Hello,
I am one of the infra guys of the Gentoo distribution. For groups support, we use a special multi-value attribute called gentooACL that has contents like $
server.gentoo.org, ldapadmin.group, developer.group. The reason is that it covers a few cases that cannot be expressed with ou=groups, like:
- Two users, A, B.
- Two servers, X, Y.
- Two groups, G, H.
1. You want user A to be in group G on X, and group H on Y.
2. You want user B to be in group H on X, and group G on Y.
It's impossible with ou=groups. You have to end up subclassing the groups X.G, X.H, Y.G, Y.H, and granting membership to those.
Another case that cannot be expressed with ou=groups is:
nss_base_passwd ou=users,dc=gentoo,dc=org?sub?|(gentooACL=server1.gentoo.org)(gentooACL=server2.gentoo.org)
As far as I investigated, django-auth-ldap does not support such a case for groups (correct me if I'm wrong please).
I would like to extend the group support in django-auth-ldap by implementing a new configuration option like AUTH_LDAP_GROUP_ATTRIBUTE="gentooACL", or a new LDAPGroupType, AUTH_LDAP_GROUP_TYPE=Attribute(name_attr="gentooACL"), so that we can do the following:
AUTH_LDAP_USER_FLAGS_BY_GROUP = { "is_active": "active.group", ... }
AUTH_LDAP_PROFILE_FLAGS_BY_GROUP = { "is_developer": "developer.group", ... }
Would you be willing to accept such functionality? If so, any requirements on the implementation details?
Thanks in advance,
Theo
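
Added example, not part of the original message and not django-auth-ldap code: a standalone Python model of the attribute-based mapping requested above, where a flag is granted only when the whole gentooACL value matches, and of the per-server OR filter with RFC 4515 escaping. The function names, the sample entry and the exact-match rule are assumptions made for illustration.

```python
# Standalone model of attribute-based group flags (illustration only).

def escape_filter_value(value):
    """Escape RFC 4515 special characters in an LDAP filter assertion value.
    (python-ldap offers ldap.filter.escape_filter_chars for the same job.)"""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)

def host_filter(attr, hosts):
    """Build (|(attr=h1)(attr=h2)...) for the servers an entry must list."""
    if not hosts:
        # An empty OR would be malformed; refuse rather than match everything.
        raise ValueError("refusing to build an empty filter")
    terms = ''.join('(%s=%s)' % (attr, escape_filter_value(h)) for h in hosts)
    return '(|' + terms + ')'

def acl_values(entry_attrs, attr="gentooACL"):
    """Return the entry's ACL values as a set; a missing attribute gives an
    empty set, so every flag derived from it is False (fail closed)."""
    values = set()
    for raw in entry_attrs.get(attr, []):
        values.add(raw.decode("utf-8") if isinstance(raw, bytes) else raw)
    return values

def flags_from_acl(entry_attrs, flags_by_group, attr="gentooACL"):
    """Map each flag to True only when its group name equals a whole ACL
    value. Substring matching would let 'notactive.group' grant 'is_active'."""
    acl = acl_values(entry_attrs, attr)
    return {flag: group in acl for flag, group in flags_by_group.items()}

# Constructed sample entry in the shape python-ldap returns
# (attribute name -> list of byte strings).
SAMPLE_ENTRY = {
    "uid": [b"alice"],
    "gentooACL": [b"server.gentoo.org", b"developer.group", b"notactive.group"],
}
# Same shape as the AUTH_LDAP_USER_FLAGS_BY_GROUP setting in the message.
USER_FLAGS = {"is_active": "active.group", "is_developer": "developer.group"}

if __name__ == "__main__":
    print(flags_from_acl(SAMPLE_ENTRY, USER_FLAGS))
    print(host_filter("gentooACL",
                      ["server1.gentoo.org", "server2.gentoo.org"]))
```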