5
我使用django-ldap-auth来验证用户对LDAP - 服务器(ActiveDirectory)。用户能够登录并且每个用户的标志(例如is_staff)被正确设置。从LDAP获取组到django
我还想根据ldap用户组将django-groups添加到我的django用户。我这里还有我的设置:
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType, ActiveDirectoryGroupType
AUTH_LDAP_SERVER_URI = "ldap://XXX"
AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
AUTH_LDAP_BIND_DN = ""
AUTH_LDAP_BIND_PASSWORD = ""
# I somewhere read that this should help, but it didn't:
#AUTH_LDAP_GLOBAL_OPTIONS = {
# ldap.OPT_REFERRALS: 0
#}
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Benutzer,ou=Konten,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX",
ldap.SCOPE_SUBTREE, "(cn=%(user)s)")
AUTH_LDAP_USER_DN_TEMPLATE = "CN=%(user)s,OU=Benutzer,OU=Konten,OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX"
# Set up the basic group parameters.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("OU=AnwenderRollen,OU=Gruppen,OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX",
ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)"
)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="CN")
# also tried various possibilities for objectClass and AUTH_LDAP_GROUP_TYPE
#AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")
#AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType(name_attr="cn")
# Populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenname",
"last_name": "sn",
"email": "mail"
}
AUTH_LDAP_PROFILE_ATTR_MAP = {
#"employee_number": "employeeNumber"
}
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
#"is_active": "cn=active,ou=django,ou=groups,dc=example,dc=com",
"is_staff": "CN=GROUPNAME,OU=AnwenderRollen,OU=Gruppen,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX",
"is_superuser": "CN=GROUPNAME,OU=AnwenderRollen,OU=Gruppen,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX"
}
AUTH_LDAP_PROFILE_FLAGS_BY_GROUP = {
#"is_awesome": "cn=awesome,ou=django,ou=groups,dc=example,dc=com",
}
# This is the default, but I like to be explicit.
AUTH_LDAP_ALWAYS_UPDATE_USER = True
# Use LDAP group membership to calculate group permissions.
AUTH_LDAP_FIND_GROUP_PERMS = True
# Cache group memberships for an hour to minimize LDAP traffic
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 1 #3600
# Keep ModelBackend around for per-user permissions and maybe a local
# superuser.
AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend',
'django.contrib.auth.backends.ModelBackend',
)
的这种设置,只有部分工作:登录工作,一个Django用户创建,该属性是从LDAP(AUTH_LDAP_USER_ATTR_MAP)采取和标志设置(AUTH_LDAP_USER_FLAGS_BY_GROUP)具有相同如AUTH_LDAP_GROUP_SEARCH中的组路径。但是,这组搜索确实不工作,因为这个错误的:
DEBUG Populating Django user USERNAME
DEBUG search_s('CN=USERNAME,OU=Benutzer,OU=Konten,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX', 0, '(objectClass=*)') returned 1 objects: cn=USERNAME,ou=benutzer,ou=konten,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX
DEBUG CN=USERNAME,OU=Benutzer,OU=Konten,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX is a member of cn=GROUPNAME,ou=anwenderrollen,ou=gruppen,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX
DEBUG CN=USERNAME,OU=Benutzer,OU=Konten,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX is a member of cn=GROUPNAME,ou=anwenderrollen,ou=gruppen,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX
DEBUG Django user USERNAMEdoes not have a profile to populate
ERROR search_s('OU=AnwenderRollen,OU=Gruppen,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX', 2, '(&(objectClass=groupOfNames)(member=CN=USERNAME,OU=Benutzer,OU=Konten,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX))') raised OPERATIONS_ERROR({'info': '00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece', 'desc': 'Operations error'},)
DEBUG search_s('OU=AnwenderRollen,OU=Gruppen,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX', 2, '(&(objectClass=groupOfNames)(member=CN=USERNAME,OU=Benutzer,ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=XXX))') returned 0 objects:
自组路径是标志和组搜索我是假设它应该工作一样。绑定为身份验证用户时搜索组是否成问题?
我错过了什么?