Mapping LDAP users to Django users with Django Auth Ldap

I'm using Django 1.3 and Django Auth Ldap 1.0.6, and I'm trying to have the users who have a special status on the LDAP server (admins) have the same status in my Django application.

These are my current settings:

import ldap
from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_SERVER_URI = 'ldap://path.to.server'

AUTH_LDAP_BIND_DN = ''
AUTH_LDAP_BIND_PASSWORD = ''
AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,cn=users,dc=server,dc=location,dc=lan'
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
                             'cn=groups,dc=server,dc=location,dc=lan',
                             ldap.SCOPE_SUBTREE,
                             '(objectClass=groupOfNames)',
)
AUTH_LDAP_USER_ATTR_MAP = {
    'first_name': 'givenName',
    'last_name': 'sn',
}
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    #'is_active': 'cn=groups,dc=server,dc=location,dc=lan',
    #'is_staff': 'cn=admin,cn=groups,dc=server,dc=location,dc=lan',
    #'is_superuser': 'cn=admin,cn=groups,dc=server,dc=location,dc=lan',
}
AUTH_LDAP_ALWAYS_UPDATE_USER = True
AUTH_LDAP_MIRROR_GROUPS = True
AUTH_LDAP_FIND_GROUP_PERMS = True

Permissions aren't updated. If I uncomment the values in FLAGS_BY_GROUP, I can't authenticate any more (the error message says that the user and password don't match). I tried without the last setting with the same results.

Any ideas are highly appreciated.


If you set AUTH_LDAP_GROUP_SEARCH, you also need to set AUTH_LDAP_GROUP_TYPE. Since you're apparently using groupOfNames for grouping, you need AUTH_LDAP_GROUP_TYPE = GroupOfNamesType().

Everything else looks okay, although it's unlikely that you need both AUTH_LDAP_MIRROR_GROUPS and AUTH_LDAP_FIND_GROUP_PERMS. It's probably not hurting anything, but those are meant to be alternatives.

In general, logging is your friend in cases like this.


With the help of psagers' tips, I managed to find the answer to my issue. First, I'm using Open Directory, so I need to use AUTH_LDAP_GROUP_TYPE = PosixGroupType(name_attr='cn') instead of GroupOfNamesType(). Second, mapping the 'is_active' flag to the entire 'groups' container doesn't make sense, because I can't log in when I use it, so I took it out.
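
A pre-flight check for the three problems the answers above identify (no AUTH_LDAP_GROUP_TYPE, both group options enabled, a flag mapped to the groups container), plus the logging hook. This is an added example, not code from the posters or from django-auth-ldap. It assumes the settings are passed as a plain dict with AUTH_LDAP_GROUP_SEARCH as a (base, scope, filter) tuple, and uses the library's documented names AUTH_LDAP_FIND_GROUP_PERMS and the django_auth_ldap logger; check_group_settings and enable_ldap_debug_logging are hypothetical helper names.

```python
import logging

GROUP_FEATURES = ("AUTH_LDAP_GROUP_SEARCH", "AUTH_LDAP_USER_FLAGS_BY_GROUP",
                  "AUTH_LDAP_MIRROR_GROUPS", "AUTH_LDAP_FIND_GROUP_PERMS")


def check_group_settings(settings):
    """Return a list of findings for a dict of AUTH_LDAP_* settings.

    Assumption for this sketch: AUTH_LDAP_GROUP_SEARCH is given as a
    (base_dn, scope, filter) tuple instead of an LDAPSearch object.
    """
    findings = []
    used = [k for k in GROUP_FEATURES if settings.get(k)]
    if used and not settings.get("AUTH_LDAP_GROUP_TYPE"):
        findings.append("AUTH_LDAP_GROUP_TYPE is not set but %s need it"
                        % ", ".join(used))
    if (settings.get("AUTH_LDAP_MIRROR_GROUPS")
            and settings.get("AUTH_LDAP_FIND_GROUP_PERMS")):
        findings.append("AUTH_LDAP_MIRROR_GROUPS and AUTH_LDAP_FIND_GROUP_PERMS "
                        "are alternatives; one is normally enough")
    # Naive DN comparison (case and spaces only); enough for a config lint.
    search = settings.get("AUTH_LDAP_GROUP_SEARCH")
    base = search[0].replace(" ", "").lower() if search else None
    for flag, dn in settings.get("AUTH_LDAP_USER_FLAGS_BY_GROUP", {}).items():
        if base and dn.replace(" ", "").lower() == base:
            findings.append("%s maps to the group search base %r, a container "
                            "rather than a group" % (flag, dn))
    return findings


def enable_ldap_debug_logging():
    """Send django-auth-ldap's log output to stderr at DEBUG level."""
    logger = logging.getLogger("django_auth_ldap")
    logger.addHandler(logging.StreamHandler())
    logger.setLevel(logging.DEBUG)
    return logger


# Constructed sample: the question's settings with the flags uncommented.
BASE = "cn=groups,dc=server,dc=location,dc=lan"
SAMPLE = {
    "AUTH_LDAP_GROUP_SEARCH": (BASE, "SCOPE_SUBTREE", "(objectClass=groupOfNames)"),
    "AUTH_LDAP_USER_FLAGS_BY_GROUP": {"is_active": BASE,
                                      "is_staff": "cn=admin," + BASE},
    "AUTH_LDAP_MIRROR_GROUPS": True,
    "AUTH_LDAP_FIND_GROUP_PERMS": True,
}

if __name__ == "__main__":
    for finding in check_group_settings(SAMPLE):
        print("WARNING:", finding)
```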
