django-python3-ldap Search Users belonging to Specific Group in Active Directory

I have django-python3-ldap included in my Django project, and I have it pointed at an Active Directory server. It connects to the AD server and returns the username, first name, and hashed password to the auth_user table. How do I limit the search to only users in a specific AD group?

Here are the relevant settings:

LDAP_AUTH_SEARCH_BASE = "OU=******,DC=ad,DC=******,DC=org"
LDAP_AUTH_USER_FIELDS = {
     "username": "samaccountname",
     "first_name": "givenname",
     "last_name": "surname",
     "email": "EmailAddress",
}
LDAP_AUTH_OBJECT_CLASS = "User"
LDAP_AUTH_USER_LOOKUP_FIELDS = ("username",)
LDAP_AUTH_FORMAT_USERNAME = "django_python3_ldap.utils.format_username_active_directory"
LDAP_AUTH_ACTIVE_DIRECTORY_DOMAIN = "AD"
LDAP_AUTH_FORMAT_SEARCH_FILTERS = "django_python3_ldap.utils.format_search_filters"

I believe I need to use LDAP_AUTH_FORMAT_SEARCH_FILTERS to "and" conditions to the original search base, but I'm not sure exactly how to do so. I assume I need to write a custom format_search_filter, but I don't intuitively understand how it would cross-check with AD groups.

How to do the filtering with this particular package is documented here. Right in the example, it shows how you can filter using group membership. The following would limit the search to the AD group "foo":

# settings.py
LDAP_AUTH_FORMAT_SEARCH_FILTERS = "path.to.your.custom_format_search_filters"

# path/to/your/module.py
from django_python3_ldap.utils import format_search_filters

def custom_format_search_filters(ldap_fields):
    # Add in simple filters.
    ldap_fields["memberOf"] = "foo"
    # Call the base format callable.
    search_filters = format_search_filters(ldap_fields)
    return search_filters

You could alternatively (or additionally) apply rules using usual LDAP filtering syntax...

search_filters.append("(|(memberOf=groupA)(memberOf=GroupB))")

You can read up more on filtering syntax here and many other places.
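An added example, not part of the original answer or of the package: a filter callable that restricts login to members of one or more AD groups. It assumes Active Directory, where memberOf holds full distinguished names, and generalizes the answer to nested groups through AD's LDAP_MATCHING_RULE_IN_CHAIN; the group DN and the helper names escape_filter_value and group_filter are constructed for illustration.

```python
# Added example. ALLOWED_GROUP_DN is a constructed placeholder, not a value from the post.
ALLOWED_GROUP_DN = "CN=Web Users (Prod),OU=Groups,DC=ad,DC=example,DC=org"

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN: also matches membership
# inherited through nested groups.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape a string for use as an LDAP filter value (RFC 4515)."""
    special = "\\*()\x00"
    return "".join("\\%02x" % ord(ch) if ch in special else ch for ch in value)


def group_filter(group_dns, nested=True):
    """Build a filter clause matching members of any of the given group DNs."""
    if not group_dns:
        # Fail closed: an empty allow-list must not turn into "no restriction".
        raise ValueError("at least one group DN is required")
    rule = ":%s:" % IN_CHAIN_OID if nested else ""
    clauses = [
        "(memberOf%s=%s)" % (rule, escape_filter_value(dn)) for dn in group_dns
    ]
    return clauses[0] if len(clauses) == 1 else "(|%s)" % "".join(clauses)


def custom_format_search_filters(ldap_fields):
    """Callable to reference from LDAP_AUTH_FORMAT_SEARCH_FILTERS."""
    # Imported lazily so the helpers above can be tested without Django.
    from django_python3_ldap.utils import format_search_filters

    search_filters = format_search_filters(ldap_fields)
    # Appended clauses are combined with the base filters, as in the answer above.
    search_filters.append(group_filter([ALLOWED_GROUP_DN]))
    return search_filters
```

The memberOf attribute does not list a user's primary group (usually Domain Users), so use a dedicated security group for access control.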

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
