Group based authorization for non-ldap authenticated users


Brian Awood

Feb 1, 2017, 4:09:16 PM
to django-auth-ldap
Hello,
I'm handling authentication with a SAML2 IdP, using djangosaml2, in order to have single sign-on functionality.  However, I need to be able to do authorization via ldap groups which are not part of the SAML assertion.  From my understanding of the django_auth_ldap, I should be able to do this using AUTH_LDAP_AUTHORIZE_ALL_USERS and AUTH_LDAP_FIND_GROUP_PERMS settings, but I'm having some difficulties.  My authentication works correctly, but it doesn't seem the ldap backend ever gets called for the authz part, as I don't see any group searches on the LDAP server.  Below are what I think are my relevant settings.  I've tested basic connectivity to my ldap server. I was also able to remove the saml2 backend, use a user dn template, and successfully authenticate with LDAP, so I know there isn't anything wrong with the basic installation or setup.  I'm fairly new to django so any assistance would be greatly appreciated.

import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

AUTHENTICATION_BACKENDS = (
    'djangosaml2.backends.Saml2Backend',
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)

AUTH_LDAP_SERVER_URI = 'ldap://ldap.myserver.org'
AUTH_LDAP_GROUP_SEARCH = LDAPSearch('ou=Groups,dc=mydomain,dc=org', ldap.SCOPE_SUBTREE, '(objectClass=groupOfNames)')
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_AUTHORIZE_ALL_USERS = True


In my view code I'm using an @user_passes_test decorator and checking if the user is in a special group in order to grant access, like:

allow_group = 'allow group'  # name of the Django group that grants access

def in_allow_group(user):
    """Use with a ``user_passes_test`` decorator to restrict access to
    authenticated users who are in the allowed group."""
    return user.is_authenticated() and user.groups.filter(name=allow_group).exists()

Should I be making a call directly to the LDAPBackend code instead of user.groups or is there something else I should be doing to have the LDAP code map the users group membership?
Thanks for any assistance.
-Brian

Peter Sagerson

Feb 2, 2017, 12:46:37 PM
to django-a...@googlegroups.com
In principle, that seems reasonable. Have you enabled debug logging to see if there are any unexpected failures?[1] Does your LDAP server accept anonymous binds or do you need to set AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD?




--
You received this message because you are subscribed to the Google Groups "django-auth-ldap" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-auth-ld...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Brian Awood

Feb 2, 2017, 4:29:12 PM
to django-auth-ldap
I have debug logging enabled, but no errors, and my LDAP server accepts anonymous binds. There also wasn't even a hint of an attempted connection on the LDAP server side, so I suspect something with how the Saml2Backend is handling the auth process and it completely skips the rest of the backends on a successful login. I'm not sure if there is a better way, but I've gotten a little further by changing the "in_allow_group" definition in my view to

from django_auth_ldap.backend import LDAPBackend

allow_group = 'allow group'  # name of the Django group that grants access

def in_allow_group(user):
    if user.is_authenticated():
        # force the LDAP backend to run its group search for this user
        LDAPBackend().get_all_permissions(user)
    return user.groups.filter(name=allow_group).exists()

That produces a group search on my LDAP server and I can see from the debug logs that it's finding my allow_group, but the exists() check isn't matching the group name for some reason.

Peter Sagerson

Feb 2, 2017, 8:19:24 PM
to django-a...@googlegroups.com
The next step is probably to put a breakpoint in django_auth_ldap.backend.LDAPBackend.get_group_permissions and see if it’s getting that far.


Brian Awood

Feb 6, 2017, 2:06:52 PM
to django-a...@googlegroups.com
Thanks for the assistance, Peter.
After I manually call LDAPBackend().get_all_permissions(user) I see the search_s results with all my groups listed in the log, including the one I'm trying to test against, and then I see some debug lines trying some SELECT statements like:

(0.001) SELECT `auth_group`.`name` FROM `auth_group` INNER JOIN `auth_user_groups` ON ( `auth_group`.`id` = `auth_user_groups`.`group_id` ) WHERE `auth_user_groups`.`user_id` = 1 LIMIT 21; args=(1,)
(0.000) SELECT (1) AS `a` FROM `auth_group` INNER JOIN `auth_user_groups` ON ( `auth_group`.`id` = `auth_user_groups`.`group_id` ) WHERE (`auth_user_groups`.`user_id` = 1 AND `auth_group`.`name` = 'allow group' LIMIT 1; args=(1, 'allow group')

which is where I think my user.groups test is occurring, but failing. I created the 'allow group' in the Django admin interface and gave it one of the default permissions, but that doesn't seem to have any effect either. So I guess I'm still missing something, but I'm not sure what.


Brian Awood

Feb 6, 2017, 5:19:39 PM
to django-a...@googlegroups.com
I set a breakpoint, stepped through with pdb, and I see that it's successfully getting my list of groups, then mapping the permissions for the group that matched my test group. But it doesn't appear to map the user's LDAP groups to Django groups, so I think that explains why my check against user.groups is failing. So it seems I'm misinterpreting how to use the authorization functionality in django-auth-ldap.
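An added example, not code from the thread or from django-auth-ldap itself, of a user_passes_test predicate that asks the LDAP backend for the user's group names directly rather than reading user.groups, which the permission mapping described above never fills. It assumes django-auth-ldap's LDAPBackend.populate_user() and the ldap_user.group_names attribute (neither is shown in the thread), and takes the backend as a parameter so the decision logic can be exercised without a directory.

```python
# Added example (not from the thread): decide access from the user's LDAP
# groups via django-auth-ldap, instead of user.groups, which
# AUTH_LDAP_FIND_GROUP_PERMS never populates. Assumes django-auth-ldap's
# LDAPBackend.populate_user() and ldap_user.group_names; check your version.

ALLOW_GROUP = "allow group"  # cn of the LDAP group that grants access


def ldap_group_names(username, backend=None):
    """Return the set of LDAP group names for ``username`` (empty if unknown).

    ``backend`` is injectable so the decision logic can be exercised without
    a directory; in a view it defaults to a real LDAPBackend, whose
    populate_user() runs the AUTH_LDAP_GROUP_SEARCH from settings.
    """
    if backend is None:
        from django_auth_ldap.backend import LDAPBackend
        backend = LDAPBackend()
    populated = backend.populate_user(username)
    if populated is None:  # no matching entry in the directory
        return set()
    return set(populated.ldap_user.group_names)


def is_authenticated(user):
    """True for a logged-in user on both old (method) and new (property) Django."""
    flag = user.is_authenticated
    return bool(flag() if callable(flag) else flag)


def in_allow_group(user, backend=None, allow_group=ALLOW_GROUP):
    """user_passes_test predicate: authenticated AND member of allow_group.

    If the matching Django group carries a permission, user.has_perm() is
    the alternative: with AUTH_LDAP_FIND_GROUP_PERMS and
    AUTH_LDAP_AUTHORIZE_ALL_USERS Django asks LDAPBackend.get_all_permissions
    for any authenticated user, which is the mapping observed in this thread.
    """
    if not is_authenticated(user):
        return False
    return allow_group in ldap_group_names(user.get_username(), backend)
```

populate_user() creates or updates the Django user record and queries the directory on every call, so a real view should cache the result per request or session rather than repeat the search on each hit.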
