@Massimo: I suggest you forward the private mail I sent to you to Fran, as I don't know his mail and he can contact me back.

@MišoLietavec: I totally agree, LDAP authentication currently is very basic.
I would also suggest that we add control to authentication layers, something like 'Sufficient, Required, Optional'. A Sufficient auth_login is enough to break the loop and decide that the user is authenticated. Required means that it must be true to authenticate this user, but we will check the rest if it returned True and we will break immediately if it's False. Optional means that it doesn't matter whether this method returned True or False; it won't affect the final decision. This works like PAM in Linux, so a user will add an authentication layer like

auth.settings.login_methods.append( (ABC_Auth(), Auth.Sufficient) )

or it can be an attribute in the authentication object itself.

On Sep 6, 12:00 am, MišoLietavec <frca...@gmail.com> wrote:
> Hi, Ahmed,
>
> I should add that your patch is for the file gluon/tools.py
> and, probably, the last line should be:
>
> > elif self.settings.alternate_requires_registration:
>
> Works for me. My opinion is that the present shape of ldap_auth.py should be
> rethought. There are so many scenarios that the "mode" parameter is
> not an appropriate way of doing things in general. For example, in our
> institution, login name is used for login and DN for LDAP
> authorization. The search cannot be performed without special
> non-anonymous binding.
>
> 2009/8/30 Ahmed Soliman <ah...@farghal.com>:
>
> > Hello Everybody,
> > I've seen a *possible* bug, if I got things right, in the authentication code;
> > let me tell you about how to reproduce it first.
> > Steps to reproduce:
> >
> > I use LDAP authentication (LDAP only, no local authentication wanted) so I
> > set my
> >
> > auth.settings.login_methods = [ldap_auth(server=ldapConfig.server,
> > base_dn=ldapConfig.basedn, mode=ldapConfig.searchattr)]
> >
> > When I try to log in with an LDAP account things go great and the user is
> > created in the authentication database as caching. Next time you log in with
> > that user you will be able to log in with any password! The LDAP
> > authentication is not even checked!
> > When you try to log in with any other unknown user in the database, the LDAP
> > authentication is checked and fails as expected.
> >
> > I'm submitting the patch against the source version and the fix is really
> > simple, please review and consider for merge.
> > Note: I noticed 'self.settings.alternate_requires_registration' and I didn't
> > understand its role, but it's set to False by default and setting it to True
> > will cause the following:
> > 1- Initially you won't be able to authenticate to LDAP users that are not
> > already in the cache, but if they are in the cache already things work fine
> > and you can't see the bug, so it's confusing what it should 'actually' do.
> > Thanks
> > Ahmed Soliman
> > Software Engineer
> > B-Virtual Team.
> >
> > Thebe Technology. Egypt - Belgium
> > 16 Nehro St. Heliopolis. Cairo
> > Egypt.
> >
> > http://www.b-virtual.org
> > http://www.thebetechnology.com
> >
> > GPG ID: 0xAEEE5042
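
The 'Sufficient, Required, Optional' evaluation proposed in the message above, sketched as an added example; it is not code from the thread or from web2py. The `Control` enum, `authenticate()`, the stand-in login methods and the fail-closed default when no method is decisive are all assumptions made for illustration.

```python
from enum import Enum

class Control(Enum):  # hypothetical names, modelled on the flags in the message
    SUFFICIENT = "sufficient"
    REQUIRED = "required"
    OPTIONAL = "optional"

def authenticate(login_methods, username, password):
    """Run (method, control) pairs in order; return (authenticated, trace)."""
    required_ok = False
    trace = []
    for method, control in login_methods:
        try:
            ok = bool(method(username, password))
        except Exception:
            ok = False  # backend error (e.g. directory unreachable) is a failure
        trace.append((method.__name__, control.value, ok))
        if control is Control.SUFFICIENT and ok:
            return True, trace       # success here ends the loop
        if control is Control.REQUIRED:
            if not ok:
                return False, trace  # failure here ends the loop
            required_ok = True
        # OPTIONAL results and failed SUFFICIENT results never affect the outcome
    # Assumption: fail closed when nothing decisive succeeded.
    return required_ok, trace

# Constructed stand-ins for real login methods, (username, password) -> bool.
def ldap_check(username, password):
    return (username, password) == ("alice", "correct-horse")

def account_enabled(username, password):
    return username != "disabled"

def audit_hook(username, password):
    return False

def ldap_down(username, password):
    raise ConnectionError("directory unreachable")

if __name__ == "__main__":
    good = [(ldap_check, Control.REQUIRED), (account_enabled, Control.REQUIRED),
            (audit_hook, Control.OPTIONAL)]
    # Hazard: the password check is only SUFFICIENT, so its failure is ignored
    # and the later REQUIRED non-credential check decides alone.
    weak = [(ldap_check, Control.SUFFICIENT), (account_enabled, Control.REQUIRED)]
    for name, stack in (("good", good), ("weak", weak)):
        print(name, authenticate(stack, "alice", "wrong-password"))
```

Under these semantics the credential check has to be Required: when it is only Sufficient and a Required check that ignores the password follows it, a wrong password is accepted.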