Subgroups Implementation (from LDAP)


Benjamin SOULAS

Sep 5, 2018, 9:44:19 AM
to Django users
Hi everyone,

I'm not an expert at all in Django so it can be a silly question, but I take the risk:

I have to implement an LDAP server (which works perfectly with django-auth-ldap, but my question is not related to this library). I was wondering what happens if groups possess subgroups? Even if it is not handled in the lib, I assume I can override a recursive mechanism in order to populate the subgroups in the auth_group table.

BUT my problem is "How can I link subgroups to parent groups?" Because through the /admin page, if you create a group, you can only define its permissions and nothing else (which makes sense if the aim is to have one-level group handling), but if I want to implement subgroups, how do you suggest doing it? I found the module django MPTT, but does it correspond to the need? But because I already use DRF + Django + Django-auth-LDAP, is its implementation worth it?

I thought it was possible, thanks to custom models which could have as fields parent-group and subgroup (and maybe more, still thinking about it). Once the model is implemented, should I link my overridden django-auth-ldap code to map this Django model in order to make the links? Or should I think differently?

Just to be more precise, in my app I will have permissions and groups defined; the aim is, programmatically or through the admin interface, to also make the links between the LDAP groups and my app groups (the LDAP server could have every possible tree).

I don't know if it is clear enough; if not, do not hesitate to ask me questions, I really need help actually.

Kind regards,

Benjamin. 

Mike Dewhirst

Sep 5, 2018, 5:51:49 PM
to django...@googlegroups.com
On 5/09/2018 11:25 PM, Benjamin SOULAS wrote:
> Hi everyone,
>
> I'm not an expert at all in Django so it can be a silly question, but I
> take the risk:

I'm an expert in nothing!

What about simplifying things by making your groups have smaller sets of
permissions and putting users into multiple groups to suit their roles.



Benjamin SOULAS

Sep 6, 2018, 10:49:03 AM
to Django users
Hi Mike !

The problem is our app has to be able to retrieve a customer LDAP server. So we won't be able to know which groups will be in the LDAP server.

To be concise, when we set up the app, we'll have to retrieve the LDAP groups, insert them in the Django ORM, then make the link (with a table, so a model) between the extracted LDAP groups and our app groups.

The app permissions will follow the same principle: stored in the Django ORM (which is the regular case), and thanks to the app (something django admin-like) we will link the permissions to the app groups.

I don't know how clear I am ...

Kind regards

Benjamin

Mike Dewhirst

Sep 6, 2018, 7:57:27 PM
to django...@googlegroups.com
On 7/09/2018 12:49 AM, Benjamin SOULAS wrote:
> Hi Mike !
>
> The problem is our app has to be able to retrieve a customer LDAP
> server. So we won't be able to know which groups will be in the LDAP server.
>
> To be concise, when we set up the app, we'll have to retrieve the
> LDAP groups, insert them in the Django ORM, then make the link (with a
> table, so a model) between the extracted LDAP groups and our app groups.

Are you using django-auth with auth-groups and auth-group-permissions?

If it was me, I'd set up all the ldap groups as Django auth-groups and
preset their permissions. Then all the login backend has to do is check
that a user's ldap groups haven't changed. If they have changed then I
would have to adjust the auth-groups accordingly.

If you have ldap subgroups I would flatten them into the smallest
denominator and make equivalent auth-groups.

If you choose a strategic naming convention you could work it out on the
fly without needing a mapping table between ldap groups/sub-groups and
Django auth-groups.

Benjamin SOULAS

Sep 7, 2018, 2:38:29 AM
to Django users
Actually, I don't really use LDAP group permissions; I have just configured my settings, in which AUTH_LDAP_GROUP_SEARCH looks for a posixGroup type (it is what I use for now, but in the future, it would be logical that there will be GroupOfName and other types).

My aim is to use django-auth-ldap only for authentication, because we won't be able to know which groups will be implemented and which Django group will be applied to the LDAP group. I tried to check in the django-auth-ldap source code how groups are handled/retrieved; it seems really complicated (I don't know how I should implement the LDAPBackend and use/override the related method in order to use the LDAP admin to retrieve all the groups and populate them into the Django ORM).

For now, the solution I got is to directly use the python-ldap library to execute a search request in which I specify the node I want to look at to retrieve them recursively, and finally, I succeeded in populating them.

For the links between Django groups and LDAP groups, I have no choice but to do this, so I thought I should implement a Django model (whose aim, like other models, is to store stuff in the ORM) which could have a OneToManyField in order to link several LDAP groups to my Django groups predefined in my app.

When you say "If you have ldap subgroups I would flatten them into the smallest denominator and make equivalent auth-groups." I am not sure I understand what it really means and how to implement this: thanks to django-auth-ldap? Or as I have already done with python-ldap?

I don't think I could choose a naming convention if, in advance, it is not possible for me to know which groups will be retrieved, right?

Mike Dewhirst

Sep 7, 2018, 3:48:16 AM
to django...@googlegroups.com
On 7/09/2018 4:38 PM, Benjamin SOULAS wrote:
> Actually, I don't use ldap groups permission really,

I'm jumping to conclusions here with inadequate evidence. But I'll go
ahead anyway. It makes sense to me that your app being different than
the ldap system will have no use for ldap permissions.

So let me presume that the ldap group names mean something to you. For
example I'm guessing ldap group "chief_exec" might translate in your app
to "chief_exec".

I'm also guessing from your subject line that there are ldap groups
subordinate to "chief_exec". Perhaps for example "budgeting" or "awards"
but which are both ldap sub-groups of "chief_exec"

To flatten them out you might adopt a naming convention of "chief_exec",
"chief_exec_budgeting" and "chief_exec_awards"

My only interest in this thread really was to suggest such a flattening
of the corporate ldap hierarchy into simple Django auth-groups as being
a possible solution to the problem as I (mis)understood at the time.

I don't have sufficient experience with Django-ldap to help with the
technicalities.

I hope I haven't spoiled your flow. Lots of very helpful people on this
list will ignore this thread simply because there is already a
conversation happening. I suggest you start a new thread with a subject
line somewhat different but which really encapsulates the nub of your
problem.

Bon chance!

Cheers

Mike
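
The flattening convention described in the message above, as an added example that is not part of the original posts: it turns a nested group tree into flat names, stops on membership cycles, and reports flat names that two different LDAP paths both produce, since such a collision would place two unrelated LDAP groups in one Django auth group. The sample tree, `MAX_DEPTH` and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample hierarchy (parent -> direct subgroups), standing in for
# the result of an LDAP group search. Names follow the thread's example.
SAMPLE_TREE = {
    "chief_exec": ["budgeting", "awards"],
    "budgeting": ["chief_exec"],   # constructed cycle back to the root
    "awards": [],
    "chief": ["exec_awards"],      # flattens to the same name as chief_exec/awards
    "exec_awards": [],
}

MAX_DEPTH = 10  # assumed safety limit for customer-supplied directories


def flatten(tree, roots, sep="_"):
    """Return {flat_name: [paths]} for every group reachable from roots.

    A path is a tuple of group names from a root down to the group.
    Cycles are cut per path, and depth is capped at MAX_DEPTH.
    """
    flat = defaultdict(list)
    stack = [(root,) for root in roots]
    while stack:
        path = stack.pop()
        flat[sep.join(path)].append(path)
        if len(path) >= MAX_DEPTH:
            continue
        for child in tree.get(path[-1], []):
            if child not in path:  # already on this path: cycle, skip it
                stack.append(path + (child,))
    return dict(flat)


def collisions(flat):
    """Flat names produced by more than one distinct LDAP path."""
    return {name: paths for name, paths in flat.items() if len(paths) > 1}


if __name__ == "__main__":
    flat = flatten(SAMPLE_TREE, roots=["chief_exec", "chief"])
    for name in sorted(flat):
        print(name, "<-", flat[name])
    print("ambiguous:", sorted(collisions(flat)))
```

With a separator that cannot occur inside a group name, the two paths stay distinct and `collisions` returns an empty dict.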

Benjamin SOULAS

Sep 7, 2018, 4:21:03 AM
to Django users
Well indeed, flattening the LDAP group hierarchy could be a solution, but I don't know if my boss will be OK with that; we are still thinking about the implementation and exploring the techno we need to implement our features.

But I think I will keep it in mind seriously, because it could resolve the LDAP groups + subgroups link. Anyway, I think I cannot solve the link between my LDAP groups and app groups (whose naming conventions are obviously different) better than by creating a Django "Link" (I have to find a group name) model.

For now, just at the beginning, I implemented functions (in views, should find another way ...) that create my groups. I don't know (yet) how, when the server starts, I can already populate my app groups without any Django admin user intervention; I think it can be easily implemented, I just have to take a look, because doing this in a view with a GET or POST request is good enough to see the result in the /admin page but, to be honest, so dirty ...

Anyway, for now I found a way for my groups retrieval; now, next steps: introduce my own groups with their own permissions, implement the Links table, find a way to create links between LDAP groups and my app groups (maybe in /admin, by registering the Link model in admin.py) and then check that the scenario I thought about can be done.

To be honest, you helped me with the flattened representation of the groups, thanks a lot for that. Now, I think I will follow your advice about creating new subjects; I did in the django-auth-ldap Google group, but nobody answered, which is why I came here.

Thanks a lot (Merci beaucoup)!

Kind regards