On Wed, Aug 09, 2006 at 10:22:24PM -0600, Scott Paul Robertson wrote:
> > Also, in the ldap setup I deal with, you must bind to the server using
> > a service account before attempting a bind with the user-supplied
> > credentials.  The process goes something like
> > 
> > 1. Retrieve the username and password from the user.
> > 2. Bind to the directory using DN and password of service account.
> > 3. Issue a search query to determine the user's DN based on their
> > username.
> > 4. Attempt to bind to the directory using the user's DN retrieved in
> > step 3 and the password supplied by the user in step 1.
> > 5. A successful bind means that the user has been authenticated. An
> > unsuccessful bind means that the credentials provided are invalid.
> > 
> > This also seems to be the method used/needed in the second resource
> > link you listed in your first post.  It would be great if this method
> > could be supported.  It would require a few more options like
> > LDAP_SERVICE_BIND_DN
> > LDAP_SERVICE_BIND_PASSWORD
> > and then an additional check in authenticate() (after the call to
> > initialize() and before the bind with the user's DN and password) to
> > see if first a bind should be attempted with the service account DN and
> > password.
> > 
> 
> I'll start on this tomorrow. Out of curiosity how common is this sort of
> setup? I've only seen a handful of LDAP implementations, and this is new
> to me.
> 

Ok, I've added a patch that adds two new things:

1. You can have a hash of ldap options (key: ldap.SOME_OPTION, value: 
'the value') that will be applied before the initialize call.

2. An option that is a function that will be called to generate a bind 
string for the user. This gives a lot of flexibility in allowing for a 
large variety of pre-bind methods to occur, and gives a lot of 
flexibility. I like the idea of adding this rather than an additional
method to be added into the main backend code.

Let me know what you think of having that as a function you call rather
than being directly in the backend. I'm not against adding it in, I just
think this gives a lot more flexibility. Heck, we could add the method
of pre-auth binding as a default method provided by the backend and just
have users set the option to that if they want to use it. I actually
like that idea, I might code that up this afternoon. :)

(url:
http://code.djangoproject.com/attachment/ticket/2507/backends.py.2.diff)

-- 
Scott Paul Robertson
http://spr.mahonri5.net
GnuPG FingerPrint: 09ab 64b5 edc0 903e 93ce edb9 3bcc f8fb dc5d 7601
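The five-step service-account pre-bind procedure quoted at the top of this message, written out as an added Python example (not Django's code and not the patch on ticket 2507). It assumes a small `Directory` interface with `bind()` and `search_user_dn()`; `InMemoryDirectory` is a constructed offline stand-in for the server, `PythonLdapDirectory` is an assumed thin wrapper over python-ldap that also applies the proposed "hash of ldap options" before `initialize()`, and `authenticate_via_service_bind` is the assumed name of the check. The example also covers two defects that the quoted steps do not mention but that a backend implementing them must handle: an empty user password (LDAP treats that as an unauthenticated bind, which succeeds without checking anything) and a username that could alter the search filter.

```python
"""Service-account pre-bind LDAP authentication (added example, not Django's code).

Assumed names: InMemoryDirectory (constructed test double), PythonLdapDirectory
(thin wrapper over python-ldap) and authenticate_via_service_bind.
"""
from typing import Optional


class InMemoryDirectory:
    """Constructed stand-in for an LDAP server so the example runs offline.

    Entries map DN -> {"userPassword": ..., "uid": ...} and model the two
    operations the procedure needs: simple bind and username -> DN search.
    """

    def __init__(self, entries):
        self.entries = entries
        self.bound_as = None  # DN of the current authenticated bind, if any

    def bind(self, dn: str, password: str) -> bool:
        # Mirror real LDAP: an empty password is an unauthenticated (anonymous)
        # bind, which "succeeds" without verifying the DN at all (RFC 4513 5.1.2).
        if password == "":
            self.bound_as = None
            return True
        entry = self.entries.get(dn)
        if entry is None or entry["userPassword"] != password:
            self.bound_as = None
            return False
        self.bound_as = dn
        return True

    def search_user_dn(self, username: str) -> Optional[str]:
        # Directories typically require an authenticated bind before searching;
        # that is what the service account in step 2 is for.
        if self.bound_as is None:
            raise PermissionError("search requires a bound connection")
        matches = [dn for dn, e in self.entries.items() if e["uid"] == username]
        return matches[0] if len(matches) == 1 else None


class PythonLdapDirectory:
    """Same interface over python-ldap; only constructed when actually used."""

    def __init__(self, uri: str, base_dn: str, options=None):
        import ldap  # imported lazily so the offline test runs without python-ldap
        import ldap.filter
        self._ldap = ldap
        # The proposed hash of options (key: ldap.SOME_OPTION) is applied globally
        # before initialize(), as the message describes.
        for opt, value in (options or {}).items():
            ldap.set_option(opt, value)
        self.conn = ldap.initialize(uri)
        self.base_dn = base_dn

    def bind(self, dn: str, password: str) -> bool:
        try:
            self.conn.simple_bind_s(dn, password)
            return True
        except self._ldap.INVALID_CREDENTIALS:
            return False

    def search_user_dn(self, username: str) -> Optional[str]:
        # Escape the user-supplied name so it cannot change the filter's meaning.
        safe = self._ldap.filter.escape_filter_chars(username)
        results = self.conn.search_s(self.base_dn, self._ldap.SCOPE_SUBTREE,
                                     "(uid=%s)" % safe, ["1.1"])
        dns = [dn for dn, _attrs in results if dn]
        return dns[0] if len(dns) == 1 else None


def authenticate_via_service_bind(directory, username, password,
                                  service_dn, service_password) -> Optional[str]:
    """Steps 1-5 of the quoted procedure. Returns the user's DN or None."""
    # Step 1 arrives as username/password. Reject an empty password first:
    # otherwise step 4 becomes an anonymous bind and "authenticates" anyone.
    if not username or not password:
        return None
    # Step 2: bind as the service account (LDAP_SERVICE_BIND_DN / _PASSWORD).
    if not directory.bind(service_dn, service_password):
        raise RuntimeError("service account bind failed; check service DN/password")
    # Step 3: resolve the username to a DN using the service account's rights.
    user_dn = directory.search_user_dn(username)
    if user_dn is None:
        return None
    # Steps 4-5: the user's own bind is the actual credential check.
    return user_dn if directory.bind(user_dn, password) else None


# Constructed sample directory for the offline demonstration.
SERVICE_DN = "cn=svc-django,ou=services,dc=example,dc=org"
SERVICE_PW = "svc-secret"
SAMPLE_DIRECTORY = InMemoryDirectory({
    SERVICE_DN: {"userPassword": SERVICE_PW, "uid": "svc-django"},
    "uid=alice,ou=people,dc=example,dc=org": {"userPassword": "alice-pw", "uid": "alice"},
})

if __name__ == "__main__":
    print(authenticate_via_service_bind(SAMPLE_DIRECTORY, "alice", "alice-pw",
                                        SERVICE_DN, SERVICE_PW))
```

Wiring this into the backend's `authenticate()` would mean calling it after `initialize()` and before the user bind, exactly where the quoted message proposes the extra check; the service-account credentials should be readable only by the application process, since they grant search rights over the whole user subtree.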