Active Directory `AD_MEMBERSHIP_REQ` setting is not honoured

Randle Taylor reporter

changed status to open

2018-10-15T13:33:51+00:00

Cody Crewson

A concern. If you have a limited number of full administrators and they all leave without superuser there would be no way to add new admins to the site with this on would there? Is there some way we could query the ad account to get the default group and rights instead of relying entirely on internal and default processes?

2018-12-24T17:33:18+00:00

Randle Taylor reporter

You can add a new superuser on the command line like python manage.py createsuperuser or using python manage.py shell and then using the REPL and Django User model to create a new superuser.

"Is there some way we could query the ad account to get the default group and rights instead of relying entirely on internal and default processes?"

Maybe! Not something I will work on in the near future but certainly open to PR's on this front.

2019-01-02T16:31:53+00:00

Cody Crewson

Randle would the createsuperuser functionality work if AD_MEMBERSHIP_REQ setting was set to true?

2019-01-02T16:50:57+00:00

Randle Taylor reporter

Yes, assuming you still include the django ModelBackend in AUTHENTICATION_BACKENDS setting.

If you have

AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend',
    'qatrack.accounts.backends.ActiveDirectoryGroupMembershipSSLBackend',
)

then QATrack+ will first try using the Django model auth backend to verify user credentials, then if that fails, will try the AD backend (or vice versa if the order of those backends is reversed)

2019-01-02T16:56:54+00:00

Randle Taylor reporter

changed status to resolved

Improve Active Directory backend

Adds logging, a new AD->QAT group map, and resolves issue ~~#360~~ so that AD_MEMBERSHIP_REQ should now be honoured.

→ <<cset fa55b1bc2b24>>

2020-08-27T23:49:45+00:00

Comments (6)