The latest articles on DEV Community by Lars Quentin (@lquenti). https://dev.to/lquenti https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3680%2F21225159.jpeg https://dev.to/lquenti en Lars Quentin Fri, 06 Dec 2024 16:02:58 +0000 https://dev.to/lquenti/use-xquery-for-processing-html-web-crawling-2plb https://dev.to/lquenti/use-xquery-for-processing-html-web-crawling-2plb <p><strong>This is a very very niche post. If you don't know why this is a pain point, don't waste your time reading this.</strong></p> <p>XQuery is a great language for high level XML processing, providing a fully turing complete declarative language leveraging XPath. Unfortunately, it is not used often.</p> <p>My personal take is that this is the case because most HTML out there is not XML compliant, mostly because of tags that are never closed (such as <code>&lt;link ...&gt;</code> instead of <code>&lt;link .../&gt;</code>). Thus your Saxon/BaseX parser will fail.</p> <p>The solution is <a href="http://vrici.lojban.org/~cowan/tagsoup/" rel="noopener noreferrer">TagSoup</a>, which provides a SAX-compliant HTML parser, pretending that it just parses XML. </p> <ul> <li>BaseX <a href="https://docs.basex.org/main/Parsers#html_parser" rel="noopener noreferrer">just uses it for you if you have it in Path!</a> </li> <li>Saxon provides <a href="https://www.saxonica.com/html/documentation9.4/extensions/functions/parse-html.html" rel="noopener noreferrer"><code>saxon:parse-html</code> if TagSoup is in the classpath</a>, which can be used after fetching with <a href="https://www.saxonica.com/html/documentation12/functions/fn/unparsed-text.html" rel="noopener noreferrer"><code>fn:unparsed-text</code></a> </li> </ul> <p>With that, you can now do actual web crawling! The rest is just plain XQuery.</p> Lars Quentin Fri, 09 Apr 2021 16:50:58 +0000 https://dev.to/lquenti/forcing-puppet-to-apt-update-2lb3 https://dev.to/lquenti/forcing-puppet-to-apt-update-2lb3 <p>Short hack: As seen in <a href="https://github.com/docker-library/postgres/blob/master/Dockerfile-debian.template#L11" rel="noopener noreferrer">m</a> <a href="https://github.com/docker-library/httpd/blob/master/2.4/Dockerfile#L19" rel="noopener noreferrer">a</a> <a href="https://github.com/nginxinc/docker-nginx/blob/master/Dockerfile-debian.template#L28" rel="noopener noreferrer">n</a> <a href="https://github.com/docker-library/redis/blob/master/Dockerfile.template#L13" rel="noopener noreferrer">y</a> Dockerfiles, the <code>apt</code> cache is located at <code>/var/lib/apt/lists</code>.</p> <p>Therefore, we can use it's existence to create an <a href="https://puppet.com/docs/pe/2019.2/understanding_idempotency.html" rel="noopener noreferrer">idempotent</a> <code>exec</code>-Ressouce!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>exec { 'apt update': # Only if the update files dont exist unless =&gt; '[ "$(ls -A /var/lib/apt/lists)" ]', # /bin is needed for bash # /usr/bin is needed for [ path =&gt; '/bin:/usr/bin', } </code></pre> </div> <p>Now whenever you need to have the <code>apt</code> cache first, just do something like<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>package { 'your-package': ensure =&gt; 'present', require =&gt; Exec['apt update'] } </code></pre> </div> <p>Easy as 🥧</p> puppet Lars Quentin Fri, 21 Aug 2020 20:50:50 +0000 https://dev.to/lquenti/using-grub-without-linux-for-windows-7-10-dual-boot-configuration-45pf https://dev.to/lquenti/using-grub-without-linux-for-windows-7-10-dual-boot-configuration-45pf <blockquote> <p>I throw together things until it works<br> -- Rasmus Lerdorf, Creator of PHP</p> </blockquote> <p>TL;DR at the bottom</p> <p>This is part 1 on a 2 part series about manual grub configuration</p> <ul> <li>Installing Standalone Grub for Windows 7/10 Dual Boot Configuration</li> <li>The Absolute Minimum Every Linux User Absolutely, Positively Must Know About grub.cfg (No Excuses!) (coming soon®)</li> </ul> <h2> The Problem </h2> <ul> <li>Create a dual boot with <ul> <li>A hard drive with Windows 7</li> <li>A SSD with Windows 10</li> </ul> </li> <li>I am not allowed to edit the <a href="https://en.wikipedia.org/wiki/EasyBCD" rel="noopener noreferrer">BCD</a> </li> <li>I am not allowed to install any other OS</li> </ul> <p>The Idea: Installing Grub with 2 Windows bootloader entries.</p> <h2> Preparation is Half the Battle </h2> <h3> Making Space for the boot Partition </h3> <p>Since we shrink NTFS, we use Windows for that.</p> <p>First, press <code>&lt;Win-r&gt;</code> and run <code>compmgmt.msc</code> and use the "Disk Management" utility.</p> <p>Right click on the partition you want to shrink and make at least 200MB space for grub.