It's not really clear how to deny access if not a member of a group(s), or alternatively deny if in a group #34

Open
dpwildboar opened this issue Sep 23, 2020 · 1 comment

@dpwildboar

For example, if I have a Python ldap3 search that considers this a deny if found:

```python
from ldap3 import SUBTREE
from ldap3.utils.conv import escape_filter_chars

# Bare account name from "DOMAIN\user", escaped before it goes into the filter
account = escape_filter_chars(connection_information['AD_Accnt'].split("\\", 1)[1])
conn.search(search_base="DC=adomain,DC=com",
            search_filter="(&(objectCategory=person)(sAMAccountName=" + account + ")(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=App-X-Deny,OU=Security Groups,DC=adomain,DC=com))",
            search_scope=SUBTREE,
            attributes=["sAMAccountName", "displayName", "mail"],
            size_limit=0)
```

How does one set that up in the settings file? It seems that would be a good addition to the doc. I easily figured out how to grant access, but I am not clear on how to deny.

Along that line, if you look at the doc for the older https://django-auth-ldap.readthedocs.io/en/latest/

it has a specific way to state that with

```python
AUTH_LDAP_REQUIRE_GROUP = "cn=enabled,ou=groups,dc=example,dc=com"
AUTH_LDAP_DENY_GROUP = "cn=disabled,ou=groups,dc=example,dc=com"
```

or

```python
AUTH_LDAP_REQUIRE_GROUP = (
    LDAPGroupQuery("cn=enabled,ou=groups,dc=example,dc=com")
    | LDAPGroupQuery("cn=also_enabled,ou=groups,dc=example,dc=com")
) & ~LDAPGroupQuery("cn=disabled,ou=groups,dc=example,dc=com")
```

Having something like this as a feature would be nice.

@povtux
Member

povtux commented Nov 2, 2020

Hi dpwildboar,
At this moment, there is no way to explicitly deny. I never had this need and no one else asked for this feature.
Personally, I create as many groups as needed to give access to features through the binding between LDAP groups and Django groups. This way, if a user must have access to something in Django, he will get it; otherwise, he will have nothing.

Could you maybe explain a bit more about the need? Don't you have the opportunity to create groups to manage all of that?
Thanks
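
Added example, not part of the thread and not this project's code or settings: one way to express the require/deny semantics discussed above as a single Active Directory search filter, using the nested-membership matching rule from the issue's query. The function names and the `App-X-Users` group are assumptions made for illustration; escaping is implemented with the standard library per RFC 4515 so the block runs without an LDAP server.

```python
# Added illustration (not the project's code): one AD filter for require + deny.
# OID taken from the filter in the issue: transitive (nested) group membership.
IN_CHAIN = "1.2.840.113556.1.4.1941"
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a filter assertion value per RFC 4515."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def sam_from_login(login):
    """Return the bare account name from 'DOMAIN\\user' or 'user'."""
    return login.rsplit("\\", 1)[-1]


def _member_of(group_dn):
    return f"(memberOf:{IN_CHAIN}:={escape_filter_value(group_dn)})"


def access_filter(login, require_groups=(), deny_groups=()):
    """Match the user only if they are in at least one require group
    (when any are given) and in none of the deny groups."""
    sam = sam_from_login(login)
    if not sam:
        raise ValueError("empty account name")
    parts = ["(objectCategory=person)", "(objectClass=user)",
             f"(sAMAccountName={escape_filter_value(sam)})"]
    if require_groups:
        parts.append("(|" + "".join(map(_member_of, require_groups)) + ")")
    parts.extend("(!" + _member_of(g) + ")" for g in deny_groups)
    return "(&" + "".join(parts) + ")"


def is_allowed(entries):
    """Fail closed: grant only when the search matched exactly one entry."""
    return len(entries) == 1


if __name__ == "__main__":
    # Constructed sample values; App-X-Users is a hypothetical group name.
    base = "OU=Security Groups,DC=adomain,DC=com"
    print(access_filter("ADOMAIN\\jdoe",
                        require_groups=[f"CN=App-X-Users,{base}"],
                        deny_groups=[f"CN=App-X-Deny,{base}"]))
```

Because the deny group is negated inside the filter, an empty result or a failed search denies access, so a directory error cannot turn into a grant.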
