In models/db.py, adapted from the example one from welcome:
#using the default DAL db. You can use pg if you want
db = DAL('sqlite://storage.sqlite',pool_size=1,check_reserved=['all'])
#store sessions in the db not on the filesystem
session.connect(request, response, db=db)
#default boilerplate from welcome
response.generic_patterns = ['*'] if request.is_local else []
#default boilerplate from welcome
from gluon.tools import Auth, Crud, Service, PluginManager, prettydate
auth = Auth(db)
crud, service, plugins = Crud(db), Service(), PluginManager()
#use username as the primary id, not email address
auth.define_tables(username=True, signature=False)
#do not create a default user group (=user) for every user that gets imported
auth.settings.create_user_groups=False
#default config from welcome
mail = auth.settings.mailer
mail.settings.server = 'logging' or 'smtp.gmail.com:587'
mail.settings.sender = 'you@gmail.com'
mail.settings.login = 'username:password'
#comment these from the default
#auth.settings.registration_requires_verification = False
#auth.settings.registration_requires_approval = False
#auth.settings.reset_password_requires_verification = True
#LDAP is always the system of record, so disable manual registration or the changing of the user in the app
auth.settings.actions_disabled=['register','change_password','request_reset_password','retrieve_username','profile']
#this is just good security
auth.settings.remember_me_form = False
#import ldap_auth method
from gluon.contrib.login_methods.ldap_auth import ldap_auth
#override all/any default auth settings, users can *only* auth against Active Directory
auth.settings.login_methods = [ldap_auth(mode='ad',
                                        manage_user=True,
                                        user_firstname_attrib='givenName',
                                        user_lastname_attrib='sn',
                                        user_mail_attrib='mail',
                                        server='corp.contoso.com',
                                        base_dn='dc=contoso,dc=com',
                                        secure=True,
                                        db=db)]
#disable janrain
#from gluon.contrib.login_methods.rpx_account import use_janrain
#use_janrain(auth, filename='private/janrain.key')
Usage: The Login dialog will cause this web2py app to auto-create a user based on the attributes in LDAP. The actual authentication is the result of a successful LDAP bind. You can also pre-create users using appadmin. When manually creating users this way, you will need to set a dummy password in the db, since it is a required field (it remains empty when the user is auto-created). You may want to add users manually when you are setting up app-specific groups.
Caveats: To get LDAP secure=True working with a self-signed cert on the webserver, I had to hack gluon/contrib/login_methods/ldap_auth.py: in ldap_auth().init_ldap(), I had to add the following after if secure:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
See also: http://www.web2pyslices.com/slice/show/1715/authentication-and-group-control-with-active-directory-ldap if you want to base RBAC off AD groups.