1641: Required LDAP OPT_REFERRALS option

bryan.we********@gmai***** (Google Code)
July 3, 2011
I'm using version 1.5 beta 1 and I'm using authentication to our corporate
LDAP server.  I had to add an LDAP option to make it work.

File: ReviewBoard-1.5beta1-py2.6.egg/reviewboard/accounts/backends.py

Methods: LDAPBackend.authenticate and LDAPBackend.get_or_create_user

Both of these methods call this ldap method: 

ldapo = ldap.initialize(settings.LDAP_URI)

But in our case, we require OPT_REFERRALS to be set:

ldapo = ldap.initialize(settings.LDAP_URI)
ldapo.set_option(ldap.OPT_REFERRALS, 0)

If adding this option doesn't break anyone else, then I recommend just
adding it.  If it's an option that others can't use, then please make this
an LDAP configuration option so I won't have to patch the code every release.

Bryan
Attachment: backends.py (truncated in this export)

import logging
import re
import sre_constants
import sys

from django.conf import settings
from django.contrib.auth.models import User

from djblets.util.misc import get_object_or_none


class NISBackend(object):
    """Authenticate against a user on an NIS server."""

    def authenticate(self, username, password):
        import crypt
        import nis

        username = username.strip()

        try:
            passwd = nis.match(username, 'passwd').split(':')
            original_crypted = passwd[1]
            new_crypted = crypt.crypt(password, original_crypted)

            if original_crypted == new_crypted:
                return self.get_or_create_user(username, passwd)
        except nis.error:
            # FIXME I'm not sure under what situations this would fail (maybe if
            # their NIS server is down), but it'd be nice to inform the user.
            pass

    def get_or_create_user(self, username, passwd=None):
        import nis

        username = username.strip()
        # (the attached file is cut off at this point in the page export)
#1 chipx86
What does this option do? I don't know LDAP well enough to know if it would break
other people.

For patches, we require that the patch be submitted to
http://reviews.reviewboard.org/. A full file doesn't help us much as the in-tree
version may have changed and finding out what's new in the file is hard.
  • +NeedInfo
#2 bryan.we********@gmai***** (Google Code)
FAQ #13 from http://www.python-ldap.org/faq.shtml

Basically we require turning off "chasing referrals" for our ldap client to work.
The line to turn off referrals just goes immediately after each ldapo.initialize().
I'm sure many people would not require or want this, so it's best to add this as an
option to "Disable referrals" in the LDAP settings.  I don't know anything about LDAP
either.  LDAP in Review Board was not working for me and I had to experiment with
python-ldap and a lot of googling to figure this out.  Then when I looked at Review
Board code, it was obvious that it was missing this one line of code.  When I added
it, Review Board was able to successfully authenticate for us.  

Q: My script bound to MS Active Directory but a search operation results in an
exception ldap.OPERATIONS_ERROR with the diagnostic messages text "In order to
perform this operation a successful bind must be completed on the connection.".
What's happening here?

A: When searching from the domain level MS AD returns referrals (search
continuations) for some objects to indicate to the client where to look for these
objects. Client-chasing of referrals is a broken concept since LDAPv3 does not
specify which credentials to use when chasing the referral. Windows clients are
supposed to simply use their Windows credentials but this does not work in general
when chasing referrals received from and pointing to arbitrary LDAP servers.
Therefore per default libldap automatically chases the referrals internally with an
anonymous access which fails with MS AD.
So best thing is to switch this behaviour off:

l = ldap.initialize('ldap://foobar')
l.set_option(ldap.OPT_REFERRALS,0)
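
Worked example of the setting discussed in the FAQ excerpt above, added here as an editorial illustration; it is not code from Review Board, from commit 74b9e7b, or from python-ldap's FAQ. It sets ldap.OPT_REFERRALS to 0 on the fresh connection before binding, skips the search continuations Active Directory returns for a domain-level search instead of chasing them, and escapes the username (RFC 4515) before splicing it into the filter. The ldap module is passed in as a parameter so the demo at the bottom runs offline against a constructed stand-in for an AD server; the host names, DNs, the service account, the password and the user "bryan" are all made up for the example.

```python
"""Disable LDAP referral chasing in a python-ldap client (added example).

Not Review Board's code. The ldap module is passed as a parameter so the
demo at the bottom runs offline against a constructed stand-in for an
Active Directory server; with python-ldap installed, pass the real module.
"""
try:
    import ldap  # python-ldap, optional here
except ImportError:
    ldap = None

# python-ldap exposes OpenLDAP's LDAP_OPT_REFERRALS (0x0008) and the subtree
# scope (2); the fallbacks keep the demo runnable without python-ldap.
OPT_REFERRALS = getattr(ldap, "OPT_REFERRALS", 0x0008)
SCOPE_SUBTREE = getattr(ldap, "SCOPE_SUBTREE", 2)


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def open_connection(uri, bind_dn, password, ldap_module=ldap,
                    chase_referrals=False):
    """initialize(), set OPT_REFERRALS, then bind, in that order.

    This is the extra line the issue asks for: it goes on the fresh
    connection, before any operation. Left at the default, libldap chases
    AD's referrals itself with an anonymous bind, which AD rejects.
    """
    if ldap_module is None:
        raise RuntimeError("python-ldap is not installed; pass ldap_module=")
    conn = ldap_module.initialize(uri)
    conn.set_option(ldap_module.OPT_REFERRALS, 1 if chase_referrals else 0)
    conn.simple_bind_s(bind_dn, password)
    return conn


def find_user(conn, base_dn, uid, attrlist=("cn", "uid")):
    """Return (dn, attrs) for one user, or None.

    With chasing off, a domain-level search on AD returns matching entries
    plus search continuations, which python-ldap hands back as
    (None, ['ldap://...']) tuples. They are skipped, not followed.
    """
    filterstr = "(uid=%s)" % escape_filter_value(uid)
    results = conn.search_s(base_dn, SCOPE_SUBTREE, filterstr, list(attrlist))
    entries = [(dn, attrs) for dn, attrs in results if dn is not None]
    return entries[0] if entries else None


class _FakeADConnection(object):
    """Constructed stand-in for an AD connection (not a real server)."""

    def __init__(self, uri):
        self.uri = uri
        self.options = {}
        self.bound_as = None

    def set_option(self, option, value):
        self.options[option] = value

    def simple_bind_s(self, who, cred):
        self.bound_as = who

    def search_s(self, base, scope, filterstr, attrlist=None):
        # Models the FAQ's failure: with chasing on, the anonymous chase of
        # the continuation is what produces the OPERATIONS_ERROR.
        if self.options.get(OPT_REFERRALS, 1) != 0:
            raise RuntimeError(
                "OPERATIONS_ERROR: In order to perform this operation a "
                "successful bind must be completed on the connection.")
        results = [(None, ["ldap://ForestDnsZones.example.com/"
                           "DC=ForestDnsZones,DC=example,DC=com"])]
        if filterstr == "(uid=bryan)":  # the only user the stand-in knows
            results.append(("CN=bryan,CN=Users,DC=example,DC=com",
                            {"cn": [b"bryan"], "uid": [b"bryan"]}))
        return results


class _FakeLdapModule(object):
    """Just enough of the python-ldap module surface for the demo."""
    OPT_REFERRALS = OPT_REFERRALS
    SCOPE_SUBTREE = SCOPE_SUBTREE
    initialize = staticmethod(_FakeADConnection)


def demo(chase_referrals=False):
    """Bind and search the stand-in; returns the entry, None, or the error text."""
    try:
        conn = open_connection("ldap://dc.example.com",
                               "CN=svc-reviewboard,CN=Users,DC=example,DC=com",
                               "hunter2", ldap_module=_FakeLdapModule,
                               chase_referrals=chase_referrals)
        return find_user(conn, "DC=example,DC=com", "bryan")
    except RuntimeError as exc:
        return str(exc)


if __name__ == "__main__":
    print("referrals chased:  ", demo(chase_referrals=True))
    print("referrals disabled:", demo(chase_referrals=False))
```

Run the file directly to see both outcomes. The stand-in models the failure mode the FAQ describes: with chasing left on, the search fails with OPERATIONS_ERROR; with it off, the entry comes back next to a (None, [...]) continuation that the client has to skip. The trade-off is that objects which really do live behind a referral are then simply not found, so the search base should be the naming context that actually holds the user accounts.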


#3 david
  • -NeedInfo
    +New
  • -Type-Defect
    +Type-Enhancement
    +Component-Accounts
#4 david
Fixed in master 74b9e7b. Thanks!
  • -New
    +Fixed