
Peter Sagerson  committed 8808099

Add test and documentation for AUTH_LDAP_DENY_GROUP.

Version 1.0.15.

  • Parent commits 09ab49e
  • Branches default
  • Tags 1.0.15


Files changed (6)

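--- a/django_auth_ldap/__init__.py
+++ b/django_auth_ldap/__init__.py
-version = (1, 0, 14)
-version_string = "1.0.14"
+version = (1, 0, 15)
+version_string = "1.0.15"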

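--- a/django_auth_ldap/backend.py
+++ b/django_auth_ldap/backend.py
 
     def _check_denied_group(self):
         """
-        Returns True if denied group (AUTH_LDAP_DENY_GROUP) isn't
-        met. Always returns True if AUTH_LDAP_DENY_GROUP is None.
+        Returns True if the negative group requirement (AUTH_LDAP_DENY_GROUP)
+        is met. Always returns True if AUTH_LDAP_DENY_GROUP is None.
         """
         denied_group_dn = ldap_settings.AUTH_LDAP_DENY_GROUP
 
         'AUTH_LDAP_BIND_PASSWORD': '',
         'AUTH_LDAP_CACHE_GROUPS': False,
         'AUTH_LDAP_CONNECTION_OPTIONS': {},
+        'AUTH_LDAP_DENY_GROUP': None,
         'AUTH_LDAP_FIND_GROUP_PERMS': False,
         'AUTH_LDAP_GLOBAL_OPTIONS': {},
         'AUTH_LDAP_GROUP_CACHE_TIMEOUT': None,
         'AUTH_LDAP_PROFILE_ATTR_MAP': {},
         'AUTH_LDAP_PROFILE_FLAGS_BY_GROUP': {},
         'AUTH_LDAP_REQUIRE_GROUP': None,
-        'AUTH_LDAP_DENY_GROUP': None,
         'AUTH_LDAP_SERVER_URI': 'ldap://localhost',
         'AUTH_LDAP_START_TLS': False,
         'AUTH_LDAP_USER_ATTR_MAP': {},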
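Review bot: The reworded docstring of `_check_denied_group` still leaves the return value ambiguous, because "the negative group requirement is met" can be read either as "the user is in the denied group" or as "the user passed the check". Since the second sentence says True is also returned when the setting is None, True presumably means the login may proceed; saying so directly would help on a method that gates authentication, e.g. `Returns True if the user is not a member of AUTH_LDAP_DENY_GROUP, or if that setting is None; False means authentication must be rejected.` The method body lies outside the hunk, so what it returns when the membership lookup itself fails is not visible here and is worth stating in the same docstring.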

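--- a/django_auth_ldap/tests.py
+++ b/django_auth_ldap/tests.py
         self.assertEqual(self.mock_ldap.ldap_methods_called(),
             ['initialize', 'simple_bind_s', 'simple_bind_s', 'compare_s', 'initialize', 'simple_bind_s', 'simple_bind_s', 'compare_s'])
 
+    def test_denied_group(self):
+        self._init_settings(
+            AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
+            AUTH_LDAP_GROUP_SEARCH=LDAPSearch('ou=groups,o=test', self.mock_ldap.SCOPE_SUBTREE),
+            AUTH_LDAP_GROUP_TYPE=MemberDNGroupType(member_attr='member'),
+            AUTH_LDAP_DENY_GROUP="cn=active_gon,ou=groups,o=test"
+        )
+
+        alice = self.backend.authenticate(username='alice', password='password')
+        bob = self.backend.authenticate(username='bob', password='password')
+
+        self.assert_(alice is None)
+        self.assert_(bob is not None)
+        self.assertEqual(self.mock_ldap.ldap_methods_called(),
+            ['initialize', 'simple_bind_s', 'simple_bind_s', 'compare_s', 'initialize', 'simple_bind_s', 'simple_bind_s', 'compare_s'])
+
     def test_group_dns(self):
         self._init_settings(
             AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',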
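Review bot: `test_denied_group` exercises `AUTH_LDAP_DENY_GROUP` only on its own, so nothing pins what happens when a user satisfies `AUTH_LDAP_REQUIRE_GROUP` and is also in the denied group. A companion test that sets both settings to `cn=active_gon,ou=groups,o=test` and asserts `alice is None` would fix the rule that a deny match overrides a require match, which is the case most likely to regress unnoticed. The fixture that makes alice a member of that group is outside the hunk, so a one-line comment above the assertions such as `# alice is in active_gon in the mock directory; bob is not` (to be checked against the fixture) would make the expected outcomes readable here.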

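--- a/docs/conf.py
+++ b/docs/conf.py
 # The short X.Y version.
 version = '1.0'
 # The full version, including alpha/beta/rc tags.
-release = '1.0.14'
+release = '1.0.15'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.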

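--- a/docs/index.rst
+++ b/docs/index.rst
 
 The simplest use of groups is to limit the users who are allowed to log in. If
 :ref:`AUTH_LDAP_REQUIRE_GROUP` is set, then only users who are members of that
-group will successfully authenticate::
+group will successfully authenticate. :ref:`AUTH_LDAP_DENY_GROUP` is the
+reverse: if given, members of this group will be rejected.
+
+.. code-block:: python
 
     AUTH_LDAP_REQUIRE_GROUP = "cn=enabled,ou=groups,dc=example,dc=com"
+    AUTH_LDAP_DENY_GROUP = "cn=disabled,ou=groups,dc=example,dc=com"
 
 More advanced uses of groups are covered in the next two sections.
 
     )
     AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")
 
-    # Only users in this group can log in.
+    # Simple group restrictions
     AUTH_LDAP_REQUIRE_GROUP = "cn=enabled,ou=django,ou=groups,dc=example,dc=com"
+    AUTH_LDAP_DENY_GROUP = "cn=disabled,ou=django,ou=groups,dc=example,dc=com"
 
     # Populate the Django user from the LDAP directory.
     AUTH_LDAP_USER_ATTR_MAP = {
 ``LDAPObject.set_option()``. Keys are ``ldap.OPT_*`` constants.
 
 
-.. _AUTH_LDAP_GROUP_CACHE_TIMEOUT:
+.. _AUTH_LDAP_DENY_GROUP:
 
-AUTH_LDAP_GROUP_CACHE_TIMEOUT
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+AUTH_LDAP_DENY_GROUP
+~~~~~~~~~~~~~~~~~~~~~~~
 
 Default: ``None``
 
-If :ref:`AUTH_LDAP_CACHE_GROUPS` is ``True``, this is the cache timeout for
-group memberships. If ``None``, the global cache timeout will be used.
+The distinguished name of a group; authentication will fail for any user
+that belongs to this group.
 
 
 .. _AUTH_LDAP_FIND_GROUP_PERMS:
 ``ldap.OPT_*`` constants.
 
 
+.. _AUTH_LDAP_GROUP_CACHE_TIMEOUT:
+
+AUTH_LDAP_GROUP_CACHE_TIMEOUT
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Default: ``None``
+
+If :ref:`AUTH_LDAP_CACHE_GROUPS` is ``True``, this is the cache timeout for
+group memberships. If ``None``, the global cache timeout will be used.
+
+
 .. _AUTH_LDAP_GROUP_SEARCH:
 
 AUTH_LDAP_GROUP_SEARCH
 
 Default: ``None``
 
-The distinguished name of a group that a user must belong to in order to
-successfully authenticate.
+The distinguished name of a group; authentication will fail for any user that
+does not belong to this group.
 
 
 .. _AUTH_LDAP_SERVER_URI: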

File setup.py

 
 setup(
     name="django-auth-ldap",
-    version="1.0.14",
+    version="1.0.15",
     description="Django LDAP authentication backend",
     long_description="""This is a Django authentication backend that authenticates against an LDAP service. Configuration can be as simple as a single distinguished name template, but there are many rich configuration options for working with users, groups, and permissions.