Merge lp:~matt.hall/endroid/ldap into lp:endroid
| Status: | Merged |
|---|---|
| Approved by: | Matthew Hall |
| Approved revision: | 101 |
| Merged at revision: | 101 |
| Proposed branch: | lp:~matt.hall/endroid/ldap |
| Merge into: | lp:endroid |
| Diff against target: | 77 lines (+58/-5), 1 file modified: src/endroid/plugins/ldapauth.py (+58/-5) |
| To merge this branch: | bzr merge lp:~matt.hall/endroid/ldap |
| Related bugs: | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Phil Connell | Approve | | |

Review via email: mp+281035@code.launchpad.net
Commit message
Enhance the ldapauth plugin to support LDAP directories that do not allow anonymous access.
Description of the change
Enhance the ldapauth plugin to support LDAP directories that do not allow anonymous access.
The Twisted ldaptor module, used by Endroid's ldapauth plugin, unfortunately doesn't already provide a suitable credential checker for this purpose, so we instead define one in the plugin. This is done by sub-classing ldaptor's existing checker, overriding the callback called once connected to the directory so that it skips the attempt to look up the user's entry and instead proceeds straight to the authentication attempt (i.e. the LDAP bind).
Skipping the entry lookup means the name of the attribute forming the entry's relative distinguished name (e.g. "cn" or "name") must be provided to the checker some other way, so the plugin now supports an "identityrdn" config option.
This is fine to go in to get things working, but strictly speaking it's a massive hack since it relies on internal details (e.g. _connect method and semantics) of ldaptor.
An ideal outcome would be getting a patch into ldaptor upstream to implement this within ldaptor: https://github.com/twisted/ldaptor
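An offline sketch of the direct-bind checker described in this proposal, added here as an example rather than code from the ldapauth plugin or from ldaptor: it builds the bind DN from the configured identityrdn attribute, escapes the username per RFC 4514 (it now goes straight into a DN instead of coming back from a directory lookup), and refuses empty passwords, which would otherwise turn into an unauthenticated simple bind. The `bind` callable and `FAKE_DIRECTORY` are assumed stand-ins for the real directory connection.

```python
import re

# Attribute type names are "descr" tokens (RFC 4512): a letter, then letters, digits, hyphens.
_ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)

def build_bind_dn(identityrdn: str, username: str, base_dn: str) -> str:
    """Build the user's DN from the identityrdn attribute and the base, with no lookup."""
    if not _ATTR_TYPE.fullmatch(identityrdn):
        raise ValueError("identityrdn must be an attribute type name such as cn or uid")
    return f"{identityrdn}={escape_rdn_value(username)},{base_dn}"

class DirectBindChecker:
    """Authenticate by a simple bind as the built DN instead of searching for the entry."""

    def __init__(self, base_dn: str, identityrdn: str, bind):
        self.base_dn = base_dn
        self.identityrdn = identityrdn
        self._bind = bind  # hypothetical callable(dn, password) -> bool standing in for the directory

    def check(self, username: str, password: str):
        """Return the bound DN on success, None on failure."""
        # A bind with a name but an empty password is an "unauthenticated" simple bind
        # (RFC 4513 section 5.1.2) that many servers accept; refuse it before connecting.
        if not username or not password:
            return None
        dn = build_bind_dn(self.identityrdn, username, self.base_dn)
        return dn if self._bind(dn, password) else None

# Constructed stand-in for a directory: DN -> password.
FAKE_DIRECTORY = {"cn=alice,ou=people,dc=example,dc=com": "s3cret"}

def fake_bind(dn: str, password: str) -> bool:
    return FAKE_DIRECTORY.get(dn) == password
```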