|
@@ -1,5 +1,4 @@
|
|
|
-This guide explains how to implement LDAP authentication using an external server. User authentication will fall back to
|
|
|
-built-in Django users in the event of a failure.
|
|
|
+This guide explains how to implement LDAP authentication using an external server. User authentication will fall back to built-in Django users in the event of a failure.
|
|
|
|
|
|
# Requirements
|
|
|
|
|
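Review bot: "in the event of a failure" in the joined sentence does not say which failures trigger the fallback to built-in Django users (LDAP server unreachable, bind error, or rejected credentials). Because the fallback leaves local accounts as a valid login path alongside LDAP, spell out the conditions so operators know those local passwords still need to be managed.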
@@ -49,6 +48,7 @@ AUTH_LDAP_BIND_PASSWORD = "demo"
|
|
|
# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
|
|
|
LDAP_IGNORE_CERT_ERRORS = True
|
|
|
```
|
|
|
+
|
|
|
!!! info
|
|
|
When using Windows Server 2012 you may need to specify a port on AUTH_LDAP_SERVER_URI - 3269 for secure, 3268 for non-secure.
|
|
|
|
|
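Review bot: the info note offers port 3268 as the "non-secure" option directly below an example that sets LDAP_IGNORE_CERT_ERRORS = True, and nothing in the surrounding lines says either choice is for testing only. While this section is being touched, add a sentence stating that ignoring certificate errors turns off verification of the LDAP server's certificate, and recommend 3269 for production so the bind password and user credentials are not exposed to the network or to an unverified server.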
@@ -72,6 +72,7 @@ AUTH_LDAP_USER_ATTR_MAP = {
|
|
|
"last_name": "sn"
|
|
|
}
|
|
|
```
|
|
|
+
|
|
|
!!! info
|
|
|
When using Windows Server 2012 AUTH_LDAP_USER_DN_TEMPLATE should be set to None.
|
|
|
|
|
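Review bot: the note following the added blank line tells Windows Server 2012 users to set AUTH_LDAP_USER_DN_TEMPLATE to None but does not say how the user's DN is resolved once the template is gone. Add a sentence naming the setting that takes over, and put AUTH_LDAP_USER_DN_TEMPLATE and None in backticks to match the `is_active` style introduced later in this patch.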
@@ -104,19 +105,16 @@ AUTH_LDAP_CACHE_GROUPS = True
|
|
|
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
|
|
|
```
|
|
|
|
|
|
-!!! info
|
|
|
-"is_active" - You must map all users to at least this group if you want their account to be treated as enabled. Without this, your users cannot log in.
|
|
|
-
|
|
|
-"is_staff" - Users mapped to this group are enabled for access to the Administration tools; this is the equivalent of checking the "Staff status" box on a manually created user. This doesn't necessarily imply additional privileges, which still needed to be assigned via a group, or on a per-user basis.
|
|
|
-
|
|
|
-"is_superuser" - Users mapped to this group in addition to the "is_staff" group will be assumed to have full permissions to all modules. Without also being mapped to "is_staff", this group observably has no impact to your effective permissions.
|
|
|
+* `is_active` - All users must be mapped to at least this group to enable authentication. Without this, users cannot log in.
|
|
|
+* `is_staff` - Users mapped to this group are enabled for access to the administration tools; this is the equivalent of checking the "staff status" box on a manually created user. This doesn't grant any specific permissions.
|
|
|
+* `is_superuser` - Users mapped to this group will be granted superuser status. Superusers are implicitly granted all permissions.
|
|
|
|
|
|
!!! info
|
|
|
-It is also possible map user attributes to Django attributes:
|
|
|
-
|
|
|
-```no-highlight
|
|
|
-AUTH_LDAP_USER_ATTR_MAP = {
|
|
|
-"first_name": "givenName",
|
|
|
-"last_name": "sn"
|
|
|
-}
|
|
|
-```
|
|
|
+ It is also possible map user attributes to Django attributes:
|
|
|
+
|
|
|
+ ```no-highlight
|
|
|
+ AUTH_LDAP_USER_ATTR_MAP = {
|
|
|
+ "first_name": "givenName",
|
|
|
+ "last_name": "sn"
|
|
|
+ }
|
|
|
+ ```
|
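Review bot: the new `is_superuser` bullet drops the removed text's caveat that, without also being mapped to "is_staff", the group "observably has no impact to your effective permissions", and now says superusers are "implicitly granted all permissions". Please confirm which behaviour is current; if the is_staff dependency still applies, keep it in the bullet, and either way it is worth saying that membership of the LDAP group mapped to `is_superuser` should be tightly restricted. Two smaller points: the re-indented line still reads "It is also possible map user attributes" (missing "to"), and the first `!!! info` header is removed, so the three bullets now sit directly under the code block with no introducing sentence.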