I have a Django REST Framework app with Simple JWT token authentication and LDAP authentication configured. I'm trying to allow users in based on the LDAP security group they belong to.
This is what I have in settings.py:
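# --- LDAP (django-auth-ldap) -------------------------------------------------
# NOTE(review): a plain ldap:// URI sends the service-account bind password and
# every authenticating user's password in cleartext on the wire; prefer ldaps://
# or AUTH_LDAP_START_TLS = True if the directory supports it.
AUTH_LDAP_SERVER_URI = 'ldap://xxx'
# Bind with the credentials of the user being authenticated; the service
# account below is then only needed for the initial user/group lookups.
AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
AUTH_LDAP_BIND_DN = 'xxx'
AUTH_LDAP_BIND_PASSWORD = 'xxx'
# NOTE(review): both USER_DN_TEMPLATE and USER_SEARCH are set; the template is
# used when present and the search is ignored — presumably only one is wanted.
AUTH_LDAP_USER_DN_TEMPLATE = 'cn=%(user)s,ou=Users,ou=xxx,dc=xxx,dc=xxx'
AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
    LDAPSearch('ou=xxx,dc=xxx,dc=xxx', ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"),
)
# NOTE(review): sAMAccountName and objectClass=group point at Active Directory;
# ActiveDirectoryGroupType (or NestedActiveDirectoryGroupType) is the usual
# choice there — GroupOfNamesType targets objectClass=groupOfNames entries.
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
# The group search must be a single LDAPSearch or an LDAPSearchUnion, not a
# plain list: the backend calls search methods on this object when it
# resolves a user's groups, so a list fails with an AttributeError.
# NOTE(review): the base DNs below contain spaces around '=' and after ','
# ("OU = xxx"); confirm the server accepts that form or normalise the DNs.
AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion(
    LDAPSearch("CN=Store Keeper, OU = xxx, OU = xxx, OU = Fabrication, OU = xxx, DC = xxx, DC = xxx", ldap.SCOPE_SUBTREE, "(objectClass=group)"),
    LDAPSearch("OU = xxx, OU = xxx, OU = xxx, OU = xxx, DC = xxx, DC = local", ldap.SCOPE_SUBTREE, "(objectClass=group)"),
)
# Only members of at least one of these groups may log in at all.
AUTH_LDAP_REQUIRE_GROUP = (
    LDAPGroupQuery("CN=Store Keeper,OU=xxx,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx") |
    LDAPGroupQuery("CN=Store Assistant,OU=xxx,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx")
)
# AUTH_LDAP_GROUP_TYPE_PARAMS = {'memberOf': 'dn'}
# Cache group membership for the timeout below and reuse it on subsequent
# requests instead of re-querying the directory.
# NOTE(review): AUTH_LDAP_CACHE_GROUPS / AUTH_LDAP_GROUP_CACHE_TIMEOUT are the
# legacy names; current django-auth-ldap reads AUTH_LDAP_CACHE_TIMEOUT only.
# The original value of 0 disabled caching, contradicting the intent stated
# above, so all three now agree on 300 seconds.
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 300
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_CACHE_TIMEOUT = 300
# Copy these LDAP attributes onto the Django User row on every login.
AUTH_LDAP_USER_ATTR_MAP = {
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail',
}
# NOTE(review): user.ldap_user is attached in memory by LDAPBackend.authenticate()
# and is never stored on the User row, so a user that the JWT authentication
# class loads from the database will not carry it. Evaluate group membership at
# login, rebuild it with LDAPBackend().populate_user(username), or mirror LDAP
# groups into Django groups (AUTH_LDAP_MIRROR_GROUPS = True) and check
# user.groups — confirm against the django-auth-ldap docs for the installed
# version.

# --- JWT ---------------------------------------------------------------------
# NOTE(review): JWT_AUTH is read by djangorestframework-jwt and SIMPLE_JWT by
# djangorestframework-simplejwt; only the package that is installed and listed
# in REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] uses its dict, the other
# is dead configuration.
JWT_AUTH = {
    'JWT_VERIFY': True,
    'JWT_VERIFY_EXPIRATION': True,
    'JWT_AUTH_HEADER_PREFIX': 'Bearer',
}
# Token lifetimes and header handling for Simple JWT.
# NOTE(review): a one-day access token with rotation and blacklisting disabled
# cannot be revoked before it expires; a shorter ACCESS_TOKEN_LIFETIME with
# ROTATE_REFRESH_TOKENS / BLACKLIST_AFTER_ROTATION enabled is the usual
# hardening if that matters for this deployment.
SIMPLE_JWT = {
    'ACCESS_TOKEN_LIFETIME': datetime.timedelta(days=1),
    'REFRESH_TOKEN_LIFETIME': datetime.timedelta(days=7),
    'ROTATE_REFRESH_TOKENS': False,
    'BLACKLIST_AFTER_ROTATION': False,
    'AUTH_HEADER_TYPES': ('Bearer',),
    'AUTH_HEADER_NAME': 'HTTP_AUTHORIZATION',
}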
But when I try to access request.user.ldap_user.group_names, I get an AttributeError saying that the User object has no attribute ldap_user.
Can you please advise on what I'm doing wrong here?
Thanks