<div dir="ltr">Hi all,
<div>I just wanted to tell you that I've solved the problem thanks to the Django "LDAP group mirroring" functionality.<br>It is well explained here: <a href="https://django-auth-ldap.readthedocs.io/en/latest/permissions.html">https://django-auth-ldap.readthedocs.io/en/latest/permissions.html</a></div>
<div><br></div>
<div>It is just one line of code:</div>
<pre><code>AUTH_LDAP_MIRROR_GROUPS = True</code></pre>
<div>In this way, Django creates the group if it is not present and inserts the user in the group.<br>GeoNode group permissions may be added by the administrator in a subsequent step.</div>
<div><br></div>
<div>By the way, in the first part of the guide it is said that "<b><u>the implementations of LDAPGroupType will have algorithm for deriving the django group name from the LDAP group</u></b>" and that "the least invasive way to map group permissions is to set AUTH_LDAP_FIND_GROUP_PERMS to true" and set "<code>AUTH_LDAP_CACHE_TIMEOUT = 3600</code>"</div>
<div><br></div>
<div>However, my settings were already the following:</div>
<pre><code>AUTH_LDAP_GROUP_TYPE = GeonodeNestedGroupOfNamesType()
AUTH_LDAP_ALWAYS_UPDATE_USER = True
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_CACHE_TIMEOUT = 3600</code></pre>
<div>and it did not insert the user in the groups, even though I had created the groups beforehand (maybe my groups did not fit the <i>GeonodeNestedGroupOfNamesType</i> LDAPGroupType implementation?)</div>
<div><br></div>
<div>By the way, with mirroring it worked.</div>
<div>Have a good day,</div>
<div>Chiara</div>
<br>
<div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Nov 5, 2019 at 2:59 PM Chiara Sammarco &lt;<a href="mailto:chiara.sammarco@geodatalab.it">chiara.sammarco@geodatalab.it</a>&gt; wrote:<br></div>
<blockquote class="gmail_quote">
<div dir="ltr">Dear GeoNode Users,
<div><br></div>
<div>I'm using SPCGeonode 2.10 (Ubuntu 18.04).<br><br>I'm working with the LDAP configuration. Now I'm at the point that users of different LDAP groups can log in to GeoNode and they are given staff or superuser privileges according to the LDAP group they belong to.<br><br>And this <a href="http://docs.geonode.org/en/2.10.x/advanced/contrib/#configuration" target="_blank">guide</a> is basically done thanks to:</div>
<pre><code>AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    'is_staff': [LDAPGROUP1],
    'is_superuser': [LDAPGROUP2],
    'is_active': [LDAPGROUP1, LDAPGROUP2]
}</code></pre>
<div>The problem is that the users are not inserted in the corresponding group. I've also tried to create the groups in GeoNode with the same name as the LDAP group, but nothing changed.<br><br>In the guide it's written:</div>
<blockquote class="gmail_quote">Any groups that the user is a member of in LDAP (under the <code>cn=groups,dc=ad,dc=example,dc=org</code> search base and belonging to one of <code>(|(cn=abt1)(cn=abt2)(cn=abt3)(cn=abt4)(cn=abt5)(cn=abt6))</code> groups) will be mapped to the corresponding geonode groups, even creating these groups in geonode in case they do not exist yet. The geonode user is also made a member of these geonode groups.</blockquote>
<div><br></div>
<blockquote class="gmail_quote">You may also manually generate the geonode groups in advance, before users login. In this case, when a user logs in and the mapped LDAP group already exists, the user is merely added to the geonode group</blockquote>
<div><br>So I do expect this behavior.</div>
<pre><code>AUTH_LDAP_GROUP_TYPE = GeonodeNestedGroupOfNamesType()
GEONODE_LDAP_GROUP_NAME_ATTRIBUTE = "cn"
GEONODE_LDAP_GROUP_PROFILE_FILTERSTR = "(|(cn=ldapgroup1)(cn=ldapgroup2))"
GEONODE_LDAP_GROUP_PROFILE_MEMBER_ATTR = "member"</code></pre>
<div>I've also tested GEONODE_LDAP_GROUP_PROFILE_MEMBER_ATTR = "uniqueMember"</div>
<div><br>Any ideas of what it can be? Or how could I write some code to test this part?<br><br>In the <a href="https://django-auth-ldap.readthedocs.io/en/latest/users.html#direct-attribute-access" target="_blank">django-auth-ldap</a> documentation, it is written about populating a user and it points out the group_dns and group_names attributes. For this part, as far as I understand, GeonodeNestedGroupOfNamesType() is in charge, along with the LDAPBackend (I've seen that there's a function <code>add_groups_to_user</code>) ... How to test this?<br><br>Thanks in advance for your help,</div>
<div>Chiara</div>
</div>
</blockquote></div>
</div>
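<p>The question in the quoted message is how to test the group lookup. As an added example (not GeoNode's or django-auth-ldap's code), the block below is a stand-alone model of what the configured filter and member attribute select: it parses a filter of the shape used in GEONODE_LDAP_GROUP_PROFILE_FILTERSTR, keeps the groups that both match it and list the user's DN under the configured attribute, and takes the group name from cn as GEONODE_LDAP_GROUP_NAME_ATTRIBUTE does. The directory entries and the user DN are constructed; the second function flags the silent case where a filtered group holds the user under a different attribute (uniqueMember on a groupOfUniqueNames versus member), which yields no mapping and no error.</p>

```python
"""Model of how an LDAP group filter plus the membership attribute select the
groups a user is placed in. Added example on constructed data, not GeoNode's code."""
import re

# Constructed directory snapshot: DN -> attributes (multi-valued, as LDAP returns them).
DIRECTORY = {
    "cn=ldapgroup1,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"], "cn": ["ldapgroup1"],
        "member": ["uid=chiara,ou=people,dc=example,dc=org"]},
    "cn=ldapgroup2,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["ldapgroup2"],
        "uniqueMember": ["uid=chiara,ou=people,dc=example,dc=org"]},
    "cn=admins,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"], "cn": ["admins"],
        "member": ["uid=someone,ou=people,dc=example,dc=org"]},
}
_OR_FILTER = re.compile(r"^\(\|((?:\([A-Za-z][\w-]*=[^()]+\))+)\)$")

def parse_or_filter(filterstr):
    """Parse the (|(attr=v1)(attr=v2)...) shape used for
    GEONODE_LDAP_GROUP_PROFILE_FILTERSTR into (attr, value) pairs; reject anything else."""
    match = _OR_FILTER.match(filterstr.strip())
    if not match:
        raise ValueError("unsupported filter: %r" % filterstr)
    return [tuple(t.split("=", 1)) for t in re.findall(r"\(([^()]+)\)", match.group(1))]

def _has(attrs, attr, value):
    """LDAP compares DNs and most attribute values case-insensitively."""
    return value.lower() in (v.lower() for v in attrs.get(attr, []))

def matching_groups(directory, filterstr, user_dn, member_attr, name_attr="cn"):
    """Group names (value of name_attr) of entries that match the filter AND list
    user_dn under member_attr: the groups the user would be mapped into."""
    terms = parse_or_filter(filterstr)
    return sorted(attrs[name_attr][0] for attrs in directory.values()
                  if any(_has(attrs, a, v) for a, v in terms)
                  and _has(attrs, member_attr, user_dn))

def member_attr_mismatches(directory, filterstr, user_dn, member_attr):
    """Filtered groups that list the user under a membership attribute other than
    the configured one. Such groups yield no mapping and no error, so check for them."""
    terms = parse_or_filter(filterstr)
    found = []
    for attrs in directory.values():
        if not any(_has(attrs, a, v) for a, v in terms):
            continue
        for other in ("member", "uniqueMember"):
            if other != member_attr and _has(attrs, other, user_dn):
                found.append((attrs["cn"][0], other))
    return found
```

Run the two functions against an export of your real group entries (for example from ldapsearch) with the filter and member attribute from your settings; an empty first result with a non-empty second one points at the attribute, not at the Django side.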