On Fri, Aug 11, 2006 at 07:46:19PM +0200, [EMAIL PROTECTED] wrote:
> I came back to your LDAPSupport. The pre_auth_bind is a little bit tricky 
> even with mk_pre_auth_bind, but I got it (after a while :)
> 

Ok, I've done some cleaning with mk_pre_auth_bind. It should be a lot
clearer how to use it, and easier.

> And there seems to be a problem with pre_auth_bind() and update_user():
> 
> You let somebody construct a pre_auth_bind() which searches for the dn of a 
> user, but on the other side you always construct your own search in 
> update_user().
> 
> If pre_auth_bind() returns a valid user-dn, this would be the same dn for 
> updating the user object.
> 
> I would assume that update_user() calls the ldap-object by the dn directly (if 
> a user-object has a dn-attribute, which needs to be stored!) or if the 
> user-object is new the update_user() should use the same search which is done 
> in the custom pre_auth_bind().
> 

I would love to not have to do two searches. Unfortunately the only way
in ldap to get attributes is by a search, even if you have the dn
already. I could require an LDAP_BIND_STRING_FUNC to return a bind
string and a hash of attributes, but that reduces flexibility in my
opinion. If the person generates a bind string without interfacing to
ldap, I shouldn't expect them to produce a list of attributes and values
for me.

I've made it so you specify a setting LDAP_SEARCH_FILTER that is used
to search, so where previously the search would be:
    '%s=%s' % (settings.LDAP_BIND_ATTR, username)
it is now:
    filter = settings.LDAP_SEARCH_FILTER % username
This allows the search filter to be the same in update_user() and the
pre_auth_bind().

By setting some default values for mk_pre_auth_bind() it should be easy
to use:
    LDAP_BIND_STRING_FUNC = mk_pre_auth_bind('dn=Me,dc=example,dc=com',
            'pass')
which defaults to:
    LDAP_BIND_STRING_FUNC = mk_pre_auth_bind('dn=Me,dc=example,dc=com',
            'pass', LDAP_SEARCHDN, LDAP_SCOPE, LDAP_SEARCH_FILTER)

I think that gives you the functionality you want, and makes it a lot
easier in general. I've submitted the updated patch.

Let me know if there's anything else,
Scott

-- 
Scott Paul Robertson
http://spr.mahonri5.net
GnuPG FingerPrint: 09ab 64b5 edc0 903e 93ce edb9 3bcc f8fb dc5d 7601
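
Added example, not part of the message above or of the submitted patch: one
helper that builds the shared search filter for both pre_auth_bind() and
update_user(), escaping the username per RFC 4515 before it is substituted
into LDAP_SEARCH_FILTER. The template value '(uid=%s)', the helper names and
the sample usernames are assumptions made for illustration.

```python
# Assumed setting: a filter template with exactly one %s for the username.
LDAP_SEARCH_FILTER = '(uid=%s)'

# RFC 4515, section 3: inside an assertion value these characters must be
# written as a backslash followed by two hex digits.
_ESCAPES = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP search filter."""
    # Character-by-character mapping, so an escaped backslash is never
    # escaped a second time.
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username, template=LDAP_SEARCH_FILTER):
    """Return the filter that both the bind lookup and update_user() use."""
    if template.count('%s') != 1:
        raise ValueError('filter template must contain exactly one %s')
    return template % escape_filter_value(username)


def compare(username, template=LDAP_SEARCH_FILTER):
    """Return (raw substitution, escaped substitution) for one username."""
    return template % username, build_user_filter(username, template)


if __name__ == '__main__':
    # Constructed sample usernames: a plain one, one containing parentheses,
    # and a bare wildcard.
    for name in ('jdoe', 'smith (contractor)', '*'):
        raw, escaped = compare(name)
        print('%-20r raw=%-28s escaped=%s' % (name, raw, escaped))
```

With raw substitution the second sample produces a malformed filter and the
third matches every entry that has the attribute; python-ldap ships
ldap.filter.escape_filter_chars for the same escaping.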
