Feature: Support for multiple AUTH_LDAP_REQUIRE_GROUP from environment variables #1297
Related Issue: netbox-community/netbox-chart#210

New Behavior
We can configure multiple AUTH_LDAP_REQUIRE_GROUP via 2 environment variables:
AUTH_LDAP_REQUIRE_GROUP_DN (already exists)
AUTH_LDAP_REQUIRE_GROUP_DN_SEPARATOR (new)

Contrast to Current Behavior
As of now, we have to use an ldap/extra.py file to configure multiple AUTH_LDAP_REQUIRE_GROUP with LDAPGroupQuery.

Discussion: Benefits and Drawbacks
Why AUTH_LDAP_REQUIRE_GROUP_DN_SEPARATOR?
Building an LDAPGroupQuery with AUTH_LDAP_REQUIRE_GROUP straight from a whitespace ' ' separated list environment variable (like in configuration.py) will break existing configuration if people use a group containing a whitespace in its DN. It may become a nightmare to work around if you are not the owner of an LDAP parent OU containing a whitespace character. This situation applies to any separator character.

That's why I opted for the AUTH_LDAP_REQUIRE_GROUP_DN_SEPARATOR. By default it is empty, so the AUTH_LDAP_REQUIRE_GROUP_DN environment variable will be used as a string (current behavior is preserved). If AUTH_LDAP_REQUIRE_GROUP_DN_SEPARATOR is not empty, then we use its value to split AUTH_LDAP_REQUIRE_GROUP_DN into a list, and build an OR'ed LDAPGroupQuery from it.

Benefits:
Drawbacks: None?

Changes to the Wiki
Maybe add an example in wiki/LDAP:

Proposed Release Note Entry
Add support for configuring multiple AUTH_LDAP_REQUIRE_GROUP via environment variables.

Double Check
develop branch.
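
The splitting behaviour described in the pull request above, sketched as an added example that is not the pull request's own code. `GroupQuery` is a constructed stand-in for `django_auth_ldap.config.LDAPGroupQuery`, the function names are hypothetical, and rejecting `,`/`=` as separators and dropping blank segments are choices of this example.

```python
import os
from functools import reduce
from operator import or_


class GroupQuery:
    """Constructed stand-in for django_auth_ldap.config.LDAPGroupQuery,
    recording only the DNs OR'ed together, so the block runs offline."""

    def __init__(self, *dns):
        self.dns = tuple(dns)

    def __or__(self, other):
        return GroupQuery(*self.dns, *other.dns)


def split_group_dns(value, separator):
    """Split the DN variable; an empty separator means 'one DN, unsplit'."""
    if not separator:
        return [value] if value else []
    if separator in (",", "="):
        # Every DN contains ',' and '=', so these would shred a single DN.
        raise ValueError(f"separator {separator!r} occurs inside DNs")
    # Dropping blank segments (e.g. a trailing separator) is this example's
    # choice, so no empty DN ends up in the requirement.
    return [p.strip() for p in value.split(separator) if p.strip()]


def build_require_group(environ=os.environ, query_cls=GroupQuery):
    """Return None, a plain DN string, or an OR'ed group query."""
    dns = split_group_dns(
        environ.get("AUTH_LDAP_REQUIRE_GROUP_DN", ""),
        environ.get("AUTH_LDAP_REQUIRE_GROUP_DN_SEPARATOR", ""),
    )
    if not dns:
        return None
    if len(dns) == 1:
        return dns[0]  # same value type as without a separator
    return reduce(or_, (query_cls(dn) for dn in dns))


# Constructed sample environment; the DNs are made up for illustration.
SAMPLE_ENV = {
    "AUTH_LDAP_REQUIRE_GROUP_DN": "cn=net admins,ou=IT Staff,dc=example,dc=com;"
                                  "cn=noc,ou=groups,dc=example,dc=com;",
    "AUTH_LDAP_REQUIRE_GROUP_DN_SEPARATOR": ";",
}
```

Passing `query_cls=LDAPGroupQuery` would produce the real query object in a deployment where django-auth-ldap is installed.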