userena breaks ldap authentication #87

Open
trbs opened this issue Oct 16, 2013 · 9 comments
trbs commented Oct 16, 2013

Because userena and localshop use a different set of login parameters than the default, this breaks third-party backends like django_auth_ldap.

The workaround is some additional code like this:

```python
from django_auth_ldap.backend import LDAPBackend as Orig

class LDAPBackend(Orig):
    # Accept userena's `identification` keyword and map it to `username`.
    def authenticate(self, username=None, password=None, identification=None):
        if identification and not username:
            username = identification
        return super(LDAPBackend, self).authenticate(username, password)
```

But it's kind of silly that users have to jump through all these hoops for a django app that should just-work(tm).
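
Why the stock backend never sees the login, as an added example that is not part of the original issue or of localshop's code: Django's `authenticate()` skips any backend whose `authenticate()` signature does not accept the supplied credential keywords. The dispatcher and both backend classes are simplified stand-ins; the sample credentials, and the login form passing `identification` and `password`, are assumptions based on the workaround above.

```python
import inspect

class StockLDAPBackend:
    """Stand-in for a third-party backend using the default credential names."""
    def authenticate(self, username=None, password=None):
        # Constructed directory check; a real backend would bind to LDAP here.
        return username if (username, password) == ("alice", "s3cret") else None

class WorkaroundLDAPBackend(StockLDAPBackend):
    """Same shape as the workaround: also accept `identification`."""
    def authenticate(self, username=None, password=None, identification=None):
        if identification and not username:
            username = identification
        return super().authenticate(username, password)

def authenticate(backends, **credentials):
    """Simplified model of django.contrib.auth.authenticate().

    Returns (user, skipped): the real function returns only the user; the
    list of skipped backends is added here to make the silent skip visible.
    """
    skipped = []
    for backend in backends:
        try:
            # A backend that cannot take these keywords is passed over silently.
            inspect.signature(backend.authenticate).bind(**credentials)
        except TypeError:
            skipped.append(type(backend).__name__)
            continue
        user = backend.authenticate(**credentials)
        if user is not None:
            return user, skipped
    return None, skipped

if __name__ == "__main__":
    form = {"identification": "alice", "password": "s3cret"}  # constructed input
    print(authenticate([StockLDAPBackend()], **form))       # backend skipped
    print(authenticate([WorkaroundLDAPBackend()], **form))  # backend consulted
```

A skipped backend produces no error, so the only visible symptom is a failed login for every LDAP user.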

cocoy commented Mar 17, 2014

Hi @trbs I've tried adding your code (see #102) and it works, but other pages are now forbidden when accessed. Any tips to solve this? Thanks in advance.

trbs commented Mar 17, 2014

Hi @cocoy I'm using a very similar setup to your #102

Differences are:

In settings.py:

```python
AUTHENTICATION_BACKENDS = (
    'ldap_workaround.LDAPBackend',
    'userena.backends.UserenaAuthenticationBackend',
    'guardian.backends.ObjectPermissionBackend',
    'localshop.apps.permissions.backend.CredentialBackend',
    'django.contrib.auth.backends.ModelBackend',
)
```

I have LDAP as the first AUTHENTICATION_BACKENDS

And I'm using in ldap_workaround.py:

```python
# {{ ansible_managed }}

from django.contrib.auth.models import User
from django.db.models.signals import post_save
from django_auth_ldap.backend import LDAPBackend as Orig
from localshop.apps.permissions.models import AuthProfile

class LDAPBackend(Orig):
    # Accept userena's `identification` keyword and map it to `username`.
    def authenticate(self, username=None, password=None, identification=None):
        if identification and not username:
            username = identification
        return super(LDAPBackend, self).authenticate(username, password)

# Create the localshop AuthProfile when a User row is first saved.
def create_auth_profile(sender, **kwargs):
    user = kwargs['instance']
    if kwargs['created']:
        AuthProfile(user=user).save()

post_save.connect(create_auth_profile, sender=User, dispatch_uid="create_auth_profile")
```

It may be that the order of the AUTHENTICATION_BACKENDS is causing problems for you?

cocoy commented Mar 17, 2014

@trbs Seems I missed the lines below to create profiles, I assume this is required.
Thanks, will try it out.

cocoy commented Mar 18, 2014

LDAP login works fine, I can log in without a problem. But clicking on other pages like http://mylocalserver/packages/ says Forbidden.

sposs commented Nov 10, 2014

For the forbidden thing, make sure you have

```python
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=group,cn=groups,dc=company,dc=com",
    "is_staff": ["cn=group,cn=groups,dc=company,dc=com"],
    "is_superuser": "cn=group,cn=groups,dc=company,dc=com"
}
```

Seems the is_superuser is what is required to be able to browse the other pages...

cocoy commented Nov 11, 2014

Seems my issue on Forbidden pages is because the group in LDAP has no access to the packages.

I have to allow package | packages | can View Packages on the admin page, i.e. http://localhost:8000/admin/auth/group/

Maybe this one fixes the same config at localshop.conf.py

cocoy commented Nov 11, 2014

Indeed @sposs it works!

cocoy commented Nov 11, 2014

ah, problem is the other permissions on admin pages were granted to the ldap user when set to is_superuser

@mvantellingen
Owner

Just an FYI, I've just removed django-userena in the develop branch so I'm hoping to get LDAP support built-in by default now. Let me know if you have any tips or can even help me with a PR.
