I tried out the ldap login using an Active Directory server using the
directions from http://web2py.com/book/default/section/8/1. I had to
make some small changes to get it running when using 'username' for
login.

change 1: if @ is missing (like in the case of using 'username')
username_bare is undefined in 'con.search_ext_s(...)'. Proposed
solution: add an else: to repair this

change 2: con.simple_bind_s(username, password) fails when username is
just a username without '@[domainname]'. As we are already searching
the AD, I added the attribute 'distinguishedName' in
con.search_ext_s() and used that to construct the DN. The DN can also
be used in con.simple_bind_s()

This seems to work, can anyone confirm the problem and check the
solutions?

In my test application I had to relax the FK constraints to get the
inserts in auth_table, auth_membership and auth_events working and
prevent FK constraint errors. (I'm using MS-SQLServer 2005). Is it a
solution to commit the insert in auth_user first? See, in tools.py,
line 1078

Nico de Groot

From gluon/contrib/login_methods/ldap_auth.py
current (ldap_auth.py from line 64)-----------
            if ldap_mode == 'ad':
                # Microsoft Active Directory
                con.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
                if ldap_binddn:
                    # need to search directory with an admin account 1st
                    con.simple_bind_s(ldap_binddn, ldap_bindpw)
                else:
                    # credentials should be in the form of username@[domainname]
                    con.simple_bind_s(username, password)
                if "@" in username:
                    username_bare = username.split("@")[0]
                # this will throw an index error if the account is not found
                # in the ldap_basedn
                result = con.search_ext_s(
                    ldap_basedn, ldap.SCOPE_SUBTREE,
                    "sAMAccountName=%s" % username_bare,
                    ["sAMAccountName", "distinguishedName"])[0][1]
                if ldap_binddn:
                    # We know the user exists & is in the correct OU
                    # so now we just check the password
                    con.simple_bind_s(username, password)

proposed (ldap_auth.py from line 64)---------------
            if ldap_mode == 'ad':
                # Microsoft Active Directory
                con.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
                if ldap_binddn:
                    # need to search directory with an admin account 1st
                    con.simple_bind_s(ldap_binddn, ldap_bindpw)
                else:
                    # credentials should be in the form of username@[domainname]
                    con.simple_bind_s(username, password)
                if "@" in username:
                    username_bare = username.split("@")[0]
                #patch ncdg1
                else:
                    username_bare = username
                #/patch ncdg1
                # this will throw an index error if the account is not found
                # in the ldap_basedn
                #patch ncdg2
                result = con.search_ext_s(
                    ldap_basedn, ldap.SCOPE_SUBTREE,
                    "sAMAccountName=%s" % username_bare,
                    ["sAMAccountName", "distinguishedName"])[0][1]
                if ldap_binddn:
                    # We know the user exists & is in the correct OU
                    # so now we just check the password
                    ldap_userdn = result["distinguishedName"][0]
                    con.simple_bind_s(ldap_userdn, password)
                #/patch ncdg2
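The search-then-bind flow of the proposed patch (ldap_binddn branch only), written out as an added example that is neither web2py's code nor Nico's: the username is escaped before it is placed in the search filter (the "sAMAccountName=%s" string above interpolates it raw) and an empty or ambiguous search result returns a failed login instead of the IndexError the comment warns about. FakeADConnection, SAMPLE_USERS and the 'svc'/'svcpw' service credentials are constructed stand-ins so it runs offline; with python-ldap installed, con would be an ldap.initialize(...) connection.

```python
try:
    import ldap  # python-ldap, the module web2py's ldap_auth.py uses
    INVALID_CREDENTIALS, SCOPE_SUBTREE = ldap.INVALID_CREDENTIALS, ldap.SCOPE_SUBTREE
except ImportError:  # python-ldap absent: local stand-ins so the example runs offline
    class INVALID_CREDENTIALS(Exception):
        pass
    SCOPE_SUBTREE = 2  # the value python-ldap assigns to ldap.SCOPE_SUBTREE

def escape_filter_chars(value):
    """RFC 4515 escaping for a value interpolated into an LDAP search filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def bare_username(username):
    """'user@domain' -> 'user'; a plain 'user' is returned unchanged (patch ncdg1)."""
    return username.split('@')[0] if '@' in username else username

def ad_login(con, ldap_basedn, ldap_binddn, ldap_bindpw, username, password):
    """Service-account search, then bind as the found DN (patch ncdg2); returns bool."""
    if not password:
        return False  # AD treats an empty password as an anonymous bind, never a login
    con.simple_bind_s(ldap_binddn, ldap_bindpw)  # search with the service account
    flt = '(sAMAccountName=%s)' % escape_filter_chars(bare_username(username))
    result = con.search_ext_s(ldap_basedn, SCOPE_SUBTREE, flt, ['distinguishedName'])
    entries = [(dn, attrs) for dn, attrs in result if dn is not None]  # drop referrals
    if len(entries) != 1:
        return False  # unknown or ambiguous account, instead of an IndexError
    userdn = entries[0][0]  # entry DN is str in python-ldap 3; the attribute is bytes
    try:
        con.simple_bind_s(userdn, password)
    except INVALID_CREDENTIALS:
        return False
    return True

class FakeADConnection:
    """Constructed stand-in for a python-ldap connection; users = {sAMAccountName: (dn, pw)}."""
    def __init__(self, users):
        self.users = users
    def simple_bind_s(self, who, cred):
        valid = dict(self.users.values())  # {dn: pw}
        valid['svc'] = 'svcpw'  # the constructed ldap_binddn service account
        if valid.get(who) != cred:
            raise INVALID_CREDENTIALS()
    def search_ext_s(self, base, scope, filterstr, attrlist=None):
        name = filterstr[len('(sAMAccountName='):-1]  # exact match only, no wildcards
        hit = self.users.get(name)
        return [(hit[0], {'distinguishedName': [hit[0]]})] if hit else []

SAMPLE_USERS = {'ncdg': ('CN=Nico,OU=Staff,DC=example,DC=local', 'secret')}  # constructed
```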
