ldap connection authorized if the password not filled even for an unknown user

When the ldap is activated and well configured :

if the username does not exist in the ldap database and the the password is not filled, the connection is allowed by askbot
if the username exists and no password is filled, the connection is also allowed.
if the username exists and the password is filled and wrong, then the connection is refused (ldap error : invalid credentials
if the username exists and the password is well filled, the the connection is accepted.

It seems to be that ldap-python simple_bind_s method does not raised an exception included in ldap.LDAPError for the first two cases. I have just added a trace to confirm that in the fourth cases the method is called. The ldap-python doc does not give more details. I will try to investigate further next week. If you have any idea, let me know, I have a full test environment to investigate.

425

Samuel

updated 13 years ago, asked 13 years ago

Comments

The problem is that I do not have a real LDAP setup yet, tested on a mock object, which probably missed something, probably I should just install LDAP for myself.

Evgeny (13 years ago)

I think the right direction to take is to integrate the module django-auth-ldap (http://packages.python.org/django-auth-ldap/). I will test it in the coming days.

Samuel (13 years ago)

Ok, plan for this week - decouple the login system and fix the ldap issue in the builtin login system.

Evgeny (13 years ago)

Regarding the empty password issue, I have temporary modified the file deps/django_authopenid/forms.py. Now the username and password are required in the form. It works fine for both local and ldap connections, but I guess there could be a side effect with other providers.

Samuel (13 years ago)

see more comments

ldap connection authorized if the password not filled even for an unknown user savecancel

Comments

ldap connection authorized if the password not filled even for an unknown user