
Commit 30ab1d3

author
Matthew Fisher
authored
fix(settings): disable LDAP by default (#1191)
1 parent d0979d1 commit 30ab1d3

2 files changed

Lines changed: 39 additions & 29 deletions


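--- a/rootfs/api/settings/production.py
+++ b/rootfs/api/settings/production.py
@@ -109,7 +109,6 @@
 )
 
 AUTHENTICATION_BACKENDS = (
-    "django_auth_ldap.backend.LDAPBackend",
     "django.contrib.auth.backends.ModelBackend",
     "guardian.backends.ObjectPermissionBackend",
 )
@@ -367,31 +366,33 @@
 # verbose logging from auth-ldap plugin:
 # https://pythonhosted.org/django-auth-ldap/logging.html
 
-AUTH_LDAP_SERVER_URI = LDAP_ENDPOINT
-AUTH_LDAP_BIND_DN = LDAP_BIND_DN
-AUTH_LDAP_BIND_PASSWORD = LDAP_BIND_PASSWORD
-AUTH_LDAP_USER_SEARCH = LDAPSearch(
-    base_dn=LDAP_USER_BASEDN,
-    scope=ldap.SCOPE_SUBTREE,
-    filterstr="(%s=%%(user)s)" % LDAP_USER_FILTER
-)
-AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
-    base_dn=LDAP_GROUP_BASEDN,
-    scope=ldap.SCOPE_SUBTREE,
-    filterstr="(%s)" % LDAP_GROUP_FILTER
-)
-AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
-AUTH_LDAP_USER_ATTR_MAP = {
-    "first_name": "givenName",
-    "last_name": "sn",
-    "email": "mail",
-    "username": LDAP_USER_FILTER,
-}
-AUTH_LDAP_GLOBAL_OPTIONS = {
-    ldap.OPT_X_TLS_REQUIRE_CERT: False,
-    ldap.OPT_REFERRALS: False
-}
-AUTH_LDAP_ALWAYS_UPDATE_USER = True
-AUTH_LDAP_MIRROR_GROUPS = True
-AUTH_LDAP_FIND_GROUP_PERMS = True
-AUTH_LDAP_CACHE_GROUPS = False
+if LDAP_ENDPOINT:
+    AUTHENTICATION_BACKENDS = ("django_auth_ldap.backend.LDAPBackend",) + AUTHENTICATION_BACKENDS
+    AUTH_LDAP_SERVER_URI = LDAP_ENDPOINT
+    AUTH_LDAP_BIND_DN = LDAP_BIND_DN
+    AUTH_LDAP_BIND_PASSWORD = LDAP_BIND_PASSWORD
+    AUTH_LDAP_USER_SEARCH = LDAPSearch(
+        base_dn=LDAP_USER_BASEDN,
+        scope=ldap.SCOPE_SUBTREE,
+        filterstr="(%s=%%(user)s)" % LDAP_USER_FILTER
+    )
+    AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+        base_dn=LDAP_GROUP_BASEDN,
+        scope=ldap.SCOPE_SUBTREE,
+        filterstr="(%s)" % LDAP_GROUP_FILTER
+    )
+    AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
+    AUTH_LDAP_USER_ATTR_MAP = {
+        "first_name": "givenName",
+        "last_name": "sn",
+        "email": "mail",
+        "username": LDAP_USER_FILTER,
+    }
+    AUTH_LDAP_GLOBAL_OPTIONS = {
+        ldap.OPT_X_TLS_REQUIRE_CERT: False,
+        ldap.OPT_REFERRALS: False
+    }
+    AUTH_LDAP_ALWAYS_UPDATE_USER = True
+    AUTH_LDAP_MIRROR_GROUPS = True
+    AUTH_LDAP_FIND_GROUP_PERMS = True
+    AUTH_LDAP_CACHE_GROUPS = False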
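Review bot: The relocated `AUTH_LDAP_GLOBAL_OPTIONS` block still sets `ldap.OPT_X_TLS_REQUIRE_CERT: False`, which tells the LDAP client to accept any server certificate, so the bind DN and `AUTH_LDAP_BIND_PASSWORD` configured a few lines above are sent to whatever answers at `LDAP_ENDPOINT` without the peer being verified; that is now only reached when LDAP is enabled, but it is still the default for every deployment that enables it. The safer default is `ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_DEMAND,` with the relaxed value reserved for an explicit opt-in setting (name to be chosen) and documented as such, rather than hard-coded. The `if LDAP_ENDPOINT:` guard also assumes that `LDAP_ENDPOINT` and the other `LDAP_*` names are defined earlier in the file and default to an empty value when unset; that definition is outside the hunk, so worth confirming that an unset endpoint really yields a falsy value rather than a placeholder string. Separately, the `AUTHENTICATION_BACKENDS = (...) + AUTHENTICATION_BACKENDS` line is well over the usual line length and reads better split across two lines.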
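--- a/rootfs/api/tests/test_auth.py
+++ b/rootfs/api/tests/test_auth.py
@@ -6,6 +6,8 @@
 from django.contrib.auth.models import User
 from django.test.utils import override_settings
 from rest_framework.authtoken.models import Token
+from unittest import mock
+
 from api.tests import TEST_ROOT, DeisTestCase
 from api.models import Certificate
 
@@ -371,3 +373,10 @@ def test_regenerate(self):
 
         response = self.client.post(url, {})
         self.assertEqual(response.status_code, 401, response.data)
+
+    @mock.patch('django_auth_ldap.backend.logger')
+    def test_auth_no_ldap_by_default(self, mock_logger):
+        """Ensure that LDAP authentication is disabled by default."""
+        self.test_auth()
+        # NOTE(bacongobbler): Using https://github.com/deis/controller/issues/1189 as a test case
+        mock_logger.warning.assert_not_called()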
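Review bot: `test_auth_no_ldap_by_default` proves the default only indirectly — it patches the LDAP backend's module logger and asserts that `warning` was never called, which also passes if the backend is present but logs at another level or not at all for the exercised path. A direct assertion on the configuration pins the actual intent of the commit and fails loudly if the backend is ever re-added to the default tuple: `self.assertNotIn('django_auth_ldap.backend.LDAPBackend', settings.AUTHENTICATION_BACKENDS)` (with `from django.conf import settings` added to the imports), kept alongside the existing `self.test_auth()` call so both the settings and the login path are covered. The `mock.patch` target also imports `django_auth_ldap` in a test whose point is that the package is not in use, so the test will error rather than skip if that dependency is ever made optional. The enclosing test class starts outside the hunk.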