Don't define LDAP variables if not enabled (#65)

* Don't define LDAP variables if not enabled

* Updates readme

README.md

@@ -72,10 +72,10 @@ Improperly configuring these settings can introduce dangerous vulnerabilities an
 Administrators should adhere to the following general guidelines:
 
 - Ensure your deployment is isolated behind a web proxy with proper HTTPS handling
-- Always define the `ALLOWED_HOSTS` list using a restrictive collection of domain patterns
-- Avoid issuing session/CSRF tokens over unsecured connections by enabling `SESSION_TOKENS_ONLY`
+- Always define the `SECURE_ALLOWED_HOSTS` list using a restrictive collection of domain patterns
+- Avoid issuing session/CSRF tokens over unsecured connections by enabling `SECURE_SESSION_TOKENS`
 - HTTP Strict Transport Security (HSTS) should be used to enforce the use of HTTPS
-- Use a fixed (and secure) `SECRET_KEY` value to ensure consistent request signing across application instances/restarts
+- Use a fixed (and secure) `SECURE_SECRET_KEY` value to ensure consistent request signing across application instances/restarts
 
 | Setting Name              | Default Value            | Description                                                   |
 |---------------------------|--------------------------|---------------------------------------------------------------|

keystone_api/main/settings.py

@@ -5,9 +5,7 @@
 from pathlib import Path
 
 import environ
-import ldap
 from django.core.management.utils import get_random_secret_key
-from django_auth_ldap.config import LDAPSearch
 
 BASE_DIR = Path(__file__).resolve().parent.parent
 sys.path.insert(0, str(BASE_DIR))
@@ -30,23 +28,6 @@
 SECURE_HSTS_SECONDS = env.int("SECURE_HSTS_SECONDS", default=0)
 SECURE_HSTS_INCLUDE_SUBDOMAINS = env.bool("SECURE_HSTS_SUBDOMAINS", default=False)
 
-# LDAP Settings
-
-AUTH_LDAP_MIRROR_GROUPS = True
-AUTH_LDAP_ALWAYS_UPDATE_USER = True
-AUTH_LDAP_START_TLS = env.bool("AUTH_LDAP_START_TLS", True)
-AUTH_LDAP_SERVER_URI = env.url("AUTH_LDAP_SERVER_URI", "").geturl()
-AUTH_LDAP_BIND_DN = env.str("AUTH_LDAP_BIND_DN", "")
-AUTH_LDAP_BIND_PASSWORD = env.str("AUTH_LDAP_BIND_PASSWORD", "")
-AUTH_LDAP_USER_SEARCH = LDAPSearch(
-    env.str("AUTH_LDAP_USER_SEARCH", ""),
-    ldap.SCOPE_SUBTREE,
-    "(uid=%(user)s)"
-)
-
-if env.bool('AUTH_LDAP_REQUIRE_CERT', True):
-    AUTH_LDAP_GLOBAL_OPTIONS = {ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER}
-
 # App Configuration
 
 ROOT_URLCONF = 'main.urls'
@@ -149,7 +130,6 @@
 if DEBUG:  # Disable the API GUI if not in debug mode
     REST_FRAMEWORK['DEFAULT_RENDERER_CLASSES'].append('rest_framework.renderers.BrowsableAPIRenderer')
 
-
 # Celery scheduler
 
 CELERY_BROKER_URL = env.url('CELERY_BROKER_URL', "redis://127.0.0.1:6379/0").geturl()
@@ -167,9 +147,27 @@
 # Authentication
 
 AUTHENTICATION_BACKENDS = ["django.contrib.auth.backends.ModelBackend"]
-if AUTH_LDAP_SERVER_URI:
+
+if AUTH_LDAP_SERVER_URI := env.url("AUTH_LDAP_SERVER_URI", "").geturl():
+    import ldap
+    from django_auth_ldap.config import LDAPSearch
+
     AUTHENTICATION_BACKENDS.append("django_auth_ldap.backend.LDAPBackend")
 
+    AUTH_LDAP_MIRROR_GROUPS = True
+    AUTH_LDAP_ALWAYS_UPDATE_USER = True
+    AUTH_LDAP_START_TLS = env.bool("AUTH_LDAP_START_TLS", True)
+    AUTH_LDAP_BIND_DN = env.str("AUTH_LDAP_BIND_DN", "")
+    AUTH_LDAP_BIND_PASSWORD = env.str("AUTH_LDAP_BIND_PASSWORD", "")
+    AUTH_LDAP_USER_SEARCH = LDAPSearch(
+        env.str("AUTH_LDAP_USER_SEARCH", ""),
+        ldap.SCOPE_SUBTREE,
+        "(uid=%(user)s)"
+    )
+
+    if env.bool('AUTH_LDAP_REQUIRE_CERT', True):
+        AUTH_LDAP_GLOBAL_OPTIONS = {ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER}
+
 AUTH_PASSWORD_VALIDATORS = [
     {'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator'},
     {'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator'},