Sure flexibility is needed but what I've spotted is a 'bug', it won't remove the flexibility, what I was suggesting about LDAP groups is the best practice for doing such things...
Best Regards, On Sep 1, 4:49 pm, Don <sam...@gmail.com> wrote: > What happens in the case that you have no administrative access to the > LDAP server, and asking an admin to create such a group for you is > really not an option. LDAP only is the correct solution for you but > may not be the case for everyone. A flexible option is always best. > One that allows you to customize your authentication in a way that > best fits your organization. > > On Sep 1, 7:07 am, Ahmed Soliman <ah...@farghal.com> wrote: > > > > > The *Correct* method of having a selected group of users authorized to > > access your system is to use LDAP groups and that's something I intend > > to add to web2py as currently LDAP support is really basic. > > > In my case, I want to authenticate only against LDAP and no > > registration is required. > > > On Sep 1, 12:18 pm, Don Lee <sam...@gmail.com> wrote: > > > > I know it seems strange but LDAP authentication works best if you follow > > > the > > > books recommendation. I spent some time trying to understand the code. I > > > used wingIDE to try to understand what was going on (I am new to python). > > > I > > > tried only LDAP, inserting LDAP before the reference to auth, and doing > > > what > > > the book recommended, which is to append LDAP. > > > > I think the way the code is written, LDAP should be appended. Otherwise, > > > anyone from your LDAP server can login and use the application, and this > > > may > > > be what you want. But I would wager that most people will not want this. > > > In a company of 1000 people, you may only want 20 of those people to have > > > access to your application. Appending forces the users to register, and > > > it > > > configured, allows the administrator to approve the user the before they > > > gain access. > > > > The major problem I had with appending LDAP is that the password is > > > checked > > > against the local password database first. In my scenario, the user > > > registers with no password because the LDAP server already has their > > > password. So when I approve them, I either have to manually change the > > > empty password to something the user will not know or figure out a way to > > > automate that. Because the local empty password will be accepted. But > > > once > > > I have set the password to something the user would never type, LDAP > > > authentication works. > > > > *** A word of caution to anyone testing LDAP on ubuntu 9.04, apparently > > > there is something wrong with trying to connect to a secure LDAP server. > > > I > > > could only get non-SSL connections to work. Secure connections worked > > > fine > > > with RedHat. > > > > On Sun, Aug 30, 2009 at 4:00 PM, Ahmed Soliman <ah...@farghal.com> wrote: > > > > Hello Everybody, > > > > I've seen a *possible* bug if I got things right in the authentication > > > > code, let me tell you about how to reproduce it first. > > > > * > > > > * > > > > *steps to reproduce:* > > > > > 1. I use LDAP authentication (LDAP only, no local authentication > > > > wanted) so I set my > > > > > auth.settings.login_methods = ldap_auth(server=ldapConfig.server, > > > > base_dn=ldapConfig.basedn, mode=ldapConfig.searchattr)] > > > > > 1. When I try to login with LDAP account things go great and the user > > > > is created in the authentication database as caching, next time you > > > > login > > > > with that user you will be able to login with any password!, the LDAP > > > > authentication is not even checked! > > > > 2. When you try to login with any other unknown user in the database, > > > > the LDAP authentication is checked and fails as expected. > > > > > I'm submitting the patch against the source version and the fix is > > > > really > > > > simple, please review and consider for merge. > > > > > Note: I noticed 'self.settings.alternate_requires_registration' and I > > > > didn't understand its role, but it's set to False by default and > > > > setting it > > > > to True will cause the following > > > > 1- Initially you won't be able to authenticate to LDAP users that are > > > > not > > > > already in the cache, but if they are in the cache already things work > > > > fine > > > > and you can't see the bug, so it's confusing what it should 'actually' > > > > do. > > > > > Thanks > > > > > Ahmed Soliman > > > > Software Engineer > > > > B-Virtual Team. > > > > > Thebe Technology. Egypt - Belgium > > > > 16 Nehro St. Heliopolis. Cairo > > > > Egypt. > > > > >http://www.b-virtual.org > > > >http://www.thebetechnology.com > > > > > GPG ID: 0xAEEE5042 --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "web2py-users" group. To post to this group, send email to web2py@googlegroups.com To unsubscribe from this group, send email to web2py+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/web2py?hl=en -~----------~----~----~----~------~----~------~--~---