Skip to content

This guide explains how to implement LDAP authentication. User authentication will fall back to built-in Django users in the event of a failure.


Install Required Packages

# apt install -y python3-dev libldap2-dev libsasl2-dev libssl-dev

Install django-auth-ldap

# pip3 install -r requirements_ldap.txt


Create a file in the same directory as (typically peering_manager/) named Define everything in this file.

General Server Configuration

When using Windows Server 2012 you may need to specify a port on AUTH_LDAP_SERVER_URI.

import ldap

# Server URI

# May be needed if you are binding to Active Directory
    ldap.OPT_REFERRALS: 0

# Set the DN and password for the Peering service account
AUTH_LDAP_BIND_DN = "CN=Peering,OU=Service Accounts,DC=example,DC=com"
AUTH_LDAP_BIND_PASSWORD = "thisisnotasecurepassword"

User Authentication

When using Windows Server 2012, AUTH_LDAP_USER_DN_TEMPLATE should be set to None.

from django_auth_ldap.config import LDAPSearch

# This search matches users with the sAMAccountName equal to the provided
# username. This is required if the user's username is not in their DN (Active
# Directory)
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Users,dc=example,dc=com",

# If a user's DN is producible from their username, we don't need to search
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=users,dc=example,dc=com"

# You can map user attributes to Django attributes with this
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail"

User Groups for Permissions

When using Microsoft Active Directory, Support for nested Groups can be activated by using GroupOfNamesType() instead of NestedGroupOfNamesType() for AUTH_LDAP_GROUP_TYPE.

from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

# Return all groups to which the user belongs. django_auth_ldap uses this to
# determine group hierarchy
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=example,dc=com", ldap.SCOPE_SUBTREE,

# Define a group required to login
AUTH_LDAP_REQUIRE_GROUP = "CN=PeeringGurus,DC=example,DC=com"

# Assign user flags based on groups
    "is_active": "cn=active,ou=groups,dc=example,dc=com",
    "is_staff": "cn=staff,ou=groups,dc=example,dc=com",
    "is_superuser": "cn=superuser,ou=groups,dc=example,dc=com"

# Map LDAP groups to Django groups

# Cache for an hour

Users must be at least mapped to the is_active group. Otherwise they will not be able to log in.

Users that need to access the administration tools must be mapped to the is_staff group.

Users that need superuser status must be mapped to the is_superuser group.