Mapping LDAP users to Django users with Django Auth Ldap

Developer https://www.devze.com 2023-03-12 22:41 Source: web

I'm using Django 1.3 and Django Auth Ldap 1.0.6, and I'm trying to have the users who have a special status on the LDAP Server (admins) have the same status in my Django application.

These are my current settings:

AUTH_LDAP_SERVER_URI = 'ldap://path.to.server'

AUTH_LDAP_BIND_DN = ''
AUTH_LDAP_BIND_PASSWORD = ''
AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,cn=users,dc=server,dc=location,dc=lan'
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
                             'cn=groups,dc=server,dc=location,dc=lan',
                             ldap.SCOPE_SUBTREE,
                             '(objectClass=groupOfNames)',
)
AUTH_LDAP_USER_ATTR_MAP = {
    'first_name': 'givenName',
    'last_name': 'sn',
}
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    #'is_active': 'cn=groups,dc=server,dc=location,dc=lan',
    #'is_staff': 'cn=admin,cn=groups,dc=server,dc=location,dc=lan',
    #'is_superuser': 'cn=admin,cn=groups,dc=server,dc=location,dc=lan',
}
AUTH_LDAP_ALWAYS_UPDATE_USER = True
AUTH_LDAP_MIRROR_GROUPS = True
AUTH_LDAP_FIND_GROUPS_PERMS = True

Permissions aren't updated. If I uncomment the values in FLAGS_BY_GROUP, I can't authenticate any more (the error message says that the user and password don't match). I tried without the last setting with the same results.

Any ideas are highly appreciated.


If you set AUTH_LDAP_GROUP_SEARCH, you also need to set AUTH_LDAP_GROUP_TYPE. Since you're apparently using groupOfNames for grouping, you need AUTH_LDAP_GROUP_TYPE = GroupOfNamesType().

Everything else looks okay, although it's unlikely that you need both AUTH_LDAP_MIRROR_GROUPS and AUTH_LDAP_FIND_GROUPS_PERMS. It's probably not hurting anything, but those are meant to be alternatives.

In general, logging is your friend in cases like this.


With the help of psagers' tips, I managed to find the answer to my issue. First, I'm using Open Directory, so I need to use AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr='cn') instead of GroupOfNamesType(). Second, mapping the 'is_active' flag to the entire 'groups' container doesn't make sense, because I can't log in when I use it, so I took it out.
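
The points raised in the two answers can be checked before deployment. The following is an added example, not code from either poster or from django-auth-ldap: a small lint over a dict of AUTH_LDAP_* settings. The names lint_ldap_settings, norm_dn, QUESTION and FIXED are hypothetical, the sample dicts are constructed from the settings in the question, and the placeholder strings stand in for the real LDAPSearch and group type objects.

```python
def norm_dn(dn):
    # Simplified DN comparison: case-insensitive, ignores spaces around commas.
    # Escaped commas inside attribute values are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))


def lint_ldap_settings(cfg, group_base_dn):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if (cfg.get("AUTH_LDAP_GROUP_SEARCH") is not None
            and cfg.get("AUTH_LDAP_GROUP_TYPE") is None):
        findings.append("GROUP_SEARCH is set but GROUP_TYPE is not")
    # django-auth-ldap documents AUTH_LDAP_FIND_GROUP_PERMS; a setting under
    # any other spelling is never read by the backend.
    if "AUTH_LDAP_FIND_GROUPS_PERMS" in cfg:
        findings.append("FIND_GROUPS_PERMS is not read; use FIND_GROUP_PERMS")
    find_perms = (cfg.get("AUTH_LDAP_FIND_GROUP_PERMS")
                  or cfg.get("AUTH_LDAP_FIND_GROUPS_PERMS"))
    if cfg.get("AUTH_LDAP_MIRROR_GROUPS") and find_perms:
        findings.append("MIRROR_GROUPS and FIND_GROUP_PERMS are both enabled")
    flags = cfg.get("AUTH_LDAP_USER_FLAGS_BY_GROUP") or {}
    for flag, dn in sorted(flags.items()):
        if norm_dn(dn) == norm_dn(group_base_dn):
            findings.append(flag + " maps to the group container, not a group")
    return findings


BASE = "cn=groups,dc=server,dc=location,dc=lan"  # search base from the question
ADMIN = "cn=admin," + BASE

# Constructed sample: the question's settings with the flag lines uncommented.
QUESTION = {
    "AUTH_LDAP_GROUP_SEARCH": "<LDAPSearch placeholder>",
    "AUTH_LDAP_USER_FLAGS_BY_GROUP": {
        "is_active": BASE, "is_staff": ADMIN, "is_superuser": ADMIN},
    "AUTH_LDAP_MIRROR_GROUPS": True,
    "AUTH_LDAP_FIND_GROUPS_PERMS": True,
}
# Constructed sample: group type set and the is_active mapping removed.
FIXED = {
    "AUTH_LDAP_GROUP_SEARCH": "<LDAPSearch placeholder>",
    "AUTH_LDAP_GROUP_TYPE": "<PosixGroupType placeholder>",
    "AUTH_LDAP_USER_FLAGS_BY_GROUP": {"is_staff": ADMIN, "is_superuser": ADMIN},
    "AUTH_LDAP_MIRROR_GROUPS": True,
}

if __name__ == "__main__":
    for finding in lint_ldap_settings(QUESTION, BASE):
        print("WARN:", finding)
```

Because is_staff and is_superuser are granted from directory group membership, a check like this is worth running whenever the group DNs or the group type change.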
