Tutorial Django - LDAP Authentication on Active Directory [ Step by Step ]

Would you like to learn how to configure Django LDAP authentication on Active directory? In this tutorial, we are going to show you how to authenticate Django users using the Active directory database from Microsoft Windows and the LDAP protocol.

• Ubuntu 18
• Ubuntu 19
• Django 2.2.6
• Windows 2012 R2

Hardware List:

The following section presents the list of equipment used to create this Django tutorial.

Every piece of hardware listed above can be found at Amazon website.

Django Related Tutorial:

On this page, we offer quick access to a list of tutorials related to Django installation.

List of Tutorials – Django

Tutorial – Windows Domain Controller Firewall

First, we need to create a Firewall rule on the Windows domain controller.

This firewall rule will allow the Django server to query the Active directory database.

On the domain controller, open the application named Windows Firewall with Advanced Security

Create a new Inbound firewall rule.

Select the PORT option.

Select the TCP option.

Select the Specific local ports option.

Enter the TCP port 389.

Select the Allow the connection option.

zabbix windows firewall allow connection

Check the DOMAIN option.

Check the PRIVATE option.

Check the PUBLIC option.

Enter a description to the firewall rule.

Congratulations, you have created the required firewall rule.

This rule will allow Django to query the Active directory database.

Tutorial – Windows Domain Account Creation

Next, we need to create at least 2 accounts on the Active directory database.

The ADMIN account will be used to login on the Django web interface.

The BIND account will be used to query the Active Directory database.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new account inside the Users container.

Create a new account named: admin

Password configured to the ADMIN user: 123qwe..

This account will be used to authenticate as admin on the Django web interface.

zabbix active directory admin properties

Create a new account named: bind

Password configured to the BIND user: kamisama123@

This account will be used to query the passwords stored on the Active Directory database.

zabbix active directory ldap bind properties

Congratulations, you have created the required Active Directory accounts.

Tutorial – Windows Domain Group Creation

Next, we need to create at least 1 group on the Active directory database.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new group inside the Users container.

Create a new group named: django-admin

Members of this group will have the Admin permission on the Django web interface.

Important! Add the admin user as a member of the django-admins group.

Congratulations, you have created the required Active Directory group.

Tutorial – Django Installation on Ubuntu Linux

Upgrade your Ubuntu installation.

If required, reboot your computer.

Copy to Clipboard

Use apt-get to install the required packages.

Copy to Clipboard

Verify the default Python version installed on your system.

Copy to Clipboard

Verify the latest Python version installed on your system.

Copy to Clipboard

Change the default Python version to the Latest edition detected.

Copy to Clipboard

Verify the default Python version installed on your system.

Copy to Clipboard

Install Django.

Copy to Clipboard

Here is the Django installation output.

Copy to Clipboard

Create your first Django project.

Copy to Clipboard

Edit the settings.py file

Copy to Clipboard

Locate the ALLOWED_HOSTS entry and configure your Django server IP address.

Copy to Clipboard

In our example, the Djando server is running on a computer using the IP address 192.168.15.11.

Start the Django server.

Copy to Clipboard

Open a browser software, enter the IP address of your Django server firewall plus :8000 and access web interface.

In our example, the following URL was entered in the Browser:

• https://192.168.15.11:8000

The Django web interface should be presented

On the Linux command-line, press CTRL+C to stop the Djando server.

Create the Django SQLite database schema.

Copy to Clipboard

Here is the Django migration output:

Copy to Clipboard

Create a local Administrative user account.

Copy to Clipboard

In our example, we create a local user account named root with the password kamisama123.

Start the Django server.

Copy to Clipboard

Open your browser and enter the IP address of your web server plus :8000/admin

In our example, the following URL was entered in the Browser:

• http://192.168.15.11:8000/admin

On the login screen, use the Django username and password created before.

• Default Username: root
• Default Password: kamisama123

After a successful login, you will be sent to the Django Dashboard.

Congratulations! You have finished the Django Installation on Ubuntu Linux.

Tutorial Django – LDAP Authentication on Active Directory

On the Linux command-line, press CTRL+C to stop the Djando server.

Install the required packages to allow the django-auth-ldap installation.

Copy to Clipboard

Install the django-auth-ldap package using PIP.

Copy to Clipboard

Here is the django-auth-ldap installation output.

Copy to Clipboard

Collecting django-auth-ldap
  Downloading https://files.pythonhosted.org/packages/69/cc/968f35bf4012ab99a55b646f90266853255ef937d14353a97e4fe7f885f0/django_auth_ldap-2.0.0-py3-none-any.whl
Collecting python-ldap>=3.1 (from django-auth-ldap)
  Downloading https://files.pythonhosted.org/packages/ea/93/596f875e003c770447f4b99267820a0c769dd2dc3ae3ed19afe460fcbad0/python-ldap-3.2.0.tar.gz (367kB)
    100% |████████████████████████████████| 368kB 2.2MB/s
Requirement already satisfied: Django>=1.11 in /usr/local/lib/python3.7/dist-packages (from django-auth-ldap) (2.2.6)
Requirement already satisfied: pyasn1>=0.3.7 in /usr/lib/python3/dist-packages (from python-ldap>=3.1->django-auth-ldap) (0.4.2)
Requirement already satisfied: pyasn1_modules>=0.1.5 in /usr/lib/python3/dist-packages (from python-ldap>=3.1->django-auth-ldap) (0.2.1)
Requirement already satisfied: pytz in /usr/local/lib/python3.7/dist-packages (from Django>=1.11->django-auth-ldap) (2019.2)
Requirement already satisfied: sqlparse in /usr/local/lib/python3.7/dist-packages (from Django>=1.11->django-auth-ldap) (0.3.0)
Building wheels for collected packages: python-ldap
  Running setup.py bdist_wheel for python-ldap ... done
  Stored in directory: /root/.cache/pip/wheels/48/dd/0b/a06d1baf6575ad4520fc1fcf5bd96b493cd89670fdf6ade224
Successfully built python-ldap
Installing collected packages: python-ldap, django-auth-ldap
Successfully installed django-auth-ldap-2.0.0 python-ldap-3.2.0

Edit your Django project settings.py file.

