Can you please email this to me as an attachment?
On May 18, 10:25 am, Nico de Groot <[email protected]> wrote:
> I tried out the ldap login using an Active Directory server using the
> directions from http://web2py.com/book/default/section/8/1. I had to
> make some small changes to get it running when using 'username' for
> login.
>
> change 1: if @ is missing (like in the case of using 'username')
> username_bare is undefined in 'con.search_ext_s(...)'. Proposed
> solution: add an else: to repair this
>
> change 2: con.simple_bind_s(username, password) fails when username is
> just a username without '@[domainname]'. As we are already searching
> the AD, I added the attribute 'distinguishedName' in
> con.search_ext_s(') and used that to construct the DN. The DN can also
> be used in con.simple_bind_s()
>
> This seems to work, can anyone confirm the problem and check the
> solutions?
>
> In my test application I had to relax the FK constraints to get the
> inserts in auth_table, auth_membership and auth_events working and
> prevent FK constraint-errors. (I'm using MS-SQLServer 2005). Is it a
> solution to commit the insert in auth_user first? See, in tools.py,
> line 1078
>
> Nico de Groot
>
> From gluon/contrib/login_methods/ldap_auth.py
> current-----------
> 64 if ldap_mode == 'ad':
>     # Microsoft Active Directory
>     con.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
>     if ldap_binddn:
>         # need to search directory with an admin account 1st
>         con.simple_bind_s(ldap_binddn, ldap_bindpw)
>     else:
>         # credentials should be in the form of [email protected]
>         con.simple_bind_s(username, password)
>     if "@" in username:
>         username_bare = username.split("@")[0]
>     # this will throw an index error if the account is not found
>     # in the ldap_basedn
>     result = con.search_ext_s(
>         ldap_basedn, ldap.SCOPE_SUBTREE,
>         "sAMAccountName=%s" % username_bare,
>         ["sAMAccountName","distinguishedName"])[0][1]
>     if ldap_binddn:
>         # We know the user exists & is in the correct OU
>         # so now we just check the password
>         con.simple_bind_s(username, password)
>
> proposed---------------
> 64: if ldap_mode == 'ad':
>     # Microsoft Active Directory
>     con.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
>     if ldap_binddn:
>         # need to search directory with an admin account 1st
>         con.simple_bind_s(ldap_binddn, ldap_bindpw)
>     else:
>         # credentials should be in the form of [email protected]
>         con.simple_bind_s(username, password)
>     if "@" in username:
>         username_bare = username.split("@")[0]
>     #patch ncdg1
>     else:
>         username_bare = username
>     #/patch ncdg1
>     # this will throw an index error if the account is not found
>     # in the ldap_basedn
>     #patch ncdg2
>     result = con.search_ext_s(
>         ldap_basedn, ldap.SCOPE_SUBTREE,
>         "sAMAccountName=%s" % username_bare,
>         ["sAMAccountName","distinguishedName"])[0][1]
>     if ldap_binddn:
>         # We know the user exists & is in the correct OU
>         # so now we just check the password
>         ldap_userdn=result["distinguishedName"][0]
>         con.simple_bind_s(ldap_userdn, password)
>     #/patch ncdg2
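The search-then-bind flow Nico describes, as an added example that is not part of the thread or of web2py's ldap_auth.py. It runs offline against a constructed in-memory stand-in for the python-ldap connection (FakeADConnection, the example.test domain, the sample accounts and the service-account DN are all assumptions), applies both proposed changes, and additionally escapes the username before it is formatted into the search filter, which the quoted code does not do, so the lookup stays an exact match whatever the user typed.

```python
import re

SCOPE_SUBTREE = 2  # same numeric value as ldap.SCOPE_SUBTREE


class InvalidCredentials(Exception):
    """Stand-in for ldap.INVALID_CREDENTIALS."""


def bare_username(username):
    """patch ncdg1: drop the @domain suffix when present, else use as-is."""
    return username.split("@")[0] if "@" in username else username


def escape_filter_chars(value):
    """RFC 4515 escaping for the characters that are special in a filter.
    The thread's code interpolates username_bare unescaped, so a username
    containing '*' or ')' would change the filter instead of being matched
    literally; with escaping the search stays an exact-match lookup."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _filter_to_regex(pattern):
    """Value side of an equality filter -> regex: an unescaped '*' is a
    wildcard, '\\xx' escapes are literal characters (AD semantics)."""
    parts = []
    for piece in pattern.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), piece)
        parts.append(re.escape(literal))
    return "^" + ".*".join(parts) + "$"


class FakeADConnection:
    """Constructed stand-in for the python-ldap connection: only the two
    methods the login flow calls, over an in-memory directory."""

    SVC_DN, SVC_PW = "cn=svc-bind,dc=example,dc=test", "bind-secret"  # assumed

    def __init__(self, directory):
        self.directory = directory  # sAMAccountName -> (DN, password)
        self.bound_as = None

    def simple_bind_s(self, who, cred):
        # Like AD, accept a DN or a user@domain UPN, never a bare username.
        if (who, cred) == (self.SVC_DN, self.SVC_PW):
            self.bound_as = who
            return
        for sam, (dn, pw) in self.directory.items():
            if who in (dn, sam + "@example.test") and cred == pw:
                self.bound_as = who
                return
        raise InvalidCredentials(who)

    def search_ext_s(self, base, scope, filterstr, attrlist):
        m = re.fullmatch(r"\(?sAMAccountName=(.*?)\)?", filterstr)
        if m is None:
            raise ValueError("unsupported filter: %s" % filterstr)
        rx = re.compile(_filter_to_regex(m.group(1)))
        return [(dn, {"sAMAccountName": [sam], "distinguishedName": [dn]})
                for sam, (dn, _) in self.directory.items() if rx.match(sam)]


def ad_login(con, ldap_basedn, username, password,
             ldap_binddn=None, ldap_bindpw=None):
    """The thread's proposed search-then-bind flow. Returns the user's DN on
    success and None on failure (the real module returns True/False)."""
    try:
        if ldap_binddn:
            con.simple_bind_s(ldap_binddn, ldap_bindpw)  # service account 1st
        else:
            con.simple_bind_s(username, password)  # needs user@domain here
        filterstr = "sAMAccountName=%s" % escape_filter_chars(
            bare_username(username))
        hits = con.search_ext_s(ldap_basedn, SCOPE_SUBTREE, filterstr,
                                ["sAMAccountName", "distinguishedName"])
        if not hits:
            return None  # the page's [0][1] would raise IndexError here
        ldap_userdn = hits[0][1]["distinguishedName"][0]
        if ldap_binddn:
            # patch ncdg2: bind as the DN we found, not the bare username
            con.simple_bind_s(ldap_userdn, password)
        return ldap_userdn
    except InvalidCredentials:
        return None


def demo_directory():
    """Constructed sample accounts for running the example offline."""
    return {"alice": ("cn=Alice,ou=Users,dc=example,dc=test", "alice-pw"),
            "bob": ("cn=Bob,ou=Users,dc=example,dc=test", "bob-pw")}


if __name__ == "__main__":
    con = FakeADConnection(demo_directory())
    base = "dc=example,dc=test"
    svc = (FakeADConnection.SVC_DN, FakeADConnection.SVC_PW)
    print(ad_login(con, base, "alice", "alice-pw", *svc))               # DN
    print(ad_login(con, base, "alice@example.test", "alice-pw", *svc))  # DN
    print(ad_login(con, base, "alice", "wrong", *svc))                  # None
    print(ad_login(con, base, "alice", "alice-pw"))                     # None
```

Run as a script, the first two logins resolve to the same DN whether the user typed 'alice' or 'alice@example.test'; the last call shows the failure change 2 works around, since a bare username cannot bind directly without a service account to resolve its DN. With a real python-ldap connection, ldap.filter.escape_filter_chars does what the local helper does here.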

