User can't login when member of multiple groups and more then 1000 groups in the domain

[jobec]

When a user logs in, all groups in the domain are fetched and each one is iterated to find if the user is a member. The LDAP query only fetched the first 1000. If a user is a member of a group that's not included in those first 1000 groups, logon will be denied.

This could be solved by adding all groups in LDAP_SUPERUSER_GROUPS, LDAP_STAFF_GROUPS and LDAP_GROUPS_MAP to LDAP_GROUPS_SEARCH_FILTER in a dynamic way. Filtering out all irrelevant groups.

Proposed solution:

• Do this dynamically in the code instead of leaving it up to the user to configure
• Put this in the usage documentation with some example code to append the groups to the query in LDAP_GROUPS_SEARCH_FILTER

[jobec]

Example code to put in settings.py

ldap_groups = []
for group in LDAP_SUPERUSER_GROUPS + LDAP_STAFF_GROUPS + list(LDAP_GROUPS_MAP.values()):
    ldap_groups.append("(distinguishedName={0})".format(group))

if len(ldap_groups) > 0:
    LDAP_GROUPS_SEARCH_FILTER = "(&{0}(|{1}))".format(LDAP_GROUPS_SEARCH_FILTER, "".join(ldap_groups))

[povtux]

Hi,

Thanks for this info & fix. I added both of your changes (log & groups) and updated it in pypi.

Best regards.