Diffstat (limited to 'okupy/common/auth.py')
-rw-r--r--okupy/common/auth.py39
1 files changed, 39 insertions, 0 deletions
diff --git a/okupy/common/auth.py b/okupy/common/auth.py
index aa238fc..9dcf554 100644
--- a/okupy/common/auth.py
+++ b/okupy/common/auth.py
@@ -5,14 +5,53 @@ from django.contrib.auth.backends import ModelBackend
from django.db import IntegrityError
from okupy.accounts.models import LDAPUser
+from okupy.common.ldap_helpers import get_bound_ldapuser
from OpenSSL.crypto import load_certificate, FILETYPE_PEM
+import ldap
import paramiko
import base64
+class LDAPAuthBackend(ModelBackend):
+ """
+ Authentication backend that authenticates against LDAP password.
+ If authentication succeeds, it sets up secondary password
+ for the session.
+ """
+
+ def authenticate(self, request, username, password):
+ # LDAP is case- and whitespace-insensitive
+ # we do normalization to avoid duplicate django db entries
+ # and help mockldap
+ username = username.lower().strip()
+
+ try:
+ bound_ldapuser = get_bound_ldapuser(
+ request=request,
+ username=username,
+ password=password)
+
+ with bound_ldapuser as u:
+ UserModel = get_user_model()
+ attr_dict = {
+ UserModel.USERNAME_FIELD: u.username
+ }
+
+ user = UserModel(**attr_dict)
+ try:
+ user.save()
+ except IntegrityError:
+ user = UserModel.objects.get(**attr_dict)
+ return user
+ except ldap.INVALID_CREDENTIALS:
+ return None
+ except ldap.STRONG_AUTH_REQUIRED:
+ return None
+
+
class SSLCertAuthBackend(ModelBackend):
"""
Authentication backend taht uses client certificate information.