ldap: Add option to limit user access to certain realms.

This adds an option for restricting an LDAP user
to only be allowed to log in to certain realms.
This is done by configuring an attribute mapping of "org_membership"
to an ldap attribute that will contain the list of subdomains the ldap
user is allowed to access. This is analogous to how it's done in SAML.

Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
Strifel
2020-08-15 18:33:16 +02:00
committed by Tim Abbott
parent e6ee1b0760
commit 209c89be10
4 changed files with 71 additions and 0 deletions


@@ -631,6 +631,14 @@ class ZulipLDAPAuthBackendBase(ZulipAuthMixin, LDAPBackend):
ldap_disabled = bool(int(account_control_value) & LDAP_USER_ACCOUNT_CONTROL_DISABLED_MASK)
return ldap_disabled
def is_account_realm_access_forbidden(self, ldap_user: _LDAPUser, realm: Realm) -> bool:
if "org_membership" not in settings.AUTH_LDAP_USER_ATTR_MAP:
return False
org_membership_attr = settings.AUTH_LDAP_USER_ATTR_MAP["org_membership"]
allowed_orgs: List[str] = ldap_user.attrs.get(org_membership_attr, [])
return not is_subdomain_in_allowed_subdomains_list(realm.subdomain, allowed_orgs)
@classmethod
def get_mapped_name(cls, ldap_user: _LDAPUser) -> str:
"""Constructs the user's Zulip full_name from the LDAP data"""
@@ -767,6 +775,9 @@ class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase):
username = self.user_email_from_ldapuser(username, ldap_user)
if self.is_account_realm_access_forbidden(ldap_user, self._realm):
raise ZulipLDAPException("User not allowed to access realm")
if "userAccountControl" in settings.AUTH_LDAP_USER_ATTR_MAP: # nocoverage
ldap_disabled = self.is_account_control_disabled_user(ldap_user)
if ldap_disabled:
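Review bot: `is_account_realm_access_forbidden` in the first hunk has no docstring, unlike the neighbouring `get_mapped_name`, and its fail-closed behaviour deserves stating: once the `org_membership` mapping is configured, a user whose LDAP entry lacks the mapped attribute gets `[]` from `ldap_user.attrs.get(org_membership_attr, [])` and is refused every realm, while an unconfigured mapping allows all. Suggested docstring: `"""Return True if the LDAP org_membership mapping is configured and the user's attribute does not list realm.subdomain; a configured mapping with no value on the user denies every realm (fail closed)."""`. The check added in the second hunk sits inside a method whose start and end are outside the hunk, so it appears to apply only on that login path; presumably already-established sessions are not re-evaluated when the attribute changes, which is worth confirming and noting. The enclosing class of the first hunk also continues outside the hunk.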


@@ -236,6 +236,9 @@ AUTH_LDAP_USER_ATTR_MAP = {
## who are disabled in LDAP/Active Directory (and reactivate users who are not).
## See docs for usage details and precise semantics.
# "userAccountControl": "userAccountControl",
## Restrict access to organizations using an LDAP attribute.
## See https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#restricting-ldap-user-access-to-specific-organizations
# "org_membership": "department",
}
## Whether to automatically deactivate users not found in LDAP. If LDAP
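Review bot: The new template comment above `"org_membership": "department"` does not say what happens to a user whose LDAP entry has no value for the mapped attribute; with the mapping enabled, the backend change on this page treats a missing attribute as an empty allow-list and refuses login to every organization, so administrators enabling it should know the setting fails closed. Suggested additional line before the example: `## A user whose LDAP entry has no value for this attribute is denied access to every organization.` The example value `department` also presumes the attribute holds Zulip subdomains, which may be worth stating for readers reusing an existing directory attribute.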