AC-156. Expose user_ldap_fields via API config to indicate which fields should not be editableon LDAP users. Add ldap_dn attribute to user record, prevent changing any LDAP-managed fields on LDAP users.

awx/main/models/__init__.py

@@ -35,6 +35,7 @@ from djcelery.models import TaskMeta
 
 # AWX
 from awx.main.compat import slugify
+from awx.main.fields import AutoOneToOneField
 from awx.main.utils import encrypt_field, decrypt_field
 
 __all__ = ['PrimordialModel', 'Organization', 'Team', 'Project',
@@ -1766,6 +1767,28 @@ class JobEvent(models.Model):
             if host_summary_changed:
                 host_summary.save()
 
+class Profile(models.Model):
+    '''
+    Profile model related to User object. Currently stores LDAP DN for users
+    loaded from LDAP.
+    '''
+
+    created = models.DateTimeField(
+        auto_now_add=True,
+    )
+    modified = models.DateTimeField(
+        auto_now=True,
+    )
+    user = AutoOneToOneField(
+        'auth.User',
+        related_name='profile',
+        editable=False,
+    )
+    ldap_dn = models.CharField(
+        max_length=1024,
+        default='',
+    )
+
 class AuthToken(models.Model):
     '''
     Custom authentication tokens per user with expiration and request-specific