From 498298c12d063cbfb6120309eda941896cb83bf6 Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Sun, 5 Jul 2020 15:57:28 +0200
Subject: [PATCH] [auth] Allow to use user attributes if auth by ldap bind

---
 README.rst | 16 +++++++++-------
 cas_server/auth.py | 5 +++--
 cas_server/default_settings.py | 9 ++++++++-
 3 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/README.rst b/README.rst
index 87b663f..d582721 100644
--- a/README.rst
+++ b/README.rst
@@ -423,16 +423,18 @@ Only useful if you are using the ldap authentication backend: The hashed password in the database is compared to the hexadecimal digest of the clear password hashed with the corresponding algorithm. * ``"plain"``, the password in the database must be in clear. - * ``"bind``, the user credentials are used to bind to the ldap database and retreive the user + * ``"bind"``, the user credentials are used to bind to the ldap database and retreive the user attribute. In this mode, the settings ``CAS_LDAP_PASSWORD_ATTR`` and ``CAS_LDAP_PASSWORD_CHARSET`` - are ignored, and it is the ldap server that performs the password check. The counterpart is that - the user attributes are only available upon user password check and so are cached for later - use. All the other modes directly fetch the user attributes from the database whenever they - are needed. This mean that is you use this mode, there can be some differences between the - attributes in database and the cached ones if changes happen in the database after the user - authentiates. See the parameter ``CAS_TGT_VALIDITY`` to force user to reauthenticate periodically. + are ignored, and it is the ldap server that performs the password check. The default is ``"ldap"``. +* ``CAS_LDAP_ATTRS_VIEW``: This parameter is only used then ``CAS_LDAP_PASSWORD_CHECK`` is set to + ``"bind"``. If ``0`` the user attributes are retrieved by connecting to the ldap as ``CAS_LDAP_USER``. + If ``1`` the user attributes are retrieve then the user authenticate using the user credentials and + are cached for later use. It means there can be some differences between the attributes in database + and the cached ones. See the parameter ``CAS_TGT_VALIDITY`` to force user to reauthenticate + periodically. + The default is ``0``. * ``CAS_LDAP_PASSWORD_CHARSET``: Charset the LDAP users passwords was hashed with. This is needed to encode the user submitted password before hashing it for comparison. The default is ``"utf-8"``. 
diff --git a/cas_server/auth.py b/cas_server/auth.py index 0e07d74..24f3881 100644 --- a/cas_server/auth.py +++ b/cas_server/auth.py @@ -394,8 +394,9 @@ class LdapAuthUser(DBAuthUser): # pragma: no cover :raises NotImplementedError: if the password check method in `CAS_LDAP_PASSWORD_CHECK` do not allow to fetch the attributes without the user credentials. """ - if settings.CAS_LDAP_PASSWORD_CHECK == "bind": - raise NotImplementedError() + if settings.CAS_LDAP_PASSWORD_CHECK == "bind" and settings.CAS_LDAP_ATTRS_VIEW == 1: + user = UserAttributes.objects.get(username=self.username) + return user.attributs else: return super(LdapAuthUser, self).attributs() diff --git a/cas_server/default_settings.py b/cas_server/default_settings.py index 744a6f7..8cd092c 100644 --- a/cas_server/default_settings.py +++ b/cas_server/default_settings.py @@ -165,10 +165,17 @@ CAS_LDAP_USERNAME_ATTR = "uid" CAS_LDAP_PASSWORD_ATTR = "userPassword" #: The method used to check the user password. Must be one of ``"crypt"``, ``"ldap"``, #: ``"hex_md5"``, ``"hex_sha1"``, ``"hex_sha224"``, ``"hex_sha256"``, ``"hex_sha384"``, -#: ``"hex_sha512"``, ``"plain"``. +#: ``"hex_sha512"``, ``"plain"``, ``"bind"``. CAS_LDAP_PASSWORD_CHECK = "ldap" #: charset the LDAP users passwords was hash with CAS_LDAP_PASSWORD_CHARSET = "utf-8" +#: This parameter is only used then ``CAS_LDAP_PASSWORD_CHECK`` is set to ``"bind"``. +#: * if ``0`` the user attributes are retrieved by connecting to the ldap as +#: ``CAS_LDAP_USER``. +#: * if ``1`` the user attributes are retrieve then the user authenticate using +#: the user credentials. These attributes are then cached for the session. +#: The default is ``0``. +CAS_LDAP_ATTRS_VIEW = 0 #: Username of the test user.
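Review bot: In the new `CAS_LDAP_ATTRS_VIEW == 1` branch, `UserAttributes.objects.get(username=self.username)` raises `UserAttributes.DoesNotExist` whenever no cached row exists for the user (per the README hunk the cache is only populated on a successful bind), and the `:raises NotImplementedError:` entry in the docstring just above the change is now stale because the new code no longer raises it. Catch the lookup failure and raise a documented error rather than letting the ORM exception escape into the CAS flow, and replace the stale docstring entry with something like `:raises UserAttributes.DoesNotExist: in bind mode with CAS_LDAP_ATTRS_VIEW == 1 when no attributes have been cached for this user yet.` Note also that with the default `CAS_LDAP_ATTRS_VIEW = 0`, bind mode now falls through to `super().attributs()`, which presumably queries LDAP as `CAS_LDAP_USER`; deployments that previously ran bind mode without a service account will now fail on the first attribute fetch, so validating that `CAS_LDAP_USER` is set when `CAS_LDAP_PASSWORD_CHECK == "bind" and CAS_LDAP_ATTRS_VIEW == 0` at settings-load time would surface the misconfiguration earlier. The enclosing `attributs` method starts above the hunk.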