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fpr311bda8cwpwahzesbd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fpr311bda8cwpwahzesbd.png" alt="Shink that f*cker" width="440" height="335"></a></p> <p>After you made some free space, right click the free space and create a new partition using "New Simple Volume". Which settings you select doesn't matter since we will overwrite it later.</p> <p>After that, the last preparation step is to</p> <h3> Create a neat Ubuntu Stick </h3> <p><a href="http://rufus.ie/" rel="noopener noreferrer">Just use rufus.</a></p> <h2> Installing Grub </h2> <p>After you booted up, grab a root shell, and find out which the new partition is (for example by listing all partitions via <code>fdisk -l</code> and comparing size. <a href="https://en.wikipedia.org/wiki/Loop_device" rel="noopener noreferrer">You can ignore all <code>/dev/loopXX</code>.</a>)</p> <p>Now we format it with a grub compatible file system. From now on, the new partiton is <code>/dev/sda2</code>.</p> <p>(for simplicity, I assume bios/mbr from now on)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>mkfs.ext4 /dev/sda2 </code></pre> </div> <p>Afterwards, we mount it, create a boot directory and try to install grub:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>mount /dev/sda2 /mnt &amp;&amp; mkdir /mnt/boot # The --boot-directory is needed since we don't manipulate # our own bootloader, therefore we don't have the default # location /boot grub-install --boot-directory=/mnt/boot /dev/sda1 </code></pre> </div> <p>If that didn't work, just force it, we have to configure it manually anyways:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>grub-install --force --boot-directory=/mnt/boot /dev/sda1 </code></pre> </div> <p>It can't be that easy! And it isn't!!!! When you try to generate the config with<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>grub-mkconfig -o /mnt/boot/grub/grub.cfg </code></pre> </div> <p>it should cry about something like<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/usr/sbin/grub-probe:error:failed to get canonical path of /cow. </code></pre> </div> <p>This happens because <code>grub-probe</code>, the tool called by the <code>grub-mkconfig</code> script, can't handle ubuntu's live system root.</p> <h2> Improvise, Adapt, Overcome </h2> <p>But that's no problem! Writing one's own minimal <code>grub.cfg</code> is easier than you'd expect! </p> <p>First, find out which UUID's your <code>C:\</code> partitions have. Again, just compare the size and file system with <code>fdisk -l</code> and throw the <code>/dev/sdxx</code> into <code>blkid</code>.</p> <p>Now, let's start writing a <code>grub.cfg</code> by opening your favorite editor<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>nano -w /mnt/boot/grub/grub.cfg </code></pre> </div> <p>We just have to do 2 things. First, we set some sane defaults:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Set first as default set default="0" # Set timeout for 10 seconds that we have enough time set timeout=10 # sane IO terminal_input console terminal_output gfxterm # minimalistic color sheme set menu_color_normal=white/black set menu_color_highlight=black/light-gray </code></pre> </div> <p>Now, we have to create the entries. I'll comment as I go<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Here, the "Windows 10" is just the representative name # it can be chosen as you want to menuentry "Windows 10" --class windows --class os { # insmod ntfs loads ntfs support insmod ntfs # finds the right partition by the UUID you found earlier search --no-floppy --set=root --fs-uuid &lt;YOUR UUID&gt; # Starts the windows NT loader ntldr /bootmgr } # Analogous for your other windows menuentry "Windows 7" --class windows --class os { insmod ntfs search --no-floppy --set=root --fs-uuid &lt;YOUR UUID&gt; ntldr /bootmgr } </code></pre> </div> <p>Afterwards, just unmount everything, change the boot order if necessary and et voila, you solved the problem!</p> <h2> TLDR Code </h2> <p>Minimal <code>grub.cfg</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>set default="0" set timeout=10 terminal_input console terminal_output gfxterm set menu_color_normal=white/black set menu_color_highlight=black/light-gray menuentry "Windows 10" --class windows --class os { insmod ntfs search --no-floppy --set=root --fs-uuid &lt;YOUR UUID&gt; ntldr /bootmgr } menuentry "Windows 7" --class windows --class os { insmod ntfs search --no-floppy --set=root --fs-uuid &lt;YOUR UUID&gt; ntldr /bootmgr } </code></pre> </div> <h2> Thanks </h2> <p>Thanks for reading and <a href="http://atagunov.blogspot.com/2012/04/installing-grub2-without-linux.html" rel="noopener noreferrer">thanks to Anton Tagunov for his blog post on the topic</a>.