Scott Paul Robertson wrote:
> On Tue, Aug 01, 2006 at 12:08:25PM -0700, Scott Paul Robertson wrote:
> > I'm actually doing LDAP auth with something I wrote myself, which I feel
> > is a little more general than the mentioned code (not that I'm
> > opinionated or anything). I'll be posting it in a day or so once it's
> > cleaned up a bit more. During OSCON I mentioned to Adrian that I'd be
> > willing to work on one that would make it into django.
>
> I've finished the code for a backend that works with LDAP. It pulls all
> the needed variables from your settings.py file, and covers everything
> that I could think of. I don't have an ssl based ldap server to test
> with, but I think if you want ssl you only have to have the uri be
> ldaps:// instead of ldap://.
I believe ssl with RedHat EL works out of the box since it sets
TLS_CACERTDIR /etc/openldap/cacerts in /etc/openldap/ldap.conf. My gentoo
box needed the ca-certificates package and I set this up in my python code
using ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/usr/share/ca-certificates')
but I think you could alternatively set TLS_CACERTDIR in
/etc/openldap/ldap.conf.

> Scathing comments are encouraged.

line 68 of patch:

    if not username and password is not Null: # we need a user/pass
                                        ^^^^
Should be None.

And how about moving the ldap.initialize() call after the above check so
that we don't make an unneeded connection to the ldap server.

Also, in the ldap setup I deal with, you must bind to the server using a
service account before attempting a bind with the user-supplied
credentials. The process goes something like:

1. Retrieve the username and password from the user.
2. Bind to the directory using DN and password of service account.
3. Issue a search query to determine the user's DN based on their username.
4. Attempt to bind to the directory using the user's DN retrieved in step 3
   and the password supplied by the user in step 1.
5. A successful bind means that the user has been authenticated. An
   unsuccessful bind means that the credentials provided are invalid.

This also seems to be the method used/needed in the second resource link
you listed in your first post. It would be great if this method could be
supported. It would require a few more options like LDAP_SERVICE_BIND_DN
and LDAP_SERVICE_BIND_PASSWORD and then an additional check in
authenticate() (after the call to initialize() and before the bind with
the user's DN and password) to see if first a bind should be attempted with
the service account DN and password.

Gary Wilson
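Added example (not Scott's patch and not Gary's code): the five-step service-bind / search / user-bind sequence from the message above, written against the python-ldap connection methods it would use (simple_bind_s, search_s, SCOPE_SUBTREE) but exercised with a constructed in-memory directory so it runs without a server. The setting names beyond LDAP_SERVICE_BIND_DN and LDAP_SERVICE_BIND_PASSWORD, the entries, and the "connect" factory are assumptions. It also folds in the two review points (reject missing username or password before initialize() is called) and two checks a practitioner would add: the username is RFC 4515-escaped before it goes into the search filter, and an empty password is refused up front because a simple bind with an empty password succeeds as an anonymous bind rather than failing.

```python
"""Service-account bind, DN lookup, then user bind (example, not the patch)."""
import re

SCOPE_SUBTREE = 2  # same numeric value as python-ldap's ldap.SCOPE_SUBTREE

# Assumed settings.py values; only the two *_SERVICE_BIND_* names come from
# the message, and every value here is constructed for the example.
SETTINGS = {
    "LDAP_SERVER_URI": "ldap://ldap.example.invalid",
    "LDAP_SERVICE_BIND_DN": "cn=django-svc,ou=services,dc=example,dc=invalid",
    "LDAP_SERVICE_BIND_PASSWORD": "svc-secret",
    "LDAP_SEARCH_BASE": "ou=people,dc=example,dc=invalid",
    "LDAP_SEARCH_FILTER": "(uid=%s)",
}


class InvalidCredentials(Exception):
    """Stands in for ldap.INVALID_CREDENTIALS."""


class FakeDirectory:
    """Stand-in for the object ldap.initialize() returns. Holds a constructed
    set of entries; production code would use python-ldap instead."""

    def __init__(self):
        self.entries = {
            SETTINGS["LDAP_SERVICE_BIND_DN"]: {
                "userPassword": SETTINGS["LDAP_SERVICE_BIND_PASSWORD"]},
            "uid=alice,ou=people,dc=example,dc=invalid": {
                "uid": "alice", "userPassword": "wonderland"},
            "uid=bob,ou=people,dc=example,dc=invalid": {
                "uid": "bob", "userPassword": "builder"},
        }
        self.bound_as = None

    def simple_bind_s(self, dn, password):
        # RFC 4513: an empty password yields a successful *anonymous* bind,
        # which is why the caller must reject empty passwords before binding.
        if password == "":
            self.bound_as = None
            return
        entry = self.entries.get(dn)
        if entry is None or entry["userPassword"] != password:
            raise InvalidCredentials(dn)
        self.bound_as = dn

    def search_s(self, base, scope, filterstr):
        # Only understands the one filter shape this example builds; escaped
        # bytes such as \2a are compared literally, as a server would.
        if self.bound_as is None:
            raise PermissionError("search requires an authenticated bind")
        m = re.fullmatch(r"\(uid=(.*)\)", filterstr)
        if not m:
            return []
        wanted = m.group(1)
        return [(dn, attrs) for dn, attrs in self.entries.items()
                if dn.endswith(base) and attrs.get("uid") == wanted]


def escape_filter_value(value):
    """RFC 4515 escaping of a user-supplied filter value (python-ldap ships
    ldap.filter.escape_filter_chars for this; reimplemented to stay offline)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def ldap_authenticate(username, password, connect=FakeDirectory,
                      settings=SETTINGS):
    """Return the authenticated user's DN, or None.

    `connect` is a zero-argument callable returning a python-ldap style
    connection; in a real backend it would be
    `lambda: ldap.initialize(settings["LDAP_SERVER_URI"])`.
    """
    # Step 1 (and the review point): validate before opening a connection.
    if not username or not password:
        return None
    conn = connect()
    try:
        # Step 2: bind as the service account.
        conn.simple_bind_s(settings["LDAP_SERVICE_BIND_DN"],
                           settings["LDAP_SERVICE_BIND_PASSWORD"])
        # Step 3: find the user's DN; escape so the name cannot alter the filter.
        filterstr = settings["LDAP_SEARCH_FILTER"] % escape_filter_value(username)
        results = conn.search_s(settings["LDAP_SEARCH_BASE"], SCOPE_SUBTREE,
                                filterstr)
        if len(results) != 1:      # unknown or ambiguous: treat as failure
            return None
        user_dn = results[0][0]
        # Steps 4 and 5: bind as the user; success means authenticated.
        conn.simple_bind_s(user_dn, password)
        return user_dn
    except InvalidCredentials:
        return None


if __name__ == "__main__":
    print(ldap_authenticate("alice", "wonderland"))  # the user's DN
    print(ldap_authenticate("alice", "guess"))       # None
```

In a Django backend, authenticate() would call this and then get_or_create the User for the returned DN; the fake's search_s is deliberately narrow, so if you swap in a real ldap.initialize() connection the same code path runs unchanged against the server.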