Assumption of DN doesn't work for large organizations.
Bug #363178 reported by dragonpaw
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
repoze.who LDAP plugin | Fix Committed | High | Gustavo Narea |
Bug Description
In some large organizations, the DN for a user cannot be predicted. Therefore it is common in many (most?) LDAP plugins to do a search for the user instead.
The attached patch shows one way of doing so. For release though, you'll probably want to make this an optional behavior based on a keyword arg when creating the Authentication plugin.
As an added bonus, the provided patch searches for the user by either email address or uid, choosing intelligently which to use based on the presence of an '@' in the login. This would seem to resolve the blueprint you have on this project for the IIdentifier plugin. (By making it unnecessary.)
Alternatively, you could just lift the search code from here to create your IIdentifier plugin.
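The lookup described in this report, sketched as an added example; it is not the attached patch and not code from the repoze.who LDAP plugin. It assumes a connection object exposing `search_s(base, scope, filterstr)` in the style of python-ldap; `FakeDirectory`, the `example.org` entries and the function names are constructed for illustration. Because the login goes into a search filter, it is escaped per RFC 4515 first, and the lookup refuses to pick a DN unless exactly one entry matches.

```python
# Added example: search-then-bind lookup; not the patch attached to this bug.
SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE in python-ldap

# RFC 4515 requires these characters to be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login):
    """Search by mail when the login contains '@', otherwise by uid."""
    attr = "mail" if "@" in login else "uid"
    return "(%s=%s)" % (attr, escape_filter_value(login))


def find_user_dn(conn, base_dn, login):
    """Return the DN of the single entry matching login, or None.

    conn is assumed to expose search_s(base, scope, filterstr) returning
    [(dn, attrs), ...], as a python-ldap connection does.
    """
    results = conn.search_s(base_dn, SCOPE_SUBTREE, build_user_filter(login))
    # Referral entries come back with dn None; ignore them.
    dns = [dn for dn, _attrs in results if dn is not None]
    # Zero or several matches: refuse rather than guess which entry to bind as.
    return dns[0] if len(dns) == 1 else None


class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP connection (sample data)."""
    ENTRIES = {
        "uid=jdoe,ou=eng,ou=emea,dc=example,dc=org": {"uid": "jdoe", "mail": "jdoe@example.org"},
        "uid=asmith,ou=sales,dc=example,dc=org": {"uid": "asmith", "mail": "asmith@example.org"},
    }

    def search_s(self, base, scope, filterstr):
        attr, _, value = filterstr.strip("()").partition("=")
        if value == "*":  # unescaped wildcard: presence filter, matches every entry
            return [(dn, e) for dn, e in self.ENTRIES.items() if attr in e]
        return [(dn, e) for dn, e in self.ENTRIES.items() if e.get(attr) == value]
```

The DN returned by `find_user_dn` is what the authenticator would then bind with, using the password the user supplied; a `None` result is treated as a failed login.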