[Zope] LDAPUserFolder never authorizes

Joel Burton joel@joelburton.com
Tue, 13 Aug 2002 10:25:19 -0400


On Tue, Aug 13, 2002 at 10:07:22AM -0400, Jens Vagelpohl wrote:
> from looking at the code inside _lookupuser, the following seems to happen:
> 
> - the user record is indeed found
> 
> - in the next step, when the full record is retrieved ***while binding as 
> that very same user that is being looked up*** the lookup fails.
> 
> the user record lookup is done in two steps. first, the given login name is 
> looked up to see if a matching record exists at all. this lookup will, if 
> the record exists, return the full DN for the record. it is done while 
> bound as the manager user. in the second step the authentication 
> credentials are switched to the full DN just found and the password that 
> was provided by the user. this is to make sure that access restrictions put 
> in place by the LDAP admins are not overridden and the user can only see 
> what they are supposed to see. then, under these new credentials, all 
> attributes are looked up inside the record identified by the full user DN.
> the results of this second search are used to assemble the user object 
> zope needs.
> 
> i have a suspicion that your LDAP server access control is wrong. try to 
> replace the line in your slapd.conf that says...
> 
> access to * by anonymous write
> 
> with...
> 
> access to * by * write
> 
> i have a feeling with your existing rule only anonymous users end up having 
> any access rights.
> 
> in your first email you say that you are not very knowledgeable about LDAP.
> IMHO that is a real problem when you are trying to work with a product 
> that assumes at least some knowledge about LDAP, such as the LDAPUserFolder.
> i have said it before and i will say it again: working with directory 
> servers is harder than many people think. you must gain adequate knowledge 
> of LDAP and the LDAP tree structure to work this product successfully.
> 
> jens

Thanks, Jens, this works. I really appreciate your sticking with my
problem.

BTW, I did say that I wasn't very knowledgeable about LDAP -- but for
some value of "very knowledgeable" :) . I have set up and administered an LDAP
server before; just never had any reason to go very deep into the
security settings. Working with directory servers *is* harder than people
think; mostly, I think, because there aren't a lot of decent
walkthroughs for how to use LDAP in a small/medium-scale setting. Let's
hope that changes.

- J.

-- 

Joel BURTON  |  joel@joelburton.com  |  joelburton.com  |  aim: wjoelburton
Independent Knowledge Management Consultant
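The two-step lookup Jens describes (search for the DN as the manager, rebind as that DN with the user's password, then read the record as the user) is easiest to understand by seeing why the original ACL breaks step three while step one still succeeds. The following is an added example, not LDAPUserFolder's or OpenLDAP's code: it models a tiny in-memory directory, a simplified evaluation of one slapd `access to * by <who> <level>` directive (first matching `by` clause wins, no match means denied, rootdn bypasses ACLs), and the lookup itself. The DNs, passwords and entries are constructed for illustration; `ROOTDN`, `DIRECTORY`, `allowed`, `bind`, `search_uid`, `read_entry` and `lookup_user` are all names introduced here.

```python
from typing import Optional

# Constructed sample directory (not from the thread): DN -> attributes.
ROOTDN = "cn=Manager,dc=example,dc=com"
ROOTPW = "manager-secret"
DIRECTORY = {
    "uid=jane,ou=people,dc=example,dc=com": {
        "uid": "jane",
        "cn": "Jane Doe",
        "mail": "jane@example.com",
        "userPassword": "jane-secret",
    },
}

# slapd access levels, weakest to strongest; a granted level implies the weaker ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def allowed(bound_dn: Optional[str], needed: str, by_clauses) -> bool:
    """Evaluate one 'access to * by <who> <level> ...' directive.

    by_clauses is the ordered list of (who, level) pairs. As in slapd, the
    first <who> that matches the requester decides; if none matches, access
    is denied (the implicit trailing 'by * none'). The rootdn bypasses ACLs.
    """
    if bound_dn == ROOTDN:
        return True
    for who, level in by_clauses:
        matches = (
            who == "*"
            or (who == "anonymous" and bound_dn is None)
            or (who == "users" and bound_dn is not None)
            or who == bound_dn
        )
        if matches:
            return LEVELS.index(level) >= LEVELS.index(needed)
    return False


def bind(dn: str, password: str, acl) -> str:
    """Simple bind. The password check happens while the connection is still
    anonymous, so anonymous needs 'auth' access; rootdn is checked against rootpw."""
    if dn == ROOTDN:
        if password != ROOTPW:
            raise PermissionError("invalid credentials")
        return dn
    if not allowed(None, "auth", acl):
        raise PermissionError("insufficient access to authenticate")
    entry = DIRECTORY.get(dn)
    if entry is None or entry["userPassword"] != password:
        raise PermissionError("invalid credentials")
    return dn


def search_uid(bound_dn: Optional[str], uid: str, acl) -> Optional[str]:
    """Step 1: find the DN whose uid matches the login name."""
    if not allowed(bound_dn, "search", acl):
        raise PermissionError("insufficient access to search")
    for dn, attrs in DIRECTORY.items():
        if attrs.get("uid") == uid:
            return dn
    return None


def read_entry(bound_dn: Optional[str], dn: str, acl) -> dict:
    """Step 3: read the record's attributes under the caller's own credentials."""
    if not allowed(bound_dn, "read", acl):
        raise PermissionError("insufficient access to read")
    return {k: v for k, v in DIRECTORY[dn].items() if k != "userPassword"}


def lookup_user(login: str, password: str, acl) -> Optional[dict]:
    """The two-step lookup from the thread: search as manager, rebind as the
    user's own DN, then fetch attributes as that user. None on any failure."""
    try:
        mgr = bind(ROOTDN, ROOTPW, acl)
        user_dn = search_uid(mgr, login, acl)
        if user_dn is None:
            return None
        user = bind(user_dn, password, acl)
        return read_entry(user, user_dn, acl)
    except PermissionError:
        return None


# The rule from the thread: only anonymous gets anything.
ACL_ANON_ONLY = [("anonymous", "write")]
# Jens' replacement: everyone gets write.
ACL_EVERYONE_WRITE = [("*", "write")]
# A narrower rule that still satisfies this lookup path.
ACL_AUTH_THEN_READ = [("anonymous", "auth"), ("users", "read")]

if __name__ == "__main__":
    for name, acl in [("anon only", ACL_ANON_ONLY),
                      ("everyone write", ACL_EVERYONE_WRITE),
                      ("auth then read", ACL_AUTH_THEN_READ)]:
        print(name, "->", lookup_user("jane", "jane-secret", acl))
```

With `ACL_ANON_ONLY` the manager search succeeds because the rootdn is not subject to access control, the user's bind succeeds because the connection is still anonymous at that point, and only the final read as the user's own DN is refused, which is exactly the symptom in the thread. `access to * by * write` makes the lookup work but grants every requester, including anonymous ones, write access to the whole tree; the `ACL_AUTH_THEN_READ` rule shows that `anonymous auth` plus `users read` is enough for this path, and the last assertion below shows that `users read` on its own is not, since the bind itself still needs auth access for anonymous.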