Description
When using auth = [auth.moin_cookie, auth.ldap_login] and logging in with a non-LDAP account, I get redirected to UserPreferences and the message "Sorry, wrong password." is shown. However, the login does actually succeed. So the "wrong password" message is pretty misleading.
Everything is, however, working correctly when only using auth = [auth.moin_cookie] or auth = [auth.ldap_login], so I suppose this is related to the LDAP authentication.
Steps to reproduce
- set up a moin instance with both cookie and LDAP authentication
- set auth = [auth.moin_cookie, auth.ldap_login]
- log in with a moin_cookie account (or create a new one; the same problem happens)
Example
Component selection
- general, or probably the LDAP authentication module
Details
MoinMoin Version | Release 1.5.7 [Revision release]
OS and Version | Linux 2.6.5-7.244-smp
Python Version | 2.5 (r25:51908, Mar 15 2007, 15:21:11) [GCC 3.3.3 (SuSE Linux)]
Server Setup | wikifarm, cgi, apache2, MS Active Directory Service
Server Details |
Language you are using the wiki in (set in the browser/UserPreferences) | English
Workaround
Discussion
(Filed by DieterVanUytvanck, who is subscribed to this page as well)
Try auth = [auth.ldap_login, auth.moin_cookie].
I tried this, and the LDAP login still works, but the other (moin_cookie) accounts don't work anymore at all. I get the "wrong password" message and the login does not succeed. If I use auth = [auth.moin_cookie] it works fine, however. -- DieterVanUytvanck 2007-03-27 11:35:52
- The current 1.5 ldap stuff is made in a way that ldap is authoritative. So if ldap says no to a user, he is vetoed from getting in. The cookie stuff is just used for session purposes.
Thanks, that makes sense. So then I suppose that auth = [auth.moin_cookie, auth.ldap_login] would be the correct order for a combination of the standard and LDAP login. Is it because of the authoritative LDAP that I get an unjustified "wrong password" when providing a correct one (using the cookie,ldap order)?
- I think the main problem in 1.5 is that moin_login and moin_session are not separate (as in upcoming 1.6). For doing what you want, you could maybe change the ldap_login code to NOT veto the user if he is not in the directory, but just continue with the next auth method. Putting cookie stuff first might not work because you need the cookie for keeping the session for ldap auth.
Thank you very much for the quick reply :). Indeed, changing auth.py such that non-LDAP users are not vetoed did the job. For the record, I'm attaching the diff: fix_cookie_and_ldap.diff
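The veto behaviour discussed above, as an added example that is not the attached diff or MoinMoin's own auth.py: a simplified model of the 1.5 auth chain, where each method returns (user, continue) and a False continue flag discards whatever an earlier method found. The fake directory, the local account table and the function names are constructed for illustration; the model only shows the chain's final result (what the "wrong password" message reflects), not the session cookie that had already been set.

```python
# Constructed sample data: one directory (LDAP) account, one wiki-only account.
LDAP_DIRECTORY = {"alice": "ldap-secret"}
LOCAL_ACCOUNTS = {"bob": "local-secret"}


def moin_cookie(request, user=None):
    """Local account check (stand-in for the cookie/login method): never vetoes."""
    name, pw = request["username"], request["password"]
    if user is None and LOCAL_ACCOUNTS.get(name) == pw:
        user = name
    return user, True          # always let the next method run


def ldap_login_authoritative(request, user=None):
    """1.5 behaviour: LDAP has the final say, so an unknown user is vetoed."""
    name, pw = request["username"], request["password"]
    if LDAP_DIRECTORY.get(name) == pw:
        return name, True
    return None, False         # veto: discards the user found by an earlier method


def ldap_login_non_vetoing(request, user=None):
    """The fix described above: a user not in the directory is passed through.

    Assumption: a directory user with a wrong password is still vetoed, since
    LDAP remains authoritative for the accounts it does know.
    """
    name, pw = request["username"], request["password"]
    if name in LDAP_DIRECTORY:
        return (name, True) if LDAP_DIRECTORY[name] == pw else (None, False)
    return user, True          # not in the directory: continue with next method


def run_auth_chain(auth, request):
    """Call the configured methods in order; stop at the first veto."""
    user = None
    for method in auth:
        user, cont = method(request, user=user)
        if not cont:
            break
    return user


def login(auth, username, password):
    """Return the authenticated user name, or None when the chain rejected it."""
    return run_auth_chain(auth, {"username": username, "password": password})
```

With [moin_cookie, ldap_login_authoritative] the local user bob is found by the first method and then vetoed by LDAP, which is the reported "wrong password"; the non-vetoing variant lets bob through while still rejecting a wrong password for the directory user alice.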
Plan
- Priority:
- Assigned to: JohannesBerg
- Status: fixed in 1.6/1.7 by the auth/session separation