If there is somebody using ldap_auth with AD, please try to test 
allowed_groups and/or manage_groups, as I have no means to test it. And I 
do not know the differences between OpenLdap and AD regarding groups :(

Thanks.

On Friday, 2 March 2012 at 22:30:37 UTC+1, szimszon wrote:
>
> Hi There!
>
> I tinkered a bit with ldap_auth.py and it's in 1.99.6 now.
>
> Now you can restrict login access based on the LDAP groups of which the user is a 
> member.
> You just need to specify allowed_groups:
>
>         auth.settings.login_methods.append(ldap_auth(...as usual...,
>             allowed_groups = [...],
>             group_dn = 'ou=Groups,dc=domain,dc=com',
>             group_name_attrib = 'cn',
>             group_member_attrib = 'memberUid',
>             group_filterstr = 'objectClass=*'
>             ))
>
>
>         Where:
>         allowed_groups - a list with allowed ldap group names like 
> ['admin','user']
>         group_dn - the ldap branch of the groups like 
> "ou=Groups,dc=domain,dc=com"
>         group_name_attrib - the attribute where the group name is stored like 
> "CN"
>         group_member_attrib - the attribute containing the group members' names, 
> like "memberUid"
>         group_filterstr - as the filterstr but for group select
>
>
> You can now manage auth_groups and auth_membership automatically. You need 
> to set manage_groups=True:
>
>         auth.settings.login_methods.append(ldap_auth(...as usual...,
>             manage_groups = True,
>             db = db,
>             group_dn = 'ou=Groups,dc=domain,dc=com',
>             group_name_attrib = 'cn',
>             group_member_attrib = 'memberUid',
>             group_filterstr = 'objectClass=*'
>             ))
>         Where:
>         manage_groups - let web2py handle the groups from ldap
>         db - is the database object (need to have auth_user, auth_group, 
> auth_membership)
>         group_dn - the ldap branch of the groups like 
> "ou=Groups,dc=domain,dc=com"
>         group_name_attrib - the attribute where the group name is stored like 
> "cn"
>         group_member_attrib - the attribute containing the group members' names, 
> like "memberUid"
>         group_filterstr - as the filterstr but for group select
>
>
> If the user can log in, then ldap_auth sets up the corresponding groups and 
> memberships in the app's db, so RBAC can work properly and you don't have to set 
> group membership in both LDAP and the app's db.
>
> The "group_*" properties are shared by allowed_groups and manage_groups.
>
> Tested only with OpenLdap (I have no AD and co.)
>
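As an added example (not web2py's ldap_auth code and not the configuration posted above), this is how the group lookup behind allowed_groups and manage_groups can be implemented in Python over a group search result. The LDAP entries are constructed here in the shape python-ldap's search_s() returns; the function names are mine, not ldap_auth's. It also covers the OpenLDAP/AD difference raised in the reply: an OpenLDAP posixGroup lists its members by uid in memberUid, whereas an Active Directory group (like a groupOfNames entry) lists them by full DN in its member attribute, so with AD you would set group_member_attrib to 'member' and match the user's DN rather than the login name. The example handles both forms; whether ldap_auth itself does is exactly what the poster is asking AD users to test. It also escapes the login name before it is spliced into the group filter, because an unescaped value lets a crafted username rewrite the search filter.

```python
# Added example (not web2py's ldap_auth code): the group lookup behind
# allowed_groups / manage_groups, run over a constructed LDAP search result.
# Entry shape follows python-ldap's search_s(): list of (dn, {attr: [bytes]}).

GROUP_DN = "ou=Groups,dc=domain,dc=com"   # group_dn from the posted config


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a login name such as 'a*)(uid=*' rewrites the filter.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_group_filter(username, group_member_attrib, group_filterstr):
    """Combine group_filterstr with a member test for this user, e.g.
    (&(objectClass=*)(memberUid=alice))."""
    base = group_filterstr if group_filterstr.startswith("(") else "(%s)" % group_filterstr
    return "(&%s(%s=%s))" % (base, group_member_attrib, escape_filter_value(username))


def _text(value):
    return value.decode("utf-8") if isinstance(value, bytes) else value


def member_matches(member_value, username, user_dn=None):
    """A member value is either a bare uid (OpenLDAP posixGroup memberUid) or a
    full DN (Active Directory / groupOfNames 'member').  uid and DN matching in
    LDAP are case-insensitive, so compare lower-cased (assumption: DNs are
    written with identical spacing on both sides)."""
    v = _text(member_value).lower()
    if v == username.lower():
        return True
    return user_dn is not None and v == user_dn.lower()


def groups_of(entries, username, user_dn, group_name_attrib, group_member_attrib):
    """Names (group_name_attrib) of the groups that list the user as a member."""
    names = set()
    for _dn, attrs in entries:
        members = attrs.get(group_member_attrib, [])
        if any(member_matches(m, username, user_dn) for m in members):
            names.update(_text(n) for n in attrs.get(group_name_attrib, []))
    return names


def login_allowed(user_groups, allowed_groups):
    """allowed_groups semantics: member of at least one listed group.
    Exact name match only; no substring or wildcard matching."""
    return bool(set(user_groups) & set(allowed_groups))


def membership_sync(ldap_groups, db_groups):
    """manage_groups semantics, as an assumption about what a sync should do:
    grant memberships the directory has and the app db lacks, and revoke the
    reverse, so a user dropped from an LDAP group loses the role on next login."""
    ldap_groups, db_groups = set(ldap_groups), set(db_groups)
    return {"grant": ldap_groups - db_groups, "revoke": db_groups - ldap_groups}


# Constructed OpenLDAP-style result (posixGroup: members listed by uid).
OPENLDAP_GROUPS = [
    ("cn=admin," + GROUP_DN, {"cn": [b"admin"], "memberUid": [b"alice"]}),
    ("cn=user," + GROUP_DN, {"cn": [b"user"], "memberUid": [b"alice", b"bob"]}),
    ("cn=guest," + GROUP_DN, {"cn": [b"guest"], "memberUid": [b"eve"]}),
]

# Constructed Active Directory-style result (members listed by full DN in 'member').
AD_USER_DN = "CN=alice,OU=Users,DC=domain,DC=com"
AD_GROUPS = [
    ("CN=admin,OU=Groups,DC=domain,DC=com",
     {"cn": [b"admin"], "member": [AD_USER_DN.encode()]}),
    ("CN=user,OU=Groups,DC=domain,DC=com",
     {"cn": [b"user"], "member": [AD_USER_DN.encode(), b"CN=bob,OU=Users,DC=domain,DC=com"]}),
]

if __name__ == "__main__":
    print(build_group_filter("alice", "memberUid", "objectClass=*"))
    print(groups_of(OPENLDAP_GROUPS, "alice", None, "cn", "memberUid"))
    print(groups_of(AD_GROUPS, "alice", AD_USER_DN, "cn", "member"))
    print(login_allowed(groups_of(OPENLDAP_GROUPS, "eve", None, "cn", "memberUid"), ["admin", "user"]))
    print(membership_sync({"admin", "user"}, {"user", "guest"}))
```

Two things worth checking in whatever real implementation you test against AD: that the member value the directory returns (a DN) is compared with the bound user's DN and not with the login name, and that the login name is escaped before it is inserted into group_filterstr, since the search runs with the service account's privileges rather than the user's.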
