Merge lp:~casedeg/graphite/ldap-fix into lp:graphite
| Status: | Needs review |
|---|---|
| Proposed branch: | lp:~casedeg/graphite/ldap-fix |
| Merge into: | lp:graphite |
| Diff against target: |
39 lines (+15/-1) 2 files modified
webapp/graphite/account/ldapBackend.py (+4/-1) webapp/graphite/local_settings.py.example (+11/-0) |
| To merge this branch: | bzr merge lp:~casedeg/graphite/ldap-fix |
| Related bugs: |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| graphite-dev | Pending | ||
|
Review via email:
|
|||
Description of the change
We had issues hooking up graphite to LDAP because our LDAP directory doesn't allow anonymous browsing and a R/O account with a hardcoded password is frowned up by the admins.
Therefore, I created a change that allows you to configure the LDAP backend so that the user's own credentials are used for the initial bind() call. This is also how I remember (vaguely, it's been a while ago since I toyed with LDAP ;-)) how LDAP auth should be done.
Unmerged revisions
- 951. By Cees de Groot
-
Add the possibility to bind to LDAP with the user's account.
This patch interprets LDAP_BASE_USER and LDAP_BASE_PASS, looking
for a "%s" in the configured values. If encountered, the %s is
expanded with the user's entered username or password, respecitely.In this way, you can bind using the user's credentials to the
LDAP server, which is arguably more secure than hardcoding a
special LDAP R/O account and password or allowing anonymous
browsing.The patch is fully backwards compatible.
Also in the patch, a start_tls_s() call. This should work against
any recently up-to-date LDAP server and helps to further prop
up security.
