django-auth-ldap default values for newly created user

Question

I have a Django app which has two authentication backends, an LDAP backend that has all 'internal' users and a custom backend having 'external' users. All internal users which match the LDAP group search filter should be created with is_staff: True.

Previously, we used

AUTH_LDAP_USER_ATTR_MAP = {
    "name": "cn",
    "email": "mail",
    "is_staff": "mail",
}

and this seemed to work just fine, however using Django 1.10 we now get:

django.core.exceptions.ValidationError: ["'me@example.com' value must be either True or False."]

I know I can search for group membership and match that to is_staff but basically I want all accounts for users that authenticate against LDAP automatically set to is_staff: True.

Is there a proper way to do this? I know I can fix it after the fact by hooking into the django_auth_ldap.backend.populate_user signal but then the user is already created, preferably I'd want to modify the user before they are created.

score 0 · Answer 1 · answered May 31 '17 at 17:23

The proper implementation would likely be with the AUTH_LDAP_USER_FLAGS_BY_GROUP setting, as documented here: http://pythonhosted.org/django-auth-ldap/users.html#easy-attributes

Specifically, if you can identify a group to which all of your users belong, you can have something like:

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_staff": "cn=users,ou=groups,dc=example,dc=com"
}

django-auth-ldap default values for newly created user

1 Answers1