changeset 3097:a94959a2aae7

Some python-ldap packages may not be built with TLS support. Let's make sure ldap.TLS_AVAIL exists before we try to use it. Add a configuration directive to only do one bind to the LDAP server. This is useful if you bind as the user the first time. In my case I was unable to bind as a user to the DN that contained the users' email, givenname, etc. fields.
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sat, 23 Feb 2008 02:10:14 +0100
parents 8d21b13482e3
children a67e104828d1
files MoinMoin/auth/ldap_login.py MoinMoin/config/multiconfig.py wiki/config/more_samples/ldap_smb_farmconfig.py
diffstat 3 files changed, 10 insertions(+), 4 deletions(-) [+]
--- a/MoinMoin/auth/ldap_login.py	Sat Feb 23 01:52:53 2008 +0100
+++ b/MoinMoin/auth/ldap_login.py	Sat Feb 23 02:10:14 2008 +0100
@@ -60,7 +60,7 @@
                 ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, cfg.ldap_timeout)
 
                 starttls = cfg.ldap_start_tls
-                if ldap.TLS_AVAIL:
+                if hasattr(ldap, 'TLS_AVAIL') and ldap.TLS_AVAIL:
                     for option, value in (
                         (ldap.OPT_X_TLS_CACERTDIR, cfg.ldap_tls_cacertdir),
                         (ldap.OPT_X_TLS_CACERTFILE, cfg.ldap_tls_cacertfile),
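Review bot: The new `hasattr(ldap, 'TLS_AVAIL') and ldap.TLS_AVAIL` guard silently skips the whole TLS option block, so a configuration with `ldap_start_tls` set and CA/cert paths filled in will run against a python-ldap built without TLS and nothing records that the configured transport protection was not applied. Since `starttls` is assigned on the line just above, a one-line warning in the skipped branch makes the misconfiguration visible in the log, e.g. `elif starttls and verbose: request.log("LDAP: start_tls requested but this python-ldap has no TLS support")` (this assumes `verbose` is already bound at this point as it is further down in the same method; confirm). Where `starttls` is consumed is outside this hunk, so whether the later start_tls call fails loudly or is skipped cannot be seen here. The enclosing method starts and ends outside the hunk.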
@@ -121,9 +121,10 @@
                     return CancelLogin(_("Invalid username or password."))
 
                 dn, ldap_dict = lusers[0]
-                if verbose: request.log("LDAP: DN found is %r, trying to bind with pw" % dn)
-                l.simple_bind_s(dn, password.encode(coding))
-                if verbose: request.log("LDAP: Bound with dn %r (username: %r)" % (dn, username))
+                if not cfg.ldap_bindonce:
+                    if verbose: request.log("LDAP: DN found is %r, trying to bind with pw" % dn)
+                    l.simple_bind_s(dn, password.encode(coding))
+                    if verbose: request.log("LDAP: Bound with dn %r (username: %r)" % (dn, username))
 
                 if cfg.ldap_email_callback is None:
                     if cfg.ldap_email_attribute:
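Review bot: With `ldap_bindonce` enabled, `if not cfg.ldap_bindonce:` skips the only bind in this hunk that uses `password`, and nothing here checks that the earlier bind (before this hunk) was actually performed with the user's own credentials rather than a fixed service account. If that first bind is a service-account bind, this option turns the login into "any username that resolves to an LDAP entry is accepted, password ignored", and the search result on `dn, ldap_dict = lusers[0]` is the only thing standing between the caller and a session. At minimum a comment above the new `if` should state the precondition, e.g. `# ldap_bindonce skips the password bind: only valid when the initial bind was done with the user's credentials`, and ideally the code would refuse `ldap_bindonce` when the initial bind DN is not derived from `username`; I cannot see that code from here, so treat that as something to confirm. The enclosing method starts and ends outside the hunk.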
--- a/MoinMoin/config/multiconfig.py	Sat Feb 23 01:52:53 2008 +0100
+++ b/MoinMoin/config/multiconfig.py	Sat Feb 23 02:10:14 2008 +0100
@@ -386,6 +386,9 @@
     ldap_tls_keyfile = ''
     ldap_tls_require_cert = 0 # 0 == ldap.OPT_X_TLS_NEVER (needed for self-signed certs)
 
+    ldap_bindonce = False # set to True to only do one bind.  Useful if
+                          # configured to bind as the user on the first attempt
+
     log_reverse_dns_lookups = True  # if we do reverse dns lookups for logging hostnames
                                     # instead of just IPs
     log_timing = False              # update <data_dir>/timing.log?
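Review bot: The comment on the new `ldap_bindonce` default says when the option is "useful" but not what it gives up, so an administrator reading `multiconfig.py` has no hint that enabling it removes the password check unless the first bind already used the user's credentials. I would make the consequence explicit in the comment, e.g. `ldap_bindonce = False # True: skip the second (password) bind. ONLY enable this if the initial bind` / `# is done with the user's own credentials, otherwise the password is never verified.` The same wording applies to the identical two lines added to `wiki/config/more_samples/ldap_smb_farmconfig.py` in the next hunk.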
--- a/wiki/config/more_samples/ldap_smb_farmconfig.py	Sat Feb 23 01:52:53 2008 +0100
+++ b/wiki/config/more_samples/ldap_smb_farmconfig.py	Sat Feb 23 02:10:14 2008 +0100
@@ -105,6 +105,8 @@
     ldap_coding = 'utf-8' # coding used for ldap queries and result values
     ldap_timeout = 10 # how long we wait for the ldap server [s]
     ldap_verbose = True # if True, put lots of LDAP debug info into the log
+    ldap_bindonce = False # set to True to only do one bind.  Useful if
+                          # configured to bind as the user on the first attempt
     cookie_lifetime = 1 # 1 hour after last access ldap login is required again
     user_autocreate = True