Merge branch 'feature/ldap-flags' into 'master'

Support global permission flags by LDAP group Closes #178 See merge request AlekSIS/AlekSIS!149

Merge branch 'feature/ldap-flags' into 'master'
aaaffe88 · Jonathan Weth · 568fd694 · 26bdac37 · aaaffe88
Commit aaaffe88 authored 5 years ago by Jonathan Weth
--- a/aleksis/core/settings.py
+++ b/aleksis/core/settings.py
@@ -186,7 +186,7 @@ AUTHENTICATION_BACKENDS = []
 if _settings.get("ldap.uri", None):
    # LDAP dependencies are not necessarily installed, so import them here
    import ldap  # noqa
-    from django_auth_ldap.config import LDAPSearch, GroupOfNamesType  # noqa
+    from django_auth_ldap.config import LDAPSearch, NestedGroupOfNamesType, NestedGroupOfUniqueNamesType, PosixGroupType  # noqa

    # Enable Django's integration to LDAP
    AUTHENTICATION_BACKENDS.append("django_auth_ldap.backend.LDAPBackend")
@@ -212,6 +212,33 @@ if _settings.get("ldap.uri", None):
        "email": _settings.get("ldap.map.email", "mail"),
    }

+    # Discover flags by LDAP groups
+    if _settings.get("ldap.groups.base", None):
+        AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+            _settings.get("ldap.groups.base"),
+            ldap.SCOPE_SUBTREE,
+            _settings.get("ldap.groups.filter", "(objectClass=%s)" % _settings.get("ldap.groups.type", "groupOfNames")),
+        )
+
+        _group_type = _settings.get("ldap.groups.type", "groupOfNames").lower()
+        if _group_type == "groupofnames":
+            AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()
+        elif _group_type == "groupofuniquenames":
+            AUTH_LDAP_GROUP_TYPE = NestedGroupOfUniqueNamesType()
+        elif _group_type == "posixgroup":
+            AUTH_LDAP_GROUP_TYPE = PosixGroupType()
+
+        AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+        }
+        for _flag in ["is_active", "is_staff", "is_superuser"]:
+            _dn = _settings.get("ldap.groups.flags.%s" % _flag, None)
+            if _dn:
+                AUTH_LDAP_USER_FLAGS_BY_GROUP[_flag] = _dn
+
+        # Backend admin requires superusers to also be staff members
+        if "is_superuser" in AUTH_LDAP_USER_FLAGS_BY_GROUP and "is_staff" not in AUTH_LDAP_USER_FLAGS_BY_GROUP:
+            AUTH_LDAP_USER_FLAGS_BY_GROUP["is_staff"] = AUTH_LDAP_USER_FLAGS_BY_GROUP["is_superuser"]
+
 # Add ModelBckend last so all other backends get a chance
 # to verify passwords first
 AUTHENTICATION_BACKENDS.append("django.contrib.auth.backends.ModelBackend")