1641: Required LDAP OPT_REFERRALS option
- Fixed
- Review Board
bryan.we********@gmai***** (Google Code)
July 3, 2011
I'm using version 1.5 beta 1 and I'm using authentication to our corporate LDAP server. I had to add an LDAP option to make it work.

File: ReviewBoard-1.5beta1-py2.6.egg/reviewboard/accounts/backends.py
Methods: LDAPBackend.authenticate and LDAPBackend.get_or_create_user

Both of these methods call this ldap method:

    ldapo = ldap.initialize(settings.LDAP_URI)

But in our case, we require OPT_REFERRALS to be set:

    ldapo = ldap.initialize(settings.LDAP_URI)
    ldapo.set_option(ldap.OPT_REFERRALS, 0)

If adding this option doesn't break anyone else, then I recommend just adding it. If it's an option that others can't use, then please make this an LDAP configuration option so I won't have to patch the code every release.

Bryan
What does this option do? I don't know LDAP well enough to know if it would break other people. For patches, we require that the patch be submitted to http://reviews.reviewboard.org/. A full file doesn't help us much as the in-tree version may have changed and finding out what's new in the file is hard.
-
+ NeedInfo
FAQ #13 from http://www.python-ldap.org/faq.shtml

Basically we require turning off "chasing referrals" for our ldap client to work. The line to turn off referrals just goes immediately after each ldapo.initialize(). I'm sure many people would not require or want this, so it's best to add this as an option to "Disable referrals" in the LDAP settings.

I don't know anything about LDAP either. LDAP in Review Board was not working for me and I had to experiment with python-ldap and a lot of googling to figure this out. Then when I looked at Review Board code, it was obvious that it was missing this one line of code. When I added it, Review Board was able to successfully authenticate for us.

Q: My script bound to MS Active Directory but a search operation results in an exception ldap.OPERATIONS_ERROR with the diagnostic messages text "In order to perform this operation a successful bind must be completed on the connection.". What's happening here?

A: When searching from the domain level MS AD returns referrals (search continuations) for some objects to indicate to the client where to look for these objects. Client-chasing of referrals is a broken concept since LDAPv3 does not specify which credentials to use when chasing the referral. Windows clients are supposed to simply use their Windows credentials but this does not work in general when chasing referrals received from and pointing to arbitrary LDAP servers. Therefore per default libldap automatically chases the referrals internally with an anonymous access which fails with MS AD. So best thing is to switch this behaviour off:

    l = ldap.initialize('ldap://foobar')
    l.set_option(ldap.OPT_REFERRALS,0)
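As an added example (not code from the thread or from Review Board), the "make it a configuration option" suggestion above could be implemented as one helper shared by both LDAPBackend methods, so the per-connection set_option() call is never forgotten. LDAP_DISABLE_REFERRALS is an assumed setting name; the fake python-ldap module and connection are constructed stand-ins so the helper can run and be unit tested without a directory server.

```python
import importlib
from types import SimpleNamespace


def _ldap_module(ldap_module=None):
    """Return python-ldap, or an injected stand-in for offline testing."""
    return ldap_module if ldap_module is not None else importlib.import_module("ldap")


def open_ldap_connection(settings, ldap_module=None):
    """initialize() a connection and apply per-connection options before any bind.

    set_option() on a connection object affects only that connection, which is
    why the thread above had to add the same line after every ldap.initialize().
    Centralising it here means the choice lives in settings, not in a local patch.
    """
    ldap = _ldap_module(ldap_module)
    conn = ldap.initialize(settings.LDAP_URI)
    # libldap's default is to follow referrals with an anonymous bind; against
    # Active Directory that fails with OPERATIONS_ERROR, and it also means the
    # client would connect to whatever server the referral points at.
    if getattr(settings, "LDAP_DISABLE_REFERRALS", False):  # assumed setting name
        conn.set_option(ldap.OPT_REFERRALS, 0)
    return conn


# --- constructed stand-ins (not python-ldap) so the example runs offline ---
class _FakeConnection:
    def __init__(self, uri):
        self.uri = uri
        self.options = {}  # records set_option() calls: {option: value}

    def set_option(self, option, value):
        self.options[option] = value


class FakeLdap:
    OPT_REFERRALS = 8  # stand-in constant; real value comes from python-ldap

    @staticmethod
    def initialize(uri):
        return _FakeConnection(uri)


def example_settings(disable_referrals):
    """Minimal settings object shaped like the Django settings the backend reads."""
    return SimpleNamespace(LDAP_URI="ldap://ad.example.invalid",  # constructed URI
                           LDAP_DISABLE_REFERRALS=disable_referrals)


def applied_options(disable_referrals):
    """Options the helper applied for a given setting, e.g. {8: 0} when disabled."""
    return open_ldap_connection(example_settings(disable_referrals), FakeLdap).options
```

With the real python-ldap module, omit the ldap_module argument and the helper imports ldap itself; the returned connection is then ready for simple_bind_s() with referral chasing already switched off.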