</p> grub linux windows ubuntu Lars Quentin Sun, 01 Mar 2020 20:11:22 +0000 https://dev.to/lquenti/dynamic-group-based-ldap-authentication-with-django-and-regex-1h4p https://dev.to/lquenti/dynamic-group-based-ldap-authentication-with-django-and-regex-1h4p <p>I had the following problem:</p> <ul> <li>Authentication over Active Directory through LDAP</li> <li>just certain groups with a specific suffix were allowed to login</li> <li>There was no way to know how many of those groups exist</li> <li>Later views depended on those groups, therefore they had to be mapped to django groups</li> </ul> <p><strong>tl;dr</strong>: If you just want the full code, feel free to jump to the end, but at least leave a upvote. :D</p> <h2> Prerequisites (You already know them) </h2> <p>Besides <code>django</code>, you need <code>django-auth-ldap</code> as well<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pip3 install django-auth-ldap </code></pre> </div> <p>with that installed, we are ready to go!</p> <h2> Writing our own basic LDAP Backend </h2> <p>At first, let's create our own Backend, by extending the default LDAPBackend from <code>django-auth-ldap</code>. <br> For the official documentation, see <a href="https://django-auth-ldap.readthedocs.io/en/latest/custombehavior.html" rel="noopener noreferrer">here</a>.</p> <p><code>&lt;name_of_main_application&gt;/ldap.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">GroupLDAPBackend</span><span class="p">(</span><span class="n">LDAPBackend</span><span class="p">):</span> <span class="k">pass</span> </code></pre> </div> <p>Now before we do further customisation, let's just fill it with our parameters for the <a href="https://django-auth-ldap.readthedocs.io/en/latest/authentication.html" rel="noopener noreferrer">Search/Bind</a> authentication:</p> <p><code>&lt;name_of_main_application&gt;/ldap.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">ldap</span> <span class="kn">from</span> <span class="n">django_auth_ldap.backend</span> <span class="kn">import</span> <span class="n">LDAPBackend</span> <span class="kn">from</span> <span class="n">django_auth_ldap.config</span> <span class="kn">import</span> <span class="n">LDAPSearch</span> <span class="k">class</span> <span class="nc">GroupLDAPBackend</span><span class="p">(</span><span class="n">LDAPBackend</span><span class="p">):</span> <span class="n">default_settings</span> <span class="o">=</span> <span class="p">{</span> <span class="c1"># All those settings are overwriting base class values </span> <span class="sh">"</span><span class="s">SERVER_URI</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ldaps://url.to.our.dc.domain.com</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">CACHE_TIMEOUT</span><span class="sh">"</span><span class="p">:</span> <span class="mi">3600</span><span class="p">,</span> <span class="c1"># Those settings should probably be overwritten by the settings.py </span> <span class="sh">"</span><span class="s">BIND_DN</span><span class="sh">"</span><span class="p">:</span> <span class="sh">""</span><span class="p">,</span> <span class="sh">"</span><span class="s">BIND_PASSWORD</span><span class="sh">"</span><span class="p">:</span> <span class="sh">""</span><span class="p">,</span> <span class="sh">"</span><span class="s">USER_SEARCH</span><span class="sh">"</span><span class="p">:</span> <span class="nc">LDAPSearch</span><span class="p">(</span> <span class="sh">"</span><span class="s">OU=&lt;OU_OF_USER_LOGGING_IN&gt;, OU=..., DC=..., DC=domain, DC=com</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># If you know, that all your users logging in are on that </span> <span class="c1"># exact ou depth specified above, you can get better performance </span> <span class="c1"># by using ldap.SCOPE_BASE or for that depth and its direct </span> <span class="c1"># children ldap.SCOPE_ONELEVEL, see python-ldap documentation for </span> <span class="c1"># more. </span> <span class="n">ldap</span><span class="p">.</span><span class="n">SCOPE_SUBTREE</span><span class="p">,</span> <span class="sh">"</span><span class="s">(uid=%(user)s)</span><span class="sh">"</span> <span class="p">),</span> <span class="p">}</span> </code></pre> </div> <p>Those settings are the same as outside of the class with the <code>AUTH_LDAP</code> Prefix.</p> <p>Here a short explaination of all those parameters:</p> <ul> <li> <a href="https://django-auth-ldap.readthedocs.io/en/latest/reference.html#auth-ldap-server-uri" rel="noopener noreferrer">SERVER_URI</a>: The URL to the domain controller</li> <li> <a href="https://django-auth-ldap.readthedocs.io/en/latest/reference.html#auth-ldap-cache-timeout" rel="noopener noreferrer">CACHE_TIMEOUT</a>: How long the data from the LDAP Server is cached. Here set to one hour.</li> <li> <a href="https://django-auth-ldap.readthedocs.io/en/latest/reference.html#auth-ldap-bind-dn" rel="noopener noreferrer">BIND_DN</a>: The <a href="https://ldapwiki.com/wiki/Distinguished%20Names" rel="noopener noreferrer">fully qualified Distinguished Name</a>, which means that dc's/ou's cant be before the cn logging in mustn't be omitted. You'll see an example later.