Django LDAP (Open Directory) integration

LDAP

LDAP (Lightweight Directory Access Protocol) is an open, industry-standard protocol for accessing and maintaining a directory. A directory contains objects like users, groups, computers, printers, company structure (or basically whatever you like), on which you can perform queries to add, update or delete content. LDAP works over the Internet Protocol (IP). Directory services play an important role in developing intranet and Internet applications.

There are multiple LDAP implementations on the market, such as Microsoft Active Directory, Apple Open Directory, OpenLDAP and many more. In this article I will focus on integration between Django and Apple Open Directory, and more specifically on authentication in Django with users defined in Open Directory.

Setting up Open Directory

To set up Apple Open Directory you will need an OS X Server instance. You can install it from the Apple App Store.

  1. Launch the App Store and search for “OS X server” to purchase and download the Server app. If you are enrolled in the Apple Developer Program you can get the Server for free from https://developer.apple.com/osx/download/.
  2. Open the Server app and choose the Mac to manage.
  3. You will see a screen indicating installation progress.
  4. When the installation is finished you should see the screen with general options for your server.
  5. Now click on the Open Directory tab in the left menu and activate the service by clicking the button in the upper right corner of the window.
  6. You will be asked to create a new Open Directory instance, or join an existing domain. Choose to create a new domain.
  7. Choose the name, account name and password for the directory administrator and click Next. On the next screen fill in the organization name and administrator’s email address.
  8. On the next confirmation screen click “Set Up”. After a while your Open Directory server should be up and running. The last thing to do is to create a user that we will use in the Django app.
  9. Go to the Users tab and click the plus button at the bottom to add a new user. Select “Local Network Directory” as the directory and fill in the rest of the fields as you like. Click “Create”.

Adding LDAP support in Django

I assume that you are already familiar with at least the basics of Django. You should know how to set up a virtualenv and how to install packages with pip.

There is no need to write an LDAP authentication backend, as such a package already exists: django-auth-ldap. Under Python 2 it requires python-ldap 2.0, and under Python 3 it uses pyldap.

To install django-auth-ldap activate your virtualenv in a terminal and type:

In case you don’t have an existing Django project yet, please start a new project by typing:

Switch to the newly created directory and then the app directory. Open the settings.py file and add the following lines:

This will set up LDAP as an authentication backend. To use Django's built-in permission system we also add ModelBackend, which comes with the default Django auth module. The line with AUTH_LDAP_SERVER_URI tells the backend which server it should connect to in order to perform authentication. AUTH_LDAP_USER_DN_TEMPLATE defines the template of the distinguished name (DN) used to look up users in the LDAP server. The part with dc=os-x,dc=shared should contain your server hostname split on dots. In my case this is os-x.shared, the default hostname when installing Apple Open Directory.

We would also like to map user attributes and groups from the Open Directory server to our Django application. To do this we have to define the proper mappings. The code fragment below shows how to map the user's first name, last name and email address. The keys in the dictionary are Django user model fields, and the values are attribute names from the LDAP server.

To use groups we have to define a query that will be used to look up groups in the LDAP server. We do it similarly to the users query.

Additionally we set group mirroring to True and define the group type as posix. With other LDAP implementations such as Active Directory, a different group type should be used. As the last thing we map the groups from LDAP to user model flags in Django. The setup below will give all the users from the LDAP server administrator privileges in our application. Workgroup is the default group for users in Open Directory.
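The settings described in the paragraphs above (backends, server URI, user DN template, attribute map, group search and group flags), gathered into one added example; this is not the article's original code. The cn=users and cn=groups containers, the attribute names, the "workgroup" group name and the three flags are assumptions about a default Open Directory setup, and the helper function names are made up for illustration.

```python
# Added example, not the article's original code. The hostname, the
# cn=users / cn=groups containers and the "workgroup" group name are assumptions.


def base_dn(hostname):
    """'os-x.shared' -> 'dc=os-x,dc=shared' (hostname split on dots)."""
    return ",".join("dc=" + label for label in hostname.split("."))


def plain_settings(hostname, admin_group="workgroup", start_tls=False):
    """Settings that are plain values, so they can be inspected without LDAP libs."""
    base = base_dn(hostname)
    group_dn = "cn=" + admin_group + ",cn=groups," + base
    return {
        "AUTHENTICATION_BACKENDS": (
            "django_auth_ldap.backend.LDAPBackend",       # authenticate via LDAP bind
            "django.contrib.auth.backends.ModelBackend",  # Django's permission system
        ),
        "AUTH_LDAP_SERVER_URI": "ldap://" + hostname,
        # ldap:// carries the bind password in cleartext unless StartTLS is on.
        "AUTH_LDAP_START_TLS": start_tls,
        "AUTH_LDAP_USER_DN_TEMPLATE": "uid=%(user)s,cn=users," + base,
        # Django user field -> LDAP attribute
        "AUTH_LDAP_USER_ATTR_MAP": {
            "first_name": "givenName", "last_name": "sn", "email": "mail",
        },
        "AUTH_LDAP_MIRROR_GROUPS": True,
        # Every member of admin_group gets these flags; with the default
        # "workgroup" that is every directory user.
        "AUTH_LDAP_USER_FLAGS_BY_GROUP": {
            "is_active": group_dn, "is_staff": group_dn, "is_superuser": group_dn,
        },
    }


def ldap_settings(hostname, **options):
    """Full settings; requires python-ldap (or pyldap) and django-auth-ldap."""
    import ldap
    from django_auth_ldap.config import LDAPSearch, PosixGroupType

    settings = plain_settings(hostname, **options)
    settings["AUTH_LDAP_GROUP_SEARCH"] = LDAPSearch(
        "cn=groups," + base_dn(hostname), ldap.SCOPE_SUBTREE, "(objectClass=posixGroup)"
    )
    settings["AUTH_LDAP_GROUP_TYPE"] = PosixGroupType()
    return settings

# In settings.py: globals().update(ldap_settings("os-x.shared"))
```

Passing a dedicated group as admin_group (for example a hypothetical "django-admins" group created in Open Directory) limits the staff and superuser flags to that group's members instead of every directory user.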

If everything went right you should be able to log in to the Django admin with the user credentials from the LDAP server. Feel free to play around with the config if you want to customise it. Please also check the django-auth-ldap website for detailed documentation. It isn’t great but still covers a lot more topics than this article.

If you want a deeper look into the code, please check this GitHub repository. I have put a sample project using LDAP authentication there.

One thought on “Django LDAP (Open Directory) integration”

  1. G’day Kacper! Just wanted to say thanks for making this info about LDAP integration with Django. I have just got your example working in my webapp running on Mac OS X 0.11.

    Time to read up on LDAP! Cheers!
