make ldap authentication work

authorization is still missing -> people can login but can't really
do anything. It seems like we should add a group for members to ldap
and authorize the matching django group to be allowed to edit news,
projects, and so on.

Maybe there is a better solution, which I did not see?
Also, there is probably a better code for the populate_user handler
I placed in accounts/models.py

1 files changed, 11 insertions, 10 deletions

diff --git a/sublab_project/settings.py b/sublab_project/settings.py
index e52008a..7138e93 100644
--- a/sublab_project/settings.py
+++ b/sublab_project/settings.py
@@ -2,7 +2,7 @@
 import os
 
 # from django_auth_ldap.config import LDAPSearch
-# import ldap
+import ldap
 
 
 SITE_ROOT = os.path.realpath(os.path.dirname(__file__))
@@ -135,6 +135,7 @@ INSTALLED_APPS = (
     'projects',
     'djcelery',
     'calendarium',
+    'accounts',
 )
 
 # A sample logging configuration. The only tangible logging
@@ -172,19 +173,19 @@ LOGGING = {
     }
 }
 
-# AUTH_LDAP_SERVER_URI = 'ldap://taifun.local.sublab.org'
-# AUTH_LDAP_BIND_DN = 'cn=djangotest,ou=users,dc=sublab,dc=org'
-# AUTH_LDAP_BIND_PASSWORD = 'djangotest'
-# AUTH_LDAP_USER_SEARCH = LDAPSearch('ou=users,dc=sublab,dc=org',
-#     ldap.SCOPE_SUBTREE, '(uid=%(user)s)')
-AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,ou=users,dc=sublab,dc=org'
+AUTH_PROFILE_MODULE = 'accounts.UserProfile'
+
+AUTH_LDAP_SERVER_URI = 'ldap://oberon.local.sublab.org'
+AUTH_LDAP_START_TLS = True
+AUTH_LDAP_GLOBAL_OPTIONS = {
+    ldap.OPT_X_TLS_CACERTFILE: os.path.join(SITE_ROOT, 'cacert.pem'),
+}
+AUTH_LDAP_USER_DN_TEMPLATE = 'cn=%(user)s,ou=people,dc=sublab,dc=org'
 AUTH_LDAP_USER_ATTR_MAP = {
-    'first_name': 'givenName',
     'last_name': 'sn',
-    'email': 'mail'
 }
 AUTH_LDAP_ALWAYS_UPDATE_USER = True
-AUTH_LDAP_START_TLS = True
+AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
 
 AUTHENTICATION_BACKENDS = (
     'django_auth_ldap.backend.LDAPBackend',