Add LDAP auth support

Author: Daniel Berteaud

docs/setup.rst

@@ -281,12 +281,13 @@ writing. Windows is not and will never be supported.
     *   ``libpq-dev`` for PostgreSQL
     *   ``libmagic-dev`` for mime type detection
     *   ``mime-support`` for mime type detection
+    *   ``libldap2-dev`` for LDAP auth support
 
     Use this list for your preferred package management:
 
     .. code::
 
-        python3 python3-pip python3-dev imagemagick fonts-liberation optipng gnupg libpq-dev libmagic-dev mime-support
+        python3 python3-pip python3-dev imagemagick fonts-liberation optipng gnupg libpq-dev libmagic-dev mime-support libldap2-dev
 
     These dependencies are required for OCRmyPDF, which is used for text recognition.
 

paperless.conf.example

@@ -34,6 +34,17 @@
 #PAPERLESS_COOKIE_PREFIX=
 #PAPERLESS_ENABLE_HTTP_REMOTE_USER=false
 
+# LDAP Auth settings
+#PAPERLESS_ENABLE_LDAP_AUTH=True
+#PAPERLESS_LDAP_URI=ldap://ldap.example.com
+#PAPERLESS_LDAP_BIND_DN=CN=Paperless NG,OU=Apps,DC=domain,DC=com
+#PAPERLESS_LDAP_BIND_PASSWORD=p@ssw0rd
+#PAPERLESS_LDAP_USER_BASE=OU=People,DC=example,DC=com
+#PAPERLESS_LDAP_USER_FILTER=(sAMAccountName=%(user)s)
+#PAPERLESS_LDAP_FIRSTNAME_ATTR=givenName
+#PAPERLESS_LDAP_LASTNAME_ATTR=sn
+#PAPERLESS_LDAP_EMAIL_ATTR=mail
+
 # OCR settings
 
 #PAPERLESS_OCR_LANGUAGE=eng

requirements.txt

@@ -32,6 +32,7 @@ dateparser==1.0.0
 django-cors-headers==3.8.0
 django-extensions==3.1.3
 django-filter==2.4.0
+django-auth-ldap
 django-picklefield==3.0.1; python_version >= '3'
 django-q==1.3.9
 django==3.2.6

src/paperless/settings.py

@@ -183,6 +183,8 @@ def __get_boolean(key, default="NO"):
 # Security                                                                    #
 ###############################################################################
 
+AUTHENTICATION_BACKENDS = []
+
 AUTO_LOGIN_USERNAME = os.getenv("PAPERLESS_AUTO_LOGIN_USERNAME")
 
 if AUTO_LOGIN_USERNAME:
@@ -198,14 +200,39 @@ def __get_boolean(key, default="NO"):
     MIDDLEWARE.append(
         'paperless.auth.HttpRemoteUserMiddleware'
     )
-    AUTHENTICATION_BACKENDS = [
-        'django.contrib.auth.backends.RemoteUserBackend',
-        'django.contrib.auth.backends.ModelBackend'
-    ]
+    AUTHENTICATION_BACKENDS.append(
+        'django.contrib.auth.backends.RemoteUserBackend'
+    )
     REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'].append(
         'rest_framework.authentication.RemoteUserAuthentication'
     )
 
+ENABLE_LDAP_AUTH = __get_boolean("PAPERLESS_ENABLE_LDAP_AUTH")
+
+if ENABLE_LDAP_AUTH:
+    import ldap
+    from django_auth_ldap.config import LDAPSearch
+    AUTHENTICATION_BACKENDS.append(
+        'django_auth_ldap.backend.LDAPBackend'
+    )
+    AUTH_LDAP_SERVER_URI = os.getenv("PAPERLESS_LDAP_URI", "ldap://localhost")
+    AUTH_LDAP_BIND_DN = os.getenv("PAPERLESS_LDAP_BIND_DN", "")
+    AUTH_LDAP_BIND_PASSWORD = os.getenv("PAPERLESS_LDAP_BIND_PASSWORD", "")
+    AUTH_LDAP_USER_SEARCH = LDAPSearch(
+        os.getenv("PAPERLESS_LDAP_USER_BASE", "ou=users,dc=example,dc=com"),
+        ldap.SCOPE_SUBTREE, os.getenv("PAPERLESS_LDAP_USER_FILTER", "(uid=%(user)s)")
+    )
+    AUTH_LDAP_START_TLS = os.getenv("PAPERLESS_LDAP_START_TLS", True)
+    AUTH_LDAP_USER_ATTR_MAP = {
+        "first_name": os.getenv("PAPERLESS_LDAP_FIRSTNAME_ATTR", "givenName"),
+        "last_name": os.getenv("PAPERLESS_LDAP_LASTNAME_ATTR", "sn"),
+        "email": os.getenv("PAPERLESS_LDAP_EMAIL_ATTR", "mail")
+    }
+
+AUTHENTICATION_BACKENDS.append(
+    'django.contrib.auth.backends.ModelBackend'
+)
+
 # X-Frame options for embedded PDF display:
 if DEBUG:
     X_FRAME_OPTIONS = 'ANY'