On Aug 30, 9:00 pm, Ahmed Soliman <ah...@farghal.com> wrote:
> I've seen a *possible* bug if I got things right in the authentication code,
> let me tell you about how to reproduce it first.
> *steps to reproduce:*
>    1. I use LDAP authentication (LDAP only, no local authentication wanted)
>    so I set my
> auth.settings.login_methods = [ldap_auth(server=ldapConfig.server,
> base_dn=ldapConfig.basedn, mode=ldapConfig.searchattr)]
>    1. When I try to login with LDAP account things go great and the user is
>    created in the authentication database as caching; next time you login with
>    that user you will be able to login with any password! The LDAP
>    authentication is not even checked!

I can't reproduce this.
I am using mode=ad but I don't see that this should change things?
I didn't write mode=ldapConfig.searchattr

>    2. When you try to login with any other unknown user in the database, the
>    LDAP authentication is checked and fails as expected.

At least ;)

> I'm submitting the patch against the source version and the fix is really
> simple, please review and consider for merge.

I tried the patch out but this gave me a problem:
* auth.settings.alternate_requires_registration is ignored

NB Patches are better submitted in 'unified' format:
diff -u gluon/tools.py.1110 gluon/tools.py > tools.patch

> Note: I noticed 'self.settings.alternate_requires_registration' and I didn't
> understand its role, but it's set to False by default and setting it to True
> will cause the following
> 1- Initially you won't be able to authenticate to LDAP users that are not
> already in the cache, but if they are in the cache already things work fine
> and you can't see the bug, so it's confusing what it should 'actually' do.

It's there so that if not all LDAP users should be able to access the
application, then you can restrict who can access.

> The *Correct* method of having a selected group of users authorized to
> access your system is to use LDAP groups

I agree that this would be the most common use-case, but as Don points
out, sometimes this may not be possible.
It's off by default anyway, so the only thing that gets in your way is
that it makes this bit of the code harder to maintain...

> that's something I intend to add to web2py as currently LDAP support is 
> really basic.

Great - please do :)
I agree that the LDAP support is currently very basic...

> I would also suggest that we add control to authentication layers,
> something like 'Sufficient, Required, Optional'

Look forward to seeing this :)

Best Wishes,
Fran.
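The failure mode Ahmed describes (a user record created as an LDAP cache later grants login with any password because the external method is never re-consulted) and the role Fran gives alternate_requires_registration (restricting access to pre-registered users) can be modelled in a few lines. The following is an added example, not web2py's code nor Ahmed's patch: the `Auth`, `Settings`, `ldap_auth` names and the `FAKE_DIRECTORY` data are constructed stand-ins for the real gluon/tools.py flow, and the "vulnerable" branch reproduces the reported behaviour rather than quoting the actual defect.

```python
"""Model of the LDAP-cache login flaw discussed in the thread.

Constructed example: a minimal stand-in for an Auth.login() flow that has an
external login method (LDAP) plus a local user table used as a cache.
Not web2py's code; all names here are hypothetical.
"""

# Constructed stand-in for the directory: username -> password.
# (A real deployment would bind to LDAP, never store passwords like this.)
FAKE_DIRECTORY = {"alice": "correct horse", "bob": "hunter2"}


def ldap_auth(username, password):
    """Hypothetical external login method: True only when the directory
    accepts the credentials."""
    return FAKE_DIRECTORY.get(username) == password


class Settings:
    """Hypothetical subset of auth.settings."""

    def __init__(self, login_methods, alternate_requires_registration=False):
        self.login_methods = login_methods
        self.alternate_requires_registration = alternate_requires_registration


class Auth:
    def __init__(self, settings):
        self.settings = settings
        # Local auth_user table acting as the cache: username -> record.
        self.users = {}

    def _cache_user(self, username):
        self.users.setdefault(username, {"username": username})

    def _external_ok(self, username, password):
        """Run every configured login method; the first success wins."""
        for method in self.settings.login_methods:
            if method(username, password):
                return True
        return False

    def login_vulnerable(self, username, password):
        """Reproduces the reported behaviour: an existing cached record
        short-circuits the external check, so the second login succeeds
        with any password at all."""
        if username in self.users:
            return True  # BUG: the LDAP method is never consulted for cached users
        if self._external_ok(username, password):
            self._cache_user(username)
            return True
        return False

    def login_fixed(self, username, password):
        """Always consult the configured login methods. The local record is
        only a cache and, when alternate_requires_registration is True, an
        allow-list of who may attempt LDAP login at all."""
        if (self.settings.alternate_requires_registration
                and username not in self.users):
            return False  # not pre-registered: refuse before touching LDAP
        if self._external_ok(username, password):
            self._cache_user(username)
            return True
        return False


if __name__ == "__main__":
    auth = Auth(Settings([ldap_auth]))
    auth.login_vulnerable("alice", "correct horse")   # first login caches alice
    print("vulnerable, wrong password:", auth.login_vulnerable("alice", "wrong"))
    auth = Auth(Settings([ldap_auth]))
    auth.login_fixed("alice", "correct horse")
    print("fixed, wrong password:", auth.login_fixed("alice", "wrong"))
```

The point of the split is that a cached record must never be treated as proof of identity when local authentication is not wanted; the cache only exists to give the application a row to attach roles and session data to. Keeping the registration check in front of the external call preserves the restriction Fran describes without reintroducing the bypass.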
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To post to this group, send email to web2py@googlegroups.com
To unsubscribe from this group, send email to 
web2py+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/web2py?hl=en
-~----------~----~----~----~------~----~------~--~---