</li> <li> <a href="https://django-auth-ldap.readthedocs.io/en/latest/authentication.html#search-bind" rel="noopener noreferrer">USER_SEARCH</a>: The search, which will be performed on in the authentication process</li> </ul> <p>Now we can add the ldap authentication in the <code>settings.py</code>, together with the other settings.</p> <p><code>&lt;name_of_main_application&gt;/settings.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="bp">...</span> <span class="n">AUTH_LDAP_BIND_DN</span> <span class="o">=</span> <span class="sh">"</span><span class="s">CN=&lt;user_which_handles_all_binds&gt;, OU=its_ou, ..., DC=domain, DC=com</span><span class="sh">"</span> <span class="n">AUTH_LDAP_BIND_PASSWORD</span> <span class="o">=</span> <span class="sh">"</span><span class="s">password_for_that_account</span><span class="sh">"</span> <span class="bp">...</span> <span class="n">AUTHENTICATION_BACKENDS</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">"</span><span class="s">&lt;name_of_main_application&gt;.ldap.GroupLDAPBackend</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># And if wanted, the django one as well </span> <span class="sh">"</span><span class="s">django.contrib.auth.backends.ModelBackend</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <p>In production, instead of hard coding (and even worse, committing) the credentials please export them into your linux environment and use <code>os.getenv(KEY)</code>. This way, you don't save any critical information in your repository.</p> <p>Also, if you have any problems finding the credentials, you can enable logging as well with</p> <p><code>&lt;name_of_main_application&gt;/settings.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">LOGGING</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">disable_existing_loggers</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">"</span><span class="s">handlers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">console</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">class</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">logging.StreamHandler</span><span class="sh">"</span><span class="p">}},</span> <span class="sh">"</span><span class="s">loggers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">django_auth_ldap</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">level</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">DEBUG</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">handlers</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">console</span><span class="sh">"</span><span class="p">]}},</span> <span class="p">}</span> </code></pre> </div> <p>This should already be enough to get the normal authentication working!<br> Now we just have to implement the group-based authentication.<br> Let's get right into the "fun"!</p> <h2> Extending our badass Backend with Group Authentication </h2> <p>Let's say, we want to allow any user, which has a group with the suffix <strong>"django"</strong>.</p> <ul> <li> <em>"some_group_django"</em>: ✔️</li> <li> <em>"admindjango"</em>: ✔️</li> <li> <em>"djangogrp"</em>: ❌</li> </ul> <p>For educational purposes, they all groups are located in<br> <code>OU=Groups, DC=domain, DC=com</code><br> and its sub organisational units.</p> <p>With that, we can extend our backend with our own <em>RegEx</em>-Setting as well as <a href="https://django-auth-ldap.readthedocs.io/en/latest/groups.html#finding-groups" rel="noopener noreferrer">GROUP_SEARCH and GROUP_TYPE</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">re</span> <span class="kn">import</span> <span class="n">ldap</span> <span class="kn">from</span> <span class="n">django_auth_ldap.backend</span> <span class="kn">import</span> <span class="n">LDAPBackend</span> <span class="kn">from</span> <span class="n">django_auth_ldap.config</span> <span class="kn">import</span> <span class="n">LDAPSearch</span><span class="p">,</span> <span class="n">GroupOfNamesType</span> <span class="k">class</span> <span class="nc">GroupLDAPBackend</span><span class="p">(</span><span class="n">LDAPBackend</span><span class="p">):</span> <span class="n">default_settings</span> <span class="o">=</span> <span class="p">{</span> <span class="c1"># Our new settings </span> <span class="c1"># Lets call the RegEx GROUP_REGEX for simplicity </span> <span class="sh">"</span><span class="s">GROUP_REGEX</span><span class="sh">"</span><span class="p">:</span> <span class="n">re</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">^*django$</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">GROUP_SEARCH</span><span class="sh">"</span><span class="p">:</span> <span class="nc">LDAPSearch</span><span class="p">(</span> <span class="sh">"</span><span class="s">OU=Groups, DC=domain, DC=com</span><span class="sh">"</span><span class="p">,</span> <span class="n">ldap</span><span class="p">.