Reputation: 302
I'm running Django 1.8.18 and django-auth-ldap 1.2.11 authenticating against Active Directory.

My current configuration authenticates properly against the AD; however, when I enabled `AUTH_LDAP_FIND_GROUPS_PERMS` it doesn't seem to do anything. I've previously tried `AUTH_LDAP_MIRROR_GROUPS` (which works without any problem), and found all of the user's groups created. The only slight issue is that it also removes any local group memberships the user had.

In any case, after having the groups auto-created by `AUTH_LDAP_MIRROR_GROUPS`, I would expect `AUTH_LDAP_FIND_GROUPS_PERMS` to auto-add the user to that same group on the next login. However, this did not happen. The only change in configuration was those two lines. The `AUTH_LDAP_GROUP_TYPE` is set to `NestedActiveDirectoryGroupType()`.

Any ideas why users aren't being added to the groups with matching names?
Upvotes: 1
Views: 1931
Reputation: 302
Turns out that `AUTH_LDAP_FIND_GROUPS_PERMS` doesn't actually add users to a group, but virtually adds them to it, making sure their permissions respond as if they are in the groups that match names.
Upvotes: 3
Reputation: 5819
I suspect that it's the `AUTH_LDAP_GROUP_TYPE` you're using. I am also using this library, and have it syncing groups/memberships. This is a full dump of my settings for the library:
```python
import ldap
from django_auth_ldap.config import (
    ActiveDirectoryGroupType,
    LDAPSearch,
    LDAPSearchUnion,
)

AUTH_LDAP_START_TLS = True
AUTH_LDAP_SERVER_URI = 'xxxx'
AUTH_LDAP_GLOBAL_OPTIONS = {
    ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER
}
AUTH_LDAP_BIND_DN = 'yyyy'
AUTH_LDAP_BIND_PASSWORD = 'zzzz'
AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
    LDAPSearch(
        'OU=OurCorp,DC=foo,DC=bar,DC=com',
        ldap.SCOPE_SUBTREE,
        filterstr='(uid=%(user)s)'
    ),
)
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    'OU=Security Groups,OU=Users and Groups,OU=OurCorp,DC=foo,DC=bar,DC=com',
    ldap.SCOPE_SUBTREE,
    '(objectClass=group)'
)
AUTH_LDAP_MIRROR_GROUPS = True
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    'is_staff': [  # Allow login to the Django admin site
        'CN=Our-Staff-Group,OU=Security Groups,OU=Users and Groups,OU=OurCorp,DC=foo,DC=bar,DC=com',
    ],
    'is_superuser': [  # Implicitly grant ALL permissions to members of these groups
        'CN=Our-Superuser-Group,OU=Security Groups,OU=Users and Groups,OU=OurCorp,DC=foo,DC=bar,DC=com'
    ],
}
```
As I mentioned, I think the `AUTH_LDAP_GROUP_TYPE` is likely your issue, but that could depend on your own AD setup.
Upvotes: 2