Commit de94d982 authored by frekk's avatar frekk

logger definition for memberdb, separate django loglevel, updated example config

parent e59454d3
......@@ -129,24 +129,28 @@ LOGGING = {
'django': {
'handlers':['logfile', 'console'],
'propagate': True,
'level': LOG_LEVEL,
'level': LOG_LEVEL_DJANGO,
},
'django.db.backends': {
'handlers': ['logfile', 'console'],
'level': LOG_LEVEL,
'level': LOG_LEVEL_DJANGO,
'propagate': False,
},
'django.contrib.auth': {
'handlers': ['logfile', 'console'],
'level': LOG_LEVEL,
'level': LOG_LEVEL_DJANGO,
},
'django_auth_ldap': {
'level': LOG_LEVEL,
'level': LOG_LEVEL_DJANGO,
'handlers': ['logfile', 'console'],
},
'squarepay': {
'level': LOG_LEVEL,
'handlers': ['logfile', 'console'],
},
'memberdb': {
'level': LOG_LEVEL,
'handlers': ['logfile', 'console'],
}
},
}
......@@ -16,7 +16,7 @@ ADMINS = (
### Database connection options ###
DATABASES = {
'default': {
'ENGINE': '${DB_ENGINE}', # Add 'postgresql', 'mysql', 'sqlite3' or 'oracle'.
'ENGINE': '${DB_ENGINE}', # django.db.backends.XXX where XXX is 'postgresql', 'mysql', 'sqlite3' or 'oracle'.
# this should end up in uccportal/.db/members.db
'NAME': '${DB_NAME}', # Or path to database file if using sqlite3.
'USER': '${DB_USER}', # Not used with sqlite3.
......@@ -41,17 +41,12 @@ SECRET_KEY = '${APP_SECRET}'
ALLOWED_HOSTS = ['${DEPLOY_HOST}']
LOG_LEVEL = 'DEBUG'
LOG_LEVEL_DJANGO = 'WARNING'
LOG_FILENAME = os.path.join(ROOT_DIR, "django.log")
import ldap
from django_auth_ldap.config import LDAPSearch, ActiveDirectoryGroupType, LDAPGroupQuery
# LDAP admin settings
LDAP_BASE_DN = 'DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au'
LDAP_USER_SEARCH_DN = 'CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au'
LDAP_BIND_DN = 'CN=uccportal,CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au'
LDAP_BIND_SECRET = "${LDAP_SECRET}"
# this could be ad.ucc.gu.uwa.edu.au but that doesn't resolve externally -
# useful for testing, but should be changed in production so failover works
AUTH_LDAP_SERVER_URI = 'ldaps://ad.ucc.gu.uwa.edu.au'
......@@ -61,15 +56,30 @@ AUTH_LDAP_GLOBAL_OPTIONS = {
ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER,
}
# directly attempt to authenticate users to bind to LDAP
AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
# LDAP admin settings - NOT for django_auth_ldap
LDAP_BASE_DN = "DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au"
LDAP_USER_SEARCH_DN = 'CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au'
# settings used by memberdb LDAP backend and django_auth_ldap
AUTH_LDAP_BIND_DN = "CN=uccportal,CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au"
AUTH_LDAP_BIND_PASSWORD = "${LDAP_SECRET}"
# just for django_auth_ldap
AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = False
AUTH_LDAP_ALWAYS_UPDATE_USER = True
AUTH_LDAP_MIRROR_GROUPS = False
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
AUTH_LDAP_FIND_GROUP_PERMS = False
# give user permissions from Django groups corresponding to names of AD groups
AUTH_LDAP_FIND_GROUP_PERMS = True
# speed it up by not having to search for the username, we can predict the DN
AUTH_LDAP_USER_DN_TEMPLATE = 'CN=%(user)s,CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au'
# include the search thing anyway, just in case it's needed somewhere...
AUTH_LDAP_USER_SEARCH = LDAPSearch('CN=%(user)s,CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au',
ldap.SCOPE_BASE, "(objectClass=user)")
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("OU=Groups,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au",
ldap.SCOPE_SUBTREE, "(objectClass=group)")
......@@ -81,19 +91,24 @@ AUTH_LDAP_USER_ATTR_MAP = {
"email": "email",
}
ADMIN_ACCESS_QUERY = \
LDAPGroupQuery("CN=committee,OU=Groups,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au") | \
LDAPGroupQuery("CN=door,OU=Groups,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au") | \
LDAPGroupQuery("CN=wheel,OU=Groups,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au")
DOOR_GROUP_QUERY = LDAPGroupQuery("CN=door,OU=Groups,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au")
COMMITTEE_GROUP_QUERY = LDAPGroupQuery("CN=committee,OU=Groups,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au")
WHEEL_GROUP_QUERY = LDAPGroupQuery("CN=wheel,OU=Groups,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au")
ADMIN_ACCESS_QUERY = COMMITTEE_GROUP_QUERY | DOOR_GROUP_QUERY | WHEEL_GROUP_QUERY
# assign user object flags based on group memberships (independent from permissions)
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
# staff can login to the admin site
"is_staff": ADMIN_ACCESS_QUERY,
# superusers have all permissions (but also need staff to login to admin site)
"is_superuser": ADMIN_ACCESS_QUERY,
"is_superuser": COMMITTEE_GROUP_QUERY | WHEEL_GROUP_QUERY,
}
# cache group memberships for 5 minutes
AUTH_LDAP_CACHE_TIMEOUT = 300
# the Square app and location data (set to sandbox unless you want it to charge people)
SQUARE_APP_ID = '${SQUARE_APP_ID}'
SQUARE_LOCATION = '${SQUARE_LOCATION}'
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment