On Sat, Aug 12, 2006 at 10:09:28AM +0200, [EMAIL PROTECTED] wrote:
> For sure I understand now why you need a second search on update_user() and
> with the defaults for mk_pre_auth_bind those two searches should be the same.
>
> A security question about get_ldap_user():
>
> def get_ldap_user(l, username):
>     """
>     Helper method, makes a user object and calls update_user to populate it
>     """
>
>     user = User(username=username, password='Made by LDAP')
>     LDAPBackend.update_user(l, user)
>     return user
>
> Is setting the password to 'Made by LDAP' opening a backdoor?
> If somebody accidentally removes the LDAP support or uses both DB and LDAP, can
> this open a security hole?
>
> I would prefer to use a randomly chosen password.
>
That is a good point; if you have both backends working, this would present a problem. I'll go ahead and have it generate a random password in there instead.

Scott

--
Scott Paul Robertson
http://spr.mahonri5.net
GnuPG FingerPrint: 09ab 64b5 edc0 903e 93ce edb9 3bcc f8fb dc5d 7601
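An added example, not code from this thread or from the LDAP backend it discusses, showing why the fixed placeholder matters and what the proposed fix changes. `User`, `db_backend_login` and the PBKDF2 storage are stand-ins written for this example (assumptions, not Django's own classes); the point is that with the placeholder, any DB-backend login for an LDAP-created account succeeds with a publicly known string, while a random secret gives the DB backend nothing guessable.

```python
import hashlib
import hmac
import os
import secrets

# Stand-in for a Django-style user model (assumption: not Django's class).
# It stores a salted hash so a DB-backend login can be checked against it.
class User:
    def __init__(self, username, password):
        self.username = username
        self.set_password(password)

    def set_password(self, raw_password):
        self.salt = os.urandom(16)
        self.password_hash = hashlib.pbkdf2_hmac(
            "sha256", raw_password.encode(), self.salt, 100_000)

    def check_password(self, raw_password):
        candidate = hashlib.pbkdf2_hmac(
            "sha256", raw_password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.password_hash)


# The value the quoted helper hard-codes for every LDAP-created account.
PLACEHOLDER = "Made by LDAP"


def get_ldap_user_placeholder(username):
    """Pattern questioned in the thread: a known, shared placeholder password."""
    return User(username=username, password=PLACEHOLDER)


def get_ldap_user_random(username):
    """Fix proposed in the reply: a random secret nobody is ever told."""
    return User(username=username, password=secrets.token_urlsafe(32))


def db_backend_login(user, raw_password):
    """Simulates a DB (ModelBackend-style) check that bypasses LDAP entirely."""
    return user.check_password(raw_password)


if __name__ == "__main__":
    # With the placeholder, the DB backend accepts the public string.
    print(db_backend_login(get_ldap_user_placeholder("alice"), PLACEHOLDER))
    # With a random secret, the same attempt fails.
    print(db_backend_login(get_ldap_user_random("alice"), PLACEHOLDER))
```

Modern Django also offers `User.set_unusable_password()` for accounts that must never authenticate through the DB backend, which avoids storing any password at all.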