From e41e1a7a5edb76e3a29e07c953a79cd1ebc75fb2 Mon Sep 17 00:00:00 2001 From: Jorge Date: Thu, 7 Nov 2024 14:31:55 -0500 Subject: [PATCH] Add env variables AUTH_LDAP_GROUP_SEARCH_ROOT for LDAP group mirroring and AUTH_LDAP_CHRIS_ADMIN_GROUP to define a ChRIS admin group --- chris_backend/config/settings/local.py | 11 ++++++++++- chris_backend/config/settings/production.py | 11 ++++++++++- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/chris_backend/config/settings/local.py b/chris_backend/config/settings/local.py index c5828db1..7d3d009a 100755 --- a/chris_backend/config/settings/local.py +++ b/chris_backend/config/settings/local.py @@ -10,7 +10,7 @@ import os import ldap -from django_auth_ldap.config import LDAPSearch +from django_auth_ldap.config import LDAPSearch, GroupOfNamesType from .common import * # noqa from core.storage import verify_storage_connection @@ -192,6 +192,8 @@ AUTH_LDAP_BIND_DN = 'uid=admin,ou=people,dc=example,dc=org' AUTH_LDAP_BIND_PASSWORD = 'chris1234' AUTH_LDAP_USER_SEARCH_ROOT = 'ou=people,dc=example,dc=org' + AUTH_LDAP_GROUP_SEARCH_ROOT = 'ou=groups,dc=example,dc=org' + AUTH_LDAP_CHRIS_ADMIN_GROUP = 'chris_admin' AUTH_LDAP_USER_SEARCH = LDAPSearch(AUTH_LDAP_USER_SEARCH_ROOT, ldap.SCOPE_SUBTREE, '(uid=%(user)s)') @@ -200,6 +202,13 @@ 'last_name': 'sn', 'email': 'mail' } + AUTH_LDAP_GROUP_SEARCH = LDAPSearch(AUTH_LDAP_GROUP_SEARCH_ROOT, ldap.SCOPE_SUBTREE, + '(objectClass=groupOfNames)') + AUTH_LDAP_GROUP_TYPE = GroupOfNamesType() + AUTH_LDAP_USER_FLAGS_BY_GROUP = { + 'is_staff': f'cn={AUTH_LDAP_CHRIS_ADMIN_GROUP},{AUTH_LDAP_GROUP_SEARCH_ROOT}' + } + AUTH_LDAP_MIRROR_GROUPS_EXCEPT = ['all_users', 'pacs_users'] AUTHENTICATION_BACKENDS = ( 'users.models.CustomLDAPBackend', diff --git a/chris_backend/config/settings/production.py b/chris_backend/config/settings/production.py index 7420cabb..132d6ba7 100755 --- a/chris_backend/config/settings/production.py +++ b/chris_backend/config/settings/production.py 
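Review bot: In the third local.py hunk, `AUTH_LDAP_USER_FLAGS_BY_GROUP` together with `AUTH_LDAP_MIRROR_GROUPS_EXCEPT` makes LDAP the sole authority for `is_staff` and for every Django group other than `all_users` and `pacs_users`; as documented for django-auth-ldap, a listed flag is set to False whenever the user is not in the group and mirroring re-synchronises group membership on every login, so staff status or a group granted locally through the Django admin is silently reverted the next time that user authenticates through `CustomLDAPBackend`. The group is also mapped only to `is_staff`, not `is_superuser`, and whether a "ChRIS admin" is expected to be a superuser is not visible in this diff. A comment above the dict would spare the next maintainer the surprise: `# LDAP is authoritative here: is_staff and all non-excepted groups are re-synced on every login; grants made locally in Django do not survive.` The identical block is added in production.py's third hunk and needs the same comment.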
@@ -5,7 +5,7 @@ """ import ldap -from django_auth_ldap.config import LDAPSearch +from django_auth_ldap.config import LDAPSearch, GroupOfNamesType from .common import * # noqa from environs import Env, EnvValidationError from core.storage import verify_storage_connection @@ -168,6 +168,8 @@ def get_secret(setting, secret_type=env): AUTH_LDAP_BIND_DN = get_secret('AUTH_LDAP_BIND_DN') AUTH_LDAP_BIND_PASSWORD = get_secret('AUTH_LDAP_BIND_PASSWORD') AUTH_LDAP_USER_SEARCH_ROOT = get_secret('AUTH_LDAP_USER_SEARCH_ROOT') + AUTH_LDAP_GROUP_SEARCH_ROOT = get_secret('AUTH_LDAP_GROUP_SEARCH_ROOT') + AUTH_LDAP_CHRIS_ADMIN_GROUP = get_secret('AUTH_LDAP_CHRIS_ADMIN_GROUP') AUTH_LDAP_USER_SEARCH = LDAPSearch(AUTH_LDAP_USER_SEARCH_ROOT, ldap.SCOPE_SUBTREE, '(uid=%(user)s)') @@ -176,6 +178,13 @@ def get_secret(setting, secret_type=env): 'last_name': 'sn', 'email': 'mail' } + AUTH_LDAP_GROUP_SEARCH = LDAPSearch(AUTH_LDAP_GROUP_SEARCH_ROOT, ldap.SCOPE_SUBTREE, + '(objectClass=groupOfNames)') + AUTH_LDAP_GROUP_TYPE = GroupOfNamesType() + AUTH_LDAP_USER_FLAGS_BY_GROUP = { + 'is_staff': f'cn={AUTH_LDAP_CHRIS_ADMIN_GROUP},{AUTH_LDAP_GROUP_SEARCH_ROOT}' + } + AUTH_LDAP_MIRROR_GROUPS_EXCEPT = ['all_users', 'pacs_users'] AUTHENTICATION_BACKENDS = ( 'users.models.CustomLDAPBackend',
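Review bot: The second production.py hunk reads `AUTH_LDAP_GROUP_SEARCH_ROOT` and `AUTH_LDAP_CHRIS_ADMIN_GROUP` through `get_secret`, whose body lies outside this diff; if it raises on a missing value (the `EnvValidationError` import in the first hunk suggests it may), both variables become mandatory for every deployment, including ones that have no LDAP groups to mirror, and settings import fails before any clearer error is produced. The value of `AUTH_LDAP_CHRIS_ADMIN_GROUP` is later interpolated unescaped as `f'cn={AUTH_LDAP_CHRIS_ADMIN_GROUP},{AUTH_LDAP_GROUP_SEARCH_ROOT}'` in the third hunk, so an operator who supplies a full DN, or a cn containing `,` or `=`, gets a DN that never matches and `is_staff` quietly stays False with nothing logged. A comment next to the assignment should state the contract: `# bare group cn only (e.g. "chris_admin"), not a DN; it is composed into cn=<value>,<AUTH_LDAP_GROUP_SEARCH_ROOT> below`, and a startup check that the value contains neither `,` nor `=` would turn the silent mismatch into a configuration error.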