Active Directory authentication backend.
Authenticate a user against an Active Directory server.
This is controlled by the following Django settings:
The domain controller (or controllers) to connect to. This must be a string, but multiple controllers can be specified by separating each with a space.
auth_ad_domain_controllerin the site configuration.
The Active Directory domain name. This must be a string.
auth_ad_domain_namein the site configuration.
Whether domain controllers should be found by using DNS. This must be a boolean.
auth_ad_find_dc_from_dnsin the site configuration.
The optional name of the group to restrict available users to. This must be a string.
auth_ad_group_namein the site configuration.
The optional name of the Organizational Unit to restrict available users to. This must be a string.
auth_ad_ou_namein the site configuration.
Maximum depth to recurse when checking group membership. A value of -1 means infinite depth is supported. A value of 0 turns off recursive checks.
auth_ad_recursion_depthin the site configuration.
A custom search root for entries in Active Directory. This must be a string.
auth_ad_search_rootin the site configuration.
Whether to use TLS when communicating over LDAP. This must be a boolean.
auth_ad_use_tlsin the site configuration.
name= u'Active Directory'¶
login_instructions= u'Use your standard Active Directory username and password.'¶
Return the current Active Directory domain name.
This returns the domain name as set in
Returns: The Active Directory domain name. Return type: unicode
Return the search root(s) for users in the LDAP server.
AD_SEARCH_ROOTis set, then it will be used. Otherwise, a suitable search root will be computed based on the domain name (either the provided
user_domainor the result of
get_domain_name()) and any configured Organizational Unit name (
Parameters: user_domain (unicode, optional) – An explicit Active Directory domain to use for the search root. Returns: The search root used to locate users. Return type: unicode
search_ad(con, filterstr, user_domain=None)¶
Search the given LDAP server based on the provided filter.
- con (ldap.LDAPObject) – The LDAP connection to search.
- filterstr (unicode) – The filter string used to locate objects in Active Directory.
- user_domain (unicode, optional) – An explicit domain used for the search. If not provided,
get_domain_name()will be used.
The list of search results. Each tuple in the list is in the form of
(dn, attrs), where
dnis the Distinguished Name of the entry and
attrsis a dictionary of attributes for that entry.
list of tuple
Find and return the active domain controllers using DNS.
Parameters: user_domain (unicode, optional) – An explicit domain used for the search. If not provided,
get_domain_name()will be used.
Returns: The list of domain controllers. Return type: list of unicode
Return whether the given recursion depth is too deep.
Parameters: depth (int) – The current depth to check. Returns:
Trueif the provided depth can be recursed into.
Falseif it’s too deep.
Return type: bool
get_member_of(con, search_results, seen=None, depth=0)¶
Return the LDAP groups for the given users.
This iterates over the users specified in
search_resultsand returns a set of groups of which those users are members.
- con (ldap.LDAPObject) – The LDAP connection used for checking groups memberships.
- search_results (list of tuple) – The list of search results to check. This expects a result
- seen (set, optional) – The set of groups that have already been seen when recursing. This is used internally by this method and should not be provided by the caller.
- depth (int, optional) – The current recursion depth. This is used internally by this method and should not be provided by the caller.
The group memberships found for the given users.
Return all LDAP connections used for Active Directory.
This returns an iterable of connections to the LDAP servers specified in
- user_domain (unicode, optional) – The domain for the user.
- request (django.http.HttpRequest, optional) – The HTTP request from the client. This is used only for logging purposes.
tuple of (unicode, ldap.LDAPObject) – The connections to the configured LDAP servers.
authenticate(request, username, password, **kwargs)¶
Authenticate a user against Active Directory.
This will attempt to authenticate the user against Active Directory. If the username and password are valid, a user will be returned, and added to the database if it doesn’t already exist.
Changed in version 4.0: The
requestargument is now mandatory as the first positional argument, as per requirements in Django.
The authenticated user, or
Noneif the user could not be authenticated for any reason.
get_or_create_user(username, request=None, ad_user_data=None)¶
Return an existing user or create one if it doesn’t exist.
This does not authenticate the user.
If the user does not exist in the database, but does in Active Directory, its information will be stored in the database for later lookup. However, this will only happen if
The resulting user, or
Noneif one could not be found.