Copy to Clipboard

Locate this area on the top of your settings.py file.

Copy to Clipboard

Add the LDAP user authentication configuration below this line.

Copy to Clipboard

import ldap
from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_SERVER_URI = 'ldap://192.168.15.10'
AUTH_LDAP_BIND_DN = "CN=bind,CN=Users,DC=tech,DC=local"
AUTH_LDAP_BIND_PASSWORD = "kamisama123@"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
            "dc=tech,dc=local", ldap.SCOPE_SUBTREE, "sAMAccountName=%(user)s"
            )

AUTH_LDAP_USER_ATTR_MAP = {
            "username": "sAMAccountName",
                "first_name": "givenName",
                    "last_name": "sn",
                        "email": "mail",
}
from django_auth_ldap.config import ActiveDirectoryGroupType
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
            "dc=tech,dc=local", ldap.SCOPE_SUBTREE, "(objectCategory=Group)"
            )
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType(name_attr="cn")
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
            "is_superuser": "CN=django-admins,CN=Users,DC=TECH,DC=LOCAL",
            "is_staff": "CN=django-admins,CN=Users,DC=TECH,DC=LOCAL",
            }
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 1  # 1 hour cache

AUTHENTICATION_BACKENDS = [
            'django_auth_ldap.backend.LDAPBackend',
                'django.contrib.auth.backends.ModelBackend',
]

In our example, we used the following configuration for user authentication:

• Domian controller IP – 192.168.15.10
• Active directory domain – dc=tech,dc=local
• Authentication containers – DC=tech,DC=local
• Bind user – CN=bind,CN=Users,DC=tech,DC=local
• Bind user password – kamisama123@
• Group permission – Members of the django-admin group will have total access to the web interface

Keep in mind that you need to change this to reflect your network environment.

Start the Django server.

Copy to Clipboard

As an example, here is the content of our settings.py file.

Copy to Clipboard

"""
Django settings for myproject project.

Generated by 'django-admin startproject' using Django 2.2.6.

For more information on this file, see
https://docs.djangoproject.com/en/2.2/topics/settings/

For the full list of settings and their values, see
https://docs.djangoproject.com/en/2.2/ref/settings/
"""

import os
import ldap
from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_SERVER_URI = 'ldap://192.168.15.10'
AUTH_LDAP_BIND_DN = "CN=bind,CN=Users,DC=tech,DC=local"
AUTH_LDAP_BIND_PASSWORD = "kamisama123@"
AUTH_LDAP_USER_SEARCH = LDAPSearch(
                    "dc=tech,dc=local", ldap.SCOPE_SUBTREE, "sAMAccountName=%(user)s"
                                )

AUTH_LDAP_USER_ATTR_MAP = {
    "username": "sAMAccountName",
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}
from django_auth_ldap.config import ActiveDirectoryGroupType
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "dc=tech,dc=local", ldap.SCOPE_SUBTREE, "(objectCategory=Group)"
                                )
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType(name_attr="cn")
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_superuser": "CN=django-admins,CN=Users,DC=TECH,DC=LOCAL",
    "is_staff": "CN=django-admins,CN=Users,DC=TECH,DC=LOCAL",
}
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 1  # 1 hour cache

AUTHENTICATION_BACKENDS = [
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
]
# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/2.2/howto/deployment/checklist/

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'k7gi3=%q&d12qkx_#onn)4c)e-4myaum1wn9o0g8poq1--7oyv'

# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True

ALLOWED_HOSTS = ['192.168.15.13']

# Application definition

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

ROOT_URLCONF = 'myproject.urls'

TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': [],
        'APP_DIRS': True,
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                'django.contrib.messages.context_processors.messages',
            ],
        },
    },
]

WSGI_APPLICATION = 'myproject.wsgi.application'

# Database
# https://docs.djangoproject.com/en/2.2/ref/settings/#databases

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.sqlite3',
        'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
    }
}

# Password validation
# https://docs.djangoproject.com/en/2.2/ref/settings/#auth-password-validators

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]

# Internationalization
# https://docs.djangoproject.com/en/2.2/topics/i18n/

LANGUAGE_CODE = 'en-us'

TIME_ZONE = 'UTC'

USE_I18N = True

USE_L10N = True

USE_TZ = True

# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/2.2/howto/static-files/

STATIC_URL = '/static/'

Open your browser and enter the IP address of your web server plus :8000/admin

In our example, the following URL was entered in the Browser:

• http://192.168.15.11:8000/admin

On the login screen, use the Django username and password created before.

• Default Username: admin
• Default Password: Enter the Active directory password

After a successful login, you will be sent to the Django Dashboard.

Access the users menu and verify if the Active directory user is listed.

Congratulations! You have finished the Django ldap authentication using Active Directory on Ubuntu Linux.

Django – LDAP Authentication on Active Directory

Django – LDAP Authentication on Active Directory

Hardware List:

Django Related Tutorial:

Tutorial – Windows Domain Controller Firewall

Tutorial – Windows Domain Account Creation

Tutorial – Windows Domain Group Creation

Tutorial – Django Installation on Ubuntu Linux

Tutorial Django – LDAP Authentication on Active Directory

Related Posts

Django – Installation on Ubuntu Linux