Using LDAP for user authentication in Python

LDAP (Lightweight Directory Access Protocol) is a lightweight directory access protocol based on the X.500 standard; it runs over TCP/IP.

LDAP stores data in a hierarchical directory tree. Each directory entry has a distinguished name (DN), which is used to read a single entry and usually looks like this:

cn=username,ou=people,dc=test,dc=com

The keywords have the following meanings:

  • base dn: the very top of the LDAP directory tree, i.e. the root of the tree; in the DN above it is the dc=test,dc=com part. It is generally based on the company's domain name and can also be written as o=test.com; the former is more flexible.
  • dc: Domain Component, one part of the domain name.
  • ou: Organization Unit, an organizational unit used to separate areas of data.
  • cn: Common Name, generally the user name.
  • uid: user id, with an effect similar to cn.
  • sn: Surname.
  • rdn: Relative DN, the part of the DN that does not depend on the structure of the directory tree; it is normally held in the cn or uid attribute.

So the DN above represents one entry: the user username in the people department of the company test.com.

python-ldap

The python-ldap library is generally used to work with LDAP from Python. Documentation: https://www.python-ldap.org/en/latest/index.html

Installation:

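# Install the library (it is compiled against the system packages below)
pip install python-ldap
# Debian/Ubuntu: build prerequisites
apt-get install build-essential python3-dev python2.7-dev \
    libldap2-dev libsasl2-dev slapd ldap-utils python-tox \
    lcov valgrind
# CentOS: build prerequisites
yum groupinstall "Development tools"
yum install openldap-devel python-devel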

Establish a connection to the LDAP server using its address:

import ldap
ldapconn = ldap.initialize('ldap://192.168.1.111:389')

Bind as a user; this can be used for user authentication. The user name must be a DN:

ldapconn.simple_bind_s('cn=username,ou=people,dc=test,dc=com', pwd)

A tuple is returned on successful authentication:

(97, [], 1, [])

If authentication fails, the exception ldap.INVALID_CREDENTIALS is raised:

{'desc': u'Invalid credentials'}

Note that a bind with empty values also passes (it is treated as an anonymous bind and no password is verified), so dn and pwd must be checked before binding.

To query user information in LDAP, you need to log in with the RootDN administrator account:

ldapconn.simple_bind_s('cn=admin,dc=test,dc=com', 'adminpwd')
searchScope = ldap.SCOPE_SUBTREE
searchFilter = 'cn=username'
base_dn = 'ou=people,dc=test,dc=com'
print(ldapconn.search_s(base_dn, searchScope, searchFilter, None))

Add a user with add_s(dn, modlist): dn is the DN of the entry to be added, and modlist holds the attributes to store:

dn = 'cn=test,ou=people,dc=test,dc=com'
# Each item is (attribute name, list of values); python-ldap on Python 3
# expects the values as bytes
modlist = [
    ('objectclass', [b'person', b'organizationalperson']),
    ('cn', [b'test']),
    ('uid', [b'testuid']),
    ('userpassword', [b'pwd']),
]
result = ldapconn.add_s(dn, modlist)

On success, a tuple is returned:

(105, [], 2, [])

On failure, the exception ldap.LDAPError is raised.

Using LDAP authentication in Django

A very simple LDAP authentication backend:

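import ldap
import ldap.dn
from django.contrib.auth import get_user_model

# LDAP_CONFIG is assumed to be a dict defined elsewhere (e.g. in the project
# settings) with the keys HOST, USERNAME, PASSWORD and BASE_DN.


class LDAPBackend(object):
    """
    Authenticates with ldap.
    """
    _connection = None
    _connection_bound = False

    # Django passes the request as the first argument to authenticate()
    def authenticate(self, request=None, username=None, passwd=None, **kwargs):
        # Reject empty values: an empty password would still bind successfully
        if not username or not passwd:
            return None
        if self._authenticate_user_dn(username, passwd):
            user = self._get_or_create_user(username, passwd)
            return user
        else:
            return None

    @property
    def connection(self):
        # Connection bound as the configured service account
        if not self._connection_bound:
            self._bind()
        return self._get_connection()

    def _bind(self):
        self._bind_as(
            LDAP_CONFIG['USERNAME'], LDAP_CONFIG['PASSWORD'], True
        )

    def _bind_as(self, bind_dn, bind_password, sticky=False):
        self._get_connection().simple_bind_s(
            bind_dn, bind_password
        )
        # Only a sticky (service account) bind counts as "bound"
        self._connection_bound = sticky

    def _get_connection(self):
        if not self._connection:
            self._connection = ldap.initialize(LDAP_CONFIG['HOST'])
        return self._connection

    def _authenticate_user_dn(self, username, passwd):
        # Escape the user name so it cannot change the structure of the DN
        bind_dn = 'cn=%s,%s' % (
            ldap.dn.escape_dn_chars(username), LDAP_CONFIG['BASE_DN']
        )
        try:
            self._bind_as(bind_dn, passwd, False)
            return True
        except ldap.INVALID_CREDENTIALS:
            return False

    def _get_or_create_user(self, username, passwd):
        # Get the matching Django user, or create it on first login
        user, _created = get_user_model().objects.get_or_create(
            username=username
        )
        return user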
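
The empty-value check the article warns about, together with the bind DN that the backend builds from the user name, as an added example that is not part of the original article. The names escape_dn_value, authenticate and FakeDirectory are assumptions made for illustration; FakeDirectory is a constructed stand-in for a server that accepts an empty-password bind, so the code runs without a directory.

```python
try:
    import ldap  # real python-ldap, when installed
    InvalidCredentials = ldap.INVALID_CREDENTIALS
except ImportError:  # offline stand-in (assumption)
    class InvalidCredentials(Exception):
        pass


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules).
    python-ldap provides the equivalent ldap.dn.escape_dn_chars()."""
    out = value.replace('\\', '\\\\')
    for ch in ',+"<>;=':
        out = out.replace(ch, '\\' + ch)
    out = out.replace('\x00', '\\00')
    if out.endswith(' '):
        out = out[:-1] + '\\ '
    if out.startswith(('#', ' ')):
        out = '\\' + out
    return out


def authenticate(conn, username, pwd, people_dn='ou=people,dc=test,dc=com'):
    """Return True only if the directory verified a non-empty password."""
    # An empty password turns simple_bind_s into an anonymous bind that
    # returns success without any password having been checked.
    if not username or not pwd:
        return False
    bind_dn = 'cn=%s,%s' % (escape_dn_value(username), people_dn)
    try:
        conn.simple_bind_s(bind_dn, pwd)
        return True
    except InvalidCredentials:
        return False


class FakeDirectory:
    """Constructed stand-in for an LDAP connection; like the server the
    article describes, it accepts a bind with an empty password."""
    def __init__(self, passwords):
        self.passwords = passwords  # constructed sample data: {dn: password}
        self.last_dn = None

    def simple_bind_s(self, dn, pwd):
        self.last_dn = dn
        if pwd == '' or self.passwords.get(dn) == pwd:
            return (97, [], 1, [])
        raise InvalidCredentials()
```

With a real server, pass the object returned by ldap.initialize() as conn in place of FakeDirectory.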

Origin www.linuxidc.com/Linux/2019-07/159658.htm