Enable use of LDAP groupd to set account flags

2a310f07 · Nik | Klampfradler · 189aa83e · 2a310f07
Verified Commit 2a310f07 authored 5 years ago by Nik | Klampfradler
--- a/aleksis/core/settings.py
+++ b/aleksis/core/settings.py
@@ -186,7 +186,7 @@ AUTHENTICATION_BACKENDS = []
 if _settings.get("ldap.uri", None):
    # LDAP dependencies are not necessarily installed, so import them here
    import ldap  # noqa
-    from django_auth_ldap.config import LDAPSearch, GroupOfNamesType  # noqa
+    from django_auth_ldap.config import LDAPSearch, GroupOfNamesType, GroupOfUniqueNamesType, PosixGroupType  # noqa

    # Enable Django's integration to LDAP
    AUTHENTICATION_BACKENDS.append("django_auth_ldap.backend.LDAPBackend")
@@ -212,6 +212,28 @@ if _settings.get("ldap.uri", None):
        "email": _settings.get("ldap.map.email", "mail"),
    }

+    # Discover flags by LDAP groups
+    if _settings.get("ldap.groups.base", None):
+        AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+            _settings.get("ldap.groups.base"),
+            ldap.SCOPE_SUBTREE,
+            _settings.get("ldap.groups.filter", "(objectClass=%s)" % _settings.get("ldap.groups.type", "groupOfNams")),
+        )
+
+        if _settings.get("ldap.groups.type", "groupOfNames"):
+            AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()
+        elif _settings.get("ldap.groups.type", "groupOfUniqueNames"):
+            AUTH_LDAP_GROUP_TYPE = NestedGroupOfUniqueNamesType()
+        elif _settings.get("ldap.groups.type", "posixGroup"):
+            AUTH_LDAP_GROUP_TYPE = PosixGroupType()
+
+        AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+        }
+        for flag in ["is_active", "is_staff", "is_superuser"]:
+            dn = _settings.get("ldap.groups.flags.%s" % flag, None)
+            if dn:
+                AUTH_LDAP_USER_FLAGS_BY_GROUP[flag] = dn
+
 # Add ModelBckend last so all other backends get a chance
 # to verify passwords first
 AUTHENTICATION_BACKENDS.append("django.contrib.auth.backends.ModelBackend")