From d9ff19fd30a12245fe595b3c67c0e31583146e17 Mon Sep 17 00:00:00 2001
From: NeodymiumFerBore <32781483+NeodymiumFerBore@users.noreply.github.com>
Date: Mon, 2 Sep 2024 17:27:37 +0000
Subject: [PATCH] Support for multiple AUTH_LDAP_REQUIRE_GROUP from environment variable
---
 configuration/ldap/ldap_config.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/configuration/ldap/ldap_config.py b/configuration/ldap/ldap_config.py
index 82fad72..d25b3e8 100644
--- a/configuration/ldap/ldap_config.py
+++ b/configuration/ldap/ldap_config.py
@@ -2,7 +2,7 @@ from importlib import import_module
 from os import environ
 import ldap
-from django_auth_ldap.config import LDAPSearch
+from django_auth_ldap.config import LDAPGroupQuery, LDAPSearch
 # Read secret from file
@@ -86,12 +86,22 @@ AUTH_LDAP_GROUP_TYPE = _import_group_type(environ.get('AUTH_LDAP_GROUP_TYPE', 'G
 # Define a group required to login.
 AUTH_LDAP_REQUIRE_GROUP = environ.get('AUTH_LDAP_REQUIRE_GROUP_DN')
+# If non-empty string, AUTH_LDAP_REQUIRE_GROUP will be treated as a list delimited by this separator
+AUTH_LDAP_REQUIRE_GROUP_SEPARATOR = environ.get('AUTH_LDAP_REQUIRE_GROUP_DN_SEPARATOR', '')
 # Define special user types using groups. Exercise great caution when assigning superuser status.
 AUTH_LDAP_USER_FLAGS_BY_GROUP = {}
 if AUTH_LDAP_REQUIRE_GROUP is not None:
+ # Build an LDAPGroupQuery when AUTH_LDAP_REQUIRE_GROUP should be treated as a list
+ if AUTH_LDAP_REQUIRE_GROUP_SEPARATOR:
+ _groups = list(filter(None, AUTH_LDAP_REQUIRE_GROUP.split(AUTH_LDAP_REQUIRE_GROUP_SEPARATOR)))
+ AUTH_LDAP_REQUIRE_GROUP = LDAPGroupQuery(_groups[0])
+ for i in range(1, len(_groups)):
+ AUTH_LDAP_REQUIRE_GROUP |= LDAPGroupQuery(_groups[i])
 AUTH_LDAP_USER_FLAGS_BY_GROUP = {
- "is_active": environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', ''),
+ "is_active": AUTH_LDAP_REQUIRE_GROUP,
 "is_staff": environ.get('AUTH_LDAP_IS_ADMIN_DN', ''),
 "is_superuser": environ.get('AUTH_LDAP_IS_SUPERUSER_DN', '')
 }
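Review bot: `_groups[0]` inside the new `if AUTH_LDAP_REQUIRE_GROUP_SEPARATOR:` branch raises IndexError at settings import when AUTH_LDAP_REQUIRE_GROUP_DN is set but empty or consists only of separators, because `filter(None, ...)` can yield an empty list and the outer `is not None` check does not cover that case. Fail with a clear configuration error instead of a traceback, e.g. `if not _groups: raise ValueError('AUTH_LDAP_REQUIRE_GROUP_DN contains no group DN')`, rather than falling through and leaving the raw string (and therefore `is_active`) bound to an unusable value. Split entries are not stripped, so whitespace around the separator becomes part of the DN that is compared against group membership; applying `.strip()` to each entry looks safer unless the configured group type already normalizes DNs, which I could not confirm from this hunk. The index loop can also be written as `functools.reduce(operator.or_, map(LDAPGroupQuery, _groups))`, with the two imports added to the import block at the top of the file outside this hunk.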