Peter Herndon wrote:
> On Mon, Feb 22, 2010 at 9:40 AM, andreas schmid <a.schmi...@gmail.com> wrote:
>
>   
>> I'm experiencing strange problems now. The user is able to authenticate
>> against LDAP only if in the Active Directory the displayName == username.
>> Why this? I don't get any error or traceback, the user only isn't able to
>> get logged in.
>>
>>     
>
> If users were able to authenticate, and are now not able to
> authenticate, what changed?  
I was thinking the authentication over LDAP group was working because I
tested it only with a test user which had sAMAccountName == displayName,
but now I'm figuring that if that's not equal it doesn't work as expected.
The app is still in development and I didn't work on it for a few days.

> At my place of work, I've learned to
> expect changes in Active Directory every so often -- my AD admins are
> not that great at notifying users of impending changes.  These changes
> occasionally cause breakage elsewhere.
>
> If not in AD, did something else in your environment change?
>
> The normal way ldap-groups works is that sAMAccountName is the field
> used to identify a user in AD (line 106 in
> ldap-groups/accounts/backends.py), and is used as the source of their
> django.contrib.auth.models.User username.  So, if you go changing
> someone's username via the admin, or otherwise edit the username data
> in your db, then the username won't match the sAMAccountName, and they
> won't be able to log in to that account.  
I found this problem by working with the system admin and trying different
settings, and we figured out what I wrote above.
> Similarly, if their
> sAMAccountName changes in AD, and they log in to your site with the
> new name, they will effectively have created a second account in your
> db.  If you have resources tied to an account in Django (saved
> bookmarks, tags, uploads, etc.), the user won't have access to those
> resources any longer, as they're on a new account.
>
> I realize that sAMAccountName is not the same as displayName.  I
> wonder if you were mistaking the occasional coincidence between
> displayName and sAMAccountName?  
Nope.
> Or did you edit the app to use
> displayName?  Perhaps you could post more details about your issue,
> including code.
>
> Also, you may want to instrument the LDAP code.  Either log the
> results from the LDAP calls to a file, or drop in some print
> statements and run via runserver, and see what messages your LDAP
> environment produces.  Useful bits to log will be lines 82, 106, and
> 132 in ldap-groups/accounts/backends.py.
>
>   
I started to log a bit today and will go on tomorrow and post what I
get, or the solution if I find it.

> ---Peter
>
>   
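
One way to do the logging suggested above, as an added example that is not part of the original thread and is not ldap-groups code. It assumes search results shaped like python-ldap's search_s() output, uses constructed sample entries, and all function names are hypothetical; it logs which of sAMAccountName and displayName equals the typed login and lists the accounts where the two differ, which are the ones worth testing.

```python
import logging

log = logging.getLogger("ldap_debug")

# Constructed sample results in the (dn, {attribute: [values]}) shape that
# python-ldap's search_s() returns. Not real directory data.
SAMPLE_RESULTS = [
    ("CN=Test User,OU=Staff,DC=example,DC=test",
     {"sAMAccountName": [b"testuser"], "displayName": [b"testuser"]}),
    ("CN=Jane Doe,OU=Staff,DC=example,DC=test",
     {"sAMAccountName": [b"jdoe"], "displayName": [b"Jane Doe"]}),
    ("CN=No Display,OU=Staff,DC=example,DC=test",
     {"sAMAccountName": [b"svc01"]}),
]

def first_value(attrs, name):
    """Return the first value of an attribute as text, or None if absent."""
    value = (attrs.get(name) or [None])[0]
    return value.decode("utf-8", "replace") if isinstance(value, bytes) else value

def matching_attrs(login, attrs, names=("sAMAccountName", "displayName")):
    """List the attributes whose value equals the typed login name."""
    hits = []
    for name in names:
        value = first_value(attrs, name)
        log.debug("login=%r %s=%r", login, name, value)
        # Compared without regard to case, as AD matches these attributes.
        if value is not None and value.casefold() == login.casefold():
            hits.append(name)
    return hits

def accounts_to_test(results):
    """Return sAMAccountNames whose displayName differs or is missing."""
    names = []
    for dn, attrs in results:
        sam = first_value(attrs, "sAMAccountName")
        display = first_value(attrs, "displayName")
        if sam is not None and (display is None or display.casefold() != sam.casefold()):
            log.info("displayName differs from sAMAccountName for %s", dn)
            names.append(sam)
    return names

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(accounts_to_test(SAMPLE_RESULTS))
    for _, attrs in SAMPLE_RESULTS:
        print(matching_attrs("jdoe", attrs))
```

If a login that matches only sAMAccountName still fails, the search filter or the username comparison is using a different attribute than expected.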
