День добрый!
Делал все по данной статье Django Single Sign-On и Microsoft Active Directory — хочется “плюшек”. А именно: в каких группах состоит пользователь. Предполагал “дергать” через AUTH_LDAP_PROFILE_FLAGS_BY_GROUP, но, как я понял, это не поддерживается для Django 1.7 и выше. Вариант с AUTH_LDAP_MIRROR_GROUPS не совсем подходит. В общем, каким образом на уровне создания/обновления пользователя можно “выдернуть” принадлежность к определенной группе в AD?


Django 1.10

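# django-auth-ldap settings for the Django 1.10 project. The stray leading
# space on the first line of the original paste was an IndentationError and is
# removed here; every setting value is otherwise left exactly as posted.

# Global Catalog port over plain ldap://: the service bind password and every
# user's login password cross the network unencrypted. Prefer ldaps:// on the
# GC TLS port (3269) or AUTH_LDAP_START_TLS = True, with the CA certificate
# pinned through AUTH_LDAP_CONNECTION_OPTIONS / ldap.OPT_X_TLS_CACERTFILE.
# NOTE(review): the GC only replicates the partial attribute set, so attributes
# outside it (ipphone may be one) come back absent from ldap_user.attrs — confirm.
AUTH_LDAP_SERVER_URI = "ldap://192.168.0.6:3268"
# Users authenticated by another backend (the SSO one) still receive LDAP group
# permissions; only meaningful together with AUTH_LDAP_FIND_GROUP_PERMS below.
AUTH_LDAP_AUTHORIZE_ALL_USERS = True
# WARNING: with this True the backend attempts a simple bind with an empty
# password. Many directories, Active Directory among them by default, treat
# such a bind as anonymous/unauthenticated and report success, so a login
# attempt with any existing username and a blank password can pass
# LDAPBackend.authenticate(). django-auth-ldap defaults this to False; keep it
# False unless the SSO flow provably never reaches this backend with a
# form-submitted password.
AUTH_LDAP_PERMIT_EMPTY_PASSWORD = True
# Service account used for user and group searches. The secret is embedded in
# source; load it from the environment or a secrets store instead, and give the
# account read-only rights limited to the searched subtrees.
AUTH_LDAP_BIND_DN = "cn=dossier_ldap_find,ou=Services,ou=Technical,dc=XXX,dc=ru"
AUTH_LDAP_BIND_PASSWORD = "PASSWORD"
# %(user)s is substituted by LDAPSearch.execute() with filter-character
# escaping, so the submitted login name cannot alter the filter.
# NOTE(review): on the Global Catalog a subtree search from the forest root
# (dc=XXX,dc=ru) also returns entries of the child domains, so the second and
# third searches may duplicate the first; django-auth-ldap treats more than one
# match as "user not found" — confirm against the actual directory layout.
AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
    LDAPSearch("dc=XXX,dc=ru", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"),
    LDAPSearch("dc=YYY,dc=XXX,dc=ru", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"),
    LDAPSearch("dc=ZZZ,dc=XXX,dc=ru", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"),
)
# Only groups under ou=Services,ou=Technical of each domain are considered;
# membership in groups elsewhere is invisible to every *_BY_GROUP setting.
AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion(
    LDAPSearch("ou=Services,ou=Technical,dc=XXX,dc=ru", ldap.SCOPE_SUBTREE, "(objectClass=group)"),
    LDAPSearch("ou=Services,ou=Technical,dc=YYY,dc=XXX,dc=ru", ldap.SCOPE_SUBTREE, "(objectClass=group)"),
    LDAPSearch("ou=Services,ou=Technical,dc=ZZZ,dc=XXX,dc=ru", ldap.SCOPE_SUBTREE, "(objectClass=group)"),
)
# GroupOfNamesType matches on the ``member`` attribute, which AD groups also
# carry, so direct membership works. Membership through nested groups is not
# resolved by it; NestedActiveDirectoryGroupType (or ActiveDirectoryGroupType
# for the flat case) is the AD-specific choice.
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")
# Login is refused unless the user is in one DOSSIER_ACTIVE group and in none
# of the DOSSIER_BLOCKED groups; evaluated after the user's own bind succeeds.
AUTH_LDAP_REQUIRE_GROUP = (
    (
        LDAPGroupQuery("cn=DOSSIER_ACTIVE,ou=Services,ou=Technical,dc=XXX,dc=ru") |
        LDAPGroupQuery("cn=DOSSIER_ACTIVE,ou=Services,ou=Technical,dc=YYY,dc=XXX,dc=ru") |
        LDAPGroupQuery("cn=DOSSIER_ACTIVE,ou=Services,ou=Technical,dc=ZZZ,dc=XXX,dc=ru")
    )
    &
    ~LDAPGroupQuery("cn=DOSSIER_BLOCKED,ou=Services,ou=Technical,dc=XXX,dc=ru") &
    ~LDAPGroupQuery("cn=DOSSIER_BLOCKED,ou=Services,ou=Technical,dc=YYY,dc=XXX,dc=ru") &
    ~LDAPGroupQuery("cn=DOSSIER_BLOCKED,ou=Services,ou=Technical,dc=ZZZ,dc=XXX,dc=ru")
)
# Django User field -> directory attribute, copied on every login because
# AUTH_LDAP_ALWAYS_UPDATE_USER is True.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail"
}
# NOTE(review): AUTH_LDAP_PROFILE_ATTR_MAP and AUTH_LDAP_PROFILE_FLAGS_BY_GROUP
# belong to the AUTH_PROFILE_MODULE era and were dropped from django-auth-ldap
# together with it; on the versions that pair with Django 1.10 they are read by
# nothing. The profile is filled from the post_save receiver in models.py
# instead (see Profile.create_user_profile).
AUTH_LDAP_PROFILE_ATTR_MAP = {
    "ipphone": "ipphone",
}
# Each flag is set on the User object from the group query result.
# NOTE(review): User has no ``is_writer`` field, so that entry only sets a
# transient attribute on the instance and is never persisted — confirm.
# "DOSSIER_SUPPERUSER" is spelled differently from the other group names;
# verify it against the group actually present in AD.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active":
    (
        LDAPGroupQuery("cn=DOSSIER_ACTIVE,ou=Services,ou=Technical,dc=XXX,dc=ru") |
        LDAPGroupQuery("cn=DOSSIER_ACTIVE,ou=Services,ou=Technical,dc=YYY,dc=XXX,dc=ru") |
        LDAPGroupQuery("cn=DOSSIER_ACTIVE,ou=Services,ou=Technical,dc=ZZZ,dc=XXX,dc=ru")
    ),
    "is_staff":
    (
        LDAPGroupQuery("cn=DOSSIER_STAFF,ou=Services,ou=Technical,dc=XXX,dc=ru") |
        LDAPGroupQuery("cn=DOSSIER_STAFF,ou=Services,ou=Technical,dc=YYY,dc=XXX,dc=ru") |
        LDAPGroupQuery("cn=DOSSIER_STAFF,ou=Services,ou=Technical,dc=ZZZ,dc=XXX,dc=ru")
    ),
    "is_superuser":
    (
        LDAPGroupQuery("cn=DOSSIER_SUPPERUSER,ou=Services,ou=Technical,dc=XXX,dc=ru") |
        LDAPGroupQuery("cn=DOSSIER_SUPPERUSER,ou=Services,ou=Technical,dc=YYY,dc=XXX,dc=ru") |
        LDAPGroupQuery("cn=DOSSIER_SUPPERUSER,ou=Services,ou=Technical,dc=ZZZ,dc=XXX,dc=ru")
    ),
    "is_writer":
    (
        LDAPGroupQuery("cn=DOSSIER_WRITER,ou=Services,ou=Technical,dc=XXX,dc=ru") |
        LDAPGroupQuery("cn=DOSSIER_WRITER,ou=Services,ou=Technical,dc=YYY,dc=XXX,dc=ru") |
        LDAPGroupQuery("cn=DOSSIER_WRITER,ou=Services,ou=Technical,dc=ZZZ,dc=XXX,dc=ru")
    ),
}
# Not read by current django-auth-ldap (see the note above). The supported way
# to learn a user's groups at create/update time is the
# django_auth_ldap.backend.populate_user signal, whose ``ldap_user`` argument
# exposes the membership as ``ldap_user.group_dns`` / ``ldap_user.group_names``
# (restricted to AUTH_LDAP_GROUP_SEARCH above).
AUTH_LDAP_PROFILE_FLAGS_BY_GROUP = {
    "is_writer":
    (
        LDAPGroupQuery("cn=DOSSIER_WRITER,ou=Services,ou=Technical,dc=XXX,dc=ru") |
        LDAPGroupQuery("cn=DOSSIER_WRITER,ou=Services,ou=Technical,dc=YYY,dc=XXX,dc=ru") |
        LDAPGroupQuery("cn=DOSSIER_WRITER,ou=Services,ou=Technical,dc=ZZZ,dc=XXX,dc=ru")
    ),
}
#AUTH_LDAP_MIRROR_GROUPS = True
# Re-copy attributes and flags from the directory on every authentication, so a
# user removed from a group loses the flag at the next login (not earlier).
AUTH_LDAP_ALWAYS_UPDATE_USER = True
# Django permissions are derived from LDAP group membership on each request.
AUTH_LDAP_FIND_GROUP_PERMS = True
# Group membership is looked up live; the timeout below only applies when
# caching is switched on.
AUTH_LDAP_CACHE_GROUPS = False
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600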

 from django.db import models
from django.contrib.auth.models import User
from django.db.models.signals import post_save
from django.dispatch import receiver
from django_auth_ldap.backend import LDAPBackend
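class Profile(models.Model):
    """Per-user extension of ``User`` filled from the LDAP directory.

    ``ipphone`` is copied from the directory attribute of the same name when
    the ``User`` row is first created. ``is_writer`` lives here because
    ``User`` has no such field, so a group-derived flag cannot be persisted
    through the ``AUTH_LDAP_USER_FLAGS_BY_GROUP`` setting alone.
    """

    user = models.OneToOneField(User, on_delete=models.CASCADE)
    # NOTE(review): the directory value is copied verbatim; confirm the AD
    # attribute never exceeds 10 characters, or widen the field.
    ipphone = models.CharField(max_length=10, blank=True, null=True)
    is_writer = models.BooleanField(default=False)

    # Both receivers sit in the class body, so they are plain functions (not
    # methods) that ``receiver`` connects to post_save at import time; Django
    # calls them with the usual signal keyword arguments.
    @receiver(post_save, sender=User)
    def create_user_profile(sender, instance, created, **kwargs):
        """Create the profile for a newly inserted ``User`` and seed it from LDAP.

        Args:
            sender: the model class that sent the signal (``User``).
            instance: the ``User`` that was just saved.
            created: True only for the INSERT that created the row.

        Every ``User`` creation path (admin, ``createsuperuser``, the LDAP
        backend itself) triggers one directory lookup with the configured
        bind DN; accounts unknown to the directory simply get an empty profile.
        """
        if not created:
            return
        new_profile = Profile.objects.create(user=instance)
        # populate_user() returns None when the account is not found in the
        # directory (e.g. a locally created superuser). It also saves its own
        # copy of the User, which re-fires post_save with created=False.
        ldap_backed = LDAPBackend().populate_user(instance.username)
        if ldap_backed is None:
            return
        # Directory attributes arrive as lists; a missing attribute must not
        # raise IndexError (the original indexed [0] unconditionally).
        phones = ldap_backed.ldap_user.attrs.get("ipphone") or []
        if phones:
            new_profile.ipphone = phones[0]
        # Persist explicitly instead of relying on save_user_profile() finding
        # this same object in the related-object cache.
        new_profile.save()
        # Group membership is available on ldap_backed.ldap_user.group_dns /
        # group_names (limited to AUTH_LDAP_GROUP_SEARCH); NOTE(review): resolve
        # the writer group there if ``is_writer`` is to be filled at creation.

    @receiver(post_save, sender=User)
    def save_user_profile(sender, instance, **kwargs):
        """Save the profile cached on ``instance`` alongside the user.

        Users that predate this model, or whose profile row was deleted, have
        no related object; the original raised ``Profile.DoesNotExist`` for
        them on every save, which is skipped here instead.
        """
        try:
            profile = instance.profile
        except Profile.DoesNotExist:
            return
        profile.save()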