我正在开发一个以flask框架为后端的webapp,我需要提供身份验证。
由于这是在我们的本地域上使用的内部应用程序,因此我选择使用他们已经存在的域凭据对用户进行身份验证。
我使用的方法是win32security.LogonUser从中pywin32返回成功登录的句柄。
我试图了解烧瓶登录的工作原理,但@login_manager.user_loader回调让我感到困惑。
它说我应该提供一个可用于重新加载用户的 id,但是我没有数据库或持久存储来提供此映射,因为我只对检查用户是否通过身份验证感兴趣。
我的用户类如下所示:
class User(flask_login.UserMixin):
def __init__(self,username):
self.username = username
self.id = ???
使用什么id,以及这个 id 如何映射回这个实例?
您可以使用 LDAP 模块在 python 中执行此操作:
LDAP_SERVER = "yourldapserver"
LDAP_PORT = 390033 # your port
import ldap
def login(email, password):
ld = ldap.open(LDAP_SERVER, port=LDAP_PORT)
try:
ld.simple_bind_s(email, password)
except ldap.INVALID_CREDENTIALS:
return False
return True
Flask-login 不依赖或不需要任何特定的用户后端。您必须表示用户对象并返回一个 id。例如看这篇文章
使用 ldap3 进行烧瓶登录的简单示例。
from flask_ldap3_login.forms import LDAPLoginForm
from flask_ldap3_login import LDAP3LoginManager, AuthenticationResponse
from flask_login import LoginManager, login_user, UserMixin, current_user
app = Flask(__name__)
app.config['SECRET_KEY'] = 'secret'
app.config['DEBUG'] = 'True'
# Setup LDAP Configuration Variables. Change these to your own settings.
# Hostname of your LDAP Server
app.config['LDAP_PORT'] = 636
# Hostname of your LDAP Server
app.config['LDAP_HOST'] = 'ldap-name.com'
app.config['LDAP_USE_SSL'] = True
# Base DN of your directory
app.config['LDAP_BASE_DN'] = 'dc=Hostname,dc=com'
# Users DN to be prepended to the Base DN
app.config['LDAP_USER_DN'] = 'ou=people'
# Groups DN to be prepended to the Base DN
app.config['LDAP_GROUP_DN'] = 'cn=ldap-groupname,ou=groups'
# The RDN attribute for your user schema on LDAP
app.config['LDAP_USER_RDN_ATTR'] = 'uid'
# The Attribute you want users to authenticate to LDAP with.
app.config['LDAP_USER_LOGIN_ATTR'] = 'uid'
# The Username to bind to LDAP with
app.config['LDAP_BIND_USER_DN'] = 'uid'
# The Password to bind to LDAP with
app.config['LDAP_BIND_USER_PASSWORD'] = 'pwd'
login_manager = LoginManager(app) # Setup a Flask-Login Manager
ldap_manager = LDAP3LoginManager(app) # Setup a LDAP3 Login Manager.
# Create a dictionary to store the users in when they authenticate
# This example stores users in memory.
users = {}
# Declare an Object Model for the user, and make it comply with the
# flask-login UserMixin mixin.
class User(UserMixin):
def __init__(self, dn, username, data):
self.dn = dn
self.username = username
self.data = data
def __repr__(self):
return self.dn
def get_id(self):
return self.dn
# Declare a User Loader for Flask-Login.
# Simply returns the User if it exists in our 'database', otherwise
# returns None.
@login_manager.user_loader
def load_user(id):
if id in users:
return users[id]
return None
# Declare The User Saver for Flask-Ldap3-Login
# This method is called whenever a LDAPLoginForm() successfully validates.
# Here you have to save the user, and return it so it can be used in the
# login controller.
@ldap_manager.save_user
def save_user(dn, username, data, memberships):
user = User(dn, username, data)
users[dn] = user
return user,username
@app.route('/', methods=['GET', 'POST'])
def login():
# exists in LDAP.
form = LDAPLoginForm()
if form.validate_on_submit():
# Successfully logged in, We can now access the saved user object
# via form.user.
a = login
return redirect(url_for('mainpage'))
return render_template('login.html',form=form)
else:
return render_template('error.html')
self.id 应该是一个唯一的字符串。它可以是以下之一:
明智地选择一个。对于我自己的工作,我更喜欢 sAMAcountName。它要求您在 ldap_bind 之后执行 LDAPSearch。
第一次没有身份验证的绑定(查找 DN)应由应用用户进行,以避免信息泄露(以防您被黑客入侵)。
Ldap 连接是资源 => 使用上下文管理器
with ldap.open(LDAP_SERVER, port=LDAP_PORT) as ld:
# do the search/bind/search here