Scott Paul Robertson wrote:
> On Tue, Aug 01, 2006 at 12:08:25PM -0700, Scott Paul Robertson wrote:
> > I'm actually doing LDAP auth with something I wrote myself, which I feel
> > is a little more general than the mentioned code (not that I'm
> > opinionated or anything). I'll be posting it in a day or so once it's
> > cleaned up a bit more. During OSCON I mentioned to Adrian that I'd be
> > willing to work on one that would make it into django.
> >
>
> I've finished the code for a backend that works with LDAP. It pulls all
> the needed variables from your settings.py file, and covers everything
> that I could think of. I don't have an ssl based ldap server to test
> with, but I think if you want ssl you only have to have the uri be
> ldaps:// instead of ldap://.

I believe ssl with RedHat EL works out of the box since it sets
TLS_CACERTDIR /etc/openldap/cacerts
in /etc/openldap/ldap.conf.  My Gentoo box needed the ca-certificates
package and I set this up in my python code using
ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/usr/share/ca-certificates')
but I think you could alternatively set TLS_CACERTDIR in
/etc/openldap/ldap.conf.

> Scathing comments are encouraged.

line 68 of patch:
if not username and password is not Null: # we need a user/pass
                Should be None      ^^^^

And how about moving the ldap.initialize() call after the above check
so that we don't make an unneeded connection to the ldap server.

Also, in the ldap setup I deal with, you must bind to the server using
a service account before attempting a bind with the user-supplied
credentials.  The process goes something like

1. Retrieve the username and password from the user.
2. Bind to the directory using DN and password of service account.
3. Issue a search query to determine the user's DN based on their
username.
4. Attempt to bind to the directory using the user's DN retrieved in
step 3 and the password supplied by the user in step 1.
5. A successful bind means that the user has been authenticated. An
unsuccessful bind means that the credentials provided are invalid.

This also seems to be the method used/needed in the second resource
link you listed in your first post.  It would be great if this method
could be supported.  It would require a few more options like
LDAP_SERVICE_BIND_DN
LDAP_SERVICE_BIND_PASSWORD
and then an additional check in authenticate() (after the call to
initialize() and before the bind with the user's DN and password) to
see if first a bind should be attempted with the service account DN and
password.

Gary Wilson
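The five-step service-bind flow above, written out as an added example (this is not Scott's patch and not code from the thread). It uses the setting names LDAP_SERVICE_BIND_DN and LDAP_SERVICE_BIND_PASSWORD proposed in the message; LDAP_SEARCH_BASE and LDAP_USER_ATTR are hypothetical names, and every DN and password is constructed. To run offline it talks to an in-memory FakeDirectory that mimics the two python-ldap connection calls the backend needs (simple_bind_s and search_s, as returned by ldap.initialize()); swapping in a real connection object is the only change needed. The empty-password check at the top is the same check the review comment on the patch is about: most directories treat a bind with an empty password as an anonymous bind that succeeds, so it must be rejected before the server is contacted. The username is escaped per RFC 4515 before it is placed in the search filter.

```python
import re

# Settings in the shape the thread proposes. The two LDAP_SERVICE_* names are
# the ones suggested in the message; LDAP_SEARCH_BASE and LDAP_USER_ATTR are
# hypothetical, and all values are constructed for this example.
SETTINGS = {
    "LDAP_SERVICE_BIND_DN": "cn=django,ou=services,dc=example,dc=invalid",
    "LDAP_SERVICE_BIND_PASSWORD": "service-secret",
    "LDAP_SEARCH_BASE": "ou=people,dc=example,dc=invalid",
    "LDAP_USER_ATTR": "uid",
}

SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE in python-ldap


class InvalidCredentials(Exception):
    """Stands in for ldap.INVALID_CREDENTIALS."""


def escape_filter_value(value):
    """Escape a user-supplied value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


class FakeDirectory:
    """In-memory stand-in for the connection object ldap.initialize() returns.

    Only simple_bind_s() and search_s() are implemented, and search_s() only
    understands equality filters of the form (attr=value).
    """

    def __init__(self, entries, passwords):
        self.entries = entries      # dn -> {attr: [values]}
        self.passwords = passwords  # dn -> password
        self.bound_as = None

    def simple_bind_s(self, dn, password):
        if password == '':
            # Mimics a directory that allows unauthenticated binds: the bind
            # "succeeds" but as an anonymous session, not as dn.
            self.bound_as = None
            return
        if self.passwords.get(dn) != password:
            raise InvalidCredentials(dn)
        self.bound_as = dn

    def search_s(self, base, scope, filterstr, attrlist=None):
        m = re.fullmatch(r'\((\w+)=(.*)\)', filterstr)
        if m is None:
            raise ValueError('unsupported filter: %s' % filterstr)
        attr = m.group(1)
        # Undo RFC 4515 escaping so the value is compared literally.
        wanted = re.sub(r'\\([0-9a-fA-F]{2})',
                        lambda h: chr(int(h.group(1), 16)), m.group(2))
        return [(dn, e) for dn, e in self.entries.items()
                if dn.endswith(base) and wanted in e.get(attr, [])]


def authenticate(directory, username, password, settings=SETTINGS):
    """Return the user's DN on success, None on failure (steps 1-5 from the thread)."""
    # Step 1: refuse empty credentials before touching the server; an empty
    # password would otherwise become an anonymous bind that looks successful.
    if not username or not password:
        return None
    # Step 2: bind with the service account.
    try:
        directory.simple_bind_s(settings['LDAP_SERVICE_BIND_DN'],
                                settings['LDAP_SERVICE_BIND_PASSWORD'])
    except InvalidCredentials:
        raise RuntimeError('service account bind failed; check settings')
    # Step 3: find the user's DN, escaping the username so it cannot alter the filter.
    filterstr = '(%s=%s)' % (settings['LDAP_USER_ATTR'], escape_filter_value(username))
    results = directory.search_s(settings['LDAP_SEARCH_BASE'], SCOPE_SUBTREE, filterstr)
    if len(results) != 1:
        return None  # unknown or ambiguous username
    user_dn = results[0][0]
    # Steps 4 and 5: bind as the user; success means the credentials are valid.
    try:
        directory.simple_bind_s(user_dn, password)
    except InvalidCredentials:
        return None
    return user_dn


def sample_directory():
    """A constructed directory with one service account and two people."""
    people = 'ou=people,dc=example,dc=invalid'
    entries = {
        'uid=alice,' + people: {'uid': ['alice']},
        'uid=bob,' + people: {'uid': ['bob']},
    }
    passwords = {
        SETTINGS['LDAP_SERVICE_BIND_DN']: SETTINGS['LDAP_SERVICE_BIND_PASSWORD'],
        'uid=alice,' + people: 'alice-pw',
        'uid=bob,' + people: 'bob-pw',
    }
    return FakeDirectory(entries, passwords)


if __name__ == '__main__':
    print(authenticate(sample_directory(), 'alice', 'alice-pw'))
    print(authenticate(sample_directory(), 'alice', ''))
```

The directory factory is passed in rather than created inside authenticate() so the ldap.initialize() call can stay after the credential check, as the review suggests, and so the same function can be exercised against the fake directory.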

