sjkingo / django_auth_ldap3

A library for connecting Django's authentication system to an LDAP directory
BSD 2-Clause "Simplified" License

Allow configuration of LDAP search filter #10

Open automatikdonn opened 8 years ago

automatikdonn commented 8 years ago

This is probably at the bottom of the barrel in terms of priority. Please add in FreeIPA support. The only change required is a better method for the search filter. The fix to get this working with freeipa was to change

search_filter = '(&(objectClass=user)({}={})(memberof={}))'.format(settings.UID_ATTRIB, str(ldap_user), group_dn)

to

search_filter = '(&({}={})(memberof={}))'.format(settings.UID_ATTRIB, str(ldap_user), group_dn)

This is working with my freeipa and mezzanine setup. I'm not a good programmer, or I would just post the full fix.

Maybe a variable like AUTH_LDAP_ADMIN_SEARCH_FILTER =

sjkingo commented 8 years ago

We could certainly implement this. I like the idea of placing the search filter as a configuration option. We could then add documentation examples for common filters.

Leave it with me.

Thanks!

sjkingo commented 8 years ago

Hmm, looking closer at this, it seems we already do a more broad search when binding for the user at backends.py#L228. Perhaps we should implement that for group membership testing also (except &(... memberOf(...)).

I don't see this causing an issue with AD or OpenLDAP but I'll test that change and if all goes well, I can push it to master.

sjkingo commented 8 years ago

Sorry, I haven't forgotten about this change - I will do some work on it shortly as it requires some extensive testing to ensure we don't break existing known behaviour.
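
A sketch of the configurable group-membership filter proposed in this thread, added here as an example and not taken from django_auth_ldap3 or from any commenter. The template constants, function names and sample DNs are hypothetical; only the two filter shapes come from the issue. It also escapes the user and group values per RFC 4515 so that a login name cannot change the structure of the filter.

```python
import re
import string

# RFC 4515 section 3: characters that must be written as \XX in a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Hypothetical templates; the filter shapes are the two quoted in the issue.
AD_GROUP_FILTER = "(&(objectClass=user)({uid_attrib}={user})(memberof={group_dn}))"
FREEIPA_GROUP_FILTER = "(&({uid_attrib}={user})(memberof={group_dn}))"

_ALLOWED_FIELDS = {"uid_attrib", "user", "group_dn"}
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in str(value))


def validate_template(template):
    """Reject templates with unknown placeholders or unbalanced parentheses."""
    fields = {name for _, name, _, _ in string.Formatter().parse(template)
              if name is not None}
    unknown = fields - _ALLOWED_FIELDS
    if unknown:
        # Also catches "{}" and attribute lookups such as "{user.x}".
        raise ValueError("unsupported placeholders: %s" % sorted(unknown))
    if template.count("(") != template.count(")"):
        raise ValueError("unbalanced parentheses in filter template")
    return template


def build_group_filter(template, uid_attrib, user, group_dn):
    """Fill a configured template with escaped, validated values."""
    validate_template(template)
    if not _ATTR_NAME.match(uid_attrib):
        raise ValueError("invalid attribute name: %r" % uid_attrib)
    return template.format(
        uid_attrib=uid_attrib,
        user=escape_filter_value(user),
        group_dn=escape_filter_value(group_dn),
    )


if __name__ == "__main__":
    # Constructed sample values.
    dn = "cn=admins,cn=groups,cn=accounts,dc=example,dc=com"
    print(build_group_filter(FREEIPA_GROUP_FILTER, "uid", "alice", dn))
    print(build_group_filter(AD_GROUP_FILTER, "sAMAccountName", "alice", dn))
```
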