[GH-ISSUE #504] Role based access control with LDAP. #375

Open
opened 2026-02-27 16:39:03 +03:00 by kerem · 0 comments
Owner

Originally created by @GusevVictor on GitHub (Feb 17, 2015).
Original GitHub issue: https://github.com/retspen/webvirtmgr/issues/504

Dear all, I have a question about role-based access control to webvirtmgr.

So, I'm new to the project, and I am trying to set up LDAP-based login (I use samba4 as my production LDAP server). We LOVE OpenSource :)

I have created the following config for myself (I hope it will be good for other people as an example). It is suitable for webvirtmgr v 4.8.9:

```
/home/webvirtmgr/webvirtmgr/webvirtmgr/local/local_settings.py
```

```
import os

DEBUG = False
TEMPLATE_DEBUG = DEBUG

import ldap
from django_auth_ldap.config import LDAPSearch, ActiveDirectoryGroupType

AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
)

# Options passed to ldap.set_option(); False equals ldap.OPT_X_TLS_NEVER (0),
# i.e. the server certificate is not verified.
AUTH_LDAP_GLOBAL_OPTIONS = {
    ldap.OPT_X_TLS_REQUIRE_CERT: False,
}

# ldap:// without AUTH_LDAP_START_TLS is an unencrypted connection.
AUTH_LDAP_SERVER_URI = "ldap://domainctrl"
# Service account used to search for users and groups.
AUTH_LDAP_BIND_DN = "CN=xxx,CN=Users,DC=company,DC=ru"
AUTH_LDAP_BIND_PASSWORD = "xxx"
# Look the user up by sAMAccountName under CN=Users.
AUTH_LDAP_USER_SEARCH = LDAPSearch("CN=Users,DC=company,DC=ru",
    ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)")
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("CN=Users,DC=company,DC=ru",
    ldap.SCOPE_SUBTREE, "(objectClass=group)"
)
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
# Only members of the kvm group get is_active set.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": ["CN=kvm,CN=Users,DC=company,DC=ru"],
}


TIME_JS_REFRESH = 2000
# '*' accepts any Host header.
ALLOWED_HOSTS = ['*']
TIME_ZONE = 'Europe/Moscow'
LANGUAGE_CODE = 'ru-RU'
SITE_ID = 1
USE_I18N = True
USE_L10N = True
USE_TZ = True
```

After that, you can log in to webvirtmgr if you belong to the kvm group.

So, my question is about:

```
#    "is_staff": "CN=kvm,CN=Users,DC=company,DC=ru",
#    "is_superuser": "CN=kvm,CN=Users,DC=company,DC=ru"
```

I have seen that it doesn't matter with these settings.

Can I have some group with low privileges? For example, access to "$vm1" or "$vm2"? Or just allow rebooting a machine without destroying it, and so on?

I understand that it is hard to implement, but maybe.

And my second question is: how can I add my example to the setup section of the documentation? It is so hard for new people to set up LDAP in Django. I think it will be good for other guys.

And my last question is: how can I debug LDAP and other settings? I have set up the following in my local_settings.py without success:

```
import ldap, logging
from django_auth_ldap.config import LDAPSearch, ActiveDirectoryGroupType

logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.setLevel(logging.DEBUG)
```

After that I set up a path for the log file in gunicorn.conf.py: logfile = ... Without success too. So I cannot see any logs about LDAP in /var/log/supervisor. So, how can I debug LDAP settings? I just use tcpdump for that now :) .

Thanks for all. I hope my post will help you with a basic LDAP setup.
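Added example, not part of the original issue and not webvirtmgr or django-auth-ldap code: a small audit of the settings posted above, written against a plain dict so it runs without Django or python-ldap. The finding codes, the `audit_ldap_settings` helper, the hardened variant, its host name and its `kvm-admins` group are assumptions made for illustration; the numeric constants are the OpenLDAP values that python-ldap exposes.

```python
# Added example: audits a dict of Django settings; not webvirtmgr or django-auth-ldap code.
# Fallback constants carry the python-ldap/OpenLDAP values so this runs without python-ldap.
OPT_X_TLS_REQUIRE_CERT = 0x6006                               # ldap.OPT_X_TLS_REQUIRE_CERT
OPT_X_TLS_NEVER, OPT_X_TLS_DEMAND, OPT_X_TLS_ALLOW = 0, 2, 3  # ldap.OPT_X_TLS_*

def _dns(value):
    """Normalise one DN or a list/tuple of DNs to a set of lowercase strings."""
    items = [value] if isinstance(value, str) else value if isinstance(value, (list, tuple)) else []
    return {dn.lower() for dn in items if isinstance(dn, str)}

def audit_ldap_settings(s):
    """Return sorted finding codes for the LDAP-related settings in dict s."""
    findings = set()
    uri = s.get("AUTH_LDAP_SERVER_URI", "").lower()
    if not (uri.startswith("ldaps://") or s.get("AUTH_LDAP_START_TLS", False)):
        findings.add("cleartext-ldap")  # bind and user passwords cross the network unencrypted
    opts = {**s.get("AUTH_LDAP_GLOBAL_OPTIONS", {}), **s.get("AUTH_LDAP_CONNECTION_OPTIONS", {})}
    # False == 0 == OPT_X_TLS_NEVER, so the posted `False` turns certificate checks off.
    if opts.get(OPT_X_TLS_REQUIRE_CERT) in (OPT_X_TLS_NEVER, OPT_X_TLS_ALLOW):
        findings.add("tls-cert-not-verified")
    if "*" in s.get("ALLOWED_HOSTS", []):
        findings.add("wildcard-allowed-hosts")  # any Host header is accepted
    flags = s.get("AUTH_LDAP_USER_FLAGS_BY_GROUP", {})
    if _dns(flags.get("is_active")) & _dns(flags.get("is_superuser")):
        findings.add("login-group-is-superuser")  # everyone who may log in is also superuser
    return sorted(findings)

KVM = "CN=kvm,CN=Users,DC=company,DC=ru"
POSTED = {  # the settings from the issue, as a plain dict
    "AUTH_LDAP_SERVER_URI": "ldap://domainctrl",
    "AUTH_LDAP_GLOBAL_OPTIONS": {OPT_X_TLS_REQUIRE_CERT: False},
    "AUTH_LDAP_USER_FLAGS_BY_GROUP": {"is_active": [KVM]},
    "ALLOWED_HOSTS": ["*"],
}
# Constructed variant: the commented-out is_superuser line from the issue enabled.
POSTED_SUPER = {**POSTED, "AUTH_LDAP_USER_FLAGS_BY_GROUP": {"is_active": [KVM], "is_superuser": KVM}}
# Constructed hardened variant; the host name and the kvm-admins group are hypothetical.
HARDENED = {
    "AUTH_LDAP_SERVER_URI": "ldaps://domainctrl",
    "AUTH_LDAP_GLOBAL_OPTIONS": {OPT_X_TLS_REQUIRE_CERT: OPT_X_TLS_DEMAND},
    "AUTH_LDAP_USER_FLAGS_BY_GROUP": {"is_active": [KVM],
                                      "is_superuser": ["CN=kvm-admins,CN=Users,DC=company,DC=ru"]},
    "ALLOWED_HOSTS": ["webvirtmgr.company.ru"],
}

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("posted+superuser", POSTED_SUPER), ("hardened", HARDENED)):
        print(name, audit_ldap_settings(cfg))
```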
