The *Correct* method of having a selected group of users authorized to
access your system is to use LDAP groups and that's something I intend
to add to web2py as currently LDAP support is really basic.

In my case, I want to authenticate only against LDAP and no
registration is required.

On Sep 1, 12:18 pm, Don Lee <sam...@gmail.com> wrote:
> I know it seems strange but LDAP authentication works best if you follow the
> book's recommendation.  I spent some time trying to understand the code.  I
> used Wing IDE to try to understand what was going on (I am new to python).  I
> tried only LDAP, inserting LDAP before the reference to auth, and doing what
> the book recommended, which is to append LDAP.
>
> I think the way the code is written, LDAP should be appended.  Otherwise,
> anyone from your LDAP server can login and use the application, and this may
> be what you want.  But I would wager that most people will not want this.
> In a company of 1000 people, you may only want 20 of those people to have
> access to your application.  Appending forces the users to register and, if
> configured, allows the administrator to approve the user before they
> gain access.
>
> The major problem I had with appending LDAP is that the password is checked
> against the local password database first.  In my scenario, the user
> registers with no password because the LDAP server already has their
> password.  So when I approve them, I either have to manually change the
> empty password to something the user will not know or figure out a way to
> automate that, because the local empty password will be accepted.  But once
> I have set the password to something the user would never type, LDAP
> authentication works.
>
> *** A word of caution to anyone testing LDAP on ubuntu 9.04, apparently
> there is something wrong with trying to connect to a secure LDAP server.  I
> could only get non-SSL connections to work.  Secure connections worked fine
> with RedHat.
>
>
>
> On Sun, Aug 30, 2009 at 4:00 PM, Ahmed Soliman <ah...@farghal.com> wrote:
> > Hello Everybody,
> > I've seen a *possible* bug if I got things right in the authentication
> > code, let me tell you about how to reproduce it first.
> >
> > *steps to reproduce:*
>
> >    1. I use LDAP authentication (LDAP only, no local authentication
> >    wanted) so I set my
> >
> > from gluon.contrib.login_methods.ldap_auth import ldap_auth
> > auth.settings.login_methods = [ldap_auth(server=ldapConfig.server,
> >                                          base_dn=ldapConfig.basedn,
> >                                          mode=ldapConfig.searchattr)]
> >
> >    2. When I try to login with an LDAP account things go great and the user
> >    is created in the authentication database as a cache; next time you login
> >    with that user you will be able to login with any password! The LDAP
> >    authentication is not even checked!
> >    3. When you try to login with any other user unknown to the database,
> >    the LDAP authentication is checked and fails as expected.
>
> > I'm submitting the patch against the source version and the fix is really
> > simple, please review and consider for merge.
>
> > Note: I noticed 'self.settings.alternate_requires_registration' and I
> > didn't understand its role, but it's set to False by default and setting it
> > to True will cause the following:
> >  1- Initially you won't be able to authenticate LDAP users that are not
> > already in the cache, but if they are in the cache already things work fine
> > and you can't see the bug, so it's confusing what it should 'actually' do.
>
> > Thanks
>
> > Ahmed Soliman
> > Software Engineer
> > B-Virtual Team.
>
> > Thebe Technology. Egypt - Belgium
> > 16 Nehro St. Heliopolis. Cairo
> > Egypt.
>
> > http://www.b-virtual.org
> > http://www.thebetechnology.com
>
> > GPG ID: 0xAEEE5042
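Added example for this thread (not web2py's Auth code, and not code from any of the posters): a small Python model of a login dispatcher driven by an ordered `login_methods` list, the way the thread discusses appending LDAP versus using LDAP only. The `LOCAL` sentinel, the `Auth`, `hash_password`, `verify_password` and `ldap_auth` names, the in-memory user table and directory, and the meaning given to `alternate_requires_registration` are all assumptions made for illustration. The point it demonstrates is the two checks that close both problems described above: a record cached from the directory carries no local password, so the local check can never short-circuit for it (or for a user who registered with an empty password), and an externally sourced account is re-verified against the directory on every login rather than trusted because it is already in the table.

```python
"""Toy model of a web-app login dispatcher with local and LDAP methods.

Illustrative example only; NOT web2py's Auth implementation.  Users, passwords
and the directory contents below are constructed test data.
"""
import hashlib
import hmac
import os

# Sentinel standing in for the Auth object itself in the login_methods list,
# i.e. "check the local password table at this position in the order".
LOCAL = "local"


def hash_password(password, salt=None):
    """PBKDF2-SHA256, stored as hexsalt$hexdigest (illustrative storage format)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, password):
    """A record with no stored hash, or an empty submitted password, never verifies.

    This is what stops the "registered with an empty password" case from the
    thread: there is no local secret to match, so the local method cannot
    accept the login and the dispatcher must fall through to the directory.
    """
    if not stored or not password:
        return False
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 100_000
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed stand-in for an LDAP directory: username -> password.
DIRECTORY = {"alice": "alice-ldap-pw", "carol": "carol-ldap-pw"}


def ldap_auth(username, password):
    """Stand-in for a simple bind against the directory.

    A real implementation binds over LDAPS/STARTTLS; an empty password is
    refused explicitly because many directories treat it as an anonymous bind.
    """
    return bool(password) and DIRECTORY.get(username) == password


class Auth:
    def __init__(self, login_methods, alternate_requires_registration=False):
        # Constructed "auth_user" table: username -> record.
        self.users = {}
        self.login_methods = login_methods
        # Assumed meaning: directory users must already have a local (approved)
        # record before an external method may log them in.
        self.alternate_requires_registration = alternate_requires_registration

    def register(self, username, password=None):
        self.users[username] = {
            "password": hash_password(password) if password else None,
            "registration_key": "pending",  # awaits administrator approval
        }

    def approve(self, username):
        self.users[username]["registration_key"] = ""

    def login(self, username, password):
        user = self.users.get(username)
        if user is not None and user["registration_key"] == "pending":
            return False  # registered but not yet approved
        for method in self.login_methods:
            if method is LOCAL:
                # Only a real stored hash can satisfy the local method.
                if user is not None and verify_password(user["password"], password):
                    return True
            elif method(username, password):
                # The external method is consulted even when the user is already
                # cached: a cached record is not evidence that the password is right.
                if user is None:
                    if self.alternate_requires_registration:
                        return False
                    # Cache the account with NO usable local password.
                    self.users[username] = {"password": None, "registration_key": ""}
                return True
        return False


if __name__ == "__main__":
    ldap_only = Auth([ldap_auth])
    print(ldap_only.login("alice", "alice-ldap-pw"))  # True, record cached
    print(ldap_only.login("alice", "wrong"))          # False, directory re-checked
```

With `Auth([LOCAL, ldap_auth])` the order matches "append LDAP": a user who registered with a real local password is checked locally first, while a user who registered with no password is only ever accepted by the directory. With `Auth([ldap_auth])` there is no local check at all, and the cached record never grants access on its own.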