[GeoNode-users] LDAP User inclusion into the corresponding GeoNode Group

Chiara Sammarco chiara.sammarco at geodatalab.it
Wed Nov 6 00:59:10 PST 2019


Hi all,
I just wanted to say that I've solved the problem thanks to the Django
"LDAP Group mirroring" functionality.
It is well explained here:
https://django-auth-ldap.readthedocs.io/en/latest/permissions.html

It is just one line of code:

```
AUTH_LDAP_MIRROR_GROUPS = True
```

In this way, Django creates the group if not present and inserts the
user in the group.
GeoNode group permissions may be added by the administrator in a subsequent
step.


By the way, in the first part of the guide it is said that "the
implementations of LDAPGroupType will have algorithm for deriving the
django group name from the LDAP group" and that "the least invasive way to
map group permissions is to set AUTH_LDAP_FIND_GROUP_PERMS to true" and
set "AUTH_LDAP_CACHE_TIMEOUT = 3600".

However, my settings were already the following:

```
AUTH_LDAP_GROUP_TYPE = GeonodeNestedGroupOfNamesType()
AUTH_LDAP_ALWAYS_UPDATE_USER = True
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_CACHE_TIMEOUT = 3600
```

and it did not insert the user in the groups, even if I had created the
groups before (maybe my groups did not fit the GeonodeNestedGroupOfNamesType
LDAPGroupType implementation?)

By the way, with mirroring it worked.
Have a good day,
Chiara




On Tue, Nov 5, 2019 at 2:59 PM Chiara Sammarco <
chiara.sammarco at geodatalab.it> wrote:

> Dear GeoNode Users,
>
> I'm using SPCGeonode 2.10 (Ubuntu 18.04).
>
> I'm working with the LDAP configuration. Now I'm at the point that users
> of different LDAP groups can login into GeoNode and they are given staff or
> superuser privileges according to the LDAP group they belong to.
>
> And this guide
> <http://docs.geonode.org/en/2.10.x/advanced/contrib/#configuration> is
> basically done thanks to:
>
> ```
> AUTH_LDAP_USER_FLAGS_BY_GROUP = {
>     'is_staff': [LDAPGROUP1],
>     'is_superuser': [LDAPGROUP2],
>     'is_active': [LDAPGROUP1, LDAPGROUP2]
> }
> ```
>
> The problem is that the users are not inserted in the corresponding group.
> I've also tried to create the groups in geonode with the same name of the
> LDAP group, but nothing.
>
> In the guide it's written:
>
>> Any groups that the user is a member of in LDAP (under the
>> cn=groups,dc=ad,dc=example,dc=org search base and belonging to one of
>> (|(cn=abt1)(cn=abt2)(cn=abt3)(cn=abt4)(cn=abt5)(cn=abt6)) groups) will
>> be mapped to the corresponding geonode groups, even creating these groups
>> in geonode in case they do not exist yet. The geonode user is also made a
>> member of these geonode groups.
>>
>> You may also manually generate the geonode groups in advance, before users
>> login. In this case, when a user logs in and the mapped LDAP group already
>> exists, the user is merely added to the geonode group
>
> So I do expect this behavior.
>
> ```
> AUTH_LDAP_GROUP_TYPE = GeonodeNestedGroupOfNamesType()
> GEONODE_LDAP_GROUP_NAME_ATTRIBUTE = "cn"
> GEONODE_LDAP_GROUP_PROFILE_FILTERSTR = "(|(cn=ldapgroup1)(cn=ldapgroup2))"
> GEONODE_LDAP_GROUP_PROFILE_MEMBER_ATTR = "member"
> ```
>
> I've tested also GEONODE_LDAP_GROUP_PROFILE_MEMBER_ATTR = "uniqueMember"
>
> Any ideas of what it can be? Or how can I do some code testing for this
> part?
>
> In the django-auth-ldap
> <https://django-auth-ldap.readthedocs.io/en/latest/users.html#direct-attribute-access> documentation,
> it is written about populating a user and it points out the group_dns and
> group_names attributes. For this part, as far as I understand,
> GeonodeNestedGroupOfNamesType() is in charge, along with the LDAPBackend
> (I've seen that there's a function add_groups_to_user)... How to test
> this?
>
> Thanks in advance for your help,
> Chiara
>
> .
>
>
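
The mirroring setting discussed in this message also controls which memberships LDAP may overwrite at login. The following is an added example, not code from the post or from django-auth-ldap: it models with plain sets the rules the django-auth-ldap documentation gives for `AUTH_LDAP_MIRROR_GROUPS` and `AUTH_LDAP_MIRROR_GROUPS_EXCEPT`; the function names and the group names `hr-all` and `local-editors` are assumptions made for the illustration.

```python
# Added illustration: models, with plain sets, the group-mirroring rules that the
# django-auth-ldap documentation describes. It does not import or call the library.

def mirrored_membership(ldap_groups, django_groups, mirror=True, mirror_except=None):
    """Return the Django group names a user holds after an LDAP login.

    mirror        -- AUTH_LDAP_MIRROR_GROUPS: False, True, or a collection of names
    mirror_except -- AUTH_LDAP_MIRROR_GROUPS_EXCEPT: None or a collection of names
    """
    ldap_groups, django_groups = frozenset(ldap_groups), frozenset(django_groups)
    if mirror_except is not None:
        # Mirror everything except these names; their membership is left alone.
        keep = frozenset(mirror_except)
        return (ldap_groups - keep) | (django_groups & keep)
    if mirror is True:
        # Membership is made to match LDAP exactly: local-only groups are dropped.
        return ldap_groups
    if not mirror:
        return django_groups  # mirroring disabled, nothing changes
    # A collection of names: only those groups are managed from LDAP.
    managed = frozenset(mirror)
    return (ldap_groups & managed) | (django_groups - managed)


def groups_created(result, existing_django_groups):
    """Groups Django would have to create because they did not exist yet."""
    return frozenset(result) - frozenset(existing_django_groups)


# Constructed sample data. ldapgroup1/ldapgroup2 are the names used in the post;
# "hr-all" and "local-editors" are made up for the illustration.
LDAP_GROUPS = {"ldapgroup1", "hr-all"}   # what the directory reports for the user
DJANGO_GROUPS = {"local-editors"}        # assigned by hand in the GeoNode admin
EXISTING = {"local-editors", "ldapgroup1", "ldapgroup2"}

if __name__ == "__main__":
    cases = {
        "True": dict(mirror=True),
        "['ldapgroup1', 'ldapgroup2']": dict(mirror=["ldapgroup1", "ldapgroup2"]),
        "EXCEPT ['local-editors']": dict(mirror_except=["local-editors"]),
    }
    for label, kwargs in cases.items():
        result = mirrored_membership(LDAP_GROUPS, DJANGO_GROUPS, **kwargs)
        print(f"{label:30} member of {sorted(result)}; "
              f"created {sorted(groups_created(result, EXISTING))}")
```

With `True`, the hand-assigned `local-editors` membership is removed and `hr-all` is created; listing only the groups that should be driven by LDAP leaves every other membership untouched.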