[auth] Allow to use user attributes if auth by ldap bind

README.rst

@@ -423,16 +423,18 @@ Only useful if you are using the ldap authentication backend:
     The hashed password in the database is compared to the hexadecimal digest of the clear
     password hashed with the corresponding algorithm.
   * ``"plain"``, the password in the database must be in clear.
-  * ``"bind``, the user credentials are used to bind to the ldap database and retreive the user
+  * ``"bind"``, the user credentials are used to bind to the ldap database and retreive the user
     attribute. In this mode, the settings ``CAS_LDAP_PASSWORD_ATTR`` and ``CAS_LDAP_PASSWORD_CHARSET``
-    are ignored, and it is the ldap server that performs the password check. The counterpart is that
+    are ignored, and it is the ldap server that performs the password check.
-    the user attributes are only available upon user password check and so are cached for later
-    use. All the other modes directly fetch the user attributes from the database whenever they
-    are needed. This mean that is you use this mode, there can be some differences between the
-    attributes in database and the cached ones if changes happen in the database after the user
-    authentiates. See the parameter ``CAS_TGT_VALIDITY`` to force user to reauthenticate periodically.
 
   The default is ``"ldap"``.
+* ``CAS_LDAP_ATTRS_VIEW``: This parameter is only used then ``CAS_LDAP_PASSWORD_CHECK`` is set to
+  ``"bind"``. If ``0`` the user attributes are retrieved by connecting to the ldap as ``CAS_LDAP_USER``.
+  If ``1`` the user attributes are retrieve then the user authenticate using the user credentials and
+  are cached for later use. It means there can be some differences between the attributes in database
+  and the cached ones. See the parameter ``CAS_TGT_VALIDITY`` to force user to reauthenticate
+  periodically.
+  The default is ``0``.
 * ``CAS_LDAP_PASSWORD_CHARSET``: Charset the LDAP users passwords was hashed with. This is needed to
   encode the user submitted password before hashing it for comparison. The default is ``"utf-8"``.
 

cas_server/auth.py

@@ -394,8 +394,9 @@ class LdapAuthUser(DBAuthUser):  # pragma: no cover
             :raises NotImplementedError: if the password check method in `CAS_LDAP_PASSWORD_CHECK`
                 do not allow to fetch the attributes without the user credentials.
         """
-        if settings.CAS_LDAP_PASSWORD_CHECK == "bind":
+        if settings.CAS_LDAP_PASSWORD_CHECK == "bind" and settings.CAS_LDAP_ATTRS_VIEW == 1:
-            raise NotImplementedError()
+            user = UserAttributes.objects.get(username=self.username)
+            return user.attributs
         else:
             return super(LdapAuthUser, self).attributs()
 

cas_server/default_settings.py

@@ -165,10 +165,17 @@ CAS_LDAP_USERNAME_ATTR = "uid"
 CAS_LDAP_PASSWORD_ATTR = "userPassword"
 #: The method used to check the user password. Must be one of ``"crypt"``, ``"ldap"``,
 #: ``"hex_md5"``, ``"hex_sha1"``, ``"hex_sha224"``, ``"hex_sha256"``, ``"hex_sha384"``,
-#: ``"hex_sha512"``, ``"plain"``.
+#: ``"hex_sha512"``, ``"plain"``, ``"bind"``.
 CAS_LDAP_PASSWORD_CHECK = "ldap"
 #: charset the LDAP users passwords was hash with
 CAS_LDAP_PASSWORD_CHARSET = "utf-8"
+#: This parameter is only used then ``CAS_LDAP_PASSWORD_CHECK`` is set to ``"bind"``.
+#: * if ``0`` the user attributes are retrieved by connecting to the ldap as
+#:   ``CAS_LDAP_USER``.
+#: * if ``1`` the user attributes are retrieve then the user authenticate using
+#:   the user credentials. These attributes are then cached for the session.
+#: The default is ``0``.
+CAS_LDAP_ATTRS_VIEW = 0
 
 
 #: Username of the test user.