Open dpwildboar opened 4 years ago
Hi dpwildboar,

At this moment, there is no way to explicitly deny. I never had this need and no one else asked for this feature. Personally, I create as many groups as needed to give access to features through the binding between LDAP groups and Django groups. This way, if a user must have access to something in Django, he will get it; otherwise, he will have nothing.

Could you maybe explain a bit more about the need? Don't you have the opportunity to create groups to manage all of that? Thanks
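For example, if I have a Python ldap3 search that considers this a deny if found:

```python
from ldap3 import SUBTREE
from ldap3.utils.conv import escape_filter_chars

# conn (a bound ldap3 Connection) and connection_information are defined elsewhere.
# AD_Accnt is split on the backslash (DOMAIN\user form); keep only the account
# name and escape it so it cannot alter the search filter.
account = escape_filter_chars(connection_information['AD_Accnt'].split("\\", 1)[1])

conn.search(
    search_base="DC=adomain,DC=com",
    search_filter="(&(objectCategory=person)(sAMAccountName=" + account + ")(objectclass=user)"
                  "(memberOf:1.2.840.113556.1.4.1941:=CN=App-X-Deny,OU=Security Groups,DC=adomain,DC=com))",
    search_scope=SUBTREE,
    attributes=["sAMAccountName", "displayName", "mail"],
    size_limit=0,
)
```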
How does one set that up in the settings file? It seems that would be a good addition to the doc. I easily figured out how to grant access; I am not clear on how to deny.

Along that line, if you look at the doc for the older https://django-auth-ldap.readthedocs.io/en/latest/ it has a specific way to state that with
```python
AUTH_LDAP_REQUIRE_GROUP = "cn=enabled,ou=groups,dc=example,dc=com"
AUTH_LDAP_DENY_GROUP = "cn=disabled,ou=groups,dc=example,dc=com"
```
or
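```python
from django_auth_ldap.config import LDAPGroupQuery

# Member of either "enabled" group, and not a member of "disabled".
AUTH_LDAP_REQUIRE_GROUP = (
    LDAPGroupQuery("cn=enabled,ou=groups,dc=example,dc=com")
    | LDAPGroupQuery("cn=also_enabled,ou=groups,dc=example,dc=com")
) & ~LDAPGroupQuery("cn=disabled,ou=groups,dc=example,dc=com")
```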
Having something like this as a feature would be nice.
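The require/deny decision discussed in this thread, as an added example that is not code from the thread or from either project: it builds the nested-membership filter from the post with the account name and group DN escaped per RFC 4515, and lets a deny-group hit override a require-group hit. The function names, the `App-X-Users` group, the `matches` callable (which in real use would wrap the LDAP search) and the sample directory are assumptions constructed for illustration.

```python
import re

# OID of AD's LDAP_MATCHING_RULE_IN_CHAIN (nested membership), as used in the post.
IN_CHAIN = "1.2.840.113556.1.4.1941"

def escape_filter_value(value):
    """Escape \\ * ( ) and NUL as \\XX hex pairs for use inside an LDAP filter (RFC 4515)."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def sam_account_name(login):
    """Return the account part of a DOMAIN\\user login, or the login itself if unprefixed."""
    return login.split("\\", 1)[-1]

def membership_filter(login, group_dn):
    """Filter that matches the user only if they are a direct or nested member of group_dn."""
    sam = escape_filter_value(sam_account_name(login))
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(sAMAccountName={sam})(memberOf:{IN_CHAIN}:={escape_filter_value(group_dn)}))")

def is_allowed(login, require_dn, deny_dn, matches):
    """Deny wins over require. matches(filter) is a hypothetical callable: True on a search hit."""
    if deny_dn and matches(membership_filter(login, deny_dn)):
        return False
    return not require_dn or matches(membership_filter(login, require_dn))

# Constructed sample directory: (account, group DN) pairs that would produce a search hit.
DENY = "CN=App-X-Deny,OU=Security Groups,DC=adomain,DC=com"
ALLOW = "CN=App-X-Users,OU=Security Groups,DC=adomain,DC=com"  # hypothetical group
MEMBERS = {("alice", ALLOW), ("bob", ALLOW), ("bob", DENY)}
HITS = {membership_filter(user, group) for user, group in MEMBERS}

def fake_search(ldap_filter):
    """Stand-in for the directory: a filter hits only if it was built for a known member."""
    return ldap_filter in HITS

if __name__ == "__main__":
    for login in ("ADOMAIN\\alice", "ADOMAIN\\bob", "ADOMAIN\\carol", "ADOMAIN\\*"):
        print(login, is_allowed(login, ALLOW, DENY, fake_search))
```

The last login shows why the escaping matters: an unescaped `*` would match every account in the allow group, while the escaped form matches none.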