LDAP authentication in MoinMoin
I'm trying to get LDAP authentication running in the current stable moin.
I don't want to use unstable code, as I'm doing this for a company, so the latest development or next branch (1.4 is supposed to change authentication) is out of the question for me. I might follow the LDAP thing there, though, if it works out.
Current idea to do it
- User has a working LDAP account
- When creating a new user profile or logging in, the username/password combination can be checked against LDAP
- Logging in: Go on as if we had done regular moin db pw check
- Creating: Fail: Bail out immediately, before creating the profile. Pass: Go on as usual.
- No check if user comes with a cookie, only check when logging in/creating profile. I'm doing this to make a centralised company-auth easier, not to make the security of moin better.
I know this process has a few shortcomings, and is in no way perfect. It'll work though, and we can build upon this, if it ever works.
How to do it?
- Create code or separate package checking for LDAP auth
- Replace moin db pw check by LDAP pw check
- Do LDAP pw check before creating a new profile
Places
Logging in: user.py: User._validatePassword: /ValidatePassword
Creating/Changing: user.py: handleData: else branch: /CreateProfileChangePassword
New file ldap_check.py in /usr/lib/python/site-packages/MoinMoin: /LdapCheck
What I'm currently doing
- Using it. The sample code above seems to work well, although it is kind of a hack.
Other users' comments
- Hi, I'm using it as well (same setup: the users in my company already have their login and password in the corporation ldap server) and it works like a charm... Thanks for the patches!
I also wrote some LDAP-stuff for my company wiki, though a bit different from what you did. If you're interested, let's make a product out of it, i.e. configurable through the config and some scripts that help updating ldap- and wiki- users. -- FabianKreutz 2005-08-12 11:48:51
Maybe wait until 1.5 code is public and implement it for 1.5 then (will be cleaner and less work). -- ThomasWaldmann 2005-08-12 17:51:02
My LDAP server doesn't allow you to bind by common name, so I had to hack your /LdapCheck script a bit. My version does a search to find the UID and then tries to bind to that UID. It also allows the WikiName to be either the common name or the UID. I'll put it here: /LdapCheck2 -- AndrewBaumann
It is error-prone to construct the dn with which the bind operation is done. The dn is returned directly in the search result. Also, the search scope is hardcoded as SCOPE_ONE which is not what I needed, so I made up a /LdapCheck3 which takes account of these issues. -- JorgeLeón
There was LDAP auth code added to moin--main--1.5--patch-454, maybe have a look at it.
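Added example (not the /LdapCheck, /LdapCheck2 or /LdapCheck3 scripts, nor the moin 1.5 code): the search-then-bind check that the "How to do it?" list and the /LdapCheck2 and /LdapCheck3 comments describe, written so it can be called from the two places named above (User._validatePassword and the profile-creation branch). It looks the user up first, binds with the DN the server returned instead of constructing one, escapes the WikiName before it goes into the filter, and refuses empty passwords, which on many servers turn a simple bind into an anonymous one. LDAP_URI, BASE_DN, SEARCH_FILTER, connect(), FakeDirectory and InvalidCredentials are names I made up for the example; the real connector assumes python-ldap is installed, and FakeDirectory is a constructed in-memory stand-in so the logic runs offline.

```python
import re

# Constructed settings; a deployment would take these from the wiki config.
LDAP_URI = "ldap://ldap.example.com"          # placeholder host
BASE_DN = "ou=people,dc=example,dc=com"       # placeholder search base
SCOPE_SUBTREE = 2                             # same value as ldap.SCOPE_SUBTREE (not SCOPE_ONE)
SEARCH_FILTER = "(|(uid=%s)(cn=%s))"          # WikiName may be the uid or the common name


def escape_filter_chars(value):
    """RFC 4515 escaping, so a WikiName cannot change the meaning of the filter.
    python-ldap ships ldap.filter.escape_filter_chars; it is reimplemented here
    so the example runs without the library."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def find_user_dn(conn, username):
    """Search the directory and return the single matching DN, or None.
    The DN is taken straight from the search result; nothing is concatenated."""
    safe = escape_filter_chars(username)
    entries = conn.search_s(BASE_DN, SCOPE_SUBTREE, SEARCH_FILTER % (safe, safe), ["uid"])
    dns = [dn for dn, _attrs in entries if dn is not None]   # drop referral entries (dn is None)
    if len(dns) != 1:
        return None        # unknown user, or ambiguous match: refuse rather than guess
    return dns[0]


def ldap_check(username, password, conn):
    """Return (True, dn) when username/password verify against LDAP, else (False, reason)."""
    if not username or not password:
        # An empty password makes a simple bind anonymous on many servers,
        # which would "succeed" for every user.
        return False, "empty username or password"
    dn = find_user_dn(conn, username)
    if dn is None:
        return False, "no unique directory entry for %r" % username
    try:
        conn.simple_bind_s(dn, password)
    except Exception as exc:       # ldap.INVALID_CREDENTIALS or a server error: fail closed
        return False, "bind as %s failed: %s" % (dn, exc.__class__.__name__)
    return True, dn


def connect():
    """Default connector using python-ldap (assumed installed); not used by the fake below."""
    import ldap
    conn = ldap.initialize(LDAP_URI)
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.start_tls_s()             # the password must not cross the wire in clear
    return conn


class InvalidCredentials(Exception):
    """Stand-in for ldap.INVALID_CREDENTIALS in the fake directory."""


class FakeDirectory:
    """Constructed in-memory stand-in for a python-ldap connection (search_s, simple_bind_s)."""

    def __init__(self, users):
        self.users = users          # {dn: (uid, cn, password)}; sample data, not real accounts

    def search_s(self, base, scope, filterstr, attrlist=None):
        # Only understands the filter shape this example builds; base and scope are ignored.
        m = re.match(r"\(\|\(uid=(.*?)\)\(cn=(.*?)\)\)$", filterstr)
        if not m:
            raise ValueError("unexpected filter: " + filterstr)
        wanted = m.group(1)         # still escaped; compared against escaped attribute values
        return [(dn, {"uid": [uid.encode()]})
                for dn, (uid, cn, _pw) in self.users.items()
                if wanted in (escape_filter_chars(uid), escape_filter_chars(cn))]

    def simple_bind_s(self, dn, password):
        if dn not in self.users or self.users[dn][2] != password:
            raise InvalidCredentials(dn)
        return True


if __name__ == "__main__":
    directory = FakeDirectory({
        "uid=jdoe,ou=people,dc=example,dc=com": ("jdoe", "John Doe", "s3cret"),
    })
    for name, pw in [("jdoe", "s3cret"), ("John Doe", "s3cret"), ("jdoe", "wrong"),
                     ("jdoe", ""), ("*", "s3cret"), ("jdoe)(uid=*", "s3cret")]:
        print("%-14r %-8r -> %r" % (name, pw, ldap_check(name, pw, directory)))
```

In the wiki, `_validatePassword` would return the first element of `ldap_check(...)`, and the profile-creation branch would bail out before writing anything when it is False; `connect()` is only called in that real path. The wildcard and filter-injection names in the `__main__` block are there to show that escaping makes them match nothing rather than everything.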