From 5ff4e3b19470e27e8a72efc008e12720157dbaae Mon Sep 17 00:00:00 2001
From: bellwood
Date: Thu, 13 Apr 2017 17:03:58 -0400
Subject: [PATCH 1/3] Enhance LDAP documentation

Incorporating @marvnrawley's enhancements from #518
---
 docs/installation/ldap.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/docs/installation/ldap.md b/docs/installation/ldap.md
index 6a4994a5c..9231e422f 100644
--- a/docs/installation/ldap.md
+++ b/docs/installation/ldap.md
@@ -49,6 +49,8 @@ AUTH_LDAP_BIND_PASSWORD = "demo"
 # ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
 LDAP_IGNORE_CERT_ERRORS = True
 ```
+!!! info
+ When using Windows Server 2012 you may need to specify a port on AUTH_LDAP_SERVER_URI - 3269 for secure, 3268 for non-secure.
 
 ## User Authentication
 
@@ -70,6 +72,8 @@ AUTH_LDAP_USER_ATTR_MAP = {
 "last_name": "sn"
 }
 ```
+!!! info
+ When using Windows Server 2012 AUTH_LDAP_USER_DN_TEMPLATE should be set to None.
 
 # User Groups for Permissions
 
@@ -99,3 +103,17 @@ AUTH_LDAP_FIND_GROUP_PERMS = True
 AUTH_LDAP_CACHE_GROUPS = True
 AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
 ```
+
+!!! info
+ "is_active" - you must map all users to at least this group if you want their account to be treated as enabled. Without this, your users cannot log in.
+
+"is_staff" - users mapped to this group are enabled for access to the Administration tools; this is the equivalent of checking the "Staff status" box on a manually created user. This doesn't necessarily imply additional privileges, which still needed to be assigned via a group, or on a per-user basis.
+
+"is_superuser" - users mapped to this group in addition to the "is_staff" group will be assumed to have full permissions to all modules. Without also being mapped to "is_staff", this group observably has no impact to your effective permissions.
+
+!!! info
+ It is also possible map user attributes to Django attributes:
+AUTH_LDAP_USER_ATTR_MAP = {
+"first_name": "givenName",
+"last_name": "sn"
+}
From 1ec09270a7bf86bccbf168deef2f82fd075c3f01 Mon Sep 17 00:00:00 2001
From: Brian Ellwood
Date: Mon, 5 Jun 2017 20:35:05 -0400
Subject: [PATCH 2/3] Update ldap.md

Capitalization
---
 docs/installation/ldap.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/installation/ldap.md b/docs/installation/ldap.md
index 9231e422f..56c82d1e4 100644
--- a/docs/installation/ldap.md
+++ b/docs/installation/ldap.md
@@ -105,14 +105,14 @@ AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
 ```
 
 !!! info
- "is_active" - you must map all users to at least this group if you want their account to be treated as enabled. Without this, your users cannot log in.
+"is_active" - You must map all users to at least this group if you want their account to be treated as enabled. Without this, your users cannot log in.
 
-"is_staff" - users mapped to this group are enabled for access to the Administration tools; this is the equivalent of checking the "Staff status" box on a manually created user. This doesn't necessarily imply additional privileges, which still needed to be assigned via a group, or on a per-user basis.
+"is_staff" - Users mapped to this group are enabled for access to the Administration tools; this is the equivalent of checking the "Staff status" box on a manually created user. This doesn't necessarily imply additional privileges, which still needed to be assigned via a group, or on a per-user basis.
 
-"is_superuser" - users mapped to this group in addition to the "is_staff" group will be assumed to have full permissions to all modules. Without also being mapped to "is_staff", this group observably has no impact to your effective permissions.
+"is_superuser" - Users mapped to this group in addition to the "is_staff" group will be assumed to have full permissions to all modules. Without also being mapped to "is_staff", this group observably has no impact to your effective permissions.
 
 !!! info
- It is also possible map user attributes to Django attributes:
+It is also possible map user attributes to Django attributes:
 AUTH_LDAP_USER_ATTR_MAP = {
 "first_name": "givenName",
 "last_name": "sn"
From d0649ba815997fda820091ccd374622d629c7552 Mon Sep 17 00:00:00 2001
From: Brian Ellwood
Date: Mon, 5 Jun 2017 20:37:09 -0400
Subject: [PATCH 3/3] Update ldap.md

Wrap code in code block
---
 docs/installation/ldap.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/docs/installation/ldap.md b/docs/installation/ldap.md
index 56c82d1e4..729e02ff4 100644
--- a/docs/installation/ldap.md
+++ b/docs/installation/ldap.md
@@ -113,7 +113,10 @@ AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
 
 !!! info
 It is also possible map user attributes to Django attributes:
+
+```no-highlight
 AUTH_LDAP_USER_ATTR_MAP = {
 "first_name": "givenName",
 "last_name": "sn"
 }
+```