#11501: User authentication via LDAP
---------------------------+------------------------------------------------
Reporter: rmartinjak | Owner: jason, mpatel, was
Type: enhancement | Status: new
Priority: minor | Milestone:
Component: notebook | Keywords: notebook, auth, ldap
Work_issues: | Upstream: N/A
Reviewer: | Author: Robin Martinjak
Merged: | Dependencies:
---------------------------+------------------------------------------------
Comment(by ijstokes):
Copied over from discussion on sage-notebook.
1. Which python-ldap instructions from Rado are you referring to? I had
trouble easy_installing python-ldap with Sage 4.7, and had to download it,
configure setup.cfg by hand, and compile it. I had to get a recent
version of OpenLDAP and BerkeleyDB for this to work. If those steps are
not required, I'd love to know what I did wrong.
2. Why did you do:
class ExtAuthUserManager(OpenIDUserManager):
It would seem to me that this should be reversed. ExtAuthUserManager
should be the generic class, and OpenIDUserManager should turn into an
OpenIDAuth option in the _auth_methods dict.
3. I would suggest making a list of _auth_methods keys which can be
ordered so it is predictable which auth_method is being used first,
second, etc.
4. It doesn't seem very nice to have OpenID-specific references anywhere
inside ExtAuthUserManager. (__init__ and a few OpenID specific methods).
5. Can you point me at some details of how the "conf" system works? Where
does this come from on disk? What is passed to the constructor?
6. I would have the conf file specify the full URL to the LDAP host,
rather than have "host" and "port" configs. We use:
ldaps://hostname
which is impossible to configure for in your current code: it is fixed
with "ldap".
7. Please can you provide an example configuration file? In particular,
I'm interested in:
result = self._ldap_search("(%s=%s)" %
(self._conf['ldap_username_attrib'], username), attrlist)
My best guess is that "ldap_username_attrib" will typically be "uid", but
I can tell you that in our LDAP server the same user may have multiple
entries for different LDAP namespaces. We have one namespace for system
users, and another for web portal users, so my username ijstokes shows up
twice:
uid=ijstokes,cn=users,cn=portal,dc=nebiogrid,dc=org
uid=ijstokes,cn=users,cn=accounts,dc=nebiogrid,dc=org
Plus on a big LDAP server this is an expensive search. The admin will
know where users are kept, and the search should be limited just to that
part of the LDAP tree. In my LDAP implementation, I did a synchronous
search as follows:
results = self._ldap_con.search_s(
    "uid=%s,cn=users,cn=portal,dc=nebiogrid,dc=org" % username,
    ldap.SCOPE_BASE, attrlist=['uid','cn','mail'])
8. I think you should just setup the LDAP connection once in the
constructor. I *think* Python LDAP will manage the connection
intelligently.
9. check_password seems a bit convoluted -- it does two binds: once to get
the DN, and once to check the password. I'd prefer the model above.
10. Sage stores a little bit of additional per-user state:
suspended/active and worksheet timeouts or auto-save (can't remember).
TTBOMK the OpenID system gets around this by creating a Sage user when
someone authenticates for the first time. Do you inherit the same
behavior? I can't see where this happens.
--
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/11501#comment:3>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica,
and MATLAB
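The points raised above (a full ldap:// or ldaps:// URI instead of host/port, a search limited to the part of the tree where the admin keeps users, the same uid appearing in two namespaces, and the search-then-bind check_password) are pulled together in the following added example. It is not code from the ticket or from the Sage notebook: the conf keys ldap_uri, ldap_base_dn and ldap_username_attrib are assumed names, the directory contents and passwords are constructed, and a small in-memory connection class stands in for a python-ldap connection so the whole thing runs offline. The filter-escaping helper reimplements what python-ldap provides as ldap.filter.escape_filter_chars, so that a username cannot change the shape of the search filter.

```python
from urllib.parse import urlsplit

# Characters RFC 4515 requires escaping inside a filter value. python-ldap ships the
# same logic as ldap.filter.escape_filter_chars; it is reimplemented here so the
# example runs without python-ldap installed.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

# Same numeric values python-ldap uses for ldap.SCOPE_*.
SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = 0, 1, 2


def escape_filter_value(value):
    """Escape a user-supplied value before interpolating it into a search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_ldap_uri(uri):
    """Accept a full ldap:// or ldaps:// URI (assumed conf key: ldap_uri)."""
    parts = urlsplit(uri)
    if parts.scheme not in ('ldap', 'ldaps'):
        raise ValueError('unsupported LDAP scheme: %r' % parts.scheme)
    port = parts.port or (636 if parts.scheme == 'ldaps' else 389)
    return parts.scheme, parts.hostname, port


def find_user_dn(conn, conf, username):
    """Search only under conf['ldap_base_dn'] and require exactly one match."""
    attrib = conf['ldap_username_attrib']
    filt = '(%s=%s)' % (attrib, escape_filter_value(username))
    results = conn.search_s(conf['ldap_base_dn'], SCOPE_SUBTREE, filt, [attrib])
    dns = [dn for dn, _attrs in results if dn is not None]
    if len(dns) != 1:
        return None  # unknown user, or ambiguous (same uid in two namespaces)
    return dns[0]


def check_password(conn, conf, username, password):
    """Search-then-bind: resolve the DN, then bind as that DN with the password."""
    if not password:
        # An empty password is an unauthenticated bind, which many servers accept;
        # never let that count as a successful login.
        return False
    dn = find_user_dn(conn, conf, username)
    if dn is None:
        return False
    try:
        conn.simple_bind_s(dn, password)
    except LdapInvalidCredentials:
        return False
    return True


class LdapInvalidCredentials(Exception):
    """Stands in for ldap.INVALID_CREDENTIALS."""


class FakeLdapConnection:
    """Constructed in-memory directory mirroring the two python-ldap methods used."""

    def __init__(self, entries, passwords):
        self.entries = entries        # dn -> {attribute: [values]}
        self.passwords = passwords    # dn -> password

    def search_s(self, base, scope, filterstr, attrlist=None):
        # Supports only the single equality filter built by find_user_dn; stored
        # values are compared in escaped form, so '*' or ')' in the filter value
        # cannot match anything.
        attr, _, wanted = filterstr[1:-1].partition('=')
        out = []
        for dn, attrs in self.entries.items():
            if not dn.endswith(',' + base):
                continue
            if any(escape_filter_value(v) == wanted for v in attrs.get(attr, [])):
                out.append((dn, {a: attrs[a] for a in (attrlist or attrs) if a in attrs}))
        return out

    def simple_bind_s(self, who, cred):
        if self.passwords.get(who) != cred:
            raise LdapInvalidCredentials(who)


def demo():
    """Run the checks against a constructed directory with two user namespaces."""
    portal_dn = 'uid=ijstokes,cn=users,cn=portal,dc=nebiogrid,dc=org'
    accounts_dn = 'uid=ijstokes,cn=users,cn=accounts,dc=nebiogrid,dc=org'
    directory = {
        portal_dn: {'uid': ['ijstokes'], 'mail': ['[email protected]']},
        accounts_dn: {'uid': ['ijstokes'], 'mail': ['[email protected]']},
    }
    passwords = {portal_dn: 'portal-pass', accounts_dn: 'accounts-pass'}  # constructed
    conn = FakeLdapConnection(directory, passwords)
    portal_conf = {'ldap_uri': 'ldaps://ldap.example.org',  # assumed host
                   'ldap_base_dn': 'cn=users,cn=portal,dc=nebiogrid,dc=org',
                   'ldap_username_attrib': 'uid'}
    wide_conf = dict(portal_conf, ldap_base_dn='dc=nebiogrid,dc=org')
    return {
        'endpoint': parse_ldap_uri(portal_conf['ldap_uri']),
        'good': check_password(conn, portal_conf, 'ijstokes', 'portal-pass'),
        'wrong': check_password(conn, portal_conf, 'ijstokes', 'accounts-pass'),
        'empty': check_password(conn, portal_conf, 'ijstokes', ''),
        'ambiguous': check_password(conn, wide_conf, 'ijstokes', 'portal-pass'),
        'injection': check_password(conn, portal_conf, 'ijstokes)(uid=*', 'portal-pass'),
    }
```

With the base DN restricted to the portal namespace the lookup is unambiguous and cheap; widening it to dc=nebiogrid,dc=org returns both entries, and the helper refuses rather than guessing which one to bind as. To use this against a real server, replace FakeLdapConnection with ldap.initialize(conf['ldap_uri']) and LdapInvalidCredentials with ldap.INVALID_CREDENTIALS.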