Here it is, it was not a problem to import validators finally, what I did is import IS_EMAIL() actually... But I am not sure it really solved the issue... You should follow the other thread for more insight...
I made a diff with ldap_auth.py from 2.9.5 and there was not too much out of sync...

Hope it helps.

Richard

On Fri, Jan 9, 2015 at 10:31 AM, Richard Vézina <ml.richard.vez...@gmail.com> wrote:

> Yes, I think it was the conclusion to which we were coming with Massimo
> that was making my modification to web2py not acceptable...
>
> The check has to be done in LDAP contrib... The problem at this level is
> to have access to web2py validators, if I remember we can't easily import
> them, we have to copy them which is not DRY...
>
> I can attach here my actual version of ldap_auth if you want... I saw a
> couple of modifications pass through PR requests or on this list though, so
> it may be out of date...
>
> But you can see what I actually do that solved this issue for me for now...
>
> Richard
>
> On Thu, Jan 8, 2015 at 6:29 PM, Carlos Hanson <car...@clanhanson.com>
> wrote:
>
>> I'm not talking about forcing username only in all cases. Since I know
>> that for this application and my LDAP server configuration, usernames are
>> okay, so I think that having the option to force a particular login method
>> is useful.
>>
>> Then we can say login_with_email=False, or something of that nature, and
>> get an error message that says logging in with email addresses is not
>> allowed.
>>
>> I'll keep playing with it, since I need a way to prevent a user from
>> accidentally creating a second account. Plus, I need to figure out why some
>> accounts, and not all, are getting a duplicate created. That doesn't make
>> sense.
>>
>> If I find something useful and relatively simple, I'll make another
>> suggestion to get some feedback.
>>
>> On Thursday, January 8, 2015 at 2:37:15 PM UTC-8, Richard wrote:
>>>
>>> I think we can't restrict using only username because AD may have been
>>> configured to use email address...
>>> To me, if I remember, the problem was
>>> coming from ldap_auth contrib that is overly convoluted regarding the way
>>> it manages login of users, transforming it from email to username to email...
>>> In addition not all the variants of ldap use the same code regarding login
>>> so... But these are only some thoughts, I didn't read the code since then and
>>> I preferred to patch web2py which was making sure there was no email used as
>>> login name. But I think it was not working for web2py and can't be
>>> included in web2py code base.
>>>
>>> Richard
>>>
>>> On Thu, Jan 8, 2015 at 5:21 PM, Carlos Hanson <car...@clanhanson.com>
>>> wrote:
>>>
>>>> I definitely like and agree with your idea about using
>>>> get_or_create_user() in a login_method that intends to create (or get) a
>>>> user, but that doesn't eliminate the duplicate entry problem. Perhaps, my
>>>> suggestion isn't the best for eliminating it either, since it would require
>>>> an update to ldap_auth.
>>>>
>>>> I also just realized that it is only a few users that are getting
>>>> duplicate user accounts created. I am uncertain what would cause the
>>>> problem in a subset of new accounts and not all, so my case just got more
>>>> confusing.
>>>>
>>>> I can't find a way to prevent logging in with an email address. If it
>>>> doesn't exist, then perhaps we just need to be able to tell
>>>> get_or_create_user() to not use the full email. Then it would be more
>>>> likely to find the existing user created by ldap_auth.
>>>>
>>>> Carlos
>>>>
>>>> On Thursday, January 8, 2015 at 12:01:03 PM UTC-8, Richard wrote:
>>>>>
>>>>> I guess any solution is welcome, I didn't have spare time to work on
>>>>> this and because of the many ldap systems to be tested against the change
>>>>> to be made I have been reluctant to work on this since it could be very
>>>>> long to finish the refactoring...
>>>>> :(
>>>>>
>>>>> Richard
>>>>>
>>>>> On Thu, Jan 8, 2015 at 2:49 PM, Carlos Hanson <car...@clanhanson.com>
>>>>> wrote:
>>>>>
>>>>>> Greetings,
>>>>>>
>>>>>> I've been humming along quite nicely until I released a new
>>>>>> application last month which is used by our entire staff rather than our
>>>>>> department. Now I have run into the duplicate user problem, but I looked
>>>>>> through the code and figured out why. I had forgotten that you mentioned
>>>>>> it to me in this thread.
>>>>>>
>>>>>> After reviewing your suggested solution and seeing that it has not
>>>>>> been implemented, I thought we might consider an alternative. Since Auth
>>>>>> has get_or_create_user() and it is called by Auth.login(), isn't it
>>>>>> reasonable to think that a particular login_method can also create a
>>>>>> user? Given that ldap_auth is already doing so, I suggest that we ask the
>>>>>> login_method for the user. If we get it, use it. If not, Auth can use its
>>>>>> get_or_create_user().
>>>>>>
>>>>>> For example, in tools.py starting at line 2467:
>>>>>>
>>>>>>     # try alternate logins 1st as these have the
>>>>>>     # current version of the password
>>>>>>     user = None
>>>>>>     for login_method in settings.login_methods:
>>>>>>         if login_method != self and \
>>>>>>                 login_method(request.vars[username],
>>>>>>                              request.vars[passfield]):
>>>>>>             if not self in settings.login_methods:
>>>>>>                 # do not store password in db
>>>>>>                 form.vars[passfield] = None
>>>>>>             try:
>>>>>>                 user = login_method.get_user()
>>>>>>             except AttributeError:
>>>>>>                 # login method has not implemented get_user()
>>>>>>                 pass
>>>>>>             if user is None:
>>>>>>                 user = self.get_or_create_user(
>>>>>>                     form.vars, settings.update_fields)
>>>>>>             break
>>>>>>
>>>>>> On Friday, August 16, 2013 at 3:10:36 PM UTC-7, Richard wrote:
>>>>>>>
>>>>>>> Hello Carlos,
>>>>>>>
>>>>>>> Yes you have to pass the db, doc is pretty unclear.
>>>>>>> Also, it stops
>>>>>>> working because when you tell it manage_user=True it starts to check the
>>>>>>> credentials against Active Directory. If you read the doc carefully you
>>>>>>> will discover that if there is a password in the password field it will be
>>>>>>> prioritised over the AD credential. And if I remember my test, when
>>>>>>> manage_user is activated the password is cleared on user update
>>>>>>> (auth_user record is updated each time the user logs in). So, then
>>>>>>> the db becomes essential to allow ldap_auth to authenticate the user, which
>>>>>>> was not the case before because it was web2py's normal authentication
>>>>>>> mechanism which was a priority.
>>>>>>>
>>>>>>> Notice that ldap_auth contrib is not preventing logon with email as
>>>>>>> username, see this thread:
>>>>>>> https://groups.google.com/d/msg/web2py/sEpOWYk0mFA/XOivgLvR0rEJ
>>>>>>>
>>>>>>> So, take care, because if you don't add padding, since you have
>>>>>>> activated management of users, new users (duplicate users) will be added
>>>>>>> with email as username. Massimo is aware (see thread), I suggest a patch
>>>>>>> but he is still in reflection. You can apply the patch in the meantime to
>>>>>>> prevent duplicated users. But it may have backward compatibility issues (I
>>>>>>> don't know). There is also another option, refactor ldap_auth and make it
>>>>>>> return a validation error on email input as username, but it requires that
>>>>>>> we don't break ldap_auth. If you are in to refactor we can check what we
>>>>>>> could do.
>>>>>>>
>>>>>>> Also, I read that manage_user=True is not working properly, so
>>>>>>> better leave it to false, I think.
>>>>>>>
>>>>>>> Hope it helps.
>>>>>>>
>>>>>>> Richard
>>>>>>>
>>>>>>> On Fri, Aug 16, 2013 at 1:22 PM, Carlos Hanson
>>>>>>> <car...@clanhanson.com> wrote:
>>>>>>>
>>>>>>>> I am using ldap_auth.
>>>>>>>> The following example shows an error I
>>>>>>>> received after adding manage_user=True. It is unclear to me why this
>>>>>>>> is a problem.
>>>>>>>>
>>>>>>>>     >>> ldap_auth_aux = ldap_auth(mode='ad',
>>>>>>>>     ...     server='my.domain.controller',
>>>>>>>>     ...     base_dn='ou=Users,dc=domain,dc=com',
>>>>>>>>     ...     filterstr='objectClass=*',
>>>>>>>>     ...     manage_user=True,
>>>>>>>>     ...     user_firstname_attrib='givenName',
>>>>>>>>     ...     user_lastname_attrib='sn',
>>>>>>>>     ...     user_mail_attrib='mail')
>>>>>>>>     >>> import logging
>>>>>>>>     >>> logger = logging.getLogger('web2py.auth.ldap_auth')
>>>>>>>>     >>> logger.setLevel(logging.DEBUG)
>>>>>>>>
>>>>>>>>     >>> ldap_auth_aux('chanson', '********')
>>>>>>>>     DEBUG:web2py.auth.ldap_auth:mode: [ad] manage_user: [True] custom_scope: [subtree] manage_groups: [False]
>>>>>>>>     INFO:web2py.auth.ldap_auth:[my.domain.controller] Initialize ldap connection
>>>>>>>>     INFO:web2py.auth.ldap_auth:[chanson] Manage user data
>>>>>>>>     Traceback (most recent call last):
>>>>>>>>       File "<console>", line 1, in <module>
>>>>>>>>       File "/srv/www/web2py/gluon/contrib/login_methods/ldap_auth.py", line 421, in ldap_auth_aux
>>>>>>>>         user_in_db = db(db.auth_user.email == username)
>>>>>>>>     AttributeError: 'NoneType' object has no attribute 'auth_user'
>>>>>>>>
>>>>>>>>     >>> ldap_auth_aux('chanson', '********', db=db)
>>>>>>>>     DEBUG:web2py.auth.ldap_auth:mode: [ad] manage_user: [True] custom_scope: [subtree] manage_groups: [False]
>>>>>>>>     INFO:web2py.auth.ldap_auth:[my.domain.controller] Initialize ldap connection
>>>>>>>>     INFO:web2py.auth.ldap_auth:[chanson] Manage user data
>>>>>>>>     True
>>>>>>>>     >>> db.commit()
>>>>>>>>
>>>>>>>> The Traceback in the error ticket showed one of the following prior
>>>>>>>> to the error on line 421 in ldap_auth_aux:
>>>>>>>>
>>>>>>>> - File "/srv/www/web2py/gluon/tools.py", line 2123, in login
>>>>>>>> - File "/srv/www/web2py/gluon/tools.py", line 2144, in login
>>>>>>>>
>>>>>>>> The interesting code is the following:
>>>>>>>>
>>>>>>>>     login_method(request.vars[username],
>>>>>>>>                  request.vars[passfield]):
>>>>>>>>
>>>>>>>> db is not passed to the function. The function definition of
>>>>>>>> ldap_auth_aux has db=db, but the function is defined in ldap_auth which
>>>>>>>> defaults to db=None. I am not sure how it worked before. My solution
>>>>>>>> is to add db=db to my login_methods definition:
>>>>>>>>
>>>>>>>>     auth.settings.login_methods = [
>>>>>>>>         ldap_auth(...as usual...,
>>>>>>>>                   manage_user=True,
>>>>>>>>                   user_firstname_attrib='givenName',
>>>>>>>>                   user_lastname_attrib='sn',
>>>>>>>>                   user_mail_attrib='mail',
>>>>>>>>                   db=db
>>>>>>>>         )
>>>>>>>>     ]
>>>>>>>>
>>>>>>>> I also noticed that the user_xxx_attrib values are case sensitive.
>>>>>>>> For example, I use givenName for the user_firstname_attrib. Searching
>>>>>>>> ldap is case insensitive, so I think the results should not be, but the
>>>>>>>> results create a dictionary which has case sensitive keys. In my case, if
>>>>>>>> I use givenname, which is the norm for me when I interact with ldap, line
>>>>>>>> 665 of ldap_auth.py throws an exception and my first_name in the auth_user
>>>>>>>> table gets created or updated to None, depending on whether the user
>>>>>>>> exists or not.
>>>>>>>>
>>>>>>>> I don't know if this needs to be changed necessarily. I think it
>>>>>>>> would be better to be case insensitive, since searches are that way,
>>>>>>>> but if not, at a minimum the documentation should say that the case of
>>>>>>>> the attribute should match the schema definition.
>>>>>>>>
>>>>>>>> I'm not sure how to resolve the db=db issue above other than the
>>>>>>>> way I did, since I am unclear why it worked before I added
>>>>>>>> manage_user=True.
>>>>>>>>
>>>>>>>> Carlos Hanson
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> ---
>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>> Groups "web2py-users" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>> send an email to web2py+un...@googlegroups.com.
>>>>>>>> For more options, visit https://groups.google.com/groups/opt_out.
ldap_auth.py_mod_RV
Description: Binary data
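
An added example (not code from ldap_auth.py or from the attached modification) of the check the thread converges on: a wrapper around a `login_method(username, password)` callable that refuses e-mail-form identifiers before the directory is contacted, so one directory account cannot end up stored under two login names. `username_only`, `ToyAuth`, `fake_ldap` and the sample credentials are hypothetical, and the pattern is a simple stand-in for web2py's IS_EMAIL validator.

```python
import re

# Deliberately simple e-mail shape check (assumption: stands in for IS_EMAIL).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def username_only(login_method):
    """Wrap a login_method(username, password) callable; reject e-mail logins."""
    def guarded(username, password):
        if EMAIL_RE.match(username or ""):
            return False          # fail closed before contacting the directory
        return login_method(username, password)
    return guarded

def fake_ldap(username, password):
    """Constructed stand-in for an LDAP login method that accepts both forms."""
    directory = {"chanson": "s3cret", "chanson@example.com": "s3cret"}
    return directory.get(username) == password

class ToyAuth:
    """Minimal model of a login loop followed by a get-or-create step."""
    def __init__(self, login_methods):
        self.login_methods = login_methods
        self.users = {}           # keyed by the identifier typed at login

    def login(self, username, password):
        for method in self.login_methods:
            if method(username, password):
                return self.users.setdefault(username, {"username": username})
        return None

def count_accounts(login_methods, attempts):
    """Replay login attempts and return how many local accounts were created."""
    auth = ToyAuth(login_methods)
    for username, password in attempts:
        auth.login(username, password)
    return len(auth.users)

# Constructed sample: one person logging in with both identifier forms.
ATTEMPTS = [("chanson", "s3cret"), ("chanson@example.com", "s3cret")]

if __name__ == "__main__":
    print("unguarded:", count_accounts([fake_ldap], ATTEMPTS))                 # 2
    print("guarded:", count_accounts([username_only(fake_ldap)], ATTEMPTS))    # 1
```
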