Merge pull request #960 from lostlont/ldap

LDAP support

.env.template

@@ -122,11 +122,17 @@ REVERSE_PROXY_AUTH=0
 # SESSION_COOKIE_DOMAIN=.example.com
 # SESSION_COOKIE_NAME=sessionid # use this only to not interfere with non unified django applications under the same top level domain
 
-
 # by default SORT_TREE_BY_NAME is disabled this will store all Keywords and Food in the order they are created
 # enabling this setting makes saving new keywords and foods very slow, which doesn't matter in most usecases.
 # however, when doing large imports of recipes that will create new objects, can increase total run time by 10-15x
 # Keywords and Food can be manually sorted by name in Admin
 # This value can also be temporarily changed in Admin, it will revert the next time the application is started
 # This will be fixed/changed in the future by changing the implementation or finding a better workaround for sorting
-# SORT_TREE_BY_NAME=0
+# SORT_TREE_BY_NAME=0
+# LDAP authentication
+# default 0 (false), when 1 (true) list of allowed users will be fetched from LDAP server
+#LDAP_AUTH=
+#AUTH_LDAP_SERVER_URI=
+#AUTH_LDAP_BIND_DN=
+#AUTH_LDAP_BIND_PASSWORD=
+#AUTH_LDAP_USER_SEARCH_BASE_DN=

Dockerfile

@@ -15,7 +15,7 @@ WORKDIR /opt/recipes
 
 COPY requirements.txt ./
 
-RUN apk add --no-cache --virtual .build-deps gcc musl-dev postgresql-dev zlib-dev jpeg-dev libressl-dev libffi-dev cargo && \
+RUN apk add --no-cache --virtual .build-deps gcc musl-dev postgresql-dev zlib-dev jpeg-dev libressl-dev libffi-dev cargo openssl-dev openldap-dev && \
     python -m venv venv && \
     /opt/recipes/venv/bin/python -m pip install --upgrade pip && \
     venv/bin/pip install wheel==0.36.2 && \

recipes/settings.py

@@ -158,7 +158,31 @@ if ENABLE_METRICS:
     MIDDLEWARE += 'django_prometheus.middleware.PrometheusAfterMiddleware',
 
 # Auth related settings
-AUTHENTICATION_BACKENDS = [
+AUTHENTICATION_BACKENDS = []
+
+# LDAP
+LDAP_AUTH=bool(os.getenv('LDAP_AUTH', False))
+if LDAP_AUTH:
+    import ldap
+    from django_auth_ldap.config import LDAPSearch
+    AUTHENTICATION_BACKENDS.append('django_auth_ldap.backend.LDAPBackend')
+    AUTH_LDAP_SERVER_URI = os.getenv('AUTH_LDAP_SERVER_URI') 
+    AUTH_LDAP_BIND_DN = os.getenv('AUTH_LDAP_BIND_DN')
+    AUTH_LDAP_BIND_PASSWORD = os.getenv('AUTH_LDAP_BIND_PASSWORD')
+    AUTH_LDAP_USER_SEARCH = LDAPSearch(
+        os.getenv('AUTH_LDAP_USER_SEARCH_BASE_DN'),
+        ldap.SCOPE_SUBTREE,
+        os.getenv('AUTH_LDAP_USER_SEARCH_FILTER_STR', '(uid=%(user)s)'),
+    )
+    AUTH_LDAP_USER_ATTR_MAP = ast.literal_eval(os.getenv('AUTH_LDAP_USER_ATTR_MAP')) if os.getenv('AUTH_LDAP_USER_ATTR_MAP') else {
+        'first_name': 'givenName',
+        'last_name': 'sn',
+        'email': 'mail',
+    }
+    AUTH_LDAP_ALWAYS_UPDATE_USER = bool(int(os.getenv('AUTH_LDAP_ALWAYS_UPDATE_USER', True)))
+    AUTH_LDAP_CACHE_TIMEOUT = int(os.getenv('AUTH_LDAP_CACHE_TIMEOUT', 3600))
+
+AUTHENTICATION_BACKENDS += [
     'django.contrib.auth.backends.ModelBackend',
     'allauth.account.auth_backends.AuthenticationBackend',
 ]

requirements.txt

@@ -39,4 +39,5 @@ django-cors-headers==3.9.0
 django-storages==1.11.1
 boto3==1.18.52
 django-prometheus==2.1.0
-django-hCaptcha==0.1.0
+python-ldap==3.3.1
+django-auth-ldap==3.0.0