SchrodingersGat
commented
11 months ago @mechanarchy you recently provided some LDAP improvements - does the suggested patch here make sense to you?
Open jacobfelknor opened 11 months ago
SchrodingersGat
commented
11 months ago @mechanarchy you recently provided some LDAP improvements - does the suggested patch here make sense to you?
mechanarchy
commented
11 months ago @SchrodingersGat Yeah I definitely suspected that the LDAP group code would need some further refining. I got it working for me but I use LLDAP which is quite minimal and opinionated.
So I'm totally happy to improve the configurability of the LDAP groups feature. If you'd like, please assign this issue to me and I'll see if I can make a PR in the next couple of days.
SchrodingersGat
commented
11 months ago Much appreciated 👍
jacobfelknor
commented
11 months ago Thanks guys!
github-actions[bot]
commented
8 months ago This issue seems stale. Please react to show this is still important.
matmair
commented
8 months ago @mechanarchy any movement on this?
mechanarchy
commented
8 months ago Apologies, no - in truth I forgot about it over Christmas/New Year, and I now have a new baby so I am not sure when I will get time for it. I've un-assigned myself & hope someone else may be able to pick it up.
It seems like it should be okay to implement most of it, but it might be a bit tricky plucking the GroupOfUniqueNamesType/NestedMemberDNGroupType/etc types out of the django_auth_ldap.config module based on the user input. Probably some try/except trickery with getattr and graceful fallback+logging
github-actions[bot]
commented
6 months ago This issue seems stale. Please react to show this is still important.
matmair
commented
6 months ago @mechanarchy are you still on this or should I give it a try?
mechanarchy
commented
6 months ago @matmair No, unfortunately I still have basically no time for this/other hobbies at the moment.
Please do feel free to implement it yourself, if you need any help or pointers I can reply on GitHub issues/PRs but I just haven't been able to get anywhere near an IDE or git in the last few months.
SchrodingersGat
commented
5 days ago @jacobfelknor (or anyone else) - has any progress been made toward this goal?
jacobfelknor
commented
5 days ago I have continued to use my workaround since I opened this issue and had forgotten about it. I will revisit this,
Please verify that this feature request has NOT been suggested before.
Problem statement
LDAP authentication group type does not match all environments. Current implementation assumes a group type of
GroupOfUniqueNamesType. In my case, this would need to beNestedMemberDNGroupTypeinsteadhttps://github.com/inventree/InvenTree/blob/36bfd62c9384623a7cc2201055fd2675649cb4b9/InvenTree/InvenTree/settings.py#L310
Additionally, the
AUTH_LDAP_GROUP_SEARCHsetting hardcodes anobjectClassto search for, which does not match all environments.https://github.com/inventree/InvenTree/blob/36bfd62c9384623a7cc2201055fd2675649cb4b9/InvenTree/InvenTree/settings.py#L363-L368
For my environment, I would need this instead. Note the change of
objectClass,, and that I specified themember_attrwhen settingAUTH_LDAP_GROUP_TYPEFinally, I'd like to mirror my LDAP groups from the search base to InvenTree. The
AUTH_LDAP_MIRROR_GROUPSoption should be available. Something likeSuggested solution
Make these tweaks configurable through the
.envfile.Describe alternatives you've considered
We are unable to use LDAP authentication in our AD environment with the current settings. I was able to get this working for us by changing the hardcoded objects to match by environment described above by directly editing
settings.py, but feel this should be configurable and upstreamed, instead of my hacky edits.Examples of other systems
No response
Do you want to develop this?
Upvote & Fund