InvenTree
InvenTree copied to clipboard
inventree
[FR] Configurable LDAP Group Classes + Mirror Groups
Please verify that this feature request has NOT been suggested before.
- [X] I checked and didn't find a similar feature request
Problem statement
LDAP authentication group type does not match all environments. Current implementation assumes a group type of GroupOfUniqueNamesType. In my case, this would need to be NestedMemberDNGroupType instead
https://github.com/inventree/InvenTree/blob/36bfd62c9384623a7cc2201055fd2675649cb4b9/InvenTree/InvenTree/settings.py#L310
Additionally, the AUTH_LDAP_GROUP_SEARCH setting hardcodes an objectClass to search for, which does not match all environments.
https://github.com/inventree/InvenTree/blob/36bfd62c9384623a7cc2201055fd2675649cb4b9/InvenTree/InvenTree/settings.py#L363-L368
For my environment, I would need this instead. Note the change of objectClass,, and that I specified the member_attr when setting AUTH_LDAP_GROUP_TYPE
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
get_setting("INVENTREE_LDAP_GROUP_SEARCH", "ldap.group_search"),
ldap.SCOPE_SUBTREE,
"(objectClass=group)",
)
AUTH_LDAP_GROUP_TYPE = NestedMemberDNGroupType(member_attr="member", name_attr="cn")
Finally, I'd like to mirror my LDAP groups from the search base to InvenTree. The AUTH_LDAP_MIRROR_GROUPS option should be available. Something like
AUTH_LDAP_MIRROR_GROUPS = get_boolean_setting("INVENTREE_LDAP_MIRROR_GROUPS")
Suggested solution
Make these tweaks configurable through the .env file.
Describe alternatives you've considered
We are unable to use LDAP authentication in our AD environment with the current settings. I was able to get this working for us by changing the hardcoded objects to match by environment described above by directly editing settings.py, but feel this should be configurable and upstreamed, instead of my hacky edits.
Examples of other systems
No response
Do you want to develop this?
- [ ] I want to develop this.
Upvote & Fund
- We're using Polar.sh so you can upvote and help fund this issue.
- We receive the funding once the issue is completed & confirmed by you.
- Thank you in advance for helping prioritize & fund our backlog.
@mechanarchy you recently provided some LDAP improvements - does the suggested patch here make sense to you?
@SchrodingersGat Yeah I definitely suspected that the LDAP group code would need some further refining. I got it working for me but I use LLDAP which is quite minimal and opinionated.
So I'm totally happy to improve the configurability of the LDAP groups feature. If you'd like, please assign this issue to me and I'll see if I can make a PR in the next couple of days.
This issue seems stale. Please react to show this is still important.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Apologies, no - in truth I forgot about it over Christmas/New Year, and I now have a new baby so I am not sure when I will get time for it. I've un-assigned myself & hope someone else may be able to pick it up.
It seems like it should be okay to implement most of it, but it might be a bit tricky plucking the GroupOfUniqueNamesType/NestedMemberDNGroupType/etc types out of the django_auth_ldap.config module based on the user input. Probably some try/except trickery with getattr and graceful fallback+logging
This issue seems stale. Please react to show this is still important.
@matmair No, unfortunately I still have basically no time for this/other hobbies at the moment.
Please do feel free to implement it yourself, if you need any help or pointers I can reply on GitHub issues/PRs but I just haven't been able to get anywhere near an IDE or git in the last few months.
@jacobfelknor (or anyone else) - has any progress been made toward this goal?
I have continued to use my workaround since I opened this issue and had forgotten about it. I will revisit this,