
I'm running Django 1.8.18 and django-auth-ldap 1.2.11 authenticating against Active Directory.

My current configuration authenticates properly against the AD, however, when I enabled AUTH_LDAP_FIND_GROUPS_PERMS it doesn't seem to do anything. I've previously tried AUTH_LDAP_MIRROR_GROUPS (which works without any problem), and found all of the user's groups created. The only slight issue is that it also removes any local group memberships the user had.

In any case, after having the groups auto-created by AUTH_LDAP_MIRROR_GROUPS I would expect AUTH_LDAP_FIND_GROUPS_PERMS would auto-add the user to that same group on the next login. However, this did not happen. The only change in configuration was those two lines. The AUTH_LDAP_GROUP_TYPE is set to NestedActiveDirectoryGroupType().

Any ideas why users aren't being added to the groups with matching names?

Programming123

2 Answers


Turns out that AUTH_LDAP_FIND_GROUPS_PERMS doesn't actually add users to a group, but virtually adds them to it, making sure their permissions respond as if they were in the groups that match names.

Programming123
  • Thanks a lot! This was really confusing to debug, because the only way to verify that things worked was not the intuitive way of looking whether the _group membership_ has been established, but the indirect way of looking whether the _permissions have been granted_. – Lukas Juhrich Nov 04 '17 at 06:01
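To make the distinction in this answer concrete, here is an added illustration (not django-auth-ldap's own code, and not from either poster) that models the documented behaviour of the two settings in plain Python so it runs offline. Note that the setting the library actually reads is spelled AUTH_LDAP_FIND_GROUP_PERMS (singular GROUP). The group names, permission codenames and the list of LDAP groups reported for the user are constructed sample data; the DjangoGroup/DjangoUser classes stand in for Django's Group and User models. The model shows the two observations on this page: mirroring replaces the user's persisted memberships (so a local-only group is dropped), while FIND_GROUP_PERMS leaves user.groups untouched and only changes what has_perm() answers, which is why checking permissions rather than membership is the right way to verify it.

```python
"""Model of AUTH_LDAP_MIRROR_GROUPS vs AUTH_LDAP_FIND_GROUP_PERMS.

Added illustration, not django-auth-ldap's code. It reproduces the documented
behaviour with plain Python objects; all names below are constructed samples.
"""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class DjangoGroup:          # stands in for django.contrib.auth.models.Group
    name: str
    permissions: Set[str] = field(default_factory=set)


@dataclass
class DjangoUser:           # stands in for the User model; groups = persisted M2M
    username: str
    groups: Set[str] = field(default_factory=set)


# Constructed sample state: the local Django group table (one group exists only
# locally) and the groups the directory reports for the user (their CNs).
DJANGO_GROUPS: Dict[str, DjangoGroup] = {
    "Developers": DjangoGroup("Developers", {"app.view_ticket", "app.change_ticket"}),
    "Auditors": DjangoGroup("Auditors", {"app.view_ticket"}),
    "LocalAdmins": DjangoGroup("LocalAdmins", {"app.delete_ticket"}),
}
LDAP_GROUPS_FOR_USER: List[str] = ["Developers", "Auditors"]


def mirror_groups(user: DjangoUser, ldap_groups: List[str],
                  django_groups: Dict[str, DjangoGroup]) -> DjangoUser:
    """AUTH_LDAP_MIRROR_GROUPS = True: persist LDAP membership on login.

    Groups missing locally are created; the user's membership set is *replaced*
    by the LDAP set, which is why a local-only membership disappears.
    """
    for name in ldap_groups:
        django_groups.setdefault(name, DjangoGroup(name))
    user.groups = set(ldap_groups)
    return user


def find_group_perms(ldap_groups: List[str],
                     django_groups: Dict[str, DjangoGroup]) -> Set[str]:
    """AUTH_LDAP_FIND_GROUP_PERMS = True: the backend's get_group_permissions().

    Django groups whose names match the user's LDAP groups contribute their
    permissions. Nothing is written to user.groups, and an LDAP group with no
    same-named Django group contributes nothing.
    """
    perms: Set[str] = set()
    for name in ldap_groups:
        group = django_groups.get(name)
        if group is not None:
            perms |= group.permissions
    return perms


def has_perm(user: DjangoUser, perm: str, ldap_groups: List[str],
             django_groups: Dict[str, DjangoGroup], find_group_perms_enabled: bool) -> bool:
    """user.has_perm(): permissions from persisted groups, plus the LDAP
    backend's virtual group permissions when FIND_GROUP_PERMS is on."""
    granted: Set[str] = set()
    for name in user.groups:
        granted |= django_groups[name].permissions
    if find_group_perms_enabled:
        granted |= find_group_perms(ldap_groups, django_groups)
    return perm in granted


def demo():
    """Run both scenarios on a fresh copy of the sample state.

    Returns ((perm granted?, memberships), ...) for FIND_GROUP_PERMS only and
    for MIRROR_GROUPS only, starting from a user who is in LocalAdmins.
    """
    groups = copy.deepcopy(DJANGO_GROUPS)
    # Scenario 1: FIND_GROUP_PERMS only. Permission is granted, membership untouched.
    u1 = DjangoUser("alice", groups={"LocalAdmins"})
    s1 = (has_perm(u1, "app.change_ticket", LDAP_GROUPS_FOR_USER, groups, True),
          sorted(u1.groups))
    # Scenario 2: MIRROR_GROUPS only. Membership rewritten, LocalAdmins dropped.
    u2 = DjangoUser("alice", groups={"LocalAdmins"})
    mirror_groups(u2, LDAP_GROUPS_FOR_USER, groups)
    s2 = (has_perm(u2, "app.change_ticket", LDAP_GROUPS_FOR_USER, groups, False),
          sorted(u2.groups))
    return s1, s2


if __name__ == "__main__":
    print(demo())
```

Because FIND_GROUP_PERMS only consults groups that already exist in Django with matching names, the usual pattern is to create those groups (by hand, or once via MIRROR_GROUPS) and attach permissions to them; from then on the LDAP backend answers has_perm() for their members without ever writing to the membership table. Later releases of the library also add AUTH_LDAP_MIRROR_GROUPS_EXCEPT for keeping selected local memberships out of the mirror's replace step.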

I suspect that it's the AUTH_LDAP_GROUP_TYPE you're using. I am also using this library, and have it syncing groups/memberships. This is a full dump of my settings for the library:

import ldap
from django_auth_ldap.config import (
    ActiveDirectoryGroupType,
    LDAPSearch,
    LDAPSearchUnion,
)

AUTH_LDAP_START_TLS = True
AUTH_LDAP_SERVER_URI = 'xxxx'
AUTH_LDAP_GLOBAL_OPTIONS = {
    # Disables server certificate verification: any certificate, including one
    # presented by a man-in-the-middle, is accepted, so StartTLS here only hides
    # the bind password from passive observers. In production use
    # ldap.OPT_X_TLS_DEMAND together with ldap.OPT_X_TLS_CACERTFILE.
    ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER
}
AUTH_LDAP_BIND_DN = 'yyyy'
AUTH_LDAP_BIND_PASSWORD = 'zzzz'
AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
    LDAPSearch(
        'OU=OurCorp,DC=foo,DC=bar,DC=com',
        ldap.SCOPE_SUBTREE,
        # AD logins are usually matched on sAMAccountName; uid only works when
        # that attribute is populated on the user objects.
        filterstr='(uid=%(user)s)'
    ),
)

AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}

# Membership is read from the user's memberOf attribute (direct groups only).
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    'OU=Security Groups,OU=Users and Groups,OU=OurCorp,DC=foo,DC=bar,DC=com',
    ldap.SCOPE_SUBTREE,
    '(objectClass=group)'
)
# Write the user's LDAP groups into Django on every login, creating missing
# groups and replacing the existing membership set.
AUTH_LDAP_MIRROR_GROUPS = True

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    'is_staff': [  # Allow login to the Django admin site
        'CN=Our-Staff-Group,OU=Security Groups,OU=Users and Groups,OU=OurCorp,DC=foo,DC=bar,DC=com',
    ],
    'is_superuser': [  # Implicitly grant ALL permissions to members of these groups
        'CN=Our-Superuser-Group,OU=Security Groups,OU=Users and Groups,OU=OurCorp,DC=foo,DC=bar,DC=com'
    ],
}

As I mentioned, I think the AUTH_LDAP_GROUP_TYPE is likely your issue, but that could depend on your own AD setup.

Joey Wilhelm
  • Ah, I figured it out - I assumed that `AUTH_LDAP_FIND_GROUPS_PERMS` would add the user to the groups in question. Instead, it simply creates a virtual membership in the group responding to permission checks in line with the group. – Programming123 May 12 '17 at 05:14
  • I fell upon the same issue and your solution really worked. Thank you :-) – Pabasara Ranathunga Aug 17 '20 at 13:43