I know it seems strange but LDAP authentication works best if you follow the
book's recommendation.  I spent some time trying to understand the code.  I
used wingIDE to try to understand what was going on (I am new to python).  I
tried only LDAP, inserting LDAP before the reference to auth, and doing what
the book recommended, which is to append LDAP.

I think the way the code is written, LDAP should be appended.  Otherwise,
anyone from your LDAP server can login and use the application, and this may
be what you want.  But I would wager that most people will not want this.
In a company of 1000 people, you may only want 20 of those people to have
access to your application.  Appending forces the users to register and, if
configured, allows the administrator to approve the user before they gain
access.

The major problem I had with appending LDAP is that the password is checked
against the local password database first.  In my scenario, the user
registers with no password because the LDAP server already has their
password.  So when I approve them, I either have to manually change the
empty password to something the user will not know or figure out a way to
automate that, because the local empty password will be accepted.  But once
I have set the password to something the user would never type, LDAP
authentication works.

*** A word of caution to anyone testing LDAP on Ubuntu 9.04: apparently
there is something wrong with trying to connect to a secure LDAP server.  I
could only get non-SSL connections to work.  Secure connections worked fine
with RedHat.



On Sun, Aug 30, 2009 at 4:00 PM, Ahmed Soliman <ah...@farghal.com> wrote:

> Hello Everybody,
> I've seen a *possible* bug if I got things right in the authentication
> code, let me tell you about how to reproduce it first.
> *Steps to reproduce:*
>
>    1. I use LDAP authentication (LDAP only, no local authentication
>    wanted) so I set my
>
> auth.settings.login_methods = [ldap_auth(server=ldapConfig.server,
> base_dn=ldapConfig.basedn, mode=ldapConfig.searchattr)]
>
>    2. When I try to login with LDAP account things go great and the user
>    is created in the authentication database as caching; next time you login
>    with that user you will be able to login with any password! The LDAP
>    authentication is not even checked!
>    3. When you try to login with any other unknown user in the database,
>    the LDAP authentication is checked and fails as expected.
>
>
> I'm submitting the patch against the source version and the fix is really
> simple, please review and consider for merge.
>
> Note: I noticed 'self.settings.alternate_requires_registration' and I
> didn't understand its role, but it's set to False by default and setting it
> to True will cause the following
>  1- Initially you won't be able to authenticate to LDAP users that are not
> already in the cache, but if they are in the cache already things work fine
> and you can't see the bug, so it's confusing what it should 'actually' do.
>
> Thanks
>
> Ahmed Soliman
> Software Engineer
> B-Virtual Team.
>
> Thebe Technology. Egypt - Belgium
> 16 Nehro St. Heliopolis. Cairo
> Egypt.
>
> http://www.b-virtual.org
> http://www.thebetechnology.com
>
> GPG ID: 0xAEEE5042
>
>
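As an added illustration for the two issues discussed in this thread (the reply's point that an appended LDAP method leaves the local password check first, so a user registered with an empty password gets in with an empty password; and the reported case of a locally cached LDAP user being accepted without a real check), here is a small Python model of an ordered `login_methods` chain. It is not code from the thread and not web2py's auth implementation: `LDAP_DIRECTORY`, `ldap_auth`, `AuthStore`, `LocalUser`, `login` and the approval rule are all hypothetical stand-ins written for this example, and the directory server is replaced by an in-memory dict so it runs offline.

```python
"""Toy model of an ordered login_methods chain: local password DB, then LDAP.

Hypothetical illustration for this thread, not web2py's auth code. The LDAP
server is replaced by a constructed in-memory directory so it runs offline.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Union

# Constructed stand-in for the LDAP directory (username -> password).
LDAP_DIRECTORY = {"alice": "alice-ldap-secret", "bob": "bob-ldap-secret"}
PBKDF2_ROUNDS = 100_000


def ldap_auth(username: str, password: str) -> bool:
    """Stand-in for an LDAP bind: true only if the directory knows the user and the password matches."""
    expected = LDAP_DIRECTORY.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def hash_password(password: str) -> str:
    """Salted PBKDF2-SHA256, stored as 'salthex$digesthex'."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored: str, password: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


@dataclass
class LocalUser:
    username: str
    password_hash: Optional[str]  # None: no local password can ever verify (record is only an LDAP cache)
    approved: bool = True


@dataclass
class AuthStore:
    users: Dict[str, LocalUser] = field(default_factory=dict)

    def register(self, username: str, password: str = "", approved: bool = False) -> LocalUser:
        """Self-registration as in the thread: an empty password is accepted and hashed like any other."""
        self.users[username] = LocalUser(username, hash_password(password), approved)
        return self.users[username]

    def lock_local_password(self, username: str) -> None:
        """The mitigation described in the thread: replace the local password with one nobody knows."""
        self.users[username].password_hash = hash_password(secrets.token_urlsafe(32))


LoginMethod = Union[str, Callable[[str, str], bool]]  # "local" or an external checker


def login(store: AuthStore, username: str, password: str,
          login_methods: List[LoginMethod], cache_external: bool = True) -> Optional[str]:
    """Try each method in order and return the name of the one that accepted, or None.

    Rules (my design choices, not web2py's): a registration still pending
    approval is refused by every method, and only the method that owns a
    credential may verify it, so a record cached from LDAP (password_hash None)
    can never satisfy the local check, whatever password is typed.
    """
    user = store.users.get(username)
    if user is not None and not user.approved:
        return None
    for method in login_methods:
        if method == "local":
            if (user is not None and user.password_hash is not None
                    and verify_password(user.password_hash, password)):
                return "local"
        elif method(username, password):
            if user is None and cache_external:
                store.users[username] = LocalUser(username, password_hash=None)
            return method.__name__
    return None


if __name__ == "__main__":
    appended = ["local", ldap_auth]
    store = AuthStore()
    store.register("alice", "", approved=True)                   # registered with no password, then approved
    print(login(store, "alice", "", appended))                    # local: the empty local password is accepted
    store.lock_local_password("alice")
    print(login(store, "alice", "", appended))                    # None
    print(login(store, "alice", "alice-ldap-secret", appended))   # ldap_auth

    ldap_only = AuthStore()
    print(login(ldap_only, "alice", "alice-ldap-secret", [ldap_auth]))  # ldap_auth, and a cache record is created
    print(login(ldap_only, "alice", "anything", appended))              # None: the cache record has no usable password
```

The two things worth taking from the model: with the local method first, whatever the local record accepts (including a hash of the empty string) wins before LDAP is ever consulted, which is why the reply had to overwrite the local password with something unguessable; and a record that exists only because an LDAP login was cached must carry no verifiable local credential at all, so that every later login goes back to the directory.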
