Active Directory `AD_MEMBERSHIP_REQ` setting is not honoured

Issue #360 resolved
Randle Taylor created an issue

The AD_MEMBERSHIP_REQ setting is not currently honoured when authenticating users.

Comments (6)

  1. Cody Crewson

    A concern. If you have a limited number of full administrators and they all leave without superuser there would be no way to add new admins to the site with this on would there? Is there some way we could query the ad account to get the default group and rights instead of relying entirely on internal and default processes?

  2. Randle Taylor reporter

    You can add a new superuser on the command line like python manage.py createsuperuser or using python manage.py shell and then using the REPL and Django User model to create a new superuser.

    "Is there some way we could query the ad account to get the default group and rights instead of relying entirely on internal and default processes?"

    Maybe! Not something I will work on in the near future but certainly open to PR's on this front.

  3. Cody Crewson

    Randle would the createsuperuser functionality work if AD_MEMBERSHIP_REQ setting was set to true?

  4. Randle Taylor reporter

    Yes, assuming you still include the django ModelBackend in AUTHENTICATION_BACKENDS setting.

    If you have

    AUTHENTICATION_BACKENDS = (
        'django.contrib.auth.backends.ModelBackend',
        'qatrack.accounts.backends.ActiveDirectoryGroupMembershipSSLBackend',
    )
    

    then QATrack+ will first try using the Django model auth backend to verify user credentials, then if that fails, will try the AD backend (or vice versa if the order of those backends is reversed)

  5. Log in to comment