</span><span class="n">SCOPE_SUBTREE</span><span class="p">,</span> <span class="sh">"</span><span class="s">(cn=*django)</span><span class="sh">"</span> <span class="p">),</span> <span class="sh">"</span><span class="s">GROUP_TYPE</span><span class="sh">"</span><span class="p">:</span> <span class="nc">GroupOfNamesType</span><span class="p">(),</span> <span class="c1"># All those settings are overwriting base class values </span> <span class="sh">"</span><span class="s">SERVER_URI</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ldaps://url.to.our.dc.domain.com</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">CACHE_TIMEOUT</span><span class="sh">"</span><span class="p">:</span> <span class="mi">3600</span><span class="p">,</span> <span class="c1"># Those settings should probably be overwritten by the settings.py </span> <span class="sh">"</span><span class="s">BIND_DN</span><span class="sh">"</span><span class="p">:</span> <span class="sh">""</span><span class="p">,</span> <span class="sh">"</span><span class="s">BIND_PASSWORD</span><span class="sh">"</span><span class="p">:</span> <span class="sh">""</span><span class="p">,</span> <span class="sh">"</span><span class="s">USER_SEARCH</span><span class="sh">"</span><span class="p">:</span> <span class="nc">LDAPSearch</span><span class="p">(</span> <span class="sh">"</span><span class="s">OU=&lt;OU_OF_USER_LOGGING_IN&gt;, OU=..., DC=..., DC=domain, DC=com</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># If you know, that all your users logging in are on that </span> <span class="c1"># exact ou depth specified above, you can get better performance </span> <span class="c1"># by using ldap.SCOPE_BASE or for that depth and its direct </span> <span class="c1"># children ldap.SCOPE_ONELEVEL, see python-ldap documentation for </span> <span class="c1"># more. </span> <span class="n">ldap</span><span class="p">.</span><span class="n">SCOPE_SUBTREE</span><span class="p">,</span> <span class="sh">"</span><span class="s">(uid=%(user)s)</span><span class="sh">"</span> <span class="p">),</span> <span class="p">}</span> </code></pre> </div> <p>Finally, we can now override the <code>LDAPBackend.authenticate_ldap_user</code> with our own version! </p> <p>I'll use some <a href="https://docs.python.org/3/library/typing.html" rel="noopener noreferrer">type hinting</a> here, since the Documentation for <code>_LDAPUser</code> is more or less nonexisting so that you know where to find the source code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Just needed for type hinting lol </span><span class="kn">from</span> <span class="n">django_auth_ldap.backend</span> <span class="kn">import</span> <span class="n">_LDAPUser</span> <span class="k">class</span> <span class="nc">GroupLDAPBackend</span><span class="p">(</span><span class="n">LDAPBackend</span><span class="p">):</span> <span class="n">default_settings</span> <span class="o">=</span> <span class="p">{</span> <span class="bp">...</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">authenticate_ldap_user</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">ldap_user</span><span class="p">:</span> <span class="n">_LDAPUser</span><span class="p">,</span> <span class="n">password</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="c1"># This is the default implemented authentication </span> <span class="n">user</span> <span class="o">=</span> <span class="n">ldap_user</span><span class="p">.</span><span class="nf">authenticate</span><span class="p">(</span><span class="n">password</span><span class="p">)</span> <span class="c1"># If the authentication was denied, we have to return None </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="n">ldap_groups</span> <span class="o">=</span> <span class="n">ldap_user</span><span class="p">.</span><span class="n">group_names</span> <span class="n">ldap_groups</span> <span class="o">=</span> <span class="p">{</span><span class="n">x</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">ldap_groups</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">settings</span><span class="p">.</span><span class="n">GROUP_REGEX</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="n">x</span><span class="p">)}</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">ldap_groups</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">return</span> <span class="n">user</span> </code></pre> </div> <p>I mean, at least for me, that was way easier than expected.<br> Lastly, we just have to create the django groups from the ldap ones.