Commit a5c701cd authored by Art's avatar Art :lizard:

Update README.md regarding groups. Remove unused RDN extraction.

parent ce7d9bbf
Tags v2.3.0
...@@ -41,6 +41,15 @@ The code snippet above disables the actual SSO. If you need it: ...@@ -41,6 +41,15 @@ The code snippet above disables the actual SSO. If you need it:
- change `DO_YOU_WANT_SSO` to True - change `DO_YOU_WANT_SSO` to True
- see the SSO configuration section - see the SSO configuration section
#### Groups
To receive groups over SSO you need a mapping. You can manage group mapping with `group_mapping` management command. Example:
group_mapping add myproject_superusers "CN=MyProjectSuperusers,OU=Foo,OU=Bar,DC=fh-h,DC=de"
*Groups are not mapped automatically. Because automatic mapping can pose security risks. Imagine auto-mapping that expects group with name "Superusers"; an intruder could create a new group with this name under any path they own and/or create an alias/reference and receive superuser permissions in your project.*
#### Production setup #### Production setup
```python ```python
......
...@@ -10,9 +10,6 @@ import functools ...@@ -10,9 +10,6 @@ import functools
import re import re
EXTRACT_RDN = re.compile(r"^\w+=(\w+),.+$", re.IGNORECASE) # RDN is in the first regex group
def _validate_username(username): def _validate_username(username):
assert isinstance(username, str) assert isinstance(username, str)
assert username.islower() assert username.islower()
...@@ -96,13 +93,6 @@ def update_user_data(user, surname=None, forename=None, email=None): ...@@ -96,13 +93,6 @@ def update_user_data(user, surname=None, forename=None, email=None):
user.save() user.save()
def extract_rdn(dn):
""" Extracts group name from the DN. """
match = EXTRACT_RDN.search(dn)
assert match, "Received something weird instead of a DN: {group_dn}".format(**locals())
return match.group(1)
def set_user_groups(user, group_dn_list): def set_user_groups(user, group_dn_list):
""" Updates groups for the user. """ """ Updates groups for the user. """
# using Q to create ignore-case DN lookup since DS is case insensitive # using Q to create ignore-case DN lookup since DS is case insensitive
...@@ -118,7 +108,7 @@ def set_user_groups(user, group_dn_list): ...@@ -118,7 +108,7 @@ def set_user_groups(user, group_dn_list):
assert set(user.groups.all()) == set(groups) # dunno how relation.set() behaves, better safe than sorry assert set(user.groups.all()) == set(groups) # dunno how relation.set() behaves, better safe than sorry
logger.info("Groups for {user} are updated to: {groups}".format(user=user, groups=", ".join(g.name for g in groups))) logger.info("Groups for {user} are updated to: {groups}".format(user=user, groups=", ".join(g.name for g in groups)))
logger.debug("User {user} has {g_n} group(s) based on {dn_n} DN(s): {g_names}".format( logger.debug("User {user} has {g_n} group(s) based on {dn_n} DN(s): {g_names}".format(
user=user, g_n=len(groups), g_names=", ".join(str(g) for g in groups), dn_n=len(group_dn_list))) user=user, g_n=len(groups), g_names=", ".join(str(g) for g in groups) or "(none)", dn_n=len(group_dn_list)))
def cleanup_direct_permissions(user): def cleanup_direct_permissions(user):
......
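Review bot: The consistency check in the last hunk, `assert set(user.groups.all()) == set(groups)`, is stripped when the interpreter runs with -O, so the one guard that confirms the user's groups really match the mapped DNs silently disappears in an optimized deployment; raise explicitly instead, `if set(user.groups.all()) != set(groups): raise RuntimeError("group update for %s did not apply" % user)`. The same assert-as-validation pattern appears in `_validate_username` in the first hunk of this file, where an `isinstance`/`islower` failure should likewise be a raised `ValueError` rather than an assert. The added `or "(none)"` fallback on the debug line is fine, but the message is still built eagerly with `.format` regardless of log level; passing the values as logger arguments (`logger.debug("User %s has %d group(s) based on %d DN(s): %s", user, len(groups), len(group_dn_list), ", ".join(str(g) for g in groups) or "(none)")`) defers the formatting until debug logging is actually enabled. set_user_groups starts outside the hunk, so the lookup that produces `groups` is not visible here.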