How does one set that up in the settings file? It seems that would be a good addition to the doc. I easily figured out how to grant access; I am not clear on how to deny.
Hi dpwildboar,
At this moment, there is no way to explicitly deny. I never had this need and no one else asked for this feature.
Personally, I create as many groups as needed to give access to features through the binding between LDAP groups and Django groups. This way, if a user must have access to something in Django, he will get it; otherwise, he will have nothing.
Could you maybe explain a bit more about the need? Don't you have the opportunity to create groups to manage all of that?
Thanks
For example, if I have a Python ldap3 that considers this a deny if found:
```python
from ldap3 import SUBTREE
from ldap3.utils.conv import escape_filter_chars

# Strip the DOMAIN\ prefix, then escape the account name before it enters the filter
account = escape_filter_chars(connection_information['AD_Accnt'].split("\\", 1)[1])
conn.search(search_base="DC=adomain,DC=com",
            search_filter="(&(objectCategory=person)(sAMAccountName=" + account + ")(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=App-X-Deny,OU=Security Groups,DC=adomain,DC=com))",
            search_scope=SUBTREE,
            attributes=["sAMAccountName", "displayName", "mail"],
            size_limit=0)
```
Along that line, if you look at the doc for the older https://django-auth-ldap.readthedocs.io/en/latest/, it has a specific way to state that with
```python
AUTH_LDAP_REQUIRE_GROUP = "cn=enabled,ou=groups,dc=example,dc=com"
AUTH_LDAP_DENY_GROUP = "cn=disabled,ou=groups,dc=example,dc=com"
```
or
```python
from django_auth_ldap.config import LDAPGroupQuery

# Allow either enabled group, but never a member of the disabled group
AUTH_LDAP_REQUIRE_GROUP = (
    LDAPGroupQuery("cn=enabled,ou=groups,dc=example,dc=com")
    | LDAPGroupQuery("cn=also_enabled,ou=groups,dc=example,dc=com")
) & ~LDAPGroupQuery("cn=disabled,ou=groups,dc=example,dc=com")
```
Having something like this as a feature would be nice.
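The deny-overrides-allow check requested above, as an added example that is not part of the thread or of the project's code. It assumes hypothetical names throughout (`is_allowed`, `FakeDirectory`, the `App-X-Users` and `Contractors` groups) and replaces the live directory with constructed data so that nested membership, which the `1.2.840.113556.1.4.1941` rule resolves on Active Directory, can be exercised offline:

```python
IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD nested-membership matching rule from the post

def escape_filter_value(value):
    """Escape RFC 4515 special characters so input cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def sam_account(login):
    """Accept 'DOMAIN\\user' or plain 'user' and return the account part."""
    return login.split("\\", 1)[-1]

def membership_filter(login, group_dn):
    """Filter that matches the user only if nested (at any depth) in group_dn."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(sAMAccountName=%s)(memberOf:%s:=%s))"
            % (escape_filter_value(sam_account(login)), IN_CHAIN,
               escape_filter_value(group_dn)))

class FakeDirectory:
    """Constructed stand-in for the directory: member_of maps an account name
    or group DN to the groups it belongs to directly."""
    def __init__(self, member_of):
        self.member_of = {k.lower(): [g.lower() for g in v]
                          for k, v in member_of.items()}

    def in_group(self, login, group_dn):
        """Transitive membership test, the behaviour IN_CHAIN gives on AD."""
        target, seen = group_dn.lower(), set()
        todo = [sam_account(login).lower()]
        while todo:
            node = todo.pop()
            if node == target:
                return True
            if node not in seen:  # guards against group cycles
                seen.add(node)
                todo.extend(self.member_of.get(node, []))
        return False

def is_allowed(login, in_group, require_dn=None, deny_dn=None):
    """Deny is checked first and always wins; require_dn=None means no allow-list."""
    if deny_dn and in_group(login, deny_dn):
        return False
    return require_dn is None or in_group(login, require_dn)

# Constructed sample data: bob is denied only through a nested group.
ALLOW = "CN=App-X-Users,OU=Security Groups,DC=adomain,DC=com"
DENY = "CN=App-X-Deny,OU=Security Groups,DC=adomain,DC=com"
CONTRACTORS = "CN=Contractors,OU=Security Groups,DC=adomain,DC=com"
DIRECTORY = FakeDirectory({"alice": [ALLOW], "bob": [ALLOW, CONTRACTORS],
                           CONTRACTORS: [DENY]})
```

Against a real directory, `in_group` would run a search with `membership_filter(login, group_dn)` and return whether any entry matched.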