Django
======

``t2core`` is based on a web framework called ``Django``.

User Authentication
===================

There are two ways to handle user logins: the built-in ``User Auth. Backend`` of Django or an ``LDAP based User Auth. Backend``. Both can be active at the same time.

Users logged in via LDAP are created without setting a password. Users who log in via Django must create a password in Django Admin.

There are three levels of user access rights. Users can be:

- Users: a normal ``User`` is able to log in
- Admins: user permissions plus login to the Admin Backend, in Django terms ``Staff User``
- Superuser: all permissions, or ``Superuser``

User Auth. Backend
^^^^^^^^^^^^^^^^^^

This is the Django Auth. Backend, which is enabled by default. It uses a postgres database that comes with t2core.

At the first start, a root user ``root`` is created with a random initial password. After the user has logged in, the password can be changed at ``http://127.0.0.1/accounts/password_change/``.

New users can be added in the `Users / Admin Portal`.

LDAP based User Auth. Backend
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This backend allows users of an external LDAP Server to log in.
The configuration of this backend is made with ENV Vars in ``.env``.

To enable this backend set::

    # Enable the LDAP Login Backend
    AUTH_LDAP_ENABLED=true

Then configure the connection to the external LDAP Server or AD::

    # LDAP server URI
    AUTH_LDAP_SERVER_URI=ldap://192.168.28.30
    # LDAP Bind DN
    AUTH_LDAP_BIND_DN=example\Administrator
    # LDAP Bind Password
    AUTH_LDAP_BIND_PASSWORD=9s8d7f9s87dkf9s8d7f

To find users by login name or username, set the search base and the search filter::

    # LDAP User Search
    AUTH_LDAP_USER_SEARCH=DC=berlin,DC=example,DC=de
    AUTH_LDAP_USER_SEARCH_FILTER=sAMAccountName=%(user)s

Search for users in this group::

    # LDAP Group Search
    AUTH_LDAP_GROUP_SEARCH=CN=Person,CN=Schema,CN=Configuration,DC=berlin,DC=example,DC=de
    AUTH_LDAP_GROUP_SEARCH_FILTER=(objectClass=*)

Users who are members of these groups in the external LDAP tree are set to be Staff or Superusers::

    # set is_superuser based on group membership
    AUTH_LDAP_USER_FLAGS_BY_GROUP_ISSUPERUSER=CN=Domänen-Admins,CN=Users,DC=berlin,DC=example,DC=de
    # set is_staff based on group membership
    AUTH_LDAP_USER_FLAGS_BY_GROUP_ISSTAFF=CN=Domänen-Admins,CN=Users,DC=berlin,DC=example,DC=de

Match fields between Django model fields and fields in the external LDAP tree::

    # match fields between django model fields and ldap fields
    AUTH_LDAP_USER_ATTR_MAP_USERNAME=sAMAccountName
    AUTH_LDAP_USER_ATTR_MAP_FIRSTNAME=givenName
    AUTH_LDAP_USER_ATTR_MAP_LASTNAME=sn
    AUTH_LDAP_USER_ATTR_MAP_EMAIL=mail

.. note::

    Users are created in the database without a set password. Before these accounts can be logged in to or searched via LDAP, this has to be set in Django Admin.

Django manage.py
^^^^^^^^^^^^^^^^

Output of all Django modules::

    root@cfebe6e5493a:/t2# python3 manage.py

    Type 'manage.py help <subcommand>' for help on a specific subcommand.

    Available subcommands:

    [auth]
        changepassword
        createsuperuser

    [background_task]
        process_tasks

    [contenttypes]
        remove_stale_contenttypes

    [django]
        check
        compilemessages
        createcachetable
        dbshell
        diffsettings
        dumpdata
        flush
        inspectdb
        loaddata
        makemessages
        makemigrations
        migrate
        sendtestemail
        shell
        showmigrations
        sqlflush
        sqlmigrate
        sqlsequencereset
        squashmigrations
        startapp
        startproject
        test
        testserver

    [rest_framework]
        generateschema

    [sessions]
        clearsessions

    [staticfiles]
        collectstatic
        findstatic
        runserver

    [t2ldap]
        load
        make_compose
        sync
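
A pre-deployment check for the LDAP backend settings in ``.env`` described above, added here as an example (it is not t2core code): it parses the settings, flags a plain ``ldap://`` URI and an identical Staff/Superuser group, and shows how a login name is escaped before it replaces ``%(user)s`` in the search filter. The function names and finding labels are assumptions made for this example; the sample values are the example values from this page.

```python
import re

# Constructed sample: the example values from the settings shown on this page.
SAMPLE_ENV = r"""
# Enable the LDAP Login Backend
AUTH_LDAP_ENABLED=true
AUTH_LDAP_SERVER_URI=ldap://192.168.28.30
AUTH_LDAP_BIND_DN=example\Administrator
AUTH_LDAP_USER_SEARCH=DC=berlin,DC=example,DC=de
AUTH_LDAP_USER_SEARCH_FILTER=sAMAccountName=%(user)s
AUTH_LDAP_USER_FLAGS_BY_GROUP_ISSUPERUSER=CN=Domänen-Admins,CN=Users,DC=berlin,DC=example,DC=de
AUTH_LDAP_USER_FLAGS_BY_GROUP_ISSTAFF=CN=Domänen-Admins,CN=Users,DC=berlin,DC=example,DC=de
"""

def parse_env(text):
    """Read KEY=VALUE lines; split on the first '=' only, because DNs contain '='."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so the login name stays a literal."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def user_filter(env, login):
    """Substitute the escaped login name for %(user)s in the configured filter."""
    return env["AUTH_LDAP_USER_SEARCH_FILTER"] % {"user": escape_filter_value(login)}

def audit(env):
    """Return finding labels (hypothetical names) for an enabled LDAP backend."""
    findings = []
    if env.get("AUTH_LDAP_ENABLED", "").lower() != "true":
        return findings
    # Without TLS (ldaps:// or StartTLS) bind and user passwords cross the wire in cleartext.
    if env.get("AUTH_LDAP_SERVER_URI", "").lower().startswith("ldap://"):
        findings.append("ldap-uri-without-tls")
    if "%(user)s" not in env.get("AUTH_LDAP_USER_SEARCH_FILTER", ""):
        findings.append("filter-without-user-placeholder")
    superuser = env.get("AUTH_LDAP_USER_FLAGS_BY_GROUP_ISSUPERUSER")
    # Same group for both flags: every LDAP user who gets Staff also gets Superuser.
    if superuser and superuser == env.get("AUTH_LDAP_USER_FLAGS_BY_GROUP_ISSTAFF"):
        findings.append("staff-group-equals-superuser-group")
    return findings
```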