openldap ，phpldapadmin配置django,wagtail自定义后台LDAP认证

import logging
#  #  #  #  #  #  #  #  #  #  #  #  #  #  #
# - - - - LDAP CONFIGURATION - - - - #
#
# Importing ldap libraries and applications
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType, PosixGroupType

# ...connecting to ldap server (local environment uses IP)
# AUTH_LDAP_GLOBAL_OPTIONS = {
#     ldap.OPT_X_TLS_REQUIRE_CERT: False,
#     ldap.OPT_REFERRALS: False
# }
AUTH_LDAP_SERVER_URI = "ldap://127.0.0.1:389"

# ...account to enter into ldap server (anonymous is not always allowed)
AUTH_LDAP_BIND_DN = "cn=admin,dc=hylaa,dc=com"
AUTH_LDAP_BIND_PASSWORD = "wilf66"

# ...node where to start to search users
AUTH_LDAP_USER_SEARCH = LDAPSearch("cn=users,cn=accounts,dc=hylaa,dc=com",
                                   ldap.SCOPE_SUBTREE,  # allow searching from current node to all nodes below
                                   "(uid=%(user)s)"
                                   #"(objectClass=posixAccount)"
                                   #"(objectClass=simpleSecurityObject)"
)
# AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=users,dc=hylaa,dc=com"

# ...path where to start to search groups
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=groups,dc=hylaa,dc=com",
                                    ldap.SCOPE_SUBTREE,  # allow searching from current node to all nodes below
                                    "(objectClass=posixGroup)"  # type of object
)
AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr="cn")  # a posixGroup is identified by the keyword "cn" into ldap server

# ...simple group restrictions
AUTH_LDAP_REQUIRE_GROUP = "cn=users,cn=accounts,dc=hylaa,dc=com"
# AUTH_LDAP_DENY_GROUP = "cn=disabled,ou=groups,dc=hylaa,dc=com"

# ...populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
    "username": "uid",
    "password": "userPassword",
}

# AUTH_LDAP_USER_ATTR_MAP = {"first_name": "givenName", "last_name": "sn"}
# AUTH_LDAP_PROFILE_ATTR_MAP = {"home_directory": "homeDirectory"}


AUTH_LDAP_PROFILE_ATTR_MAP = {
    "home_directory": "homeDirectory"
}


AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    # "is_active": "cn=active,ou=groups,dc=hylaa,dc=com",
    # "is_staff": "cn=staff,ou=groups,dc=hylaa,dc=com",
    "is_superuser": "cn=users,cn=accounts,dc=hylaa,dc=com"
}
AUTH_LDAP_PROFILE_FLAGS_BY_GROUPS = {
    "is_awesome": ["cn=awesome,ou=groups,dc=hylaa,dc=com"]
}

# ...use LDAP group membership to calculate permission

AUTH_LDAP_FIND_GROUP_PERMS = True

AUTH_LDAP_MIRROR_GROUPS = True

AUTH_LDAP_ALWAYS_UPDATE_USER = True
# Keep ModelBackend around for per-user permissions and maybe a local
# superuser.
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
     'django.contrib.auth.backends.ModelBackend',
)

# Enable debug for ldap server connection
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.setLevel(logging.DEBUG)
# - - - - END  LDAP CONFIGURATION - - - - #
#  #  #  #  #  #  #  #  #  #  #  #  #  #  # 

自己配置的时候各种坑，资料虽很多，但基本都是给个配置信息了事，实际上真正跑起来还得做些工作， "is_superuser":决定让phpadminldap上哪个组的成员能进后台，记得pip安装相应组件。
主要是在phpldapadmin上创建的Account要记得在你所需要的组那里添

• memberUID增加你需要的用户，这点对于新手要了解
• AUTH_LDAP_MIRROR_GROUPS=True #注意 此为重点：当这个值为 True， LDAP的用户条目映射并创建 Django User 的时候，会自动映创建Group

附上docker 启动openldap ，phpldapadmin的脚本

#!/bin/bash -e
docker run --name ldap-service --hostname ldap-service --env LDAP_ORGANISATION="WILF" \
--env LDAP_DOMAIN="wilf.com" --env LDAP_ADMIN_PASSWORD="wilf66" \
-p 127.0.0.1:389:389 --detach osixia/openldap:1.1.8

docker run --name phpldapadmin-service --hostname phpldapadmin-service \
--link ldap-service:ldap-host --env PHPLDAPADMIN_LDAP_HOSTS=ldap-host -p 127.0.0.1:443:443 \
 --detach osixia/phpldapadmin:0.6.12

PHPLDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" phpldapadmin-service)

echo "Go to: https://127.0.0.1:443"
echo "Login DN: cn=admin,dc=wilf,dc=com"
echo "Password: wilf66"