diff --git a/python/nav/etc/webfront/webfront.conf b/python/nav/etc/webfront/webfront.conf index aa32fba9ca..cd95ba143b 100644 --- a/python/nav/etc/webfront/webfront.conf +++ b/python/nav/etc/webfront/webfront.conf @@ -44,13 +44,13 @@ server = ldap.example.com # basedn = ou=people,dc=example,dc=com -# How to lookup a user object from LDAP. +# How to lookup a user object from LDAP. # 'direct' binds to =, # 'search' searches for = using basedn as searchbase. #lookupmethod=direct # Choose to bind to LDAP as the user with 'suffix' for Active Directory support. -# lookupmethod should be set to search for this option to function. +# lookupmethod should be set to search for this option to function. #suffix = @ad.example.com # If the LDAP directory requires an authenticated user to search for a user @@ -110,6 +110,10 @@ enabled = no # authenticated user? #varname = REMOTE_USER +# Whether usernames set in REMOTE_USER should automatically be created in the +# database if they do not already exist. +# autocreate = off + # If the supplied remote username value needs modification to become more # "username-like", specify which workaround to use here. Only `feide-oidc` is # supported, at the moment. diff --git a/python/nav/web/auth/remote_user.py b/python/nav/web/auth/remote_user.py index 5b6dac3100..fe853503da 100644 --- a/python/nav/web/auth/remote_user.py +++ b/python/nav/web/auth/remote_user.py @@ -52,6 +52,7 @@ class RemoteUserConfigParser(NAVConfigParser): logout-url= varname=REMOTE_USER workaround=none +autocreate=off """ @@ -78,16 +79,11 @@ def authenticate(request): try: account = Account.objects.get(login=username) except Account.DoesNotExist: - # Store the remote user in the database and return the new account - account = Account(login=username, name=username, ext_sync='REMOTE_USER') - account.set_password(fake_password(32)) - account.save() - _logger.info("Created user %s from header REMOTE_USER", account.login) - template = 'Account "{actor}" created due to REMOTE_USER HTTP header' - LogEntry.add_log_entry( - account, 'create-account', template=template, subsystem='auth' - ) - return account + if _config.getboolean('remote-user', 'autocreate', fallback=False): + return autocreate_remote_user(username) + # Bail out! + _logger.info('User creation turned off, did not create "%s"', username) + return False # Bail out! Potentially evil user if account.locked: @@ -101,6 +97,19 @@ def authenticate(request): return account +def autocreate_remote_user(username): + # Store the remote user in the database and return the new account + account = Account(login=username, name=username, ext_sync='REMOTE_USER') + account.set_password(fake_password(32)) + account.save() + _logger.info("Created user %s from header REMOTE_USER", account.login) + template = 'Account "{actor}" created due to REMOTE_USER HTTP header' + LogEntry.add_log_entry( + account, 'create-account', template=template, subsystem='auth' + ) + return account + + def login(request): """Log in the user in REMOTE_USER, if any and enabled