使用 django-python3-ldap 查找安全组的用户
问题描述
非常对 LDAP 和 AD 不熟悉.我正在使用 django-python3-ldap 对我的 django 应用程序的用户进行身份验证.我们希望只有一部分用户可以访问我们的 django 应用程序,所以昨天他们添加了安全组MyAppGroup".唯一的问题是,我似乎无法将其添加到搜索库中.用户查找总是失败.
Very new to LDAP and AD. I'm using django-python3-ldap to authenticate users of my django app. We want to make it so that only a subset of our users can access our django app, so yesterday they added the security group 'MyAppGroup.' Only problem is, I don't seem able to add this to the search base. User lookup always fails.
工作搜索库(返回所有用户):
Working search base (returns ALL users):
"ou=Basic Users,ou=BIGAPP Users,dc=subd,dc=domain,dc=com"
当我询问时,他们说 MyAppGroup 是一个安全组,而基本用户"是一个安全组.和BIGAPP 用户"是AD 成员".
When I asked, they said that MyAppGroup was a security group, and that "Basic Users" and "BIGAPP Users" were "AD Members."
dsquery 组-名称MyAppGroup"
返回:
CN=MyAppGroup,OU=BIGAPP Groups,dc=subd,dc=domain,dc=com
此结果不能作为搜索库.我是否需要添加自定义搜索过滤器才能正常工作?任何帮助表示赞赏.
This result does not work as the search base. Do I need to add a custom search filter for this to work? Any help is appreciated.
添加 (&(memberOf=BIGAPPS Group)(memberOf=cn=MyAppGroup)) 到搜索过滤器现在返回LDAP 用户属性为空"
Adding (&(memberOf=BIGAPPS Group)(memberOf=cn=MyAppGroup)) to search filters now returns "LDAP user attributes empty"
编辑 2:运行命令 dsget group "CN=MyAppGroup,OU=BIGAPP Groups,dc=subd,dc=domain,dc=com"-members -expand 返回组成员列表:
EDIT 2:
Running the command dsget group "CN=MyAppGroup,OU=BIGAPP Groups,dc=subd,dc=domain,dc=com" -members -expand returns a list of group members:
CN=User McLastname,OU=Basic Users,OU=BIGAPP Groups,dc=subd,dc=domain,dc=com""CN=User2 o'Lastname,OU=Basic Users,OU=BIGAPP Groups,dc=subd,dc=domain,dc=com",..etc
"CN=User McLastname,OU=Basic Users,OU=BIGAPP Groups,dc=subd,dc=domain,dc=com" "CN=User2 o'Lastname,OU=Basic Users,OU=BIGAPP Groups,dc=subd,dc=domain,dc=com",..etc
所以我知道该组存在.我觉得我错过了一些小部分来完成这项工作.
So I know the group exists. I feel like I'm missing some small piece to make this work.
编辑 3:
LDAP_AUTH_URL = "ldap://sub.domain.com"
LDAP_AUTH_FORMAT_USERNAME = "django_python3_ldap.utils.format_username_active_directory"
LDAP_AUTH_USE_TLS = True
LDAP_AUTH_ACTIVE_DIRECTORY_DOMAIN = "SUBD"
LDAP_AUTH_SEARCH_BASE="DC=subd,DC=domain,DC=com"
LDAP_AUTH_OBJECT_CLASS="user"
LDAP_AUTH_USER_FIELDS = {
"username": "sAMAccountName",
"first_name": "givenName",
"last_name": "sn",
"email": "mail",
}
LDAP_AUTH_FORMAT_SEARCH_FILTERS="myapp.searchfilter.myapp_search_filters"
搜索过滤器
Search filters
def myapp_search_filters(ldap_fields):
search_filters = format_search_filters(ldap_fields)
search_filters.append("(&(memberOf=cn=MyAppGroup,OU=BIGAPP_Group,DC=subd,DC=domain,dc=com))")
解决方案
在 memberOf 过滤器中使用组的完全限定 DN:(&(memberOf=CN=MyAppGroup,OU=BIGAPP Groups,dc=subd,dc=domain,dc=com))
Use the fully qualified DN of the group in the memberOf filter: (&(memberOf=CN=MyAppGroup,OU=BIGAPP Groups,dc=subd,dc=domain,dc=com))
相关文章