Combine LDAP and classical authentication in django

by Florent Lebreton (fle)
in development

tagged django, ldap

Still in our CAMM project JOB at Makina Corpus, we needed to provide an authentication system through a LDAP server. The module django-auth-ldap does most of work itself but we decided to combine this LDAP authentication with the classical django authentication for two reasons:

  • keep possibility to create users only in django without having them in the LDAP directory (mainly for superusers);
  • be able to fallback on django authentication for all users in case of a LDAP server failure.

So to handle this, we have to:

  • differentiate LDAP directory users from django database users;
  • store password of LDAP users in django to be able to switch on classical authentication;
  • implement two custom authentication backends.

User model

We just implement a custom model user with a boolean from_ldap to diffentiate LDAP users from classical django users.

class MyUser(AbstractUser):
    from_ldap = models.BooleanField(
        _('LDAP user'),
        editable=False,
        default=False)

LDAP authentication backend

This LDAP backend has two goals :

  • Save user password in django database, thus he'll be able to log in django if LDAP authentication backend is disabled;
  • Force from_ldap field to True when a user is created by this way.
from django_auth_ldap.backend import LDAPBackend
from django.contrib.auth import get_user_model

class MyLDAPBackend(LDAPBackend):
    """ A custom LDAP authentication backend """

    def authenticate(self, username, password):
        """ Overrides LDAPBackend.authenticate to save user password in django """

        user = LDAPBackend.authenticate(self, username, password)

        # If user has successfully logged, save his password in django database
        if user:
            user.set_password(password)
            user.save()

        return user

    def get_or_create_user(self, username, ldap_user):
        """ Overrides LDAPBackend.get_or_create_user to force from_ldap to True """
        kwargs = {
            'username': username,
            'defaults': {'from_ldap': True}
        }
        user_model = get_user_model()
        return user_model.objects.get_or_create(**kwargs)

Classical authentication backend

We override django.contrib.auth.backends.ModelBackend to ensure LDAP users can't logged in with this one if MyLDAPBackend is available.

from django.contrib.auth import get_backends, get_user_model
from django.contrib.auth.backends import ModelBackend

class MyAuthBackend(ModelBackend):
    """ A custom authentication backend overriding django ModelBackend """

    @staticmethod
    def _is_ldap_backend_activated():
        """ Returns True if MyLDAPBackend is activated """
        return MyLDAPBackend in [b.__class__ for b in get_backends()]

    def authenticate(self, username, password):
        """ Overrides ModelBackend to refuse LDAP users if MyLDAPBackend is activated """

        if self._is_ldap_backend_activated():
            user_model = get_user_model()
            try:
                user_model.objects.get(username=username, from_ldap=False)
            except:
                return None

        user = ModelBackend.authenticate(self, username, password)

        return user

Django settings and fallback solution

Normally, we have our two backends activated :

  • LDAP users can only connect through MyLDAPBackend;
  • Django users can connect through MyAuthBackend.
AUTHENTICATION_BACKENDS = (
    'accounts.backends.MyLDAPBackend',
    'accounts.backends.MyAuthBackend',
)

In case of a LDAP directory failure, we just have to disable MyLDAPBackend and everybody can connect with MyAuthBackend.

AUTHENTICATION_BACKENDS = (
    #'accounts.backends.MyLDAPBackend',
    'accounts.backends.MyAuthBackend',
)

Thanks leplatrem for review!

[FR] Ce billet en français sur le blog de Makina Corpus !

Comments !