Originally created by: ifreeman
The use case I had in mind when using ldap auth was for an enterprise environment where there is already an existing ldap server containing existing user accounts. Users would register by providing their ldap credentials and Allura would authenticate them against ldap and then automatically provision their account. Even better if all this would happen simply by logging in (bypassing registration altogether).
But it seems the ldap plugin author had a different use case in mind: a local ldap server that is only managing accounts for this Allura instance. When registering an account on Allura, an admin account on the ldap server is used to create a new ldap object for the username in the domain. It is not possible to register an account without the ldap's admin account.
I believe the existing functionality to be contrary to the wishes of most enterprise installations.
I propose the attached patch to ./Allura/allura/lib/plugin.py to accomplish the following:
- Add a new registration.method = ldap to repurpose the existing behavior (creating a new ldap account upon allura registration, error if exists in ldap)
- Repurpose the existing registration.method = local configuration to be used in conjunction with auth.method = ldap as follows:
1. authenticate against ldap with an existing user
2. create local account in allura with the provided and ldap-authenticated username
3. use ldap to authenticate future logins
This being my first experience with python and this project I have not yet found the best way I should extend widgets/auth_widgets.py to be able to display errors to the user on the registration page. There are a great number of error conditions that should not be throwing exceptions (for such common occurances as an invalid password). Can any of you point me in the right direction/take it from here?
Log in to post a comment.