sal-ldap's Issues
Integrating SAL with AD and UPN
Hi
As said previously, I'm trying to integrate SAL login with AD and use UPN instead of SAM to log in.
We have a PCI DSS compatible setup with two accounts per IT person (a standard one for regular work and a personal admin one for IT-specific tasks on servers, network devices, etc.).
This means logins with the following format:
We use the ext tag to specify that the user is not an employee but a contractor.
Due to the length of all the usernames we can't use the SAM account name. It would end up with usernames that are impossible to memorize. So we must use UPN for all services.
SAL uses the Django LDAP backend and inherits its limitations on username length. I've managed to find a solution which should work: look the login up by UPN and map the username to SAM.
import ldap
from django_auth_ldap.config import LDAPSearch

# Find the authenticating user by userPrincipalName rather than sAMAccountName
AUTH_LDAP_USER_SEARCH = LDAPSearch("OU=Members,DC=corp,DC=example,DC=com", ldap.SCOPE_SUBTREE, "(userPrincipalName=%(user)s)")
# Copy directory attributes onto the Django user on every populate
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
    "username": "sAMAccountName",  # attribute name must be a string
}
The first time I log on, it works. I get authenticated and my username in the DB is the SAM one. Perfect.
But at the second login I get an error saying that the username already exists. Here is the sal.log content:
[30/May/2016 08:26:01] ERROR [django.request:256] Internal Server Error: /login
Traceback (most recent call last):
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/core/handlers/base.py", line 132, in get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/views/decorators/debug.py", line 76, in sensitive_post_parameters_wrapper
return view(request, *args, **kwargs)
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/utils/decorators.py", line 110, in _wrapped_view
response = view_func(request, *args, **kwargs)
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/views/decorators/cache.py", line 57, in _wrapped_view_func
response = view_func(request, *args, **kwargs)
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/contrib/auth/views.py", line 44, in login
if form.is_valid():
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/forms/forms.py", line 184, in is_valid
return self.is_bound and not self.errors
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/forms/forms.py", line 176, in errors
self.full_clean()
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/forms/forms.py", line 393, in full_clean
self._clean_form()
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/forms/forms.py", line 417, in _clean_form
cleaned_data = self.clean()
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/contrib/auth/forms.py", line 157, in clean
password=password)
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/contrib/auth/__init__.py", line 74, in authenticate
user = backend.authenticate(**credentials)
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django_auth_ldap/backend.py", line 167, in authenticate
user = ldap_user.authenticate(password)
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django_auth_ldap/backend.py", line 339, in authenticate
self._get_or_create_user()
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django_auth_ldap/backend.py", line 575, in _get_or_create_user
self._user.save()
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/models/base.py", line 734, in save
force_update=force_update, update_fields=update_fields)
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/models/base.py", line 762, in save_base
updated = self._save_table(raw, cls, force_insert, force_update, using, update_fields)
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/models/base.py", line 827, in _save_table
forced_update)
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/models/base.py", line 877, in _do_update
return filtered._update(values) > 0
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/models/query.py", line 580, in _update
return query.get_compiler(self.db).execute_sql(CURSOR)
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/models/sql/compiler.py", line 1062, in execute_sql
cursor = super(SQLUpdateCompiler, self).execute_sql(result_type)
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/models/sql/compiler.py", line 840, in execute_sql
cursor.execute(sql, params)
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/backends/utils.py", line 64, in execute
return self.cursor.execute(sql, params)
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/utils.py", line 97, in __exit__
six.reraise(dj_exc_type, dj_exc_value, traceback)
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/backends/utils.py", line 64, in execute
return self.cursor.execute(sql, params)
File "/mnt/data/www/sal_env/lib/python2.7/site-packages/django/db/backends/mysql/base.py", line 124, in execute
return self.cursor.execute(query, args)
File "/usr/lib64/python2.7/site-packages/MySQLdb/cursors.py", line 174, in execute
self.errorhandler(self, exc, value)
File "/usr/lib64/python2.7/site-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
raise errorclass, errorvalue
IntegrityError: (1062, "Duplicate entry 'yoann.gini-ext-adm' for key 'username'")
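The traceback above ends in an UPDATE, not an INSERT, which points at the mechanism: the backend looks the Django user up by the login name (the UPN), inserts a fresh row when it does not find one, and only then lets AUTH_LDAP_USER_ATTR_MAP overwrite username with the sAMAccountName on save. The first login therefore leaves a row whose username is the SAM name; the second login cannot find it by UPN, inserts a second row, and the UPDATE to the SAM name collides with the first row. The block below is an added example, not code from sal-ldap or from django-auth-ldap: it is a deliberately small in-memory model of that get-or-create-then-populate flow, with a constructed directory entry and a constructed user table, showing the collision and the lookup strategy that avoids it (query by the value the attribute map is about to write, rather than by the typed login name).

```python
"""Why UPN login plus a username -> sAMAccountName attribute map fails on
the second login, modelled in memory.

This is a simplified stand-in for django-auth-ldap's get-or-create/populate
sequence, not the library's own code. The directory entry, the table and
the names below are constructed for the example.
"""


class IntegrityError(Exception):
    """Stands in for the database's unique-constraint violation (MySQL 1062)."""


class UserTable:
    """Minimal in-memory auth_user table with UNIQUE(username)."""

    def __init__(self):
        self.rows = {}        # primary key -> {"username": ..., "email": ...}
        self._next_pk = 1

    def get_or_create(self, username):
        """Case-insensitive lookup by username; INSERT a row if none matches."""
        for pk, row in self.rows.items():
            if row["username"].lower() == username.lower():
                return pk, False
        pk = self._next_pk
        self._next_pk += 1
        self.rows[pk] = {"username": username.lower(), "email": ""}
        return pk, True

    def update(self, pk, **values):
        """UPDATE a row, enforcing UNIQUE(username) the way MySQL does."""
        new_name = values.get("username", self.rows[pk]["username"])
        for other_pk, row in self.rows.items():
            if other_pk != pk and row["username"] == new_name:
                raise IntegrityError(
                    "(1062, \"Duplicate entry '%s' for key 'username'\")" % new_name
                )
        self.rows[pk].update(values)


# Constructed directory entry: the UPN is what the user types, the
# sAMAccountName is the short name the attribute map writes into username.
DIRECTORY = {
    "yoann.gini-ext-adm@corp.example.com": {
        "sAMAccountName": ["yoann.gini-ext-adm"],
        "mail": ["yoann.gini-ext-adm@corp.example.com"],
    },
}

# Same shape as AUTH_LDAP_USER_ATTR_MAP in the issue (Django field -> LDAP attribute).
ATTR_MAP = {"username": "sAMAccountName", "email": "mail"}


def login_by_upn(table, upn, lookup_by_mapped_username):
    """One authentication round, after the LDAP bind has already succeeded.

    lookup_by_mapped_username=False reproduces the issue's configuration: the
    Django user is looked up by the typed login name (the UPN), then the
    attribute map overwrites username with sAMAccountName on save.
    lookup_by_mapped_username=True looks the user up by the value the attribute
    map is about to write, so the second login finds the row the first one left.
    """
    attrs = DIRECTORY[upn]                      # what the LDAP search returned
    populated = {field: attrs[attr][0] for field, attr in ATTR_MAP.items()}
    key = populated["username"] if lookup_by_mapped_username else upn
    pk, created = table.get_or_create(key)      # INSERT on a miss
    table.update(pk, **populated)               # populate + save(): the UPDATE
    return pk, created


def second_login_raises(lookup_by_mapped_username):
    """Run two logins against a fresh table.

    Returns (second login hit the unique constraint, rows left in the table).
    """
    table = UserTable()
    upn = "yoann.gini-ext-adm@corp.example.com"
    login_by_upn(table, upn, lookup_by_mapped_username)
    try:
        login_by_upn(table, upn, lookup_by_mapped_username)
    except IntegrityError:
        return True, len(table.rows)
    return False, len(table.rows)


if __name__ == "__main__":
    print("lookup by UPN:        ", second_login_raises(False))   # (True, 2)
    print("lookup by mapped name:", second_login_raises(True))    # (False, 1)
```

In django-auth-ldap itself the equivalent of the second strategy is a subclass of LDAPBackend that overrides get_or_create_user(self, username, ldap_user) to query the user model on ldap_user.attrs["sAMAccountName"][0] instead of on the login name, and is listed in AUTHENTICATION_BACKENDS in place of the stock backend; later releases of the library added AUTH_LDAP_USER_QUERY_FIELD, which with the attribute map above and AUTH_LDAP_USER_QUERY_FIELD = "username" performs the lookup on the mapped sAMAccountName. Either way the lookup key must be the attribute returned by the directory for the bound user, never something derived from the typed string, and it must be unique in the directory (sAMAccountName is unique within a domain), or two directory accounts could be merged into one Django row.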
Automatically give user permission
I got LDAP working, but in order to actually give the account permission I have to log in with the account, then log out and back in with the admin user in order to grant the user access to Sal. Is there any way to do this automatically based on group membership?
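django-auth-ldap can set the Django account flags from AD group membership at login time, so the admin round-trip is not needed for the Django-level part. The settings fragment below is an added example, not configuration shipped by sal-ldap: the group OU and the two group DNs are hypothetical placeholders, and the search base matches the one used in the previous issue. NestedActiveDirectoryGroupType follows nested AD groups, AUTH_LDAP_REQUIRE_GROUP rejects the login outright for anyone outside the users group, and AUTH_LDAP_ALWAYS_UPDATE_USER re-evaluates the flags on every login so that removal from a group takes effect the next time the person signs in rather than only when the account is first created.

```python
import ldap
from django_auth_ldap.config import LDAPSearch, NestedActiveDirectoryGroupType

# Where the groups live and how AD expresses membership (member / memberOf).
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "OU=Groups,DC=corp,DC=example,DC=com",   # assumed OU, adjust to your forest
    ldap.SCOPE_SUBTREE,
    "(objectClass=group)",
)
# Resolve nested groups, so a member of a team group nested in sal-admins
# is treated as an admin too.
AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType()

# Hypothetical group DNs; substitute the real ones.
SAL_USERS_DN = "CN=sal-users,OU=Groups,DC=corp,DC=example,DC=com"
SAL_ADMINS_DN = "CN=sal-admins,OU=Groups,DC=corp,DC=example,DC=com"

# Deny the login entirely unless the user is (possibly transitively) in sal-users.
AUTH_LDAP_REQUIRE_GROUP = SAL_USERS_DN

# Set Django flags from group membership. A flag is set True when the user
# is in the group and False when not, so this both grants and revokes.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": SAL_USERS_DN,
    "is_staff": SAL_ADMINS_DN,
    "is_superuser": SAL_ADMINS_DN,
}

# Re-run the attribute map and the flag mapping on every login, not only
# when the Django user is first created.
AUTH_LDAP_ALWAYS_UPDATE_USER = True

# Let Django model permissions be attached to groups named after the LDAP
# groups, looked up at permission-check time.
AUTH_LDAP_FIND_GROUP_PERMS = True
```

These settings only drive Django's own flags and group permissions. If Sal keeps an application-level access value of its own on the user, that still has to be set somewhere: the django_auth_ldap.backend.populate_user signal fires after the attributes and flags have been applied and receives the Django user together with ldap_user, whose group_dns property lists the resolved group DNs, which is the hook to set any Sal-specific field from the same membership without a manual second login.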