From 5ff4e3b19470e27e8a72efc008e12720157dbaae Mon Sep 17 00:00:00 2001
From: bellwood
Date: Thu, 13 Apr 2017 17:03:58 -0400
Subject: [PATCH] Enhance LDAP documentation

Incorporating @marvnrawley's enhancements from #518

---
 docs/installation/ldap.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/docs/installation/ldap.md b/docs/installation/ldap.md
index 6a4994a5c..9231e422f 100644
--- a/docs/installation/ldap.md
+++ b/docs/installation/ldap.md
@@ -49,6 +49,8 @@ AUTH_LDAP_BIND_PASSWORD = "demo"
 # ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
 LDAP_IGNORE_CERT_ERRORS = True
 ```
+!!! info
+ When using Windows Server 2012 you may need to specify a port on AUTH_LDAP_SERVER_URI - 3269 for secure, 3268 for non-secure.
 ## User Authentication 
@@ -70,6 +72,8 @@ AUTH_LDAP_USER_ATTR_MAP = {
 "last_name": "sn"
 }
 ```
+!!! info
+ When using Windows Server 2012 AUTH_LDAP_USER_DN_TEMPLATE should be set to None.
 # User Groups for Permissions 
@@ -99,3 +103,17 @@ AUTH_LDAP_FIND_GROUP_PERMS = True
 AUTH_LDAP_CACHE_GROUPS = True
 AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
 ```
+
+!!! info
+ "is_active" - you must map all users to at least this group if you want their account to be treated as enabled. Without this, your users cannot log in.
+
+"is_staff" - users mapped to this group are enabled for access to the Administration tools; this is the equivalent of checking the "Staff status" box on a manually created user. This doesn't necessarily imply additional privileges, which still needed to be assigned via a group, or on a per-user basis.
+
+"is_superuser" - users mapped to this group in addition to the "is_staff" group will be assumed to have full permissions to all modules. Without also being mapped to "is_staff", this group observably has no impact to your effective permissions.
+
+!!! info
+ It is also possible map user attributes to Django attributes:
+AUTH_LDAP_USER_ATTR_MAP = {
+"first_name": "givenName",
+"last_name": "sn"
+}