Hi There!
I tinkered a bit with ldap_auth.py and it's in 1.99.6 now.
Now you can restrict login access based on the ldap groups where the user is
a member. You just need to specify allowed_groups:
    auth.settings.login_methods.append(ldap_auth(...as usual...,
        allowed_groups = [...],
        group_dn = 'ou=Groups,dc=domain,dc=com',
        group_name_attrib = 'cn',
        group_member_attrib = 'memberUid',
        group_filterstr = 'objectClass=*'
    ))
Where:
  allowed_groups - a list of the allowed ldap group names, like ['admin','user']
  group_dn - the ldap branch of the groups, like "ou=Groups,dc=domain,dc=com"
  group_name_attrib - the attribute where the group name is stored, like "CN"
  group_member_attrib - the attribute containing the group members' names,
    like "memberUid"
  group_filterstr - like filterstr, but for the group select
You can now manage auth_groups and auth_membership automatically. You need
to set manage_groups=True:
    auth.settings.login_methods.append(ldap_auth(...as usual...,
        manage_groups = True,
        db = db,
        group_dn = 'ou=Groups,dc=domain,dc=com',
        group_name_attrib = 'cn',
        group_member_attrib = 'memberUid',
        group_filterstr = 'objectClass=*'
    ))
Where:
  manage_groups - let web2py handle the groups from ldap
  db - the database object (needs to have auth_user, auth_group,
    auth_membership)
  group_dn - the ldap branch of the groups, like "ou=Groups,dc=domain,dc=com"
  group_name_attrib - the attribute where the group name is stored, like "cn"
  group_member_attrib - the attribute containing the group members' names,
    like "memberUid"
  group_filterstr - like filterstr, but for the group select
If the user can log in, ldap_auth sets up the corresponding groups and
memberships in the app's db so RBAC can work properly, and you don't have to
maintain group membership both in ldap and in the app's db.
The "group_*" properties are shared by allowed_groups and manage_groups.
Tested only with OpenLdap (I have no AD and co.)
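To show what the allowed_groups check and the manage_groups sync described above amount to, here is an added stand-alone illustration; it is not the ldap_auth.py code itself. The function names, the in-memory "db" dicts, the "member of at least one allowed group" rule and the replacing of stale memberships are assumptions of this example; the LDAP entries are constructed sample data in the (dn, attrs) shape python-ldap's search_s() returns.

```python
# Added illustration, NOT web2py's ldap_auth implementation.
# Constructed sample result of searching group_dn with group_filterstr,
# in the (dn, attrs) shape python-ldap returns from search_s().
GROUP_ENTRIES = [
    ("cn=admin,ou=Groups,dc=domain,dc=com",
     {"cn": [b"admin"], "memberUid": [b"alice"]}),
    ("cn=user,ou=Groups,dc=domain,dc=com",
     {"cn": [b"user"], "memberUid": [b"alice", b"bob"]}),
    ("cn=guest,ou=Groups,dc=domain,dc=com",
     {"cn": [b"guest"], "memberUid": [b"carol"]}),
]


def user_groups(entries, username, group_name_attrib="cn",
                group_member_attrib="memberUid"):
    """Names of the groups whose group_member_attrib lists username."""
    groups = set()
    for _dn, attrs in entries:
        members = [m.decode() for m in attrs.get(group_member_attrib, [])]
        if username in members:
            groups.update(n.decode() for n in attrs.get(group_name_attrib, []))
    return groups


def login_allowed(entries, username, allowed_groups):
    """allowed_groups rule (assumed): member of at least one listed group."""
    return bool(user_groups(entries, username) & set(allowed_groups))


def sync_memberships(entries, username, db_groups, db_memberships):
    """manage_groups behaviour (assumed): make the app db mirror LDAP.

    db_groups:      {group_name: group_id}   stands in for auth_group
    db_memberships: {username: {group_id}}   stands in for auth_membership
    Returns the set of group ids the user holds after the sync.
    """
    wanted = user_groups(entries, username)
    for name in wanted:
        if name not in db_groups:  # create the missing auth_group row
            db_groups[name] = max(db_groups.values(), default=0) + 1
    # Replace the user's memberships with the LDAP-derived set, so a group
    # removed in LDAP is also dropped from the app db (assumption).
    db_memberships[username] = {db_groups[n] for n in wanted}
    return db_memberships[username]
```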