Django authentication on LDAP server - django

I would like my web application to authenticate users on an LDAP server (only for username and password), but with the permissions residing in Django.
Not all LDAP users must have access to the web application.
In particular, I would like to allow users to see only a few records (for example, suppose there is a model with a city field: some users should only be able to see records whose city field is London, others whose city is Milano, etc.).
How can I define Django permissions if users are defined in LDAP?
How can I define the user's application admin if users are defined in LDAP?
Do I need to implement double authentication? Do I have to also define in Django the LDAP users who can access the web application?
What is the best way to proceed?
Do you have any suggestions?
Examples?
Thanks
pacopyc

Not all LDAP users must have access to the web application.
Create a separate branch in the LDAP tree for your application.
What is the best way to proceed? Do you have any suggestions?
Take a look at the django-python3-ldap extension:
Define your settings in Django's settings.py, then do an LDAP sync of users to your local database:
python manage.py ldap_sync_users

Related

Django - how to set user permissions after login via LDAP?

I'm starting a project in Django and I've already managed to get LDAP authentication working, with django-auth-ldap.
Now I want Django to check, after the user logs in, whether this user exists in certain tables of my models, and if so, give the user permission to access certain apps.
For example, I have an app called 'alimentacao'. Only users registered in my model 'alimentacao.alunos' will be able to access "http://meu-projeto/alimentacao".
As the user is created automatically if it doesn't already exist in the user model, I believe I would have to create a custom LDAP authentication backend and check, after a successful login, whether the user exists in the table, and then set the permission for the user.
Neither the Django nor the django-auth-ldap documentation clearly explains how to create an authentication backend: in which folders the files need to be created, or how the application will call my custom method, or if I need to change any settings. I'm completely lost.

Django : Use decorator 'user_passes_test' using LDAP group without django DB

I want to use LDAP AUTH for Django.
For the moment I also have a Django model backend where all my users and their groups are.
In my code, a user passes a test in order to access the application. This operation checks whether the group to allow is in the user's information.
But now I want to stop using model authentication and use only LDAP AUTH...
How can I manage to use the same function to allow access, with LDAP groups, without creating a user in the model?
I don't know much about LDAP in general, but you can follow this tutorial on how to log in to LDAP using Python: http://blog.emfeld.com/2013/03/ldap-login-authentication-using-python.html
Once you understand the basics, you can implement login in Django.
Hint: You will have to update the code of the login view. After getting the username and the password from the form, it will now search in LDAP instead of the models.
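The three LDAP posts above ask the same thing from different angles: let the directory say who the user is, but let the application decide who may enter, which Django groups they get, and which rows (cities) they may see, or skip the database and test LDAP group membership directly. The following is an added example, not code from any of the posts or from django-python3-ldap or django-auth-ldap. The directory layout (an ou=webapp branch, cn=webapp-* groups, the memberOf attribute) and the group-to-city mapping are assumptions constructed for the example; the last function is Django glue that plugs the decision into django-auth-ldap's populate_user signal and is not needed to run the rest.

```python
"""Added example: map an LDAP entry to the Django-side authorization decision.

Assumed directory layout (constructed for this example):
  users live under ou=webapp,dc=example,dc=com  (the answer's 'separate branch')
  access is granted by groups named cn=webapp-*, listed in the user's memberOf
"""
from dataclasses import dataclass, field

APP_BRANCH = "ou=webapp,dc=example,dc=com"        # assumed branch holding app users

# Assumed mapping: LDAP group cn -> (Django group, city scope); None = every city.
GROUP_MAP = {
    "webapp-admins": ("Admins", None),
    "webapp-london": ("Viewers", "London"),
    "webapp-milano": ("Viewers", "Milano"),
}


def split_dn(dn):
    """Split a DN into lowercased, stripped RDNs, honouring '\\,' escapes in values."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r.lower() for r in rdns]


def under_branch(dn, branch=APP_BRANCH):
    """True if dn lies strictly below the application's branch of the tree."""
    parts, base = split_dn(dn), split_dn(branch)
    return len(parts) > len(base) and parts[-len(base):] == base


def group_cn(group_dn):
    """Return the cn value of a group DN such as 'cn=webapp-london,ou=groups,...'."""
    attr, _, value = split_dn(group_dn)[0].partition("=")
    return value if attr == "cn" else None


@dataclass
class Access:
    allowed: bool
    django_groups: set = field(default_factory=set)
    cities: set = field(default_factory=set)
    all_cities: bool = False


def decide_access(dn, attrs):
    """Decide, from dn + attribute dict, whether and how this user may use the app."""
    access = Access(allowed=False)
    if not under_branch(dn):
        return access                          # outside the app branch: never allowed
    for group_dn in attrs.get("memberOf", []):
        cn = group_cn(group_dn)
        if cn not in GROUP_MAP:
            continue                           # unrelated groups grant nothing
        django_group, city = GROUP_MAP[cn]
        access.allowed = True
        access.django_groups.add(django_group)
        if city is None:
            access.all_cities = True
        else:
            access.cities.add(city)
    return access


def visible_records(records, access):
    """Row-level filter: keep only records whose 'city' the user may see."""
    if not access.allowed:
        return []
    if access.all_cities:
        return list(records)
    return [r for r in records if r["city"] in access.cities]


def passes_ldap_group_test(attrs, required_cn):
    """Predicate of the shape user_passes_test expects, with no database lookup."""
    return any(group_cn(g) == required_cn.lower() for g in attrs.get("memberOf", []))


def on_populate_user(sender, user, ldap_user, **kwargs):
    """django-auth-ldap populate_user receiver (Django glue; connect it in AppConfig.ready)."""
    from django.contrib.auth.models import Group   # lazy import: module runs without Django
    access = decide_access(ldap_user.dn, dict(ldap_user.attrs))
    user.is_active = access.allowed                # a successful bind alone does not admit the user
    user.save()
    user.groups.set(Group.objects.filter(name__in=access.django_groups))


# Constructed sample entries and records (not real directory data).
SAMPLE_ENTRIES = {
    "uid=alice,ou=webapp,dc=example,dc=com": {"memberOf": [
        "cn=webapp-london,ou=groups,dc=example,dc=com", "cn=staff,ou=groups,dc=example,dc=com"]},
    "uid=bob,ou=webapp,dc=example,dc=com": {"memberOf": ["cn=webapp-admins,ou=groups,dc=example,dc=com"]},
    "uid=carol,ou=people,dc=example,dc=com": {"memberOf": ["cn=webapp-london,ou=groups,dc=example,dc=com"]},
    "uid=dave,ou=webapp,dc=example,dc=com": {"memberOf": ["cn=staff,ou=groups,dc=example,dc=com"]},
}
SAMPLE_RECORDS = [{"id": 1, "city": "London"}, {"id": 2, "city": "Milano"}]
```

Carol is rejected although she holds the right group, because she sits outside the application branch; Dave is inside the branch but holds no webapp-* group, so he is rejected too. The city scope is what a view would store on a profile model and apply as a queryset filter, which keeps the permission data in Django while the credentials stay in LDAP. With django-python3-ldap the same `decide_access` call fits into the `LDAP_AUTH_SYNC_USER_RELATIONS` hook run by `ldap_sync_users`.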

Multi-tenant Centralized Authentication Server

I am trying to create a centralized authentication server for multiple Django apps (APIs). I've seen posts/recommendations but none fit exactly what I am looking for.
Overview:
Users can be associated to one or multiple projects
Users have same credentials to all projects they are associated to
Use JSON Web Tokens - use payload to add user data, sub-domain (project) to route to, role, etc
Sub-domain will not be used for login. All users will login to same site and will be routed to project they are associated to (or given list if there are multiple). SSO is optional.
Questions/uncertainties:
Q: Should the authentication tokens be created on the authentication server or on each project? i.e. each user having one auth token for all projects, or one auth token for each project?
Q: Roles will be stored in each app. I would like to send the roles along with the authentication token in the JWT. Should this data be redundantly stored on the authentication server? Another way would be for the authentication server to access the project databases. What is the best way to handle this? Users will have different roles for each project.
Q: Auth server will have basic user information (email/username, password, first/last name, etc). Since foreign keys can't be used between databases I can use a user proxy based on usernames to create the user on each project. Do the app servers need to have access to which authentication tokens are valid?
Taking advantage of pre-existing software:
Another approach I had in mind was to use django-tenant-schemas, which takes advantage of Postgres schemas where each one of my projects would be a schema (currently using MySQL databases). Does it make sense to take advantage of this?
Can I take advantage of an IdP service to offload some of the authentication? Does this easily tie into the Django auth layer?
Your question seems to be multiple, so I would split the answer too:
ABOUT THE USERS
Since your users are not part of your "multitenancy model" you have two options here:
Replicate your user data among the different tenant databases (via triggers and what not).
Write your own authentication middleware that verifies users in the right database (let's call it the root database from now on). You can use user ids from the root database and verify manually that they match, which is a bad idea.
That means your database schema will be something like this:
root database (all common data here)
project 1 database (with its own user data or referencing root)
project 2 database (with its own user data or referencing root)
Now for authentication tokens
You have the same options as above:
Keep them in the root database and write your own middleware.
Replicate them.
How to implement the whole thing
Since your use case is pretty particular, you may encounter some resistance from existing software. But creating your own multitenant solution is not that hard.
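The question's three uncertainties (one token for all projects or one per project, where the per-project roles live, and whether app servers need to see which tokens are valid) can be settled with a token design rather than shared tables. The following is an added example and not code from the question or the answer: an HS256 JWT flow, using only the standard library, in which the central auth server issues one token per project, carrying that project's role in the payload, and each project API verifies only tokens addressed to it with a key it alone shares with the auth server. The project names, users, roles and secrets are constructed for the example.

```python
"""Added example: per-project JWTs from a central auth server (stdlib only).

Assumed: the auth server holds every project's signing key; each project API
holds only its own, so a token minted for one project cannot verify on another
and no project needs access to the auth server's token or session tables.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed secrets: in deployment each project API is given only its own entry.
PROJECT_KEYS = {
    "london-api": b"constructed-secret-for-london",
    "milano-api": b"constructed-secret-for-milano",
}

# Constructed view of the root database: a user's projects and role in each.
USER_PROJECTS = {
    "alice": {"london-api": "editor", "milano-api": "viewer"},
    "bob": {"milano-api": "admin"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, key: bytes) -> str:
    return _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def projects_for(username):
    """Login step: the list the user is routed to (or shown, if more than one)."""
    return sorted(USER_PROJECTS.get(username, {}))


def issue_token(username, project, now=None, ttl=900):
    """Auth server: mint a short-lived JWT scoped to one project with that project's role."""
    if project not in USER_PROJECTS.get(username, {}):
        raise PermissionError(f"{username} is not a member of {project}")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "auth.example.test", "sub": username, "aud": project,
               "role": USER_PROJECTS[username][project], "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    return f"{signing_input}.{_sign(signing_input.encode(), PROJECT_KEYS[project])}"


def verify_token(token, my_project, now=None):
    """Project API: return the payload of a token that is well-formed, signed with this
    project's key, addressed to this project and unexpired; otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")        # the token never chooses the algorithm
    expected = _sign(f"{h64}.{p64}".encode(), PROJECT_KEYS[my_project])
    if not hmac.compare_digest(expected, s64):    # constant-time comparison
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if payload.get("aud") != my_project:
        raise ValueError("token issued for another project")
    now = int(time.time()) if now is None else now
    if now >= payload.get("exp", 0):
        raise ValueError("token expired")
    return payload


def rejection_reason(token, my_project, now=None):
    """Convenience for callers that want a reason string instead of an exception."""
    try:
        verify_token(token, my_project, now=now)
    except ValueError as exc:
        return str(exc)
    return None


def tamper_role(token, new_role):
    """Constructed for the example: rewrite the role claim without re-signing."""
    h64, p64, s64 = token.split(".")
    payload = json.loads(_b64url_decode(p64))
    payload["role"] = new_role
    return f"{h64}.{_b64url(json.dumps(payload, separators=(',', ':')).encode())}.{s64}"
```

Because the role is carried inside a signed token, the project API never reads the auth server's database and the auth server never reads the project databases; the role store stays where the question wants it, the auth server only needs the membership map it uses at login. The one-key-per-project split is what makes "one token per project" the safer choice: a compromised project key only forges tokens for that project. For a production deployment, an asymmetric algorithm (RS256 or ES256) lets the project APIs hold only a public key, which removes even that risk.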

Django User Model questions

I'm new to Django so I have some questions that might seem basic to you. I'm looking to create a platform that is open to both individuals and companies and I'm trying to design the user auth for an API that runs on DRF. I need to provide mobile platform access so I'm thinking of using OAuth via django-oauth-toolkit. Having difficulty understanding:
Should I separate the login flow into a separate app? How do I know when I should spin up a separate app?
Do I manage the profiles via the built in admin area? Is this secure for production environments?
Should I separate individual profiles and company profiles into separate apps or just models extending the Base User?
How do I allow the individual profiles to link their logins to social media accounts with django-allauth while storing extra information like birthday/name etc regardless of which mode of login?
Thanks!
This is my point of view.
No need to separate the app. You can manage all the profiles from Django admin.
It is secure for production environments; Django does not allow anyone to see its credentials or password, it is encrypted.
You can create a UserProfile model and use the Django user as a ForeignKey in it. You can add extra fields this way. Or you can extend the User model of Django admin.
It's just a suggestion; do whatever you feel is reliable or easy.

Admin on GAE and django

I'm developing a Google App Engine and Django based site and I'm trying to figure out the best approach to solve the problem. The site requirements are as follows:
1. There must be a super administrator whose only task is to create second level administrators and assign them to a group.
2. Second level administrators can create regular users, and those users are assigned to the same group as the admin that created them.
3. Regular users don't do much besides login and logout.
I've been reading and I think I can solve 1 with the (login: admin) GAE feature for app.yaml.
I don't want to use Google accounts or OpenID, because second level admins are the only ones allowed to create users.
For 3, is it possible to use the Django session utility to handle regular users?
I'd appreciate suggestions for a particular point or the whole thing.
For 1:
login:admin in app.yaml will prevent users that are not associated with your GAE project from visiting that URL or set of URLs. Any user associated with your GAE production project is an admin. You can create additional filtering inside the application by confirming the username that they are currently logged in with.
from google.appengine.api import users

user = users.get_current_user()  # None when nobody is signed in
if user is not None:
    email = user.email()  # compare against the usernames your application allows
For 3:
I am not sure, we ended up rolling our own.
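The three requirements above describe an authorization hierarchy, and the answer's advice for point 1 is to filter further inside the application once App Engine has confirmed the signed-in account. The following is an added example, not code from the question or the answer, that encodes those rules as plain Python independent of App Engine or Django: the super administrator may only create second level admins, a second level admin may only create regular users in their own group, and regular users create nobody. The emails and group names are constructed, and `resolve_super` stands in for the extra check the answer suggests against `users.get_current_user().email()`.

```python
"""Added example: the three-tier admin rules from the question as checkable logic.

All accounts, emails and groups below are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum


class Role(str, Enum):
    SUPER = "super"   # requirement 1: only creates second level admins
    ADMIN = "admin"   # requirement 2: only creates users in its own group
    USER = "user"     # requirement 3: only logs in and out


@dataclass(frozen=True)
class Account:
    email: str
    role: Role
    group: str        # "" for the super administrator, who belongs to no group


def resolve_super(gae_email, super_admins):
    """The answer's extra filter: being a GAE project admin is not enough, the
    signed-in email must also be one the application recognises as super admin."""
    if gae_email is None or gae_email.lower() not in {e.lower() for e in super_admins}:
        return None
    return Account(gae_email.lower(), Role.SUPER, "")


def can_create(actor, new_role, group):
    """Least privilege: each tier creates exactly the tier below it, and an admin
    can never reach outside their own group or create another admin."""
    if actor.role is Role.SUPER:
        return new_role is Role.ADMIN and bool(group)
    if actor.role is Role.ADMIN:
        return new_role is Role.USER and group == actor.group
    return False


class Directory:
    """In-memory stand-in for the datastore that holds application accounts."""

    def __init__(self):
        self.accounts = {}

    def create(self, actor, email, new_role, group):
        email = email.lower()
        if not can_create(actor, new_role, group):
            raise PermissionError(f"{actor.email} ({actor.role.value}) may not create "
                                  f"a {new_role.value} in group {group!r}")
        if email in self.accounts:
            raise ValueError(f"{email} already exists")
        account = Account(email, new_role, group)
        self.accounts[email] = account
        return account

    def members(self, group):
        return sorted(a.email for a in self.accounts.values() if a.group == group)


def build_sample_directory():
    """Constructed walkthrough: super admin -> group admins -> users in their groups."""
    d = Directory()
    root = resolve_super("root@example.test", super_admins=["root@example.test"])
    london_admin = d.create(root, "la@example.test", Role.ADMIN, "london")
    milano_admin = d.create(root, "ma@example.test", Role.ADMIN, "milano")
    d.create(london_admin, "u1@example.test", Role.USER, "london")
    d.create(milano_admin, "u2@example.test", Role.USER, "milano")
    return d, root, london_admin, milano_admin
```

The group is fixed at creation time by the creating admin rather than chosen by the new user, which is what makes requirement 2 hold without a later check. Regular users (requirement 3) carry no creation rights at all, so whatever session mechanism is chosen for them only has to establish identity.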