sjkingo / django_auth_ldap3

A library for connecting Django's authentication system to an LDAP directory
BSD 2-Clause "Simplified" License

Map LDAP groups to Django groups #11

Closed alandmoore closed 8 years ago

alandmoore commented 8 years ago

I did not see a way to map LDAP groups to Django groups. Would that be appropriate functionality to include in this module, or should that be done outside the auth module?

sjkingo commented 8 years ago

This sounds like an interesting feature: what are your use cases for it? How would you do the identity mapping between Django and LDAP group?

Would it be similar to authentication where upon success, the memberOf attribute is enumerated and any groups there added to the corresponding Django group?

Just trying to expand out the idea :)

alandmoore commented 8 years ago

In my case, I have groups in our AD, and I want permissions in the application to be determined by group membership in the AD. So for example there might be a "myapp_user" and "myapp_admins" group in AD. I want the admins to have additional privileges in the application, maybe some limited abilities in the Django admin.

Right now, I can make these users able to login to the admin, but I don't see a way to assign any actual permissions by virtue of LDAP group membership. I can assign permissions to Django groups, though, so what's needed is a way to associate the two.

I'm thinking there could be a setting which maps an LDAP group membership to django groups. On login, the LDAP backend could check for membership in each LDAP group, and add groups accordingly.

What gets sticky is if Django group membership should be revoked if the LDAP group membership is removed.

Hope I'm explaining this well. What I'm ultimately trying to do is not have to manage group memberships manually in both the LDAP and in Django admin.

sjkingo commented 8 years ago

That use case sounds exactly like what I was thinking. I believe this would be a great addition to the library.

Would you like to implement it and send a PR, or would you like me to?

alandmoore commented 8 years ago

I can take a crack at it.

sjkingo commented 8 years ago

Merged in #17
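
The mapping and revocation question discussed in this thread, sketched as an added example; it is not part of the issue or of the code merged in #17. The names `GROUP_MAP`, `normalise_dn` and `plan_group_sync` are hypothetical, the DNs are constructed sample data, and the DN comparison is a simplification that ignores escaped commas.

```python
# Added example: GROUP_MAP, normalise_dn and plan_group_sync are hypothetical
# names, not settings or functions of django_auth_ldap3.

def normalise_dn(dn):
    """Simplified comparison key: case-insensitive, ignores spaces around commas.
    Assumption: no escaped commas inside RDN values."""
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def plan_group_sync(member_of, group_map, current_groups):
    """Return (to_add, to_remove) lists of Django group names for one login.

    member_of      -- DNs read from the user's memberOf attribute after bind
    group_map      -- {LDAP group DN: [Django group names]}
    current_groups -- Django group names the user holds right now
    """
    held = {normalise_dn(dn) for dn in member_of}
    managed = set()   # every Django group the mapping controls
    entitled = set()  # the subset the directory grants at this login
    for ldap_dn, django_names in group_map.items():
        managed.update(django_names)
        if normalise_dn(ldap_dn) in held:
            entitled.update(django_names)

    current = set(current_groups)
    to_add = entitled - current
    # Revoke only groups the mapping manages, so a user dropped from an LDAP
    # group loses the mapped privilege, while groups assigned by hand in the
    # Django admin are never touched.
    to_remove = (current & managed) - entitled
    return sorted(to_add), sorted(to_remove)


# Constructed sample mapping; two LDAP groups may grant the same Django group.
GROUP_MAP = {
    "CN=myapp_admins,OU=Groups,DC=example,DC=com": ["admins", "staff"],
    "CN=myapp_user,OU=Groups,DC=example,DC=com": ["staff"],
}

if __name__ == "__main__":
    # A former admin who is now only in myapp_user, plus a hand-assigned group.
    member_of = ["cn=myapp_user, ou=Groups, dc=example, dc=com"]
    print(plan_group_sync(member_of, GROUP_MAP, ["admins", "staff", "editors"]))
```

In an authentication backend the two lists would be applied with `user.groups.add()` and `user.groups.remove()` after a successful bind. Revocation only takes effect at the next login, so an existing session keeps its old groups until then.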