Wow that's great!! I tested both allowed_groups and manage_groups in OpenLDAP and they work!!!
Thank you -- Massimiliano

On Sat, Mar 3, 2012 at 8:57 AM, szimszon <[email protected]> wrote:
> If there is somebody using ldap_auth with AD please try to test
> allowed_groups and / or manage_groups as I have no means to test it. And I
> do not know the differences between OpenLDAP and AD regarding groups :(
>
> Tnx.
>
> On Friday, March 2, 2012 at 22:30:37 UTC+1, szimszon wrote:
>
>> Hi There!
>>
>> I tinkered a bit with ldap_auth.py and it's in 1.99.6 now.
>>
>> Now you can restrict login access based on LDAP groups where the user is
>> a member. You just need to specify allowed_groups:
>>
>> auth.settings.login_methods.append(ldap_auth(...as usual...,
>>     allowed_groups = [...],
>>     group_dn = 'ou=Groups,dc=domain,dc=com',
>>     group_name_attrib = 'cn',
>>     group_member_attrib = 'memberUid',
>>     group_filterstr = 'objectClass=*'
>> ))
>>
>> Where:
>> allowed_groups - a list with allowed LDAP group names like ['admin','user']
>> group_dn - the LDAP branch of the groups like "ou=Groups,dc=domain,dc=com"
>> group_name_attrib - the attribute where the group name is stored like "CN"
>> group_member_attrib - the attribute containing the group members' names like "memberUid"
>> group_filterstr - as the filterstr but for group select
>>
>> You can now manage auth_groups and auth_membership automatically. You
>> need to set manage_groups=True:
>>
>> auth.settings.login_methods.append(ldap_auth(...as usual...,
>>     manage_groups = True,
>>     db = db,
>>     group_dn = 'ou=Groups,dc=domain,dc=com',
>>     group_name_attrib = 'cn',
>>     group_member_attrib = 'memberUid',
>>     group_filterstr = 'objectClass=*'
>> ))
>>
>> Where:
>> manage_groups - let web2py handle the groups from LDAP
>> db - is the database object (needs to have auth_user, auth_group, auth_membership)
>> group_dn - the LDAP branch of the groups like "ou=Groups,dc=domain,dc=com"
>> group_name_attrib - the attribute where the group name is stored like "cn"
>> group_member_attrib - the attribute containing the group members' names like "memberUid"
>> group_filterstr - as the filterstr but for group select
>>
>> If the user can log in then ldap_auth sets up the corresponding groups and
>> memberships in the app's db so RBAC can work properly and you don't have to set
>> group membership in LDAP and in the app's db too.
>>
>> The "group_*" properties are shared by allowed_groups and manage_groups.
>>
>> Tested only with OpenLDAP (I have no AD and co.)
>>
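Added example (not web2py's ldap_auth.py and not posted in this thread) of the group lookup that the allowed_groups and manage_groups settings above configure. A constructed in-memory directory of three posixGroup entries and a fake_search_s() helper stand in for an LDAP server and python-ldap's search_s(); plain dicts stand in for auth_group and auth_membership. Only the group_* names and their meanings come from the post; the function names, the escape=False switch and the removal of memberships for groups the user has left are this example's own assumptions. It also shows why the login name must be RFC 4515-escaped before it is interpolated into the group filter: with escaping off, a username of "*)(cn=admin" rewrites the filter so the lookup matches the admin group and the allowed_groups check passes.

```python
import re

# Constructed sample directory, in the (dn, attrs) shape that python-ldap's
# search_s() returns; attribute values are bytes as python-ldap delivers them.
FAKE_DIRECTORY = [
    ("cn=admin,ou=Groups,dc=domain,dc=com",
     {"objectClass": [b"posixGroup"], "cn": [b"admin"], "memberUid": [b"alice"]}),
    ("cn=user,ou=Groups,dc=domain,dc=com",
     {"objectClass": [b"posixGroup"], "cn": [b"user"], "memberUid": [b"alice", b"bob"]}),
    ("cn=guest,ou=Groups,dc=domain,dc=com",
     {"objectClass": [b"posixGroup"], "cn": [b"guest"], "memberUid": [b"carol"]}),
]

# The group_* settings from the post, held in a plain dict (this example's layout).
GROUP_SETTINGS = {
    "group_dn": "ou=Groups,dc=domain,dc=com",
    "group_name_attrib": "cn",
    "group_member_attrib": "memberUid",
    "group_filterstr": "objectClass=*",
}


def escape_filter_chars(value):
    """RFC 4515 escaping: the only safe way to put user input into a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_group_filter(uid, settings, escape=True):
    """Combine group_filterstr with a member test: (&(<filterstr>)(<member_attrib>=<uid>))."""
    if escape:
        uid = escape_filter_chars(uid)
    return "(&(%s)(%s=%s))" % (settings["group_filterstr"],
                               settings["group_member_attrib"], uid)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def fake_search_s(base, filterstr, directory=FAKE_DIRECTORY):
    """Stand-in for ldap.search_s(): evaluates an AND of (attr=value) terms,
    '*' meaning 'attribute present'. Enough for this example, not a real filter parser."""
    terms = re.findall(r"\(([^=()]+)=([^()]*)\)", filterstr)
    hits = []
    for dn, attrs in directory:
        if not dn.lower().endswith(base.lower()):
            continue
        values_of = {k.lower(): [v.decode() for v in vals] for k, vals in attrs.items()}
        if all(values_of.get(attr.lower()) is not None
               and (value == "*" or _unescape(value) in values_of[attr.lower()])
               for attr, value in terms):
            hits.append((dn, attrs))
    return hits


def ldap_groups_for(uid, settings=GROUP_SETTINGS, escape=True):
    """Names (group_name_attrib values) of the groups under group_dn that list uid."""
    filt = build_group_filter(uid, settings, escape)
    name_attr = settings["group_name_attrib"].lower()
    names = []
    for _dn, attrs in fake_search_s(settings["group_dn"], filt):
        for attr, vals in attrs.items():
            if attr.lower() == name_attr:
                names.extend(v.decode() for v in vals)
    return sorted(names)


def login_allowed(uid, allowed_groups, settings=GROUP_SETTINGS, escape=True):
    """allowed_groups check: the user must belong to at least one listed group."""
    return bool(set(ldap_groups_for(uid, settings, escape)) & set(allowed_groups))


def sync_memberships(user_id, group_names, db):
    """manage_groups behaviour against dicts standing in for auth_group and
    auth_membership: create missing groups, add the user's memberships and
    (this example's assumption, not stated in the post) drop memberships for
    groups the directory no longer lists the user in. Returns the user's group ids."""
    for name in group_names:
        db["auth_group"].setdefault(name, len(db["auth_group"]) + 1)
    wanted = {(user_id, db["auth_group"][name]) for name in group_names}
    current = {m for m in db["auth_membership"] if m[0] == user_id}
    db["auth_membership"] -= current - wanted
    db["auth_membership"] |= wanted
    return sorted(gid for uid_, gid in db["auth_membership"] if uid_ == user_id)


if __name__ == "__main__":
    print("alice groups:", ldap_groups_for("alice"))                      # ['admin', 'user']
    print("bob allowed (admin only):", login_allowed("bob", ["admin"]))   # False
    hostile = "*)(cn=admin"
    print("hostile uid, escaped:", login_allowed(hostile, ["admin"]))                 # False
    print("hostile uid, unescaped:", login_allowed(hostile, ["admin"], escape=False))  # True
    db = {"auth_group": {}, "auth_membership": set()}
    print("synced ids:", sync_memberships(1, ldap_groups_for("alice"), db))  # [1, 2]
```

The filter evaluator only understands a conjunction of equality and presence terms, which is all the post's group_filterstr example needs; against a real server the same build_group_filter() output goes to ldap.search_s() unchanged, and python-ldap's ldap.filter.escape_filter_chars() does the job of escape_filter_chars() here.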

