Reputation: 916
I have a Django page where users have to type their password again to confirm an action. The user is already logged in, but to perform this action they must "sign" by confirming their password.
Users authenticate with LDAP (Active Directory). I tried to use something like this, but it always returns false, even when the password is correct:
```python
from django.http import JsonResponse


def check_password(request):
    """Compare the logged-in user's password with the typed password."""
    password = request.POST.get('password', None)
    user = request.user.username
    # check_password() verifies against the hash stored on the local User row
    result = request.user.check_password(password)
    if result:
        return JsonResponse({'status': 'true'})
    else:
        return JsonResponse({'status': 'false'})
```
Django version: 2.0.2, Python: 3.6.x
Can someone help me? Thank you in advance.
Here is my settings.py:
```python
# Password validation
# https://docs.djangoproject.com/en/1.11/ref/settings/#auth-password-validators
AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]

# Active Directory Authentication
# Source: https://github.com/etianen/django-python3-ldap

# The URL of the LDAP server.
LDAP_AUTH_URL = "ldap://some-address.local:389"

AUTHENTICATION_BACKENDS = (
    "django_python3_ldap.auth.LDAPBackend",
)

# Initiate TLS on connection.
LDAP_AUTH_USE_TLS = False

# The LDAP search base for looking up users.
# LDAP_AUTH_SEARCH_BASE = "ou=****,ou=***,dc=***,dc=local"
LDAP_AUTH_SEARCH_BASE = "dc=***,dc=local"
# ,dc=example

# The LDAP class that represents a user.
LDAP_AUTH_OBJECT_CLASS = "User"

# User model fields mapped to the LDAP
# attributes that represent them.
LDAP_AUTH_USER_FIELDS = {
    "username": "sAMAccountName",
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
    "badge": "description",
}

# A tuple of django model fields used to uniquely identify a user.
LDAP_AUTH_USER_LOOKUP_FIELDS = ("username",)

# Path to a callable that takes a dict of {model_field_name: value},
# returning a dict of clean model data.
# Use this to customize how data loaded from LDAP is saved to the User model.
LDAP_AUTH_CLEAN_USER_DATA = "django_python3_ldap.utils.clean_user_data"

# Path to a callable that takes a user model and a dict of {ldap_field_name: [value]},
# and saves any additional user relationships based on the LDAP data.
# Use this to customize how data loaded from LDAP is saved to User model relations.
# For customizing non-related User model fields, use LDAP_AUTH_CLEAN_USER_DATA.
LDAP_AUTH_SYNC_USER_RELATIONS = "django_python3_ldap.utils.sync_user_relations"

# Path to a callable that takes a dict of {ldap_field_name: value},
# returning a list of [ldap_search_filter]. The search filters will then be AND'd
# together when creating the final search filter.
LDAP_AUTH_FORMAT_SEARCH_FILTERS = "django_python3_ldap.utils.format_search_filters"

# Path to a callable that takes a dict of {model_field_name: value}, and returns
# a string of the username to bind to the LDAP server.
# Use this to support different types of LDAP server.
LDAP_AUTH_FORMAT_USERNAME = "django_python3_ldap.utils.format_username_active_directory"

# Sets the login domain for Active Directory users.
LDAP_AUTH_ACTIVE_DIRECTORY_DOMAIN = "my_domain"

# The LDAP username and password of a user for querying the LDAP database for user
# details. If None, then the authenticated user will be used for querying, and
# the `ldap_sync_users` command will perform an anonymous query.
LDAP_AUTH_CONNECTION_USERNAME = "**********"
LDAP_AUTH_CONNECTION_PASSWORD = "*********"

# Set connection/receive timeouts (in seconds) on the underlying `ldap3` library.
LDAP_AUTH_CONNECT_TIMEOUT = 1000
LDAP_AUTH_RECEIVE_TIMEOUT = 1000

# Log failed logins from Active Directory
LOGGING = {
    "version": 1,
    "disable_existing_loggers": False,
    "handlers": {
        "console": {
            "class": "logging.StreamHandler",
        },
    },
    "loggers": {
        "django_python3_ldap": {
            "handlers": ["console"],
            "level": "INFO",
        },
    },
}
```
Upvotes: 1
Views: 2239
Reputation: 916
I solved this problem today by using a different method, authenticate. I did it this way and it works:
```python
from django.contrib.auth import authenticate
from django.http import JsonResponse


def ajax_check_password(request):
    """Compare the logged-in user's password with the typed password."""
    # A missing field becomes an empty string, not the literal text "None"
    password = request.POST.get('password', '')
    # authenticate() runs the configured backends, so the LDAP backend
    # re-binds with the typed password instead of looking for a local hash
    result = authenticate(username=request.user.username, password=password)
    if result:
        return JsonResponse({'status': 'true'})
    else:
        return JsonResponse({'status': 'false'})
```
Upvotes: 2
Reputation: 2071
LDAP users are not Django users. So you need to check the password with your LDAP system and not the Django one.
One good practice IMO is to create a Django user for each LDAP user you have and set the password at first login, so when your LDAP is offline at least existing Django users can log in (and you can use check_password).
Upvotes: 1
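The two answers above describe the same mechanism from two sides: `check_password()` only ever looks at the hash stored on the local user row, which an LDAP-created user does not have, while `authenticate()` walks the configured backends and lets the LDAP backend re-bind with the typed password. The block below is an added, self-contained simulation of that behaviour, not code from the question, the answers or django-python3-ldap. It models a user row with Django's "unusable password" convention (a stored value starting with `!`), an in-memory stand-in for the directory, an LDAP backend and a model backend chained like `AUTHENTICATION_BACKENDS`, a re-confirmation helper that checks the verified identity is the session user's, and the second answer's suggestion of caching a local hash at login so re-confirmation survives a directory outage. All class and function names, and the account `alice`, are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

UNUSABLE_PREFIX = "!"  # Django marks "no usable password" with a leading "!"


def make_password(raw, iterations=100_000):
    """PBKDF2-SHA256 hash in a Django-like 'algo$iter$salt$hash' layout (constructed)."""
    salt = base64.b64encode(os.urandom(12)).decode()
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(digest).decode()}"


class User:
    """Stand-in for a Django User row; new rows start with no usable password."""

    def __init__(self, username):
        self.username = username
        self.password = UNUSABLE_PREFIX + base64.b64encode(os.urandom(9)).decode()

    def set_password(self, raw):
        self.password = make_password(raw)

    def has_usable_password(self):
        return not self.password.startswith(UNUSABLE_PREFIX)

    def check_password(self, raw):
        # This is why the question's view always returned false: an LDAP-created
        # row has nothing local to compare against, so the answer is False.
        if raw is None or not self.has_usable_password():
            return False
        _algo, iters, salt, stored = self.password.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), int(iters))
        return hmac.compare_digest(base64.b64encode(digest).decode().encode(), stored.encode())


class FakeDirectory:
    """Constructed stand-in for Active Directory: a bind succeeds only while online."""

    def __init__(self, accounts):
        self.accounts = accounts  # username -> password the directory accepts
        self.online = True

    def bind(self, username, password):
        expected = self.accounts.get(username)
        if not self.online or not password or expected is None:
            return False
        return hmac.compare_digest(expected.encode(), password.encode())


class LDAPBackend:
    """Binds as the user; creates the local row on first success (no local hash unless caching)."""

    def __init__(self, directory, users, cache_local_password):
        self.directory, self.users, self.cache = directory, users, cache_local_password

    def authenticate(self, username, password):
        if not self.directory.bind(username, password):
            return None
        user = self.users.setdefault(username, User(username))
        if self.cache:  # second answer: store a local hash at (each) successful login
            user.set_password(password)
        return user


class ModelBackend:
    """Django's default backend: compares against the local hash only."""

    def __init__(self, users):
        self.users = users

    def authenticate(self, username, password):
        user = self.users.get(username)
        return user if user is not None and user.check_password(password) else None


class Auth:
    def __init__(self, directory, cache_local_password=False):
        self.users = {}
        self.backends = [LDAPBackend(directory, self.users, cache_local_password),
                         ModelBackend(self.users)]

    def authenticate(self, username, password):
        for backend in self.backends:  # first backend to return a user wins
            user = backend.authenticate(username, password)
            if user is not None:
                return user
        return None

    def reconfirm(self, session_user, password):
        """Re-confirmation for a logged-in user: the verified identity must be the session user's."""
        user = self.authenticate(session_user.username, password)
        return user is not None and user.username == session_user.username


def run_scenario():
    """Walk through the question and both answers; returns the observed results."""
    directory = FakeDirectory({"alice": "Correct-Horse-Battery"})  # constructed account
    auth = Auth(directory)
    alice = auth.authenticate("alice", "Correct-Horse-Battery")  # interactive login
    out = {"check_password_on_ldap_user": alice.check_password("Correct-Horse-Battery"),
           "reconfirm_via_authenticate": auth.reconfirm(alice, "Correct-Horse-Battery"),
           "reconfirm_wrong_password": auth.reconfirm(alice, "wrong")}
    directory.online = False
    out["reconfirm_offline_no_cache"] = auth.reconfirm(alice, "Correct-Horse-Battery")
    directory.online = True
    cached = Auth(directory, cache_local_password=True)
    alice2 = cached.authenticate("alice", "Correct-Horse-Battery")
    out["check_password_with_cache"] = alice2.check_password("Correct-Horse-Battery")
    directory.online = False
    out["reconfirm_offline_with_cache"] = cached.reconfirm(alice2, "Correct-Horse-Battery")
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

In a real Django view, `authenticate(request, username=..., password=...)` takes the request as its first positional argument from 1.11 onwards, and the re-confirmation view should be POST-only and behind `login_required`, with the username taken from `request.user` rather than the form so a valid credential for some other account cannot satisfy the check. The cached-hash approach from the second answer has a trade-off worth stating: once a local hash exists, `ModelBackend` will accept it whenever the LDAP backend returns nothing, so a password changed or an account disabled in AD keeps working locally until the next successful LDAP login refreshes or invalidates the row; if you adopt it, also give the cached row an expiry or clear it from the `ldap_sync_users` job.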