[Update] authentication 添加自定义 LDAPBackends (#2081)

apps/authentication/ldap/backends.py

@@ -0,0 +1,95 @@
+# coding:utf-8
+#
+
+import ldap
+from django.conf import settings
+from django.core.exceptions import ImproperlyConfigured, ObjectDoesNotExist
+from django_auth_ldap.backend import _LDAPUser, LDAPBackend
+from django_auth_ldap.config import _LDAPConfig, LDAPSearch, LDAPSearchUnion
+
+logger = _LDAPConfig.get_logger()
+
+
+class LDAPAuthorizationBackend(LDAPBackend):
+    """
+    Override this class to override _LDAPUser to LDAPUser
+    """
+
+    def authenticate(self, request=None, username=None, password=None, **kwargs):
+        if password or self.settings.PERMIT_EMPTY_PASSWORD:
+            ldap_user = LDAPUser(self, username=username.strip(), request=request)
+            user = self.authenticate_ldap_user(ldap_user, password)
+        else:
+            logger.debug('Rejecting empty password for {}'.format(username))
+            user = None
+
+        return user
+
+    def get_user(self, user_id):
+        user = None
+
+        try:
+            user = self.get_user_model().objects.get(pk=user_id)
+            LDAPUser(self, user=user)  # This sets user.ldap_user
+        except ObjectDoesNotExist:
+            pass
+
+        return user
+
+    def get_group_permissions(self, user, obj=None):
+        if not hasattr(user, 'ldap_user') and self.settings.AUTHORIZE_ALL_USERS:
+            LDAPUser(self, user=user)  # This sets user.ldap_user
+
+        if hasattr(user, 'ldap_user'):
+            permissions = user.ldap_user.get_group_permissions()
+        else:
+            permissions = set()
+
+        return permissions
+
+    def populate_user(self, username):
+        ldap_user = LDAPUser(self, username=username)
+        user = ldap_user.populate_user()
+
+        return user
+
+
+class LDAPUser(_LDAPUser):
+
+    def _search_for_user_dn(self):
+        """
+        This method was overridden because the AUTH_LDAP_USER_SEARCH
+        configuration in the settings.py file
+        is configured with a `lambda` problem value
+        """
+
+        user_search_union = [
+            LDAPSearch(
+                USER_SEARCH, ldap.SCOPE_SUBTREE,
+                settings.AUTH_LDAP_SEARCH_FILTER
+            )
+            for USER_SEARCH in str(settings.AUTH_LDAP_SEARCH_OU).split("|")
+        ]
+
+        search = LDAPSearchUnion(*user_search_union)
+        if search is None:
+            raise ImproperlyConfigured(
+                'AUTH_LDAP_USER_SEARCH must be an LDAPSearch instance.'
+            )
+
+        results = search.execute(self.connection, {'user': self._username})
+        if results is not None and len(results) == 1:
+            (user_dn, self._user_attrs) = next(iter(results))
+        else:
+            user_dn = None
+
+        return user_dn
+
+    def _populate_user_from_attributes(self):
+        super()._populate_user_from_attributes()
+        if not hasattr(self._user, 'email') or '@' not in self._user.email:
+            email = '{}@{}'.format(self._user.username, settings.EMAIL_SUFFIX)
+            setattr(self._user, 'email', email)
+
+
+

apps/jumpserver/conf.py

@@ -311,6 +311,7 @@ defaults = {
     'CSRF_COOKIE_DOMAIN': None,
     'SESSION_COOKIE_AGE': 3600 * 24,
     'AUTH_OPENID': False,
+    'EMAIL_SUFFIX': 'jumpserver.org'
 }
 
 

apps/jumpserver/settings.py

@@ -362,11 +362,6 @@ AUTH_LDAP_SEARCH_OU = 'ou=tech,dc=jumpserver,dc=org'
 AUTH_LDAP_SEARCH_FILTER = '(cn=%(user)s)'
 AUTH_LDAP_START_TLS = False
 AUTH_LDAP_USER_ATTR_MAP = {"username": "cn", "name": "sn", "email": "mail"}
-AUTH_LDAP_USER_SEARCH_UNION = lambda: [
-    LDAPSearch(USER_SEARCH, ldap.SCOPE_SUBTREE, AUTH_LDAP_SEARCH_FILTER)
-    for USER_SEARCH in str(AUTH_LDAP_SEARCH_OU).split("|")
-]
-AUTH_LDAP_USER_SEARCH = lambda: LDAPSearchUnion(*AUTH_LDAP_USER_SEARCH_UNION())
 AUTH_LDAP_GROUP_SEARCH_OU = CONFIG.AUTH_LDAP_GROUP_SEARCH_OU
 AUTH_LDAP_GROUP_SEARCH_FILTER = CONFIG.AUTH_LDAP_GROUP_SEARCH_FILTER
 AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
@@ -377,7 +372,7 @@ AUTH_LDAP_CONNECTION_OPTIONS = {
 }
 AUTH_LDAP_GROUP_CACHE_TIMEOUT = 1
 AUTH_LDAP_ALWAYS_UPDATE_USER = True
-AUTH_LDAP_BACKEND = 'django_auth_ldap.backend.LDAPBackend'
+AUTH_LDAP_BACKEND = 'authentication.ldap.backends.LDAPAuthorizationBackend'
 
 if AUTH_LDAP:
     AUTHENTICATION_BACKENDS.insert(0, AUTH_LDAP_BACKEND)
@@ -510,3 +505,5 @@ SWAGGER_SETTINGS = {
     },
 }
 
+# Default email suffix
+EMAIL_SUFFIX = CONFIG.EMAIL_SUFFIX

requirements/requirements.txt

@@ -15,7 +15,7 @@ coreschema==0.0.4
 cryptography==2.3.1
 decorator==4.1.2
 Django==2.1
-django-auth-ldap==1.3.0
+django-auth-ldap==1.7.0
 django-bootstrap3==9.1.0
 django-celery-beat==1.1.1
 django-filter==2.0.0
@@ -76,4 +76,5 @@ aliyun-python-sdk-core-v3==2.9.1
 aliyun-python-sdk-ecs==4.10.1   
 python-keycloak==0.13.3
 python-keycloak-client==0.1.3
+python-ldap==3.1.0
 rest_condition==1.0.3