On 10/08/06, Scott Paul Robertson <[EMAIL PROTECTED]> wrote:
> On Wed, Aug 09, 2006 at 08:00:31PM -0700, Gary Wilson wrote:
> > > Scathing comments are encouraged.
> >
> > line 68 of patch:
> > if not username and password is not Null: # we need a user/pass
> > Should be None ^^^^
>
> d'oh! Figures I'd mistype something like that.
>
> > And how about moving the ldap.initialize() call after the above check
> > so that we don't make an unneeded connection to the ldap server.
>
> You know it was on my list, and I missed it when I was going through my
> cleanup today. Thanks.
>
> > Also, in the ldap setup I deal with, you must bind to the server using
> > a service account before attempting a bind with the user-supplied
> > credentials. The process goes something like
> >
> > 1. Retrieve the username and password from the user.
> > 2. Bind to the directory using DN and password of service account.
> > 3. Issue a search query to determine the user's DN based on their
> > username.
> > 4. Attempt to bind to the directory using the user's DN retrieved in
> > step 3 and the password supplied by the user in step 1.
> > 5. A successful bind means that the user has been authenticated. An
> > unsuccessful bind means that the credentials provided are invalid.
> >
> > This also seems to be the method used/needed in the second resource
> > link you listed in your first post. It would be great if this method
> > could be supported. It would require a few more options like
> > LDAP_SERVICE_BIND_DN
> > LDAP_SERVICE_BIND_PASSWORD
> > and then an additional check in authenticate() (after the call to
> > initialize() and before the bind with the user's DN and password) to
> > see if first a bind should be attempted with the service account DN and
> > password.
> >
>
> I'll start on this tomorrow. Out of curiosity how common is this sort of
> setup? I've only seen a handful of LDAP implementations, and this is new
> to me.
>

My LDAP setup does a similar thing. In fact my old (pre-magic removal) LDAP
auth code did it but I hadn't gotten around to rewriting it. Thanks for
saving me the effort!

> Thanks for the comments,
> Scott
>
> --
> Scott Paul Robertson
> http://spr.mahonri5.net
> GnuPG FingerPrint: 09ab 64b5 edc0 903e 93ce edb9 3bcc f8fb dc5d 7601
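
The five-step service-account flow listed in the quoted message, as an added example that is not part of the thread or the patch under review. It is written against any connection object exposing python-ldap's simple_bind_s() and search_s(). Assumptions: FakeDirectory, the sample DNs and passwords, and the names authenticate, escape_filter and login are constructed here so the flow runs offline; service_dn and service_password play the role of the proposed LDAP_SERVICE_BIND_DN and LDAP_SERVICE_BIND_PASSWORD options.

```python
class InvalidCredentials(Exception):
    """Stands in for ldap.INVALID_CREDENTIALS."""

def escape_filter(value):
    # RFC 4515 escaping, so a username cannot rewrite the search filter.
    out = value.replace("\\", r"\5c")
    for ch, esc in (("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        out = out.replace(ch, esc)
    return out

class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP server (not python-ldap)."""
    def __init__(self, entries):
        self.entries = entries  # {dn: {"uid": ..., "password": ...}}
    def simple_bind_s(self, dn, password):
        # An empty password is an unauthenticated bind (RFC 4513) and is
        # reported as success here, as servers that allow it do.
        if password and self.entries.get(dn, {}).get("password") != password:
            raise InvalidCredentials(dn)
    def search_s(self, base, scope, filterstr):
        wanted = filterstr[len("(uid="):-1]  # only handles (uid=<value>)
        return [(dn, {"uid": [e["uid"]]}) for dn, e in self.entries.items()
                if dn.endswith(base) and escape_filter(e["uid"]) == wanted]

def authenticate(connect, username, password, service_dn, service_password, base_dn):
    # Step 1: refuse empty credentials before opening any connection.
    if not username or not password:
        return None
    conn = connect()
    # Step 2: bind as the service account; a failure here is a config error.
    conn.simple_bind_s(service_dn, service_password)
    # Step 3: look up the user's DN (2 is the value of ldap.SCOPE_SUBTREE).
    hits = conn.search_s(base_dn, 2, "(uid=%s)" % escape_filter(username))
    if len(hits) != 1:  # unknown or ambiguous username
        return None
    user_dn = hits[0][0]
    try:
        conn.simple_bind_s(user_dn, password)  # step 4: bind as the user
    except InvalidCredentials:
        return None
    return user_dn  # step 5: a successful bind means authenticated

BASE = "ou=people,dc=example,dc=org"  # constructed sample data from here on
SVC_DN, SVC_PW = "cn=svc,dc=example,dc=org", "svc-secret"
DIRECTORY = FakeDirectory({
    SVC_DN: {"uid": "svc", "password": SVC_PW},
    "uid=alice," + BASE: {"uid": "alice", "password": "correct horse"},
})

def login(username, password):
    return authenticate(lambda: DIRECTORY, username, password, SVC_DN, SVC_PW, BASE)
```

The empty-password check in step 1 is what keeps an unauthenticated bind from being counted as a login, and the filter escaping keeps a username such as `*` from matching an arbitrary entry in step 3.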