I’m trying to set up LDAP authentication with my Django app using Django-Auth
The basic idea I want to do is any LDAP user with “IT – Help Desk” in the description would get mapped to a certain Django group, a user with “Admin” in the description would go to another Django group, and anyone else wouldn’t be allowed in.
(There are legacy reasons I have to use the description field, so that’s not an option to change)
Update:
Some parts of the follow up conversation moved over here.
django-auth-ldap 1.0.9 (released 3/27) added a pair of Django signals that clients can use to do some custom population of user and profile objects. I would recommend connecting to the populate_user signal and using the LDAP attributes to update the user’s group membership. e.g.:
import django_auth_ldap.backend


def update_groups(sender, user=None, ldap_user=None, **kwargs):
    # Remember that every attribute maps to a list of values
    descriptions = ldap_user.attrs.get("description", [])

    if "IT - Help Desk" in descriptions:
        # Add user to group
        pass
    else:
        # Remove user from group
        pass


# Run update_groups every time the backend populates a user
django_auth_ldap.backend.populate_user.connect(update_groups)
This is even safe to combine with AUTH_LDAP_MIRROR_GROUPS, as the signal is sent after all built-in user population is complete.
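The group decision that a handler like `update_groups` has to make, written out as an added example (not part of the original answer or of django-auth-ldap). It matches each description value exactly after normalization, as the list test `in descriptions` does, so a value such as "Administrative Assistant" does not map to the admin group, and a user with no matching value is reported as not allowed. The Django group names `helpdesk` and `admins` and all function names are assumptions.

```python
# Added example: pure decision logic, no Django or LDAP connection required.
# The group names on the right-hand side are hypothetical Django group names.
DESCRIPTION_TO_GROUP = {
    "it - help desk": "helpdesk",
    "admin": "admins",
}
MANAGED_GROUPS = frozenset(DESCRIPTION_TO_GROUP.values())


def normalize(value):
    """Return a comparable form of one LDAP attribute value."""
    if isinstance(value, bytes):  # defensive: handle values delivered as bytes
        value = value.decode("utf-8", errors="replace")
    # Directory data is often pasted from documents: fold en/em dashes to "-"
    value = value.replace("\u2013", "-").replace("\u2014", "-")
    # Collapse runs of whitespace and compare case-insensitively
    return " ".join(value.split()).casefold()


def groups_for_descriptions(descriptions):
    """Map description values to group names by exact (normalized) match."""
    wanted = set()
    for raw in descriptions or []:
        group = DESCRIPTION_TO_GROUP.get(normalize(raw))
        if group:
            wanted.add(group)
    return wanted


def plan_membership(current_groups, descriptions):
    """Return (to_add, to_remove, allowed) for one user.

    Only MANAGED_GROUPS are ever removed, so memberships granted by other
    means are left alone. No matching description means allowed is False.
    """
    wanted = groups_for_descriptions(descriptions)
    current = set(current_groups)
    to_add = wanted - current
    to_remove = (current & MANAGED_GROUPS) - wanted
    return to_add, to_remove, bool(wanted)


if __name__ == "__main__":
    # Constructed sample values
    print(plan_membership(["helpdesk", "staff"], [b"Admin"]))
    print(plan_membership([], ["Administrative Assistant"]))
```

Inside the signal handler, `descriptions` would come from `ldap_user.attrs.get("description", [])`; how a user with `allowed == False` is kept out is left to the caller.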