如何使用django-python3-ldap从Active Directory组中在Django模型中创建组和权限？

Question

I have two groups that I have created in django. I created billing_users and billing_admins. I also have two groups of users in ldap, internalBilling-admin and internalBilling-users.

I currently have django-python3-ldap authentication working. But I have to log into Django and manually set the user as a is_staff and is_superuser to allow the user to login into the admin the default admin console. In addition, I have to assign them to the group that they belong to.

Question 1: Is there a way that I can have the flags automatically set based on the Django group they belong to?

Question 2: Is there a way that I can have the Active Directory user's group set the Django group set the user in the proper Django group using django-python3-ldap?

The author states the following:

The LDAP_AUTH_CLEAN_USER_DATA and LDAP_AUTH_SYNC_USER_RELATIONS settings are your friends here. Check out the docs here:

https://github.com/etianen/django-python3-ldap#available-settings

But I don't understand how LDAP_AUTH_CLEAN_USER_DATA and LDAP_AUTH_SYNC_USER_RELATIONS work because there are no examples of it being implemented.

Answer 1

The author confirmed that this is the correct way to do this https://github.com/etianen/django-python3-ldap/issues/74#issuecomment-304396431

def sync_all_user_group_relations(user, data):

    ldap_groups = list(data.get('memberOf', ()))
    for group in ldap_groups:
        if group == 'CN=InternalBilling-Users,OU=ABC-Users,OU=Groups,DC=abc,DC=abc,DC=com':
            g = Group.objects.get(name='Billing clerks')
            user.is_staff=True
            user.save()
            g.user_set.add(user)
        elif group == 'CN=InternalBilling-Admin,OU=ABC-Users,OU=Groups,DC=abc,DC=abc,DC=com':
            g = Group.objects.get(name='Billing admins')
            user.is_staff=True
            user.save()
            g.user_set.add(user)