Working With Groups

Types of Groups

Working with groups in LDAP can be a tricky business, mostly because there are so many different kinds. This module includes an extensible API for working with any kind of group and includes implementations for the most common ones. LDAPGroupType is a base class whose concrete subclasses can determine group membership for particular grouping mechanisms. Four built-in subclasses cover most grouping mechanisms:

posixGroup and nisNetgroup objects are somewhat specialized, so they get their own classes. The other two cover mechanisms whereby a group object stores a list of its members as distinguished names. This includes groupOfNames, groupOfUniqueNames, and Active Directory groups, among others. The nested variant allows groups to contain other groups, to as many levels as you like. For convenience and readability, several trivial subclasses of the above are provided:

Finding Groups

To get started, you’ll need to provide some basic information about your LDAP groups. AUTH_LDAP_GROUP_SEARCH is an LDAPSearch object that identifies the set of relevant group objects. That is, all groups that users might belong to as well as any others that we might need to know about (in the case of nested groups, for example). AUTH_LDAP_GROUP_TYPE is an instance of the class corresponding to the type of group that will be returned by AUTH_LDAP_GROUP_SEARCH. All groups referenced elsewhere in the configuration must be of this type and part of the search results.

import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "ou=groups,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)"
)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()

Limiting Access

The simplest use of groups is to limit the users who are allowed to log in. If AUTH_LDAP_REQUIRE_GROUP is set, then only users who are members of that group will successfully authenticate. AUTH_LDAP_DENY_GROUP is the reverse: if given, members of this group will be rejected.

AUTH_LDAP_REQUIRE_GROUP = "cn=enabled,ou=groups,dc=example,dc=com"
AUTH_LDAP_DENY_GROUP = "cn=disabled,ou=groups,dc=example,dc=com"

However, these two settings alone may not be enough to satisfy your needs. In such cases, you can use the LDAPGroupQuery object to perform more complex matches against a user’s groups. For example:

from django_auth_ldap.config import LDAPGroupQuery

AUTH_LDAP_REQUIRE_GROUP = (
    LDAPGroupQuery("cn=enabled,ou=groups,dc=example,dc=com")
    | LDAPGroupQuery("cn=also_enabled,ou=groups,dc=example,dc=com")
) & ~LDAPGroupQuery("cn=disabled,ou=groups,dc=example,dc=com")

It is important to note a couple features of the example above. First and foremost, this handles the case of both AUTH_LDAP_REQUIRE_GROUP and AUTH_LDAP_DENY_GROUP in one setting. Second, you can use three operators on these queries: &, |, and ~: and, or, and not, respectively.

When groups are configured, you can always get the list of a user’s groups from user.ldap_user.group_dns or user.ldap_user.group_names. More advanced uses of groups are covered in the next two sections.