mirroring only some groups


sparkyb

Nov 3, 2010, 7:01:35 PM
to django-auth-ldap
I'm looking for a compromise between MIRROR_GROUPS and
FIND_GROUP_PERMISSIONS. On the one hand I like that MIRROR_GROUPS sets
up the group membership so you can see in the Django admin what groups
people are members of. But I do not want it to create lots of
groups I don't need. My company's LDAP has way more groups than I care
about (I might be able to write a more complicated group search filter
to limit it, but I doubt it). I'd like it if there was another option
to specify only mirroring group membership for LDAP groups that
already have an equivalent in Django, but not creating groups.

The other thing that MIRROR_GROUPS doesn't allow for is groups that
are not LDAP groups. Again, it would be nice if it only added
membership to groups that correspond to LDAP groups (and I guess also
removed membership of groups that correspond to LDAP groups you aren't
a member of), but allowed me to create Django groups that don't
correspond to LDAP groups and left membership in those alone.

Peter Sagerson

Nov 5, 2010, 12:42:14 AM
to django-a...@googlegroups.com
That sounds like a pretty good idea. Perhaps a new, non-destructive SYNC_GROUPS option would be in order. I doubt that I'll have time to spend on this in the near future, but contributions are always welcome. Feel free to open an issue if you want to keep it on the radar.

Thanks,
Peter

sparkyb

Nov 8, 2010, 6:54:04 PM
to django-auth-ldap
I'm happy to submit a patch, but let me ask you a few implementation
questions first:

The only problem with syncing only groups that exist is that it is
easy to add someone to groups, but not easy to remove someone from
groups. I could remove you from all groups that aren't LDAP groups
you're in, but that doesn't satisfy my desire to have non-LDAP groups
that I manage in Django. So I need a way to tell if the other groups
you're in are LDAP groups that you're no longer part of. Option 1 is
that I could do an LDAP search for those group names. Option 2 is to find
a way to mark Django groups as either from LDAP or not (like prefixing
them with "LDAP " or some other configurable string). The problem with
option 2 is that I'd want this behavior to be the same in mirror
groups and it isn't right now. Option 3 is that instead of SYNC_GROUPS
being another bool mutually exclusive with MIRROR_GROUPS, it could be
a modifier to MIRROR_GROUPS, a list of group names to sync. When
None, MIRROR_GROUPS would treat all groups as LDAP groups, but when set
to something, MIRROR_GROUPS would only create, set membership, and
remove membership from the named groups. The downside of option 3 is
that you have to name the groups you want synced in your settings file
instead of by just creating the groups in the Django admin.

Pretty much any of the 3 serves my needs. Do you have a preference
which I implement?

Peter Sagerson

Nov 9, 2010, 3:41:52 AM
to django-a...@googlegroups.com
It seems like a good place to start is the third one. Perhaps MIRROR_GROUPS could either be set to True for the current behavior or a list of group names to only mirror those groups. It's explicit, doesn't add any new LDAP traffic, and should be fairly straightforward to implement. And it doesn't preclude a more automatic group syncing system in the future, should that be desirable and possible.

It's worth considering whether it makes more sense to enumerate the groups to mirror or the groups to leave alone (AUTH_LDAP_LOCAL_ONLY_GROUPS or something). The former seems a little more obvious, although in practice it probably depends on which ones are likely to be added and removed more frequently. Whatever feels right. It would be nice if we could list the DNs of groups to mirror, but the way things are set up, you need the whole set of attributes in order to map an LDAP group to a Django group. So either way it will probably have to be a list of Django group names that are applied after the mapping. Unless you can think of a way around that. To be honest, this isn't a feature I've spent much time thinking about; I've never actually used it myself.

Does this sound like the right direction?

Thanks,
Peter
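
The option-3 design discussed in this thread, sketched as an added example (it is not django-auth-ldap's code and was not posted by either participant): the set arithmetic that decides which memberships are granted and revoked when only named groups are mirrored, next to the mirror-everything behaviour and the inverse "local only" list. The names `plan_group_sync`, `GroupPlan`, the `local_only` parameter and the sample group names are assumptions made for illustration.

```python
from typing import NamedTuple


class GroupPlan(NamedTuple):
    create: frozenset  # groups missing from Django that would be created
    add: frozenset     # memberships to grant
    remove: frozenset  # memberships to revoke
    final: frozenset   # memberships after the sync


def plan_group_sync(current, ldap_groups, existing, mirror=True, local_only=()):
    """Plan one user's sync. All names are Django group names, i.e. after
    the LDAP-to-Django mapping, as the thread concludes they must be.

    mirror     -- True: every group is LDAP-managed; a list: only those are
    local_only -- hypothetical inverse setting: groups never touched
    """
    current, ldap_groups = frozenset(current), frozenset(ldap_groups)
    existing, local_only = frozenset(existing), frozenset(local_only)
    if mirror is True:
        managed = (current | ldap_groups | existing) - local_only
    elif not mirror:
        managed = frozenset()
    else:
        managed = frozenset(mirror) - local_only
    wanted = ldap_groups & managed
    # Revoke only inside the managed set, so a membership dropped in LDAP
    # does not linger in Django while locally managed groups stay untouched.
    remove = (current & managed) - wanted
    add = wanted - current
    return GroupPlan(wanted - existing, add, remove, (current - remove) | add)


# Constructed sample data, not taken from the thread.
CURRENT = {"staff", "old-project", "newsletter-editors"}   # Django now
LDAP = {"staff", "engineering", "all-employees"}           # LDAP now
EXISTING = {"staff", "engineering", "old-project", "newsletter-editors"}

if __name__ == "__main__":
    for label, kwargs in [
        ("mirror everything", {"mirror": True}),
        ("named groups only", {"mirror": ["staff", "engineering", "old-project"]}),
        ("all but local-only", {"local_only": ["newsletter-editors"]}),
    ]:
        plan = plan_group_sync(CURRENT, LDAP, EXISTING, **kwargs)
        print(label, {k: sorted(v) for k, v in plan._asdict().items()})
```

With the named list, the stale `old-project` membership is revoked and `newsletter-editors` survives, while mirroring everything both creates `all-employees` and strips the locally managed membership.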
