AUTH_LDAP_REQUIRE_GROUP problem in Django

Time: 2018-10-11 17:21:35

Tags: python django ldap django-authentication django-auth-ldap

I am using OpenLDAP and want to connect it to Django with django_auth_ldap. I have tried many options but cannot find a solution.

I am trying to log in as the user test_user, who has been added to the group test_group on the LDAP server. When I try to log in without AUTH_LDAP_REQUIRE_GROUP="" and AUTH_LDAP_USER_FLAGS_BY_GROUP={..} in settings.py, I get a permission denied error.

[11/Oct/2018 15:58:01] "POST /accounts/login/ HTTP/1.1" 302 0
Forbidden (Permission denied): /events/timeline/
[11/Oct/2018 15:58:02] "GET /events/timeline/ HTTP/1.1" 403 22

But when I try to log in with AUTH_LDAP_REQUIRE_GROUP and AUTH_LDAP_USER_FLAGS_BY_GROUP in settings.py, I get this...

[11/Oct/2018 16:03:00] "GET /accounts/login/ HTTP/1.1" 200 1063
[11/Oct/2018 16:03:34] "POST /accounts/login/ HTTP/1.1" 200 1063

settings.py

import ldap
from django_auth_ldap.config import LDAPSearch, PosixGroupType

AUTH_LDAP_SERVER_URI = "ldap://ldap.example.com"
# Service account used for the search bind (password redacted)
AUTH_LDAP_BIND_DN = 'cn=admin,dc=example,dc=com'
AUTH_LDAP_BIND_PASSWORD = ' '

# Where to look for the user entry; %(user)s is the login name
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    "ou=people,dc=example,dc=com",
    ldap.SCOPE_SUBTREE,
    '(uid=%(user)s)',
)

# Base DN and filter used to discover the user's groups
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    'cn=test_user,ou=people,dc=example,dc=com',
    ldap.SCOPE_SUBTREE,
    '(objectClass=posixGroup)',
)
AUTH_LDAP_GROUP_TYPE = PosixGroupType()
# Users who are not members of this group are refused
AUTH_LDAP_REQUIRE_GROUP = 'cn=test_group,ou=group,dc=example,dc=com'

# LDAP attributes copied onto the Django user
AUTH_LDAP_USER_ATTR_MAP = {
    'first_name': 'displayName',
    'last_name': 'sn',
    'email': 'mail',
}

# Django user flags set from membership of the given group DN
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": 'cn=test_user,ou=people,cn=test_group,ou=group,dc=example,dc=com',
}

AUTH_LDAP_ALWAYS_UPDATE_USER = True

AUTH_LDAP_FIND_GROUP_PERMS = True

AUTH_LDAP_CACHE_TIMEOUT = 3600

AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)

$ ldapsearch -v -W -x -D "cn=admin,dc=example,dc=com" -p 389 -h ldap.example.com -b "dc=example,dc=com"

# example.com
dn: dc=example,dc=com
dc: example
objectClass: domain

# people, example.com
dn: ou=people,dc=example,dc=com
ou: people
objectClass: organizationalUnit

# group, example.com
dn: ou=group,dc=example,dc=com
ou: group
objectClass: organizationalUnit

# test_user, people, example.com
dn: uid=test_user,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: sambaIdmapEntry
objectClass: apple-user
cn: test_user
sn: test_user
uid: test_user

# test_group, group, example.com
dn: cn=test_group,ou=group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: sambaIdmapEntry
objectClass: apple-group
cn: test_group
gidNumber: 1000002
sambaGroupType: 2
sambaSID: S-1-5-21-821637849-415082144-557474591-1004
displayName: test_group
memberUid: test_user

views.py

from django.shortcuts import redirect, render

@has_permission_decorator('view_timeline')
def timeline(request):
    # Anonymous users are sent to the login form
    if not request.user.is_authenticated():
        return redirect('/accounts/login/')
    return render(request, 'home.html', {})

Where am I going wrong? Am I missing some other attribute configuration? Why can't I log in successfully?

Thanks a lot for your help.
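As an added offline illustration (not django-auth-ldap's own code, and a simplification of it), the snippet below models how the group-related settings in the question are evaluated: PosixGroupType membership is a memberUid or gidNumber match on the entry named by the group DN, so a DN that resolves to no entry never grants membership, and AUTH_LDAP_GROUP_SEARCH can only discover groups that sit under its base DN. The DIRECTORY snapshot is a constructed copy of the two relevant entries from the ldapsearch output; the function names are the example's own.

```python
# Constructed snapshot of the two entries from the ldapsearch output (keys are lower-cased DNs).
DIRECTORY = {
    "uid=test_user,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount", "inetOrgPerson"],
        "uid": ["test_user"],  # no gidNumber on this entry, as in the dump
    },
    "cn=test_group,ou=group,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "gidNumber": ["1000002"],
        "memberUid": ["test_user"],
    },
}

def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around its components."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def in_subtree(dn, base_dn):
    """True if dn is base_dn itself or lies below it (ldap.SCOPE_SUBTREE semantics)."""
    dn, base_dn = normalize_dn(dn), normalize_dn(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)

def posix_is_member(user_attrs, group_dn):
    """PosixGroupType rule: the entry named by group_dn must exist and list the
    user's uid in memberUid, or carry the user's gidNumber."""
    group = DIRECTORY.get(normalize_dn(group_dn))
    if group is None:
        return False  # a DN that resolves to no entry never grants membership
    uid = user_attrs.get("uid", [None])[0]
    gid = user_attrs.get("gidNumber", [None])[0]
    return uid in group.get("memberUid", []) or (gid is not None and gid in group.get("gidNumber", []))

def posix_groups_found(user_attrs, search_base):
    """AUTH_LDAP_GROUP_SEARCH with filter (objectClass=posixGroup): only group
    entries under search_base can be discovered."""
    return sorted(
        dn for dn, attrs in DIRECTORY.items()
        if in_subtree(dn, search_base)
        and "posixGroup" in attrs["objectClass"]
        and posix_is_member(user_attrs, dn)
    )

def evaluate_settings(user_dn, require_group, flags_by_group, group_search_base):
    """Evaluate the three group-related settings for one user against the snapshot."""
    user = DIRECTORY[normalize_dn(user_dn)]
    return {
        "require_group_ok": posix_is_member(user, require_group),
        "flags": {flag: posix_is_member(user, dn) for flag, dn in flags_by_group.items()},
        "groups_found": posix_groups_found(user, group_search_base),
    }
```

Calling evaluate_settings with the DNs from the question's settings.py shows which of the three checks pass for test_user, and which group search base actually reaches the ou=group subtree.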

0 answers:

No answers