ldap: Add option to limit user access to certain realms.

This adds an option for restricting a ldap user to only be allowed to login into certain realms. This is done by configuring an attribute mapping of "org_membership" to an ldap attribute that will contain the list of subdomains the ldap user is allowed to access. This is analogous to how it's done in SAML. Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2025-11-02 13:03:29 +00:00 · 2020-08-15 18:33:16 +02:00
parent e6ee1b0760
commit 209c89be10
4 changed files with 71 additions and 0 deletions
--- a/docs/production/authentication-methods.md
+++ b/docs/production/authentication-methods.md
@@ -284,6 +284,34 @@ details.

 [upstream-ldap-groups]: https://django-auth-ldap.readthedocs.io/en/latest/groups.html#limiting-access

+### Restricting LDAP user access to specific organizations
+
+If you're hosting multiple Zulip organizations, you can restrict which
+users have access to which organizations.
+This is done by setting `org_membership` in `AUTH_LDAP_USER_ATTR_MAP` to the name of
+the LDAP attribute which will contain a list of  subdomains that the
+user should be allowed to access.
+
+For the root subdomain, `www` in the list will work, or any other of
+`settings.ROOT_SUBDOMAIN_ALIASES`.
+
+For example, with `org_membership` set to `department`, a user with
+the following attributes will have access to the root and `engineering` subdomains:
+```
+...
+department: engineering
+department: www
+...
+```
+
+```eval_rst
+.. warning::
+    Restricting access using this mechanism only affects authentication via LDAP,
+    and won't prevent users from accessing the organization using any other
+    authentication backends that are enabled for the organization.
+```
+
+
 ### Troubleshooting

 Most issues with LDAP authentication are caused by misconfigurations of