Add env variables AUTH_LDAP_GROUP_SEARCH_ROOT for LDAP group mirrorin…

…g and AUTH_LDAP_CHRIS_ADMIN_GROUP to define a ChRIS admin group
FNNDSC · Nov 7, 2024 · e41e1a7 · e41e1a7
1 parent 3e15a1b
commit e41e1a7
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/chris_backend/config/settings/local.py b/chris_backend/config/settings/local.py
@@ -10,7 +10,7 @@
 
 import os
 import ldap
-from django_auth_ldap.config import LDAPSearch
+from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
 from .common import *  # noqa
 from core.storage import verify_storage_connection
 
@@ -192,6 +192,8 @@
     AUTH_LDAP_BIND_DN = 'uid=admin,ou=people,dc=example,dc=org'
     AUTH_LDAP_BIND_PASSWORD = 'chris1234'
     AUTH_LDAP_USER_SEARCH_ROOT = 'ou=people,dc=example,dc=org'
+    AUTH_LDAP_GROUP_SEARCH_ROOT = 'ou=groups,dc=example,dc=org'
+    AUTH_LDAP_CHRIS_ADMIN_GROUP = 'chris_admin'
 
     AUTH_LDAP_USER_SEARCH = LDAPSearch(AUTH_LDAP_USER_SEARCH_ROOT, ldap.SCOPE_SUBTREE,
                                        '(uid=%(user)s)')
@@ -200,6 +202,13 @@
         'last_name': 'sn',
         'email': 'mail'
     }
+    AUTH_LDAP_GROUP_SEARCH = LDAPSearch(AUTH_LDAP_GROUP_SEARCH_ROOT, ldap.SCOPE_SUBTREE,
+                                        '(objectClass=groupOfNames)')
+    AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
+    AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+        'is_staff': f'cn={AUTH_LDAP_CHRIS_ADMIN_GROUP},{AUTH_LDAP_GROUP_SEARCH_ROOT}'
+    }
+    AUTH_LDAP_MIRROR_GROUPS_EXCEPT = ['all_users', 'pacs_users']
 
     AUTHENTICATION_BACKENDS = (
         'users.models.CustomLDAPBackend',

diff --git a/chris_backend/config/settings/production.py b/chris_backend/config/settings/production.py
@@ -5,7 +5,7 @@
 """
 
 import ldap
-from django_auth_ldap.config import LDAPSearch
+from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
 from .common import *  # noqa
 from environs import Env, EnvValidationError
 from core.storage import verify_storage_connection
@@ -168,6 +168,8 @@ def get_secret(setting, secret_type=env):
     AUTH_LDAP_BIND_DN = get_secret('AUTH_LDAP_BIND_DN')
     AUTH_LDAP_BIND_PASSWORD = get_secret('AUTH_LDAP_BIND_PASSWORD')
     AUTH_LDAP_USER_SEARCH_ROOT = get_secret('AUTH_LDAP_USER_SEARCH_ROOT')
+    AUTH_LDAP_GROUP_SEARCH_ROOT = get_secret('AUTH_LDAP_GROUP_SEARCH_ROOT')
+    AUTH_LDAP_CHRIS_ADMIN_GROUP = get_secret('AUTH_LDAP_CHRIS_ADMIN_GROUP')
 
     AUTH_LDAP_USER_SEARCH = LDAPSearch(AUTH_LDAP_USER_SEARCH_ROOT, ldap.SCOPE_SUBTREE,
                                        '(uid=%(user)s)')
@@ -176,6 +178,13 @@ def get_secret(setting, secret_type=env):
         'last_name': 'sn',
         'email': 'mail'
     }
+    AUTH_LDAP_GROUP_SEARCH = LDAPSearch(AUTH_LDAP_GROUP_SEARCH_ROOT, ldap.SCOPE_SUBTREE,
+                                        '(objectClass=groupOfNames)')
+    AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
+    AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+        'is_staff': f'cn={AUTH_LDAP_CHRIS_ADMIN_GROUP},{AUTH_LDAP_GROUP_SEARCH_ROOT}'
+    }
+    AUTH_LDAP_MIRROR_GROUPS_EXCEPT = ['all_users', 'pacs_users']
 
     AUTHENTICATION_BACKENDS = (
         'users.models.CustomLDAPBackend',