On Wed, Aug 09, 2006 at 08:00:31PM -0700, Gary Wilson wrote: > > Scathing comments are encouraged. > > line 68 of patch: > if not username and password is not Null: # we need a user/pass > Should be None ^^^^
d'oh! Figures I'd mistype something like that. > And how about moving the ldap.initialize() call after the above check > so that we don't make an unneeded connection to the ldap server. You know it was on my list, and I missed it when I was going through my cleanup today. Thanks. > Also, in the ldap setup I deal with, you must bind to the server using > a service account before attempting a bind with the user-supplied > credentials. The process goes something like > > 1. Retrieve the username and password from the user. > 2. Bind to the directory using DN and password of service account. > 3. Issue a search query to determine the user's DN based on their > username. > 4. Attempt to bind to the directory using the user's DN retrieved in > step 3 and the password supplied by the user in step 1.. > 5. A successful bind means that the user has been authenticated. An > unsuccessful bind means that the credentials provided are invalid. > > This also seems to be the method used/needed in the second resource > link you listed in your first post. It would be great if this method > could be supported. It would require a few more options like > LDAP_SERVICE_BIND_DN > LDAP_SERVICE_BIND_PASSWORD > and then an additional check in authenticate() (after the call to > initialize() and before the bind with the user's DN and password) to > see if first a bind should be attempted with the service account DN and > password. > I'll start on this tomorrow. Out of curiosity how common is this sort of setup? I've only seen a handful of LDAP implementations, and this is new to me. Thanks for the comments, Scott -- Scott Paul Robertson http://spr.mahonri5.net GnuPG FingerPrint: 09ab 64b5 edc0 903e 93ce edb9 3bcc f8fb dc5d 7601
pgpTklkBRjQxO.pgp
Description: PGP signature
