Description

Maybe it is not a bug; maybe it only depends on the kind of definition of the LDAP server I use.

I have had the problem that I was not able to use an LDAP server for auth today. I tried to figure out where my problem is located and I got the idea to fix it by using this patch. Currently I have some open questions which maybe we had better discuss.

I have not much experience with LDAP and I used a setup defined by http://www.kania-online.de/workshop/ldapsamba-suse-10.3-LAM.pdf (it is in German, but it describes very well how to set up LDAP for account management (a replacement for that PHP module would be great)).

Based on that tutorial I have set up some accounts. Afterwards I was not able to get one account logged in, while the web interface worked.

Google's code search was quite helpful to figure out how it could be solved.

    # http://www.google.de/search?q=ldap+account+python&ie=UTF-8&oe=UTF-8
    # http://www.google.com/codesearch/url?hl=de&ct=rpc&url=http://www.mechanicalcat.net/tech/roundup/wiki/LDAPLogin&usg=AFQjCNEjPS5TfSiQi69KY0eBAAmbJgRvzw
    import ldap
    import ldap.filter

    ldap_server = 'ldap://127.0.0.1:389'
    ldap_base = 'dc=home,dc=stka'
    user_name = 'ReimarBauer'
    password = 'mysecretpass'
    ok = False
    ldap_dn = None

    ldap_connect = ldap.initialize(ldap_server)
    try:
        # look up the entry for this uid below ldap_base (anonymous search);
        # escape the name so it cannot alter the shape of the search filter
        ldap_search = ldap_connect.search_s(ldap_base, ldap.SCOPE_SUBTREE,
                                            'uid=%s' % ldap.filter.escape_filter_chars(user_name))
        ldap_dn, attrs = ldap_search[0][0], ldap_search[0][1]
        print attrs
    except (ldap.LDAPError, IndexError):
        # the search failed or no entry matched the uid
        name = user_name
        print 'Unknown LDAP account "%(name)s"' % locals()

    if ldap_dn is not None:
        try:
            # bind as the entry we found; this is the actual password check
            ldap_connect.bind_s(ldap_dn, password)
            ok = True
        except ldap.LDAPError:
            print 'Invalid password !'

    if ok:
        print "Success"

Based on that I have changed ldap_login.py:

   1 diff -r dfb257df7fe3 MoinMoin/auth/ldap_login.py
   2 --- a/MoinMoin/auth/ldap_login.py	Mon Feb 04 14:35:21 2008 +0100
   3 +++ b/MoinMoin/auth/ldap_login.py	Sat Feb 09 00:41:07 2008 +0100
   4 @@ -19,7 +19,6 @@ import ldap
   5  import ldap
   6  
   7  from MoinMoin import user
   8 -
   9  
  10  def ldap_login(request, **kw):
  11      """ get authentication data from form, authenticate against LDAP (or Active
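Review bot: This hunk only deletes a blank line between `from MoinMoin import user` and `def ldap_login(...)`, which is unrelated to the login change; drop it from the patch so the diff stays focused on the LDAP bind logic.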
  12 @@ -72,6 +71,7 @@ def ldap_login(request, **kw):
  13                          ldap.set_option(option, value)
  14  
  15              server = cfg.ldap_uri
  16 +            ldap_base = cfg.ldap_base
  17              if verbose: request.log("LDAP: Trying to initialize %r." % server)
  18              l = ldap.initialize(server)
  19              if verbose: request.log("LDAP: Connected to LDAP server %r." % server)
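Review bot: `ldap_base = cfg.ldap_base` reads a configuration key that existing wikiconfigs do not define, so every installation without it will raise an AttributeError at login time; add a default for `ldap_base` next to the existing `ldap_uri` default (or document it as a required new setting in the patch description) before this line goes in.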
  20 @@ -88,7 +88,20 @@ def ldap_login(request, **kw):
  21              # you can use %(username)s and %(password)s here to get the stuff entered in the form:
  22              ldap_binddn = cfg.ldap_binddn % locals()
  23              ldap_bindpw = cfg.ldap_bindpw % locals()
  24 -            l.simple_bind_s(ldap_binddn.encode(coding), ldap_bindpw.encode(coding))
  25 +            # searching if the user is defined in subtree of ldap_base
  26 +            try:
  27 +                ldap_search = l.search_s(ldap_base, ldap.SCOPE_SUBTREE, 'uid=%s' % ldap_binddn.encode(coding))
  28 +                ldap_dn, attrs = ldap_search[0][0], ldap_search[0][1]
  29 +            # ToDo find the right exception 
  30 +            except:
  31 +                request.log("LDAP: invalid credentials (wrong password?) for dn %r (username: %r)" % (server, ldap_binddn))
  32 +            # check if the given password belongs to the user
  33 +            try:
  34 +                l.bind_s(ldap_dn, ldap_bindpw.encode(coding))
  35 +            except:
  36 +                request.log("LDAP: invalid credentials (wrong password?) for dn %r (username: %r)" % (server, ldap_binddn))
  37 +
  38 +            #l.simple_bind_s(ldap_binddn.encode(coding), ldap_bindpw.encode(coding))
  39              if verbose: request.log("LDAP: Bound with binddn %r" % ldap_binddn)
  40  
  41              # you can use %(username)s here to get the stuff entered in the form:
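Review bot: Neither failure path in this hunk stops the login: when `search_s` raises or returns no entry, the `except` only logs and execution falls through to `l.bind_s(ldap_dn, ...)` with `ldap_dn` never assigned, and when `bind_s` raises, the second `except` logs and execution continues to `request.log("LDAP: Bound with binddn %r" ...)` and the rest of the function as if the password had been accepted. Both branches need to return (as the original `simple_bind_s` call did by raising) instead of logging and carrying on. Further points: `'uid=%s' % ldap_binddn.encode(coding)` puts form input into the search filter unescaped, so wrap it in `ldap.filter.escape_filter_chars` to keep `*`, `(` and `)` from widening the search; `ldap_search[0]` should be replaced by a check that exactly one entry matched; both log messages pass `server` where the dn is meant; `ldap_binddn` is the expanded `cfg.ldap_binddn` template rather than the bare username, so the `uid=` filter only works when that template is just `%(username)s`; the bare `except:` clauses (already marked ToDo) should catch `ldap.LDAPError`; and the old `simple_bind_s` line should be removed rather than left commented out.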
ldap_login.py.patch

My wikiconfig.py:

    # authenticate against LDAP first, then fall back to the moin session cookie
    from MoinMoin.auth.ldap_login import ldap_login
    from MoinMoin.auth import moin_session
    auth = [ldap_login, moin_session]

    import ldap
    ldap_uri = 'ldap://127.0.0.1:389'
    ldap_base = 'dc=home,dc=stka'
    # these fields come from LDAP, so the user must not edit them in UserPreferences
    user_form_disable = ['name', 'aliasname', 'email', ]
    user_form_remove = ['password', 'password2', ]

Currently I wonder a bit about this amount of code in ldap_login.py. If we disable these form fields or try to remove them, what kind of info do we expect to fill into the userpref form?

In this approach we have in attrs all the data we can get for a user, so we could shorten ldap_login quite a bit if that is the way to go.

-- ReimarBauer 2008-02-08 23:17:10
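The search-then-bind flow of the snippet and the patch above, with the failure paths handled (no match, more than one match, failed bind, empty password, filter metacharacters in the username). This is an added example, not code from the bug report or from MoinMoin; it assumes a python-ldap-like connection interface (`search_s`, `simple_bind_s`), which is faked here so it runs without a server.

```python
# Added example, not from the bug report or MoinMoin: search-then-bind login in
# the shape of the patch above, with the failure paths handled.  The connection
# is injected (assumed python-ldap-like interface: search_s(base, scope, filter)
# and simple_bind_s(dn, password)), so the fake at the bottom runs offline.
SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE

def escape_filter_chars(value):
    """RFC 4515 escaping: special characters become \\xx so user input cannot
    change the shape of the filter (an unescaped uid=* would match everyone)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def ldap_search_bind_login(conn, base, username, password):
    """Return (ok, dn, reason); ok is True only after a successful bind."""
    if not password:
        # an empty password is an unauthenticated bind, which many servers
        # accept, so refuse it before talking to the server at all
        return False, None, 'empty password'
    try:
        hits = conn.search_s(base, SCOPE_SUBTREE,
                             'uid=%s' % escape_filter_chars(username))
    except Exception as e:  # python-ldap raises ldap.LDAPError subclasses
        return False, None, 'search failed: %s' % e
    hits = [h for h in hits if h[0]]  # skip referrals, which carry dn None
    if len(hits) != 1:
        # zero hits: unknown user; several hits: ambiguous, refuse as well
        return False, None, 'expected one entry for uid, got %d' % len(hits)
    dn = hits[0][0]
    try:
        conn.simple_bind_s(dn, password)  # the actual password check
    except Exception as e:
        return False, dn, 'bind failed: %s' % e
    return True, dn, 'ok'

class FakeLdapConnection(object):
    """Constructed stand-in for a python-ldap connection (no server needed)."""
    def __init__(self, entries, passwords):
        self.entries, self.passwords = entries, passwords
    def search_s(self, base, scope, filterstr):
        uid = filterstr[len('uid='):]  # an escaped '*' no longer matches
        return [(dn, a) for dn, a in self.entries if a['uid'] == uid]
    def simple_bind_s(self, dn, password):
        if self.passwords.get(dn) != password:
            raise Exception('INVALID_CREDENTIALS')

# constructed directory with one user (the DN and password are made up)
FAKE_CONN = FakeLdapConnection(
    [('uid=ReimarBauer,ou=users,dc=home,dc=stka', {'uid': 'ReimarBauer'})],
    {'uid=ReimarBauer,ou=users,dc=home,dc=stka': 'mysecretpass'})
```

With a real python-ldap connection, pass `ldap.initialize(ldap_uri)` as `conn` and use `ldap.filter.escape_filter_chars` in place of the local helper.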

Steps to reproduce

  1. do this...

Example

Component selection

Details

MoinMoin Version

1.6

OS and Version

Python Version

Server Setup

Server Details

Language you are using the wiki in (set in the browser/UserPreferences)

Workaround

Discussion

Bug report lacks focus and clarity. What is the bug? What exactly is fixed by the patch? Why?

Plan


CategoryMoinMoinNoBug

MoinMoin: MoinMoinBugs/ldap_auth (last edited 2008-05-01 22:53:08 by ThomasWaldmann)