# coding:utf-8 # import abc import ldap from django.conf import settings from django.core.cache import cache from django.core.exceptions import ImproperlyConfigured, ObjectDoesNotExist from django_auth_ldap.backend import _LDAPUser, LDAPBackend, valid_cache_key from django_auth_ldap.config import _LDAPConfig, LDAPSearch, LDAPSearchUnion from users.utils import construct_user_email from common.const import LDAP_AD_ACCOUNT_DISABLE from common.utils.http import is_true from .base import JMSBaseAuthBackend logger = _LDAPConfig.get_logger() class LDAPBaseBackend(LDAPBackend): @abc.abstractmethod def is_enabled(self): raise NotImplementedError('is_enabled') @property @abc.abstractmethod def is_user_login_only_in_users(self): raise NotImplementedError('is_authenticated') def get_or_build_user(self, username, ldap_user): """ This must return a (User, built) 2-tuple for the given LDAP user. username is the Django-friendly username of the user. ldap_user.dn is the user's DN and ldap_user.attrs contains all of their LDAP attributes. The returned User object may be an unsaved model instance. """ model = self.get_user_model() if self.settings.USER_QUERY_FIELD: query_field = self.settings.USER_QUERY_FIELD query_value = ldap_user.attrs[self.settings.USER_ATTR_MAP[query_field]][0] query_value = query_value.strip() lookup = query_field else: query_field = model.USERNAME_FIELD query_value = username.lower() lookup = "{}__iexact".format(query_field) try: user = model.objects.get(**{lookup: query_value}) except model.DoesNotExist: user = model(**{query_field: query_value}) built = True else: built = False return user, built def get_user(self, user_id): user = None try: user = self.get_user_model().objects.get(pk=user_id) LDAPUser(self, user=user) # This sets user.ldap_user except ObjectDoesNotExist: pass return user def get_group_permissions(self, user, obj=None): if not hasattr(user, 'ldap_user') and self.settings.AUTHORIZE_ALL_USERS: LDAPUser(self, user=user) # This sets user.ldap_user if hasattr(user, 'ldap_user'): permissions = user.ldap_user.get_group_permissions() else: permissions = set() return permissions def populate_user(self, username): ldap_user = LDAPUser(self, username=username) user = ldap_user.populate_user() return user def authenticate(self, request=None, username=None, password=None, **kwargs): logger.info('Authentication LDAP backend') if username is None or password is None: logger.info('No username or password') return None match, msg = self.pre_check(username, password) if not match: logger.info('Authenticate failed: {}'.format(msg)) return None ldap_user = LDAPUser(self, username=username.strip(), request=request) user = self.authenticate_ldap_user(ldap_user, password) logger.info('Authenticate user: {}'.format(user)) return user if self.user_can_authenticate(user) else None def pre_check(self, username, password): if not self.is_enabled(): error = 'Not enabled auth ldap' return False, error if not username: error = 'Username is None' return False, error if not password: error = 'Password is None' return False, error if self.is_user_login_only_in_users: user_model = self.get_user_model() exist = user_model.objects.filter(username=username).exists() if not exist: error = 'user ({}) is not in the user list'.format(username) return False, error return True, '' class LDAPAuthorizationBackend(JMSBaseAuthBackend, LDAPBaseBackend): """ Override this class to override _LDAPUser to LDAPUser """ @staticmethod def is_enabled(): return settings.AUTH_LDAP @property def is_user_login_only_in_users(self): return settings.AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS class LDAPHAAuthorizationBackend(JMSBaseAuthBackend, LDAPBaseBackend): """ Override this class to override _LDAPUser to LDAPUser """ settings_prefix = "AUTH_LDAP_HA_" @staticmethod def is_enabled(): return settings.AUTH_LDAP_HA @property def is_user_login_only_in_users(self): return settings.AUTH_LDAP_HA_USER_LOGIN_ONLY_IN_USERS class LDAPUser(_LDAPUser): def __init__(self, backend, username=None, user=None, request=None): super().__init__(backend=backend, username=username, user=user, request=request) config_prefix = "" if isinstance(self.backend, LDAPAuthorizationBackend) else "_ha" self.user_dn_cache_key = valid_cache_key( f"django_auth_ldap{config_prefix}.user_dn.{self._username}" ) self.category = f"ldap{config_prefix}" self.search_filter = getattr(settings, f"AUTH_LDAP{config_prefix.upper()}_SEARCH_FILTER", None) self.search_ou = getattr(settings, f"AUTH_LDAP{config_prefix.upper()}_SEARCH_OU", None) def _search_for_user_dn_from_ldap_util(self): from settings.utils import LDAPServerUtil util = LDAPServerUtil(category=self.category) user_dn = util.search_for_user_dn(self._username) return user_dn def _load_user_dn(self): """ Populates self._user_dn with the distinguished name of our user. This will either construct the DN from a template in AUTH_LDAP_USER_DN_TEMPLATE or connect to the server and search for it. If we have to search, we'll cache the DN. """ if self._using_simple_bind_mode(): self._user_dn = self._construct_simple_user_dn() else: if self.settings.CACHE_TIMEOUT > 0: self._user_dn = cache.get_or_set( self.user_dn_cache_key, self._search_for_user_dn, self.settings.CACHE_TIMEOUT ) else: self._user_dn = self._search_for_user_dn() def _search_for_user_dn(self): """ This method was overridden because the AUTH_LDAP_USER_SEARCH configuration in the settings.py file is configured with a `lambda` problem value """ user_search_union = [ LDAPSearch( USER_SEARCH, ldap.SCOPE_SUBTREE, self.search_filter ) for USER_SEARCH in str(self.search_ou).split("|") ] search = LDAPSearchUnion(*user_search_union) if search is None: raise ImproperlyConfigured( 'AUTH_LDAP_USER_SEARCH must be an LDAPSearch instance.' ) results = search.execute(self.connection, {'user': self._username}) if results is not None and len(results) == 1: (user_dn, self._user_attrs) = next(iter(results)) else: # 解决直接配置DC域,用户认证失败的问题(库不能从整棵树中搜索) user_dn = self._search_for_user_dn_from_ldap_util() if user_dn is None: self._user_dn = None self._user_attrs = None else: self._user_dn = user_dn self._user_attrs = self._load_user_attrs() return user_dn def _populate_user_from_attributes(self): for field, attr in self.settings.USER_ATTR_MAP.items(): if field in ['groups']: continue try: value = self.attrs[attr][0] value = value.strip() if field == 'is_active': if attr.lower() == 'useraccountcontrol' and value: value = int(value) & LDAP_AD_ACCOUNT_DISABLE != LDAP_AD_ACCOUNT_DISABLE else: value = is_true(value) except LookupError: logger.warning( "{} does not have a value for the attribute {}".format(self.dn, attr)) else: if not hasattr(self._user, field): continue if isinstance(getattr(self._user, field), bool): if isinstance(value, str): value = value.lower() value = value in ['true', '1', True] setattr(self._user, field, value) email = getattr(self._user, 'email', '') email = construct_user_email(self._user.username, email) setattr(self._user, 'email', email)