AC-156. Expose user_ldap_fields via API config to indicate which fields should not be editableon LDAP users. Add ldap_dn attribute to user record, prevent changing any LDAP-managed fields on LDAP users.

2026-02-17 19:20:05 -03:30 · 2013-09-10 03:28:52 -04:00
parent 106023e530
commit c0ea2527ec
7 changed files with 499 additions and 2 deletions
--- a/awx/main/views.py
+++ b/awx/main/views.py
@@ -114,6 +114,16 @@ class ApiV1ConfigView(APIView):
            version=get_awx_version(),
            ansible_version=get_ansible_version(),
        )
+
+        # If LDAP is enabled, user_ldap_fields will return a list of field
+        # names that are managed by LDAP and should be read-only for users with
+        # a non-empty ldap_dn attribute.
+        if getattr(settings, 'AUTH_LDAP_SERVER_URI', None):
+            user_ldap_fields = ['username', 'password']
+            user_ldap_fields.extend(getattr(settings, 'AUTH_LDAP_USER_ATTR_MAP', {}).keys())
+            user_ldap_fields.extend(getattr(settings, 'AUTH_LDAP_USER_FLAGS_BY_GROUP', {}).keys())
+            data['user_ldap_fields'] = user_ldap_fields
+
        if request.user.is_superuser or request.user.admin_of_organizations.filter(active=True).count():
            data.update(dict(
                project_base_dir = settings.PROJECTS_ROOT,