Support SSO authentication via django-auth-ldap

Other changes: * Bugfix Redis cache backend * remove "virtualenv" and use "python3 -m venv"
2024-09-03 20:16:09 +02:00 · 2020-12-12 12:23:07 +01:00 · 2020-12-12 12:23:07 +01:00 · 12739d04d7
commit 12739d04d7
parent 6283c9e673
6 changed files with 53 additions and 10 deletions
--- a/README.md
+++ b/README.md
@ -31,9 +31,9 @@ You can edit the file `$final_path/local_settings.py` to enable or disable featu

 # Miscellaneous

-## LDAP connexion
+## LDAP connection

-TODO: https://github.com/django-auth-ldap/django-auth-ldap
+Supported by https://github.com/django-auth-ldap/django-auth-ldap

 ## Links

--- a/conf/ynh_pyinventory_settings.py
+++ b/conf/ynh_pyinventory_settings.py
@ -11,6 +11,8 @@

 from pathlib import Path as __Path

+import ldap
+from django_auth_ldap.config import LDAPSearch
 from inventory_project.settings.base import *  # noqa

 DEBUG = False
@ -34,6 +36,45 @@ PATH_URL = PATH_URL.strip('/')
 ROOT_URLCONF = 'ynh_urls'  # /opt/yunohost/pyinventory/ynh_urls.py

 # -----------------------------------------------------------------------------
+# https://github.com/django-auth-ldap/django-auth-ldap
+
+LDAP_SERVER_URI = 'ldap://localhost:389'
+LDAP_START_TLS = True
+
+# enable anonymous searches
+# https://django-auth-ldap.readthedocs.io/en/latest/authentication.html?highlight=anonymous#search-bind
+LDAP_BIND_DN = ''
+LDAP_BIND_PASSWORD = ''
+
+LDAP_ROOT_DN = 'ou=users,dc=yunohost,dc=org'
+
+AUTH_LDAP_USER_SEARCH = LDAPSearch(LDAP_ROOT_DN, ldap.SCOPE_SUBTREE, '(uid=%(user)s)')
+
+# Populate the Django user from the LDAP directory.
+AUTH_LDAP_USER_ATTR_MAP = {
+    'username': 'uid',
+    'first_name': 'givenName',
+    'last_name': 'sn',
+    'email': 'mail',
+}
+
+# This is the default, but I like to be explicit.
+AUTH_LDAP_ALWAYS_UPDATE_USER = True
+
+# Use LDAP group membership to calculate group permissions.
+AUTH_LDAP_FIND_GROUP_PERMS = True
+
+# Cache distinguished names and group memberships for an hour to minimize LDAP traffic
+AUTH_LDAP_CACHE_TIMEOUT = 3600
+
+# Keep ModelBackend around for per-user permissions and superuser
+AUTHENTICATION_BACKENDS = (
+    'django_auth_ldap.backend.LDAPBackend',
+    'django.contrib.auth.backends.ModelBackend',
+)
+
+# -----------------------------------------------------------------------------
+

 ADMINS = (
    ('__ADMIN__', '__ADMINMAIL__'),
@ -84,9 +125,6 @@ CACHES = {
        # 'LOCATION': 'unix:///var/run/redis/redis.sock?db=1',
        'OPTIONS': {
            'CLIENT_CLASS': 'django_redis.client.DefaultClient',
-            'PARSER_CLASS': 'redis.connection.HiredisParser',
-            'PASSWORD': None,
-            'CONNECTION_POOL_KWARGS': {},
        },
        'KEY_PREFIX': '__APP__',
    },
@ -137,6 +175,7 @@ LOGGING = {
        'django': {'handlers': ['syslog', 'mail_admins'], 'level': 'INFO', 'propagate': False},
        'axes': {'handlers': ['syslog', 'mail_admins'], 'level': 'WARNING', 'propagate': False},
        'django_tools': {'handlers': ['syslog', 'mail_admins'], 'level': 'INFO', 'propagate': False},
+        'django_auth_ldap': {'handlers': ['syslog', 'mail_admins'], 'level': 'DEBUG', 'propagate': False},
        'inventory': {'handlers': ['syslog', 'mail_admins'], 'level': 'INFO', 'propagate': False},
    },
 }
--- a/manifest.json
+++ b/manifest.json
@ -5,7 +5,7 @@
 	"description": {
 		"en": "Web based management to catalog things including state and location etc."
 	},
-	"version": "0.8.1~ynh4",
+	"version": "0.8.1~ynh5",
 	"url": "https://github.com/jedie/PyInventory",
 	"license": "GPL-3.0",
 	"maintainer": {
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -24,12 +24,14 @@ log_file="${log_path}/pyinventory.log"
 #=================================================

 # dependencies used by the app
-pkg_dependencies="build-essential python3-dev python3-pip python3-virtualenv virtualenv git \
-	postgresql postgresql-contrib"
+pkg_dependencies="build-essential python3-dev python3-pip python3-virtualenv git \
+	postgresql postgresql-contrib python3-ldap libldap2-dev libsasl2-dev"

 # PyInventory's version for PIP and settings file
 pyinventory_version="0.8.1"

+# Extra python packages:
+pypi_extras="django-redis django-auth-ldap"

 #=================================================
 # Redis HELPERS
--- a/scripts/install
+++ b/scripts/install
@ -102,7 +102,7 @@ ynh_system_user_create --username="$app" --home_dir="$final_path" --use_shell
 #=================================================
 ynh_script_progression --message="Install PyInventory using PIP..." --weight=80

-virtualenv --python=python3 "${final_path}/venv"
+python3 -m venv "${final_path}/venv"
 chown -R "$app" "$final_path"

 #run source in a 'sub shell'
@ -113,6 +113,7 @@ chown -R "$app" "$final_path"
 	ynh_exec_as $app $final_path/venv/bin/pip install --upgrade pip
 	ynh_exec_as $app $final_path/venv/bin/pip install --upgrade setuptools wheel psycopg2-binary
 	ynh_exec_as $app $final_path/venv/bin/pip install --upgrade pyinventory=="$pyinventory_version"
+	ynh_exec_as $app $final_path/venv/bin/pip install --upgrade ${pypi_extras}
 )

 #=================================================
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -87,7 +87,7 @@ ynh_add_systemd_config --service="$app" --template="pyinventory.service"

 ynh_script_progression --message="Install pyinventory using PIP..." --weight=15

-virtualenv --python=python3 "${final_path}/venv"
+python3 -m venv "${final_path}/venv"
 chown -R "$app" "$final_path"

 #run source in a 'sub shell'
@ -98,6 +98,7 @@ chown -R "$app" "$final_path"
  ynh_exec_as $app $final_path/venv/bin/pip install --upgrade pip
  ynh_exec_as $app $final_path/venv/bin/pip install --upgrade setuptools wheel psycopg2-binary
  ynh_exec_as $app $final_path/venv/bin/pip install --upgrade pyinventory=="$pyinventory_version"
+	ynh_exec_as $app $final_path/venv/bin/pip install --upgrade ${pypi_extras}
 )

 #=================================================