Делал всё по статье «Django Single Sign-On и Microsoft Active Directory» — хочется «плюшек», а именно знать, в каких группах AD состоит пользователь. Предполагал получать это через AUTH_LDAP_PROFILE_FLAGS_BY_GROUP, но, как я понял, эта настройка не поддерживается для Django 1.7 и выше. Вариант с AUTH_LDAP_MIRROR_GROUPS не совсем подходит. В общем, каким образом на этапе создания/обновления пользователя можно получить принадлежность к определённой группе в AD?
Django 1.10
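# django-auth-ldap settings for the "dossier" app against a multi-domain
# Active Directory forest, queried through a Global Catalog (port 3268).

# NOTE(review): plain ldap:// sends the service-account bind password and
# every user's password over the network unencrypted.  Prefer the TLS-wrapped
# GC port (ldaps://192.168.0.6:3269) or AUTH_LDAP_START_TLS = True, and make
# sure the domain controller's certificate is actually verified
# (AUTH_LDAP_CONNECTION_OPTIONS / ldap.OPT_X_TLS_REQUIRE_CERT).
AUTH_LDAP_SERVER_URI = "ldap://192.168.0.6:3268"

# Furnish LDAP group permissions for every Django user, including users that
# did not authenticate through this backend (they are looked up by username).
AUTH_LDAP_AUTHORIZE_ALL_USERS = True

# Must stay False against Active Directory.  AD handles a simple bind that
# carries a DN but an empty password as an *unauthenticated* bind and reports
# success, so with True anyone who knows a sAMAccountName can log in as that
# account without a password.  False is also the library default.
AUTH_LDAP_PERMIT_EMPTY_PASSWORD = False

# Read-only service account used for the user and group searches.
AUTH_LDAP_BIND_DN = "cn=dossier_ldap_find,ou=Services,ou=Technical,dc=XXX,dc=ru"
# Placeholder only: load the real password from the environment or a secret
# store at startup; do not commit it together with the settings.
AUTH_LDAP_BIND_PASSWORD = "PASSWORD"

# Naming contexts of the forest domains; every user search and every
# application group is repeated for each of them.
_AD_DOMAINS = ("dc=XXX,dc=ru", "dc=YYY,dc=XXX,dc=ru", "dc=ZZZ,dc=XXX,dc=ru")
# OU (relative to the domain) that holds the application groups.
_GROUP_OU = "ou=Services,ou=Technical"


def _group_in_any_domain(cn):
    """Return an LDAPGroupQuery matching membership in cn=<cn> in any forest domain.

    Builds the same ``q1 | q2 | q3`` that was previously spelled out for every
    group; the result combines with ``&`` / ``~`` like any LDAPGroupQuery.
    """
    query = None
    for domain in _AD_DOMAINS:
        part = LDAPGroupQuery("cn=%s,%s,%s" % (cn, _GROUP_OU, domain))
        query = part if query is None else query | part
    return query


# Locate the user by sAMAccountName in each domain (django-auth-ldap escapes
# %(user)s before substituting it into the filter).
# NOTE(review): on a Global Catalog a subtree search from the forest root
# (dc=XXX,dc=ru) may already return objects of the child domains; if the union
# then yields the same entry twice, the lookup is treated as ambiguous and the
# login is refused.  Confirm against the server and drop redundant bases.
AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
    *(LDAPSearch(domain, ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)")
      for domain in _AD_DOMAINS)
)

# Application groups live under ou=Services,ou=Technical of each domain.
AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion(
    *(LDAPSearch("%s,%s" % (_GROUP_OU, domain), ldap.SCOPE_SUBTREE, "(objectClass=group)")
      for domain in _AD_DOMAINS)
)

# Membership is read from the group's `member` attribute and groups are named
# by cn, so ldap_user.group_names holds cn values.  NOTE(review): this sees
# direct membership only - nested AD groups are not expanded.  Switch to
# NestedActiveDirectoryGroupType if users are members through intermediate
# groups.
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")

# Login gate: member of DOSSIER_ACTIVE in some domain and of DOSSIER_BLOCKED in
# none (~(b1 | b2 | b3) is the same as ~b1 & ~b2 & ~b3).
AUTH_LDAP_REQUIRE_GROUP = (
    _group_in_any_domain("DOSSIER_ACTIVE") & ~_group_in_any_domain("DOSSIER_BLOCKED")
)

AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}

# Profile settings have no effect on Django >= 1.7 (Django dropped
# AUTH_PROFILE_MODULE / get_profile() and django-auth-ldap dropped these with
# it).  Kept only so that nothing else reading the settings breaks; populate
# the Profile model from a django_auth_ldap.backend.populate_user receiver
# instead.
AUTH_LDAP_PROFILE_ATTR_MAP = {
    "ipphone": "ipphone",
}

# Flags are re-evaluated on every login because AUTH_LDAP_ALWAYS_UPDATE_USER is
# on.  Note the superuser group is spelled "SUPPERUSER" - make sure that is the
# cn that really exists in AD.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": _group_in_any_domain("DOSSIER_ACTIVE"),
    "is_staff": _group_in_any_domain("DOSSIER_STAFF"),
    "is_superuser": _group_in_any_domain("DOSSIER_SUPPERUSER"),
    # auth.User has no is_writer field: django-auth-ldap only sets it on the
    # instance with setattr(), so the value is never persisted.  Store it on
    # the Profile model from a populate_user receiver instead.
    "is_writer": _group_in_any_domain("DOSSIER_WRITER"),
}

AUTH_LDAP_PROFILE_FLAGS_BY_GROUP = {  # ignored, see AUTH_LDAP_PROFILE_ATTR_MAP
    "is_writer": _group_in_any_domain("DOSSIER_WRITER"),
}

# Mirroring AD groups into django.contrib.auth groups is deliberately off.
# AUTH_LDAP_MIRROR_GROUPS = True

# Refresh attributes and flags on every login, not only on first login.
AUTH_LDAP_ALWAYS_UPDATE_USER = True
# Grant permissions through django.contrib.auth groups named like the AD groups.
AUTH_LDAP_FIND_GROUP_PERMS = True
# Group membership is queried on every request; the timeout below only takes
# effect once caching is enabled.
AUTH_LDAP_CACHE_GROUPS = False
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600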
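from django.db import models
from django.contrib.auth.models import User
from django.db.models.signals import post_save
from django.dispatch import receiver
from django_auth_ldap.backend import LDAPBackend, populate_user

# cn of the AD group that grants write access (the same cn exists in every
# domain; AUTH_LDAP_GROUP_TYPE names groups by cn, so group_names holds cns).
WRITER_GROUP_CN = "DOSSIER_WRITER"

# Instance attribute used to carry LDAP-derived values from the populate_user
# signal (User may not be saved yet) to the post_save receivers.
_LDAP_PROFILE_ATTR = "_ldap_profile_values"


class Profile(models.Model):
    """Per-user data that has no place on auth.User: AD phone number, writer flag."""

    user = models.OneToOneField(User, on_delete=models.CASCADE)
    # First value of the AD attribute read as "ipphone"; None when absent.
    # NOTE(review): AD does not limit ipPhone to 10 characters - confirm the
    # max_length on a database backend that enforces it.
    ipphone = models.CharField(max_length=10, blank=True, null=True)
    # True while the user is a member of DOSSIER_WRITER; refreshed on each LDAP login.
    is_writer = models.BooleanField(default=False)


def _first_attr(ldap_user, name):
    """Return the first value of LDAP attribute `name` on `ldap_user`, or None.

    LDAP attributes are multi-valued lists; a missing or empty attribute must
    not raise (the previous ``.get(name, [])[0]`` raised IndexError).
    NOTE(review): confirm whether values arrive as str or bytes for the
    python-ldap / django-auth-ldap versions in use, and decode if needed.
    """
    values = ldap_user.attrs.get(name) or []
    return values[0] if values else None


def ldap_profile_values(ldap_user):
    """Derive the Profile field values from an authenticated ``_LDAPUser``.

    ``ldap_user.group_names`` is the set of cn values of the groups found for the
    user by AUTH_LDAP_GROUP_SEARCH / AUTH_LDAP_GROUP_TYPE; ``ldap_user.group_dns``
    is available when the exact DN (domain) must be matched instead.
    """
    return {
        "ipphone": _first_attr(ldap_user, "ipphone"),
        "is_writer": WRITER_GROUP_CN in ldap_user.group_names,
    }


def _apply_profile_values(profile, values):
    """Copy `values` (as produced by ldap_profile_values) onto `profile`; no save."""
    for field, value in values.items():
        setattr(profile, field, value)


@receiver(populate_user)
def remember_ldap_profile_values(sender, user, ldap_user, **kwargs):
    """Capture profile data during LDAP authentication.

    django-auth-ldap sends this signal after filling the User from LDAP and
    before user.save(): on first login and, with AUTH_LDAP_ALWAYS_UPDATE_USER,
    on every later login.  A brand-new User has no pk yet, so the Profile cannot
    be written here; the values are stashed on the instance and applied by the
    post_save receivers below.
    """
    setattr(user, _LDAP_PROFILE_ATTR, ldap_profile_values(ldap_user))


@receiver(post_save, sender=User)
def create_user_profile(sender, instance, created, **kwargs):
    """Create the Profile for a new User and fill it from LDAP.

    Users created by the LDAP backend already carry the stashed values.  Users
    created some other way (admin, createsuperuser, ...) are looked up in the
    directory explicitly, as before.  LDAPBackend.populate_user() saves the
    User again, so post_save fires a second time with created=False; the
    Profile row is therefore created *before* that call so the nested
    save_user_profile finds it instead of creating a duplicate.
    """
    if not created:
        return
    profile = Profile.objects.create(user=instance)
    values = getattr(instance, _LDAP_PROFILE_ATTR, None)
    if values is None:
        ldap_backed = LDAPBackend().populate_user(instance.username)
        if ldap_backed is not None:
            values = ldap_profile_values(ldap_backed.ldap_user)
    if values:
        _apply_profile_values(profile, values)
        profile.save()  # the previous version assigned ipphone but never saved it


@receiver(post_save, sender=User)
def save_user_profile(sender, instance, **kwargs):
    """Keep the Profile in step with the User on every save.

    Applies values stashed by the populate_user receiver (updates on later
    logins) and tolerates Users that predate the Profile model by creating
    the missing row instead of raising RelatedObjectDoesNotExist.
    """
    profile, _ = Profile.objects.get_or_create(user=instance)
    values = getattr(instance, _LDAP_PROFILE_ATTR, None)
    if values:
        _apply_profile_values(profile, values)
    profile.save()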