/usr/share/doc/python-django-auth-ldap-doc/html/permissions.html is in python-django-auth-ldap-doc 1.4.0-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Permissions &#8212; django-auth-ldap 1.4.0 documentation</title>
    <link rel="stylesheet" href="_static/classic.css" type="text/css" />
    <link rel="stylesheet" href="_static/pygments.css" type="text/css" />
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    './',
        VERSION:     '1.4.0',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true,
        SOURCELINK_SUFFIX: '.txt'
      };
    </script>
    <script type="text/javascript" src="_static/jquery.js"></script>
    <script type="text/javascript" src="_static/underscore.js"></script>
    <script type="text/javascript" src="_static/doctools.js"></script>
    <link rel="index" title="Index" href="genindex.html" />
    <link rel="search" title="Search" href="search.html" />
    <link rel="next" title="Multiple LDAP Configs" href="multiconfig.html" />
    <link rel="prev" title="User objects" href="users.html" /> 
  </head>
  <body>
    <div class="related" role="navigation" aria-label="related navigation">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="genindex.html" title="General Index"
             accesskey="I">index</a></li>
        <li class="right" >
          <a href="py-modindex.html" title="Python Module Index"
             >modules</a> |</li>
        <li class="right" >
          <a href="multiconfig.html" title="Multiple LDAP Configs"
             accesskey="N">next</a> |</li>
        <li class="right" >
          <a href="users.html" title="User objects"
             accesskey="P">previous</a> |</li>
        <li class="nav-item nav-item-0"><a href="index.html">django-auth-ldap 1.4.0 documentation</a> &#187;</li> 
      </ul>
    </div>  

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">
            
  <div class="section" id="permissions">
<h1>Permissions<a class="headerlink" href="#permissions" title="Permalink to this headline"></a></h1>
<p>Groups are useful for more than just populating the user’s <code class="docutils literal"><span class="pre">is_*</span></code> fields.
<a class="reference internal" href="reference.html#django_auth_ldap.backend.LDAPBackend" title="django_auth_ldap.backend.LDAPBackend"><code class="xref py py-class docutils literal"><span class="pre">LDAPBackend</span></code></a> would not be complete without
some way to turn a user’s LDAP group memberships into Django model permissions.
In fact, there are two ways to do this.</p>
<p>Ultimately, both mechanisms need some way to map LDAP groups to Django groups.
Implementations of <a class="reference internal" href="reference.html#django_auth_ldap.config.LDAPGroupType" title="django_auth_ldap.config.LDAPGroupType"><code class="xref py py-class docutils literal"><span class="pre">LDAPGroupType</span></code></a> will have an
algorithm for deriving the Django group name from the LDAP group. Clients that
need to modify this behavior can subclass the
<a class="reference internal" href="reference.html#django_auth_ldap.config.LDAPGroupType" title="django_auth_ldap.config.LDAPGroupType"><code class="xref py py-class docutils literal"><span class="pre">LDAPGroupType</span></code></a> class. All of the built-in
implementations take a <code class="docutils literal"><span class="pre">name_attr</span></code> argument to <code class="docutils literal"><span class="pre">__init__</span></code>, which
specifies the LDAP attribute from which to take the Django group name. By
default, the <code class="docutils literal"><span class="pre">cn</span></code> attribute is used.</p>
<div class="section" id="using-groups-directly">
<h2>Using Groups Directly<a class="headerlink" href="#using-groups-directly" title="Permalink to this headline"></a></h2>
<p>The least invasive way to map group permissions is to set
<a class="reference internal" href="reference.html#std:setting-AUTH_LDAP_FIND_GROUP_PERMS"><code class="xref std std-setting docutils literal"><span class="pre">AUTH_LDAP_FIND_GROUP_PERMS</span></code></a> to <code class="docutils literal"><span class="pre">True</span></code>.
<a class="reference internal" href="reference.html#django_auth_ldap.backend.LDAPBackend" title="django_auth_ldap.backend.LDAPBackend"><code class="xref py py-class docutils literal"><span class="pre">LDAPBackend</span></code></a> will then find all of the LDAP
groups that a user belongs to, map them to Django groups, and load the
permissions for those groups. You will need to create the Django groups and
associate permissions yourself, generally through the admin interface.</p>
<p>To minimize traffic to the LDAP server,
<a class="reference internal" href="reference.html#django_auth_ldap.backend.LDAPBackend" title="django_auth_ldap.backend.LDAPBackend"><code class="xref py py-class docutils literal"><span class="pre">LDAPBackend</span></code></a> can make use of Django’s cache
framework to keep a copy of a user’s LDAP group memberships. To enable this
feature, set <a class="reference internal" href="reference.html#std:setting-AUTH_LDAP_CACHE_GROUPS"><code class="xref std std-setting docutils literal"><span class="pre">AUTH_LDAP_CACHE_GROUPS</span></code></a> to <code class="docutils literal"><span class="pre">True</span></code>. You can also set
<a class="reference internal" href="reference.html#std:setting-AUTH_LDAP_GROUP_CACHE_TIMEOUT"><code class="xref std std-setting docutils literal"><span class="pre">AUTH_LDAP_GROUP_CACHE_TIMEOUT</span></code></a> to override the timeout of cache
entries (in seconds).</p>
<div class="highlight-python"><div class="highlight"><pre><span></span><span class="n">AUTH_LDAP_CACHE_GROUPS</span> <span class="o">=</span> <span class="bp">True</span>
<span class="n">AUTH_LDAP_GROUP_CACHE_TIMEOUT</span> <span class="o">=</span> <span class="mi">300</span>
</pre></div>
</div>
</div>
<div class="section" id="group-mirroring">
<h2>Group Mirroring<a class="headerlink" href="#group-mirroring" title="Permalink to this headline"></a></h2>
<p>The second way to turn LDAP group memberships into permissions is to mirror the
groups themselves. This approach has some important disadvantages and should be
avoided if possible. For one thing, membership will only be updated when the
user authenticates, which may be especially inappropriate for sites with long
session timeouts.</p>
<p>If <a class="reference internal" href="reference.html#std:setting-AUTH_LDAP_MIRROR_GROUPS"><code class="xref std std-setting docutils literal"><span class="pre">AUTH_LDAP_MIRROR_GROUPS</span></code></a> is <code class="docutils literal"><span class="pre">True</span></code>, then every time a user logs
in, <a class="reference internal" href="reference.html#django_auth_ldap.backend.LDAPBackend" title="django_auth_ldap.backend.LDAPBackend"><code class="xref py py-class docutils literal"><span class="pre">LDAPBackend</span></code></a> will update the database with
the user’s LDAP groups. Any group that doesn’t exist will be created and the
user’s Django group membership will be updated to exactly match their LDAP group
membership. If the LDAP server has nested groups, the Django database will end
up with a flattened representation. For group mirroring to have any effect, you
of course need <code class="xref py py-class docutils literal"><span class="pre">ModelBackend</span></code> installed as
an authentication backend.</p>
<p>By default, we assume that LDAP is the sole authority on group membership; if
you remove a user from a group in LDAP, they will be removed from the
corresponding Django group the next time they log in. It is also possible to
have django-auth-ldap ignore some Django groups, presumably because they are
managed manually or through some other mechanism. If
<a class="reference internal" href="reference.html#std:setting-AUTH_LDAP_MIRROR_GROUPS"><code class="xref std std-setting docutils literal"><span class="pre">AUTH_LDAP_MIRROR_GROUPS</span></code></a> is a list of group names, we will manage
these groups and no others. If <a class="reference internal" href="reference.html#std:setting-AUTH_LDAP_MIRROR_GROUPS_EXCEPT"><code class="xref std std-setting docutils literal"><span class="pre">AUTH_LDAP_MIRROR_GROUPS_EXCEPT</span></code></a> is a
list of group names, we will manage all groups except those named;
<a class="reference internal" href="reference.html#std:setting-AUTH_LDAP_MIRROR_GROUPS"><code class="xref std std-setting docutils literal"><span class="pre">AUTH_LDAP_MIRROR_GROUPS</span></code></a> is ignored in this case.</p>
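<p>The following is an added example, not code from django-auth-ldap: a small set-based model of the mirroring rules described above, showing which Django memberships survive a login under each setting. The function names and the sample group names are assumptions made for illustration; <code class="docutils literal"><span class="pre">None</span></code> stands for an unset <code class="docutils literal"><span class="pre">AUTH_LDAP_MIRROR_GROUPS_EXCEPT</span></code>.</p>

```python
def mirrored_membership(ldap_groups, django_groups,
                        mirror_groups=True, mirror_groups_except=None):
    """Django group names a user holds after one login (illustrative model).

    ldap_groups   -- group names derived from the user's LDAP memberships
    django_groups -- group names the user held in Django before the login
    """
    ldap_groups = frozenset(ldap_groups)
    django_groups = frozenset(django_groups)

    if mirror_groups_except is not None:
        # Manage every group except those named; mirror_groups is ignored.
        unmanaged = frozenset(mirror_groups_except)
        # LDAP can neither grant nor revoke an excepted group.
        return (ldap_groups - unmanaged) | (django_groups & unmanaged)
    if mirror_groups is True:
        # LDAP is the sole authority: membership matches LDAP exactly.
        return ldap_groups
    if not mirror_groups:
        # Mirroring disabled: the login leaves membership untouched.
        return django_groups
    # A list of names: manage these groups and no others.
    managed = frozenset(mirror_groups)
    return (ldap_groups & managed) | (django_groups - managed)


def membership_changes(before, after):
    """Return (added, removed) as sorted lists, e.g. for an audit log entry."""
    before, after = frozenset(before), frozenset(after)
    return sorted(after - before), sorted(before - after)


# Constructed sample: "billing" was removed in LDAP since the last login,
# "local-admins" was granted by hand in the Django admin.
LDAP_NOW = {"staff", "editors"}
DJANGO_BEFORE = {"editors", "billing", "local-admins"}

if __name__ == "__main__":
    cases = {
        "MIRROR_GROUPS = True": {},
        "MIRROR_GROUPS = [staff, editors, billing]":
            {"mirror_groups": ["staff", "editors", "billing"]},
        "MIRROR_GROUPS_EXCEPT = [local-admins]":
            {"mirror_groups_except": ["local-admins"]},
    }
    for label, kwargs in cases.items():
        after = mirrored_membership(LDAP_NOW, DJANGO_BEFORE, **kwargs)
        print(label, membership_changes(DJANGO_BEFORE, after))
```

<p>With full mirroring the manually granted group is removed at login; with either list form it is kept, and a group named in the exception list cannot be granted from LDAP.</p>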
</div>
<div class="section" id="non-ldap-users">
<h2>Non-LDAP Users<a class="headerlink" href="#non-ldap-users" title="Permalink to this headline"></a></h2>
<p><a class="reference internal" href="reference.html#django_auth_ldap.backend.LDAPBackend" title="django_auth_ldap.backend.LDAPBackend"><code class="xref py py-class docutils literal"><span class="pre">LDAPBackend</span></code></a> has one more feature pertaining
to permissions, which is the ability to handle authorization for users that it
did not authenticate. For example, you might be using
<code class="xref py py-class docutils literal"><span class="pre">RemoteUserBackend</span></code>
to map externally authenticated users to Django users. By setting
<a class="reference internal" href="reference.html#std:setting-AUTH_LDAP_AUTHORIZE_ALL_USERS"><code class="xref std std-setting docutils literal"><span class="pre">AUTH_LDAP_AUTHORIZE_ALL_USERS</span></code></a>,
<a class="reference internal" href="reference.html#django_auth_ldap.backend.LDAPBackend" title="django_auth_ldap.backend.LDAPBackend"><code class="xref py py-class docutils literal"><span class="pre">LDAPBackend</span></code></a> will map these users to LDAP
users in the normal way in order to provide authorization information. Note that
this does <em>not</em> work with <a class="reference internal" href="reference.html#std:setting-AUTH_LDAP_MIRROR_GROUPS"><code class="xref std std-setting docutils literal"><span class="pre">AUTH_LDAP_MIRROR_GROUPS</span></code></a>; group mirroring is
a feature of authentication, not authorization.</p>
</div>
</div>


          </div>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="footer" role="contentinfo">
        &#169; Copyright 2018, Peter Sagerson.
      Created using <a href="http://sphinx-doc.org/">Sphinx</a> 1.6.7.
    </div>
  </body>
</html>