Agreed.

On Tue, Sep 1, 2009 at 5:34 PM, Ahmed Soliman <ah...@farghal.com> wrote:
> Sure flexibility is needed but what I've spotted is a 'bug', it won't
> remove the flexibility, what I was suggesting about LDAP groups is the
> best practice for doing such things...
>
> Best Regards,
>
> On Sep 1, 4:49 pm, Don <sam...@gmail.com> wrote:
> > What happens in the case that you have no administrative access to the
> > LDAP server, and asking an admin to create such a group for you is
> > really not an option. LDAP only is the correct solution for you but
> > may not be the case for everyone. A flexible option is always best.
> > One that allows you to customize your authentication in a way that
> > best fits your organization.
> >
> > On Sep 1, 7:07 am, Ahmed Soliman <ah...@farghal.com> wrote:
> > > The *Correct* method of having a selected group of users authorized to
> > > access your system is to use LDAP groups and that's something I intend
> > > to add to web2py as currently LDAP support is really basic.
> > >
> > > In my case, I want to authenticate only against LDAP and no
> > > registration is required.
> > >
> > > On Sep 1, 12:18 pm, Don Lee <sam...@gmail.com> wrote:
> > > > I know it seems strange but LDAP authentication works best if you
> > > > follow the book's recommendation. I spent some time trying to
> > > > understand the code. I used wingIDE to try to understand what was
> > > > going on (I am new to Python). I tried only LDAP, inserting LDAP
> > > > before the reference to auth, and doing what the book recommended,
> > > > which is to append LDAP.
> > > >
> > > > I think the way the code is written, LDAP should be appended.
> > > > Otherwise, anyone from your LDAP server can login and use the
> > > > application, and this may be what you want. But I would wager that
> > > > most people will not want this. In a company of 1000 people, you may
> > > > only want 20 of those people to have access to your application.
> > > > Appending forces the users to register, and if configured, allows
> > > > the administrator to approve the user before they gain access.
> > > >
> > > > The major problem I had with appending LDAP is that the password is
> > > > checked against the local password database first. In my scenario,
> > > > the user registers with no password because the LDAP server already
> > > > has their password. So when I approve them, I either have to manually
> > > > change the empty password to something the user will not know or
> > > > figure out a way to automate that. Because the local empty password
> > > > will be accepted. But once I have set the password to something the
> > > > user would never type, LDAP authentication works.
> > > >
> > > > *** A word of caution to anyone testing LDAP on Ubuntu 9.04,
> > > > apparently there is something wrong with trying to connect to a
> > > > secure LDAP server. I could only get non-SSL connections to work.
> > > > Secure connections worked fine with RedHat.
> > > >
> > > > On Sun, Aug 30, 2009 at 4:00 PM, Ahmed Soliman <ah...@farghal.com> wrote:
> > > > > Hello Everybody,
> > > > > I've seen a *possible* bug if I got things right in the
> > > > > authentication code, let me tell you about how to reproduce it
> > > > > first.
> > > > >
> > > > > *Steps to reproduce:*
> > > > >
> > > > > 1. I use LDAP authentication (LDAP only, no local authentication
> > > > >    wanted) so I set my
> > > > >
> > > > >    auth.settings.login_methods = [ldap_auth(server=ldapConfig.server,
> > > > >        base_dn=ldapConfig.basedn, mode=ldapConfig.searchattr)]
> > > > >
> > > > > 2. When I try to login with LDAP account things go great and the
> > > > >    user is created in the authentication database as caching, next
> > > > >    time you login with that user you will be able to login with any
> > > > >    password! The LDAP authentication is not even checked!
> > > > > 3. When you try to login with any other unknown user in the
> > > > >    database, the LDAP authentication is checked and fails as
> > > > >    expected.
> > > > >
> > > > > I'm submitting the patch against the source version and the fix is
> > > > > really simple, please review and consider for merge.
> > > > >
> > > > > Note: I noticed 'self.settings.alternate_requires_registration' and
> > > > > I didn't understand its role, but it's set to False by default and
> > > > > setting it to True will cause the following
> > > > > 1- Initially you won't be able to authenticate to LDAP users that
> > > > > are not already in the cache, but if they are in the cache already
> > > > > things work fine and you can't see the bug, so it's confusing what
> > > > > it should 'actually' do.
> > > > >
> > > > > Thanks
> > > > >
> > > > > Ahmed Soliman
> > > > > Software Engineer
> > > > > B-Virtual Team.
> > > > >
> > > > > Thebe Technology. Egypt - Belgium
> > > > > 16 Nehro St. Heliopolis. Cairo
> > > > > Egypt.
> > > > >
> > > > > http://www.b-virtual.org
> > > > > http://www.thebetechnology.com
> > > > >
> > > > > GPG ID: 0xAEEE5042
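The two behaviours reported in this thread (a cached LDAP user accepted with any password, and an empty local password accepted when LDAP is appended), modelled as an added example that is not part of the original messages and is not web2py's code. `AuthModel`, `ldap_check` and `replay` are hypothetical names, and the directory contents are constructed.

```python
import hmac

# Constructed stand-in for the directory; a real deployment performs an LDAP bind.
DIRECTORY = {"alice": "s3cret-from-ldap"}

def ldap_check(username, password):
    """Hypothetical external login method: True only for a correct, non-empty password."""
    expected = DIRECTORY.get(username)
    if expected is None or not password:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())

class AuthModel:
    """Toy login flow. local_users maps username -> local secret ("" = none set);
    plaintext is used only to keep the model short."""

    def __init__(self, login_methods, use_local, hardened):
        self.login_methods = login_methods
        self.use_local = use_local  # False: LDAP only. True: local first, LDAP appended.
        self.hardened = hardened
        self.local_users = {}

    def _local_ok(self, username, password):
        stored = self.local_users.get(username)
        if stored is None or not self.use_local:
            return False
        if self.hardened and stored == "":
            return False  # an unset local password never authenticates
        return hmac.compare_digest(stored.encode(), password.encode())

    def login(self, username, password):
        if not self.hardened and not self.use_local and username in self.local_users:
            return True  # behaviour reported in the thread: cached row trusted, LDAP skipped
        if self._local_ok(username, password):
            return True
        for check in self.login_methods:
            if check(username, password):
                self.local_users.setdefault(username, "")  # cache row, no local password
                return True
        return False

def replay(hardened):
    """Run the thread's two scenarios; returns (first_login, cached_wrong_pw, empty_local_pw)."""
    ldap_only = AuthModel([ldap_check], use_local=False, hardened=hardened)
    first = ldap_only.login("alice", "s3cret-from-ldap")  # creates the cache row
    cached_wrong = ldap_only.login("alice", "anything")   # should be rejected
    appended = AuthModel([ldap_check], use_local=True, hardened=hardened)
    appended.local_users["alice"] = ""                    # registered with no password
    return first, cached_wrong, appended.login("alice", "")
```

`replay(False)` reproduces the reported outcomes; `replay(True)` is the variant in which every login is checked against a configured method and an unset local password never matches, which doubles as a regression check for either setup.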