Django

t2core is based on a web framework called Django.

User Authentication

There are two ways to handle user logins: the built-in Django User Auth. Backend or an LDAP-based User Auth. Backend.

Both can be active at the same time.

Users logged in via LDAP are created without setting a password. Users who log in via Django must create a password in Django Admin.

There are three levels of user access rights. Users can be:

  • Users: a normal "User" who is able to log in

  • Admins: user permissions plus login to the Admin Backend; in Django terms, a "Staff User"

  • Superuser: all permissions, or Superuser

User Auth. Backend

This is the Django Auth. Backend which is enabled by default.

It uses a PostgreSQL database that comes with t2core.

On first start, a user named root is created with a random initial password. The password can be changed after the user has logged in, at <http://127.0.0.1/accounts/password_change/>.

New users can be added in the Users / Admin Portal <http://127.0.0.1/admin/auth/user/>.

LDAP based User Auth. Backend

This backend allows users of an external LDAP server to log in.

This backend is configured with environment variables in .env:

To enable this backend set:

# Enable the LDAP Login Backend
AUTH_LDAP_ENABLED=true

Then configure the connection to the external LDAP Server or AD:

# LDAP server URI
AUTH_LDAP_SERVER_URI=ldap://192.168.28.30

# LDAP Bind DN
AUTH_LDAP_BIND_DN=example\Administrator

# LDAP Bind Password
AUTH_LDAP_BIND_PASSWORD=9s8d7f9s87dkf9s8d7f

To look up users by login name or username, configure the user search base and filter:

# LDAP User Search
AUTH_LDAP_USER_SEARCH=DC=berlin,DC=example,DC=de
AUTH_LDAP_USER_SEARCH_FILTER=sAMAccountName=%(user)s

Search users in this group:

# LDAP Group Search
AUTH_LDAP_GROUP_SEARCH=CN=Person,CN=Schema,CN=Configuration,DC=berlin,DC=example,DC=de
AUTH_LDAP_GROUP_SEARCH_FILTER=(objectClass=*)

When users are members of these groups in the external LDAP tree, they are set to be Staff or Superusers:

# set is_superuser based on group membership
AUTH_LDAP_USER_FLAGS_BY_GROUP_ISSUPERUSER=CN=Domänen-Admins,CN=Users,DC=berlin,DC=example,DC=de

# set is_staff based on group membership
AUTH_LDAP_USER_FLAGS_BY_GROUP_ISSTAFF=CN=Domänen-Admins,CN=Users,DC=berlin,DC=example,DC=de

Match Django model fields to fields in the external LDAP tree:

# match fields between django model fields and ldap fields
AUTH_LDAP_USER_ATTR_MAP_USERNAME=sAMAccountName
AUTH_LDAP_USER_ATTR_MAP_FIRSTNAME=givenName
AUTH_LDAP_USER_ATTR_MAP_LASTNAME=sn
AUTH_LDAP_USER_ATTR_MAP_EMAIL=mail

Note

Users are created in the database without a set password. Before these accounts can be logged in to or searched via LDAP, this has to be set in Django Admin.
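
An added example, not part of the t2core documentation or code base: a small Python check that reads the AUTH_LDAP_* keys described above and reports settings worth reviewing before the backend is enabled. The finding codes, the "admin" heuristic for the bind account and the sample file are assumptions of this example; the sample reuses the values shown above with a placeholder password.

```python
# Added example: audit the AUTH_LDAP_* keys of a t2core-style .env file.

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and # comments; split on first '='."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def audit_ldap(env):
    """Return (code, message) findings; empty if the LDAP backend is disabled."""
    if env.get("AUTH_LDAP_ENABLED", "").lower() != "true":
        return []
    out = []
    if not env.get("AUTH_LDAP_SERVER_URI", "").lower().startswith("ldaps://"):
        out.append(("cleartext-uri", "not ldaps://: bind password and user "
                    "logins are unencrypted unless StartTLS is negotiated"))
    # Heuristic (assumption): a bind DN containing 'admin' is over-privileged
    # for an account that only needs to search the directory.
    if "admin" in env.get("AUTH_LDAP_BIND_DN", "").lower():
        out.append(("privileged-bind", "bind account looks administrative"))
    su = env.get("AUTH_LDAP_USER_FLAGS_BY_GROUP_ISSUPERUSER")
    if su and su == env.get("AUTH_LDAP_USER_FLAGS_BY_GROUP_ISSTAFF"):
        out.append(("staff-equals-superuser", "same group grants Staff and "
                    "Superuser: every LDAP admin gets all permissions"))
    if "%(user)s" not in env.get("AUTH_LDAP_USER_SEARCH_FILTER", ""):
        out.append(("filter-no-user", "user filter lacks %(user)s placeholder"))
    if env.get("AUTH_LDAP_GROUP_SEARCH_FILTER", "").replace(" ", "") == "(objectClass=*)":
        out.append(("broad-group-filter", "group filter matches every object"))
    return out

# Constructed sample mirroring the values shown above; password is a placeholder.
SAMPLE = r"""
AUTH_LDAP_ENABLED=true
AUTH_LDAP_SERVER_URI=ldap://192.168.28.30
AUTH_LDAP_BIND_DN=example\Administrator
AUTH_LDAP_BIND_PASSWORD=<placeholder>
AUTH_LDAP_USER_SEARCH_FILTER=sAMAccountName=%(user)s
AUTH_LDAP_GROUP_SEARCH_FILTER=(objectClass=*)
AUTH_LDAP_USER_FLAGS_BY_GROUP_ISSUPERUSER=CN=Domänen-Admins,CN=Users,DC=berlin,DC=example,DC=de
AUTH_LDAP_USER_FLAGS_BY_GROUP_ISSTAFF=CN=Domänen-Admins,CN=Users,DC=berlin,DC=example,DC=de
"""

if __name__ == "__main__":
    for code, message in audit_ldap(parse_env(SAMPLE)):
        print(f"[{code}] {message}")
```

Run against the sample, it reports the unencrypted ldap:// URI, the Administrator bind account, the shared Staff/Superuser group and the catch-all group filter.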

Django manage.py

Output of all Django modules:

root@cfebe6e5493a:/t2# python3 manage.py
Type 'manage.py help <subcommand>' for help on a specific subcommand.

Available subcommands:

[auth]
    changepassword
    createsuperuser

[background_task]
    process_tasks

[contenttypes]
    remove_stale_contenttypes

[django]
    check
    compilemessages
    createcachetable
    dbshell
    diffsettings
    dumpdata
    flush
    inspectdb
    loaddata
    makemessages
    makemigrations
    migrate
    sendtestemail
    shell
    showmigrations
    sqlflush
    sqlmigrate
    sqlsequencereset
    squashmigrations
    startapp
    startproject
    test
    testserver

[rest_framework]
    generateschema

[sessions]
    clearsessions

[staticfiles]
    collectstatic
    findstatic
    runserver

[t2ldap]
    load
    make_compose
    sync