For 1 you already have this opportunity, as your example is mostly the same
as:

auth.settings.login_methods = \
    [auth,
     ldap_auth(...)]

So web2py will try to authenticate the user against the web2py data; if that
fails it will try the AD.
2) There's the tricky part... The simplest would be to inform your users on
the registration page to contact you if they are members of the staff, so
you create their account for them; that way no web2py password would be
required... If this is not acceptable, you customize the registration form
somehow and avoid asking staff members to create a password. The simplest
way would be to create a first form asking if the person is a member of the
staff and, depending on the answer, directing them to the right form.
Finally, you could create a syncing AD/web2py users module, so all the
possible staff members get their account created in web2py, and you can
even manage access to your app from the AD that way, by creating an AD
group to which you grant access to your app. I did just that recently...
It's a lot of work :)
3) To avoid that situation, you have to leave the password field of the
auth_user table empty for the users that need to be granted access against
AD.
NOTE: If you use AD, think of using an LDAPS connection over port 636 (LDAP +
SSL) to avoid clear-text authentication credentials flowing over your LAN.
This could be achieved like this; depending on whether the SSL certificate is
self-signed or not, your config might need a few tweaks, so read the
ldap_auth.py module for guidance on the available switches...
auth.settings.login_methods = \
    [auth,
     ldap_auth(mode='ad',
               # ------------------------------------------------------------
               # To unlock LDAPS with a self-signed certificate this line
               # should be present in ldap_auth.py:
               #   ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
               # This line should be inside: ldap_auth()
               # Ref: https://onemoretech.wordpress.com/2015/06/25/connecting-to-ldap-over-self-signed-tls-with-python/
               # Ref: http://bneijt.nl/blog/post/connecting-to-ldaps-with-self-signed-cert-using-python/
               # Ref: https://mail.python.org/pipermail/python-ldap/2015q4/003631.html
               port=636,
               secure=True,
               self_signed_certificate=True,
               ....)]
Good luck
Richard
On Thu, Mar 15, 2018 at 6:10 AM, Johann Spies <[email protected]>
wrote:
> I am trying out ldap authentication after I last used it in 2006.
>
> My ldap knowledge is minimal.
>
> After reading the documentation in the book and in ldap_auth.py I
> have a few questions about authentication and ldap.
>
> Background: Only a few users (probably not more than 5 or 6) will use
> this app as logged in users.
>
> All of them (or maybe except one or two) will not be staff members of
> our university. Staff members and students can be authenticated
> against the Active Directory (AD) of the university. The others not.
>
> We will only allow specific people to authenticate. Registration of
> users will not be available through the user webinterface.
>
> As I understand the documentation web2py will work through the list
> (auth.settings.login_methods) trying the next method if the previous
> authentication method fails.
>
> I do not have any admin function as far as the AD is concerned. So
> I can do nothing there that has an effect on our authentication
> except query the AD through LDAP.
>
>
> In the model:
>
> from gluon.contrib.login_methods.ldap_auth import ldap_auth
> auth.settings.login_methods.append(ldap_auth(
>     mode='ad', server='ouradserver',
>     base_dn='ou=Users,dc=stb,dc=sun,dc=ac,dc=za,O=SU',
>     manage_user=True,
>     user_firstname_attrib='cn:1',
>     user_lastname_attrib='cn:2',
>     user_mail_attrib='mail'))
>
> My auth.settings.login_methods:
> [<gluon.tools.Auth at 0x7f3ca5e470b8>,
>  <function gluon.contrib.login_methods.ldap_auth.ldap_auth.<locals>.ldap_auth_aux>]
>
> Now my questions:
>
> 1. Is it possible to combine the normal auth and ldap methods in such
> a way that staff members authenticate against AD and the others
> against the local auth-table?
>
> 2. How do I manage the user registration if the answer to 1 is "Yes"?
>
> 3. I have tested the system with myself as a user on both the local
> table and the AD. If my local password is different from that on the AD,
> I can log in with the local password. That should not be. How do I get
> it so that, if the username is both local and on the AD, the latter
> overrides the former?
>
> Regards
> Johann
>
> --
> Because experiencing your loyal love is better than life itself,
> my lips will praise you. (Psalm 63:3)
>
> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
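The chain Richard describes (web2py walks auth.settings.login_methods in order and falls through on failure), Johann's question 3, and Richard's fix for it, modelled in a small Python script. This is an added example and not web2py's own code: `LocalAuth`, `fake_ldap_auth`, `FAKE_AD` and the PBKDF2 hashing are stand-ins of my own for the `auth` object, the callable `ldap_auth(...)` returns, the AD, and web2py's CRYPT validator, and the sample usernames and passwords are constructed. The real Auth.login() does more than this (registration-key checks, get_or_create_user and its update_fields), so check gluon/tools.py before relying on the exact order it tries methods in; what the script shows is why an auth_user row with a stored password hash lets the local password win, and why an empty password field (or a row created without one, as manage_user does here) closes that gap.

```python
"""Toy model of web2py's auth.settings.login_methods chain.

Added example, NOT web2py's code. LocalAuth stands in for the `auth`
object and fake_ldap_auth for what ldap_auth(...) returns; FAKE_AD and
every username/password below are constructed for the demonstration.
"""
import hashlib
import hmac
import os

# Constructed stand-in for the university AD: username -> password that
# would make an LDAP simple bind succeed. A real ldap_auth() binds instead.
FAKE_AD = {"jspies": "ad-secret"}


def fake_ldap_auth(username, password):
    """Behaves like the callable ldap_auth(...) returns: True on a good bind."""
    return FAKE_AD.get(username) == password


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA512, playing the role of web2py's CRYPT() validator."""
    salt = salt or os.urandom(16).hex()
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), 100_000)
    return f"{salt}${digest.hex()}"


def check_password(password, stored):
    """An empty/None password field can never match: that is Richard's fix for Q3."""
    if not stored:
        return False
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, salt), stored)


class LocalAuth:
    """Stand-in for `auth` (gluon.tools.Auth): checks the auth_user table."""

    def __init__(self, users):
        self.__name__ = "auth"
        self.users = users  # username -> {"password": <hash, "" or None>}

    def __call__(self, username, password):
        rec = self.users.get(username)
        return rec is not None and check_password(password, rec["password"])


def login(login_methods, users, username, password, manage_user=False):
    """Walk login_methods in order; the first method that accepts the
    credentials wins and its name is returned, None if all of them fail.
    manage_user mirrors ldap_auth(manage_user=True) from the thread: a user
    who authenticated against AD but has no auth_user row gets one created
    WITHOUT a password, so the local method can never accept a stale or
    guessed password for that account."""
    for method in login_methods:
        if method(username, password):
            if manage_user and method.__name__ != "auth" and username not in users:
                users[username] = {"password": None, "source": method.__name__}
            return method.__name__
    return None


def scenario_q3_local_password_set():
    """Johann's Q3: the user also has a local password that differs from AD's."""
    users = {"jspies": {"password": hash_password("local-pass")}}
    methods = [LocalAuth(users), fake_ldap_auth]
    # both passwords are accepted, which is exactly the problem he reports
    return (login(methods, users, "jspies", "local-pass"),
            login(methods, users, "jspies", "ad-secret"))


def scenario_empty_local_password():
    """Richard's answer to Q3: leave auth_user.password empty for AD users."""
    users = {"jspies": {"password": ""}}
    methods = [LocalAuth(users), fake_ldap_auth]
    # only the AD password gets through now
    return (login(methods, users, "jspies", "local-pass"),
            login(methods, users, "jspies", "ad-secret"))


def scenario_manage_user():
    """Point 2: staff row created on first AD login, with no local password."""
    users = {}
    methods = [LocalAuth(users), fake_ldap_auth]
    who = login(methods, users, "jspies", "ad-secret", manage_user=True)
    # the synced row has no password, so a guess fails on every method
    return who, users["jspies"]["password"], login(methods, users, "jspies", "guess")


def scenario_outsider():
    """Non-staff user: only the local table knows them, AD never matches."""
    users = {"guest": {"password": hash_password("guest-pw")}}
    methods = [LocalAuth(users), fake_ldap_auth]
    return (login(methods, users, "guest", "guest-pw"),
            login(methods, users, "guest", "wrong"))


if __name__ == "__main__":
    print("Q3 as reported :", scenario_q3_local_password_set())
    print("empty password :", scenario_empty_local_password())
    print("manage_user    :", scenario_manage_user())
    print("local-only user:", scenario_outsider())
```

One caveat on the LDAPS part of Richard's reply: the line he points at, ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER), tells python-ldap not to verify the server's certificate at all. That still encrypts the bind on the LAN, but it no longer proves you are talking to the real domain controller, so anyone who can redirect traffic to ouradserver can collect staff passwords. Use it only while you cannot get the AD's CA certificate; once you have it, keep secure=True and port=636 but drop self_signed_certificate=True in favour of the CA-certificate switches that ldap_auth.py documents.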