Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 518 Commits
.github		.github
django_auth_ldap		django_auth_ldap
docs		docs
tests		tests
.editorconfig		.editorconfig
.gitignore		.gitignore
.readthedocs.yml		.readthedocs.yml
LICENSE		LICENSE
MANIFEST.in		MANIFEST.in
README.rst		README.rst
pyproject.toml		pyproject.toml
tox.ini		tox.ini

Repository files navigation

Django Authentication Using LDAP

https://readthedocs.org/projects/django-auth-ldap/badge/?version=latest

This is a Django authentication backend that authenticates against an LDAPservice. Configuration can be as simple as a single distinguished nametemplate, but there are many rich configuration options for working with users,groups, and permissions.

Documentation:https://django-auth-ldap.readthedocs.io/
PyPI:https://pypi.org/project/django-auth-ldap/
Repository:https://github.com/django-auth-ldap/django-auth-ldap
License: BSD 2-Clause

Installation

Install the package with pip:

$ pip install django-auth-ldap

It requirespython-ldap >= 3.1. You'll need theOpenLDAP libraries andheaders available on your system.

To use the auth backend in a Django project, add'django_auth_ldap.backend.LDAPBackend' toAUTHENTICATION_BACKENDS. Donot add anything toINSTALLED_APPS.

AUTHENTICATION_BACKENDS= ['django_auth_ldap.backend.LDAPBackend',]

LDAPBackend should work with custom user models, but it does assume that adatabase is present.

Note

LDAPBackend does not inherit fromModelBackend. It is possible touseLDAPBackend exclusively by configuring it to draw group membershipfrom the LDAP server. However, if you would like to assign permissions toindividual users or add users to groups within Django, you'll need to haveboth backends installed:

AUTHENTICATION_BACKENDS= ['django_auth_ldap.backend.LDAPBackend','django.contrib.auth.backends.ModelBackend',]

Example Configuration

Here is a complete example configuration fromsettings.py that exercisesnearly all of the features. In this example, we're authenticating against aglobal pool of users in the directory, but we have a special area set aside forDjango groups (ou=django,ou=groups,dc=example,dc=com). Remember that mostof this is optional if you just need simple authentication. Some defaultsettings and arguments are included for completeness.

importldapfromdjango_auth_ldap.configimportLDAPSearch,GroupOfNamesType# Baseline configuration.AUTH_LDAP_SERVER_URI='ldap://ldap.example.com'AUTH_LDAP_BIND_DN='cn=django-agent,dc=example,dc=com'AUTH_LDAP_BIND_PASSWORD='phlebotinum'AUTH_LDAP_USER_SEARCH=LDAPSearch('ou=users,dc=example,dc=com',ldap.SCOPE_SUBTREE,'(uid=%(user)s)',)# Or:# AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,ou=users,dc=example,dc=com'# Set up the basic group parameters.AUTH_LDAP_GROUP_SEARCH=LDAPSearch('ou=django,ou=groups,dc=example,dc=com',ldap.SCOPE_SUBTREE,'(objectClass=groupOfNames)',)AUTH_LDAP_GROUP_TYPE=GroupOfNamesType(name_attr='cn')# Simple group restrictionsAUTH_LDAP_REQUIRE_GROUP='cn=enabled,ou=django,ou=groups,dc=example,dc=com'AUTH_LDAP_DENY_GROUP='cn=disabled,ou=django,ou=groups,dc=example,dc=com'# Populate the Django user from the LDAP directory.AUTH_LDAP_USER_ATTR_MAP= {'first_name':'givenName','last_name':'sn','email':'mail',}AUTH_LDAP_USER_FLAGS_BY_GROUP= {'is_active':'cn=active,ou=django,ou=groups,dc=example,dc=com','is_staff':'cn=staff,ou=django,ou=groups,dc=example,dc=com','is_superuser':'cn=superuser,ou=django,ou=groups,dc=example,dc=com',}# This is the default, but I like to be explicit.AUTH_LDAP_ALWAYS_UPDATE_USER=True# Use LDAP group membership to calculate group permissions.AUTH_LDAP_FIND_GROUP_PERMS=True# Cache distinguished names and group memberships for an hour to minimize# LDAP traffic.AUTH_LDAP_CACHE_TIMEOUT=3600# Keep ModelBackend around for per-user permissions and maybe a local# superuser.AUTHENTICATION_BACKENDS= ('django_auth_ldap.backend.LDAPBackend','django.contrib.auth.backends.ModelBackend',)

Contributing

If you'd like to contribute, the best approach is to send a well-formed pullrequest, complete with tests and documentation. Pull requests should befocused: trying to do more than one thing in a single request will make it moredifficult to process.

If you have a bug or feature request you can trylogging an issue.

There's no harm in creating an issue and then submitting a pull request toresolve it. This can be a good way to start a conversation and can serve as ananchor point.