</p> <h2> Creating Django Groups on the fly! </h2> <p>Luckily, django has the <code>get_or_create</code> pattern, which makes things a lot easier.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">django.contrib.auth.models</span> <span class="kn">import</span> <span class="n">Group</span> <span class="k">class</span> <span class="nc">GroupLDAPBackend</span><span class="p">(</span><span class="n">LDAPBackend</span><span class="p">):</span> <span class="bp">...</span> <span class="k">def</span> <span class="nf">create_groups_and_assign_user_to_it</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">user</span><span class="p">,</span> <span class="n">ldap_groups</span><span class="p">):</span> <span class="k">for</span> <span class="n">group_name</span> <span class="ow">in</span> <span class="n">ldap_groups</span><span class="p">:</span> <span class="n">django_group</span><span class="p">,</span> <span class="n">was_created</span> <span class="o">=</span> <span class="n">Group</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get_or_create</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="n">group_name</span><span class="p">)</span> <span class="n">django_group</span><span class="p">.</span><span class="n">user_set</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> </code></pre> </div> <p>That's it! If it helped you or you have further questions, feel free to hook me up on twitter. <br> Also, if there is a even neater way to implement it, please tell me and I'll correct it.</p> <h2> The whole source code with some logging </h2> <p><code>&lt;name_of_main_application&gt;/settings.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="bp">...</span> <span class="n">AUTH_LDAP_BIND_DN</span> <span class="o">=</span> <span class="sh">"</span><span class="s">CN=&lt;user_which_handles_all_binds&gt;, OU=its_ou, ..., DC=domain, DC=com</span><span class="sh">"</span> <span class="n">AUTH_LDAP_BIND_PASSWORD</span> <span class="o">=</span> <span class="sh">"</span><span class="s">password_for_that_account</span><span class="sh">"</span> <span class="n">AUTHENTICATION_BACKENDS</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">"</span><span class="s">&lt;name_of_main_application&gt;.ldap.GroupLDAPBackend</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># And if wanted, the django one as well </span> <span class="sh">"</span><span class="s">django.contrib.auth.backends.ModelBackend</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> <span class="n">LOGGING</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">disable_existing_loggers</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">"</span><span class="s">handlers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">console</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">class</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">logging.StreamHandler</span><span class="sh">"</span><span class="p">}},</span> <span class="sh">"</span><span class="s">loggers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">django_auth_ldap</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">level</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">DEBUG</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">handlers</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">console</span><span class="sh">"</span><span class="p">]}},</span> <span class="p">}</span> </code></pre> </div> <p><code>&lt;name_of_main_application&gt;/ldap.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">re</span> <span class="kn">import</span> <span class="n">ldap</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">from</span> <span class="n">django_auth_ldap.backend</span> <span class="kn">import</span> <span class="n">LDAPBackend</span><span class="p">,</span> <span class="n">_LDAPUser</span> <span class="kn">from</span> <span class="n">django_auth_ldap.config</span> <span class="kn">import</span> <span class="n">LDAPSearch</span><span class="p">,</span> <span class="n">GroupOfNamesType</span> <span class="kn">from</span> <span class="n">django.contrib.auth.models</span> <span class="kn">import</span> <span class="n">Group</span> <span class="k">class</span> <span class="nc">GroupLDAPBackend</span><span class="p">(</span><span class="n">LDAPBackend</span><span class="p">):</span> <span class="n">default_settings</span> <span class="o">=</span> <span class="p">{</span> <span class="c1"># Our new settings </span> <span class="c1"># Lets call the RegEx GROUP_REGEX for simplicity </span> <span class="sh">"</span><span class="s">GROUP_REGEX</span><span class="sh">"</span><span class="p">:</span> <span class="n">re</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">^*django$</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">GROUP_SEARCH</span><span class="sh">"</span><span class="p">:</span> <span class="nc">LDAPSearch</span><span class="p">(</span> <span class="sh">"</span><span class="s">OU=Groups, DC=domain, DC=com</span><span class="sh">"</span><span class="p">,</span> <span class="n">ldap</span><span class="p">.