c5f1a1ef05 Mon Sep 17 00:00:00 2001 From: Stefan Bunde Date: Fri, 20 Apr 2018 15:09:21 +0200 Subject: [PATCH 3/9] move docker-compose file one directory level upwards --- ldap/docker-compose.yml => docker-compose.yml | 2 +- ldap/{tests.ldif => dummy_data.ldif} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename ldap/docker-compose.yml => docker-compose.yml (62%) rename ldap/{tests.ldif => dummy_data.ldif} (100%) diff --git a/ldap/docker-compose.yml b/docker-compose.yml similarity index 62% rename from ldap/docker-compose.yml rename to docker-compose.yml index ba6eb1950..99ab7e8f0 100644 --- a/ldap/docker-compose.yml +++ b/docker-compose.yml @@ -8,4 +8,4 @@ services: - "389:389" command: [--copy-service] volumes: - - ./tests.ldif:/container/service/slapd/assets/config/bootstrap/ldif/data.ldif + - ./ldap/dummy_data.ldif:/container/service/slapd/assets/config/bootstrap/ldif/data.ldif diff --git a/ldap/tests.ldif b/ldap/dummy_data.ldif similarity index 100% rename from ldap/tests.ldif rename to ldap/dummy_data.ldif -- GitLab 
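Review bot: `AUTH_LDAP_SERVER_URI = 'ldap://localhost'` in settings.py is plain LDAP and the hunk sets no `AUTH_LDAP_START_TLS`, so the service bind password and every user's login password travel unencrypted as soon as the URI points anywhere but loopback; add `AUTH_LDAP_START_TLS = True` or use an `ldaps://` URI before this is used against a real directory. The bind password `'admin'` is committed in the settings module; reading it from the environment without a default, `AUTH_LDAP_BIND_PASSWORD = os.environ['LDAP_PASSWORD']`, keeps it out of the repository. Both points also apply to settings/ldap.py in patch 4 and to the settings/stage.py hunks in patches 6 and 7. The `import ldap` and `from django_auth_ldap.config import LDAPSearch` lines are added mid-file and belong with the imports at the top of the module.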
From 300812ba16b6886aec6a82afa1437d6c5af9c7b9 Mon Sep 17 00:00:00 2001 From: Stefan Bunde Date: Fri, 20 Apr 2018 16:22:42 +0200 Subject: [PATCH 4/9] TG-258 TG-280 move ldap settings in separate file and pass default settings To activate ldap settings, you have to set LDAP_ENABLED to true. Unless you set the environment variables to configure ldap, the defaults are used. --- .../castellum_core/settings/default.py | 22 ++++++++++++------- .../castellum_core/settings/ldap.py | 15 +++++++++++++ 2 files changed, 29 insertions(+), 8 deletions(-) create mode 100644 castellum_core/castellum_core/castellum_core/settings/ldap.py diff --git a/castellum_core/castellum_core/castellum_core/settings/default.py b/castellum_core/castellum_core/castellum_core/settings/default.py index 6e9a6bfe2..3bc9ad7e9 100644 --- a/castellum_core/castellum_core/castellum_core/settings/default.py +++ b/castellum_core/castellum_core/castellum_core/settings/default.py @@ -70,18 +70,24 @@ AUTH_PASSWORD_VALIDATORS = [ }, ] + AUTHENTICATION_BACKENDS = [ - 'django_auth_ldap.backend.LDAPBackend', - 'django.contrib.auth.backends.ModelBackend', + "django.contrib.auth.backends.ModelBackend", ] -import ldap -from django_auth_ldap.config import LDAPSearch -AUTH_LDAP_SERVER_URI = 'ldap://localhost' -AUTH_LDAP_BIND_DN = 'cn=admin,dc=example,dc=org' -AUTH_LDAP_BIND_PASSWORD = 'admin' -AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=example,dc=org', ldap.SCOPE_SUBTREE, '(uid=%(user)s)') +LDAP_ENABLED = True + +if LDAP_ENABLED: + try: + from .ldap import * + except ImportError: + raise ImportError( + "Failed to load LDAP settings. Either you disable LDAP by setting " + "'LDAP_ENABLED = False' or you create a ldap.py file in the settings directory!" + ) + AUTHENTICATION_BACKENDS.append("django_auth_ldap.backend.LDAPBackend") + AUTH_USER_MODEL = 'castellum_auth.User' 
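Review bot: The `except ImportError` around `from .ldap import *` in settings/default.py also catches a missing `ldap` or `django_auth_ldap` package raised from inside ldap.py, and then reports it as a missing settings file; use `except ImportError as err:` and end the raise with `from err` so the real cause stays in the traceback. `LDAP_ENABLED = True` is a literal, so the switch described in the commit message can only be flipped by editing this file; if it is meant to be set per deployment, read it from the environment. The star import also copies the helper names `host`, `username` and `password` from ldap.py into the settings namespace; importing only the `AUTH_LDAP_*` names avoids that.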
diff --git a/castellum_core/castellum_core/castellum_core/settings/ldap.py b/castellum_core/castellum_core/castellum_core/settings/ldap.py
new file mode 100644
index 000000000..b0e5f1a6a
--- /dev/null
+++ b/castellum_core/castellum_core/castellum_core/settings/ldap.py
@@ -0,0 +1,15 @@
+import ldap
+import os
+
+from django_auth_ldap.config import LDAPSearch
+
+
+host = os.environ.get("LDAP_HOST", "ldap://localhost")
+distinguised_name = os.environ.get("LDAP_DISTINGUISHED_NAME", "dc=example,dc=org")
+username = os.environ.get("LDAP_USERNAME", "cn=admin," + distinguised_name)
+password = os.environ.get("LDAP_PASSWORD", "admin")
+
+AUTH_LDAP_SERVER_URI = host
+AUTH_LDAP_BIND_DN = username
+AUTH_LDAP_BIND_PASSWORD = password
+AUTH_LDAP_USER_SEARCH = LDAPSearch(distinguised_name, ldap.SCOPE_SUBTREE, '(uid=%(user)s)')
-- GitLab
From 5be360e565ac18edb21a4b9556b8702cf5c868b7 Mon Sep 17 00:00:00 2001
From: Tobias Bengfort
Date: Wed, 25 Apr 2018 10:35:33 +0200
Subject: [PATCH 5/9] add basic stage settings
---
.../castellum_core/settings/stage.py | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 castellum_core/castellum_core/castellum_core/settings/stage.py
diff --git a/castellum_core/castellum_core/castellum_core/settings/stage.py b/castellum_core/castellum_core/castellum_core/settings/stage.py
new file mode 100644
index 000000000..2d8c830b4
--- /dev/null
+++ b/castellum_core/castellum_core/castellum_core/settings/stage.py
@@ -0,0 +1,17 @@
+from .default import *
+
+
+# FIXME: These values need to be changed
+SECRET_KEY = 'i#$kwk(s24ysn+l%+c!*z9u4+45)oex!-s#!bux#wf2pv2cc0d'
+
+DATABASES = {
+ 'default': {
+ 'ENGINE': 'django.db.backends.sqlite3',
+ 'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
+ }
+}
+
+ALLOWED_HOSTS = [
+ 'localhost',
+]
+
-- GitLab
From ca8c4bf5c22b0b25036f7ece30f08eece73a7b5a Mon Sep 17 00:00:00 2001
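Review bot: `os.environ.get("LDAP_PASSWORD", "admin")` in settings/ldap.py falls back to the fixture password when the variable is unset, so a deployment that forgets to configure it binds as `cn=admin` with `admin` instead of failing at startup; outside the local docker fixture, `password = os.environ["LDAP_PASSWORD"]` makes the omission visible. The same fallback reappears in the settings/stage.py hunk of patch 6. `distinguised_name` is misspelled, and the value it holds is the search base rather than one entry's DN, so a name such as `search_base` would read more clearly.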
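Review bot: `SECRET_KEY` in settings/stage.py is committed as a literal and the `FIXME` above it is the only safeguard; Django signs sessions and password-reset tokens with this key, so a stage host that keeps the value trusts anything signed by someone with read access to the repository. Load it from the environment with `SECRET_KEY = os.environ['SECRET_KEY']` so that startup fails when it is missing. `os.path.join` in `DATABASES` relies on `os` arriving through `from .default import *`; an explicit `import os` at the top of the file removes that coupling (patch 6 adds one).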
From: Tobias Bengfort Date: Wed, 25 Apr 2018 10:36:41 +0200 Subject: [PATCH 6/9] activate ldap config only for stage --- .../castellum_core/settings/default.py | 14 -------------- .../castellum_core/settings/ldap.py | 15 --------------- .../castellum_core/settings/stage.py | 16 ++++++++++++++++ 3 files changed, 16 insertions(+), 29 deletions(-) delete mode 100644 castellum_core/castellum_core/castellum_core/settings/ldap.py diff --git a/castellum_core/castellum_core/castellum_core/settings/default.py b/castellum_core/castellum_core/castellum_core/settings/default.py index 3bc9ad7e9..01e024c41 100644 --- a/castellum_core/castellum_core/castellum_core/settings/default.py +++ b/castellum_core/castellum_core/castellum_core/settings/default.py @@ -75,20 +75,6 @@ AUTHENTICATION_BACKENDS = [ "django.contrib.auth.backends.ModelBackend", ] - -LDAP_ENABLED = True - -if LDAP_ENABLED: - try: - from .ldap import * - except ImportError: - raise ImportError( - "Failed to load LDAP settings. Either you disable LDAP by setting " - "'LDAP_ENABLED = False' or you create a ldap.py file in the settings directory!" - ) - AUTHENTICATION_BACKENDS.append("django_auth_ldap.backend.LDAPBackend") - - AUTH_USER_MODEL = 'castellum_auth.User' LOGIN_REDIRECT_URL = '/' diff --git a/castellum_core/castellum_core/castellum_core/settings/ldap.py b/castellum_core/castellum_core/castellum_core/settings/ldap.py deleted file mode 100644 index b0e5f1a6a..000000000 --- a/castellum_core/castellum_core/castellum_core/settings/ldap.py +++ /dev/null 
@@ -1,15 +0,0 @@ -import ldap -import os - -from django_auth_ldap.config import LDAPSearch - - -host = os.environ.get("LDAP_HOST", "ldap://localhost") -distinguised_name = os.environ.get("LDAP_DISTINGUISHED_NAME", "dc=example,dc=org") -username = os.environ.get("LDAP_USERNAME", "cn=admin," + distinguised_name) -password = os.environ.get("LDAP_PASSWORD", "admin") - -AUTH_LDAP_SERVER_URI = host -AUTH_LDAP_BIND_DN = username -AUTH_LDAP_BIND_PASSWORD = password -AUTH_LDAP_USER_SEARCH = LDAPSearch(distinguised_name, ldap.SCOPE_SUBTREE, '(uid=%(user)s)') diff --git a/castellum_core/castellum_core/castellum_core/settings/stage.py b/castellum_core/castellum_core/castellum_core/settings/stage.py index 2d8c830b4..e64d69ef1 100644 --- a/castellum_core/castellum_core/castellum_core/settings/stage.py +++ b/castellum_core/castellum_core/castellum_core/settings/stage.py @@ -1,3 +1,7 @@ +import ldap +import os +from django_auth_ldap.config import LDAPSearch + from .default import * @@ -15,3 +19,15 @@ ALLOWED_HOSTS = [ 'localhost', ] +# LDAP +AUTHENTICATION_BACKENDS.append("django_auth_ldap.backend.LDAPBackend") + +host = os.environ.get("LDAP_HOST", "ldap://localhost") +distinguised_name = os.environ.get("LDAP_DISTINGUISHED_NAME", "dc=example,dc=org") +username = os.environ.get("LDAP_USERNAME", "cn=admin," + distinguised_name) +password = os.environ.get("LDAP_PASSWORD", "admin") + +AUTH_LDAP_SERVER_URI = host +AUTH_LDAP_BIND_DN = username +AUTH_LDAP_BIND_PASSWORD = password +AUTH_LDAP_USER_SEARCH = LDAPSearch(distinguised_name, ldap.SCOPE_SUBTREE, '(uid=%(user)s)') -- GitLab From fcd6cb5968c8272e6a66f86bd05e0f9fa04edb4a Mon Sep 17 00:00:00 2001 
From: Tobias Bengfort Date: Wed, 25 Apr 2018 10:39:26 +0200 Subject: [PATCH 7/9] restore concrete LDAP config for stage We expect heterogenous LDAP setups. Using just a few environment variables might not be enough. So for now we stick with the simple example. --- .../castellum_core/settings/stage.py | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/castellum_core/castellum_core/castellum_core/settings/stage.py b/castellum_core/castellum_core/castellum_core/settings/stage.py index e64d69ef1..9b20f5aa0 100644 --- a/castellum_core/castellum_core/castellum_core/settings/stage.py +++ b/castellum_core/castellum_core/castellum_core/settings/stage.py @@ -20,14 +20,10 @@ ALLOWED_HOSTS = [ ] # LDAP +# See https://django-auth-ldap.readthedocs.io/ AUTHENTICATION_BACKENDS.append("django_auth_ldap.backend.LDAPBackend") -host = os.environ.get("LDAP_HOST", "ldap://localhost") -distinguised_name = os.environ.get("LDAP_DISTINGUISHED_NAME", "dc=example,dc=org") -username = os.environ.get("LDAP_USERNAME", "cn=admin," + distinguised_name) -password = os.environ.get("LDAP_PASSWORD", "admin") - -AUTH_LDAP_SERVER_URI = host -AUTH_LDAP_BIND_DN = username -AUTH_LDAP_BIND_PASSWORD = password -AUTH_LDAP_USER_SEARCH = LDAPSearch(distinguised_name, ldap.SCOPE_SUBTREE, '(uid=%(user)s)') +AUTH_LDAP_SERVER_URI = 'ldap://localhost' +AUTH_LDAP_BIND_DN = 'cn=admin,dc=example,dc=org' +AUTH_LDAP_BIND_PASSWORD = 'admin' +AUTH_LDAP_USER_SEARCH = LDAPSearch('dc=example,dc=org', ldap.SCOPE_SUBTREE, '(uid=%(user)s)') -- GitLab From df9ebde5a9529d1e35c6a3688667b4fc25a7d879 Mon Sep 17 00:00:00 2001 From: Tobias Bengfort Date: Wed, 25 Apr 2018 10:42:09 +0200 Subject: [PATCH 8/9] ignore settings in flake8 --- tox.ini | 1 + 1 file changed, 1 insertion(+) diff --git a/tox.ini b/tox.ini index 0a977a42d..6f0afe7fe 100644 --- a/tox.ini +++ b/tox.ini @@ -5,4 +5,5 @@ exclude= node_modules, wsgi.py, migrations, + settings, max-line-length=100 -- GitLab 
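Review bot: `AUTH_LDAP_BIND_DN = 'cn=admin,dc=example,dc=org'` in settings/stage.py makes the application search the directory as its administrator, while the `LDAPSearch` on `uid` only needs read access to user entries; when this example is adapted to a real directory, bind as a dedicated read-only account. With the environment lookups removed, the literals are the only configuration path, so a comment on the block such as `# Example values for the docker-compose LDAP fixture; replace per deployment` would keep the example from being deployed unchanged. The plain `ldap://` URI and the committed bind password are the same points raised on patch 2.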
From 6a080606ec2530f7f831a42bc6f99523034327ab Mon Sep 17 00:00:00 2001 From: Tobias Bengfort Date: Wed, 25 Apr 2018 10:47:02 +0200 Subject: [PATCH 9/9] Gardening --- castellum_core/castellum_core/castellum_core/settings/default.py | 1 - 1 file changed, 1 deletion(-) diff --git a/castellum_core/castellum_core/castellum_core/settings/default.py b/castellum_core/castellum_core/castellum_core/settings/default.py index 01e024c41..44a1c3162 100644 --- a/castellum_core/castellum_core/castellum_core/settings/default.py +++ b/castellum_core/castellum_core/castellum_core/settings/default.py @@ -70,7 +70,6 @@ AUTH_PASSWORD_VALIDATORS = [ }, ] - AUTHENTICATION_BACKENDS = [ "django.contrib.auth.backends.ModelBackend", ] -- GitLab