</span><span class="n">SCOPE_SUBTREE</span><span class="p">,</span> <span class="sh">"</span><span class="s">(cn=*django)</span><span class="sh">"</span> <span class="p">),</span> <span class="sh">"</span><span class="s">GROUP_TYPE</span><span class="sh">"</span><span class="p">:</span> <span class="nc">GroupOfNamesType</span><span class="p">(),</span> <span class="c1"># All those settings are overwriting base class values </span> <span class="sh">"</span><span class="s">SERVER_URI</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ldaps://url.to.our.dc.domain.com</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">CACHE_TIMEOUT</span><span class="sh">"</span><span class="p">:</span> <span class="mi">3600</span><span class="p">,</span> <span class="c1"># Those settings should probably be overwritten by the settings.py </span> <span class="sh">"</span><span class="s">BIND_DN</span><span class="sh">"</span><span class="p">:</span> <span class="sh">""</span><span class="p">,</span> <span class="sh">"</span><span class="s">BIND_PASSWORD</span><span class="sh">"</span><span class="p">:</span> <span class="sh">""</span><span class="p">,</span> <span class="sh">"</span><span class="s">USER_SEARCH</span><span class="sh">"</span><span class="p">:</span> <span class="nc">LDAPSearch</span><span class="p">(</span> <span class="sh">"</span><span class="s">OU=&lt;OU_OF_USER_LOGGING_IN&gt;, OU=..., DC=..., DC=domain, DC=com</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># If you know, that all your users logging in are on that </span> <span class="c1"># exact ou depth specified above, you can get better performance </span> <span class="c1"># by using ldap.SCOPE_BASE or for that depth and its direct </span> <span class="c1"># children ldap.SCOPE_ONELEVEL, see python-ldap documentation for </span> <span class="c1"># more. </span> <span class="n">ldap</span><span class="p">.</span><span class="n">SCOPE_SUBTREE</span><span class="p">,</span> <span class="sh">"</span><span class="s">(uid=%(user)s)</span><span class="sh">"</span> <span class="p">),</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">authenticate_ldap_user</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">ldap_user</span><span class="p">:</span> <span class="n">_LDAPUser</span><span class="p">,</span> <span class="n">password</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="c1"># This is the default implemented authentication </span> <span class="n">user</span> <span class="o">=</span> <span class="n">ldap_user</span><span class="p">.</span><span class="nf">authenticate</span><span class="p">(</span><span class="n">password</span><span class="p">)</span> <span class="c1"># If the authentication was denied, we have to return None </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="n">ldap_groups</span> <span class="o">=</span> <span class="n">ldap_user</span><span class="p">.</span><span class="n">group_names</span> <span class="n">ldap_groups</span> <span class="o">=</span> <span class="p">{</span><span class="n">x</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">ldap_groups</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">settings</span><span class="p">.</span><span class="n">GROUP_REGEX</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="n">x</span><span class="p">)}</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">ldap_groups</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="n">self</span><span class="p">.</span><span class="nf">create_groups_and_assign_user_to_it</span><span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="n">ldap_groups</span><span class="p">)</span> <span class="k">return</span> <span class="n">user</span> <span class="k">def</span> <span class="nf">create_groups_and_assign_user_to_it</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">user</span><span class="p">,</span> <span class="n">ldap_groups</span><span class="p">):</span> <span class="k">for</span> <span class="n">group_name</span> <span class="ow">in</span> <span class="n">ldap_groups</span><span class="p">:</span> <span class="n">django_group</span><span class="p">,</span> <span class="n">was_created</span> <span class="o">=</span> <span class="n">Group</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">get_or_create</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="n">group_name</span><span class="p">)</span> <span class="n">django_group</span><span class="p">.</span><span class="n">user_set</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> </code></pre> </div> djangoauthldap ldap django activedirectory