Add the possibility to disable ldap password stored in DB #26

Closed
Pbast opened this issue Mar 21, 2019 · 1 comment

Pbast commented Mar 21, 2019

Hello,
Since release 0.4, LDAP authentication stores the LDAP password in the DB, and this is against our security policies.
I'm a newbie in the Python language but I can try to add a new setting to disable this storing.
For this, could you show me the pieces of code related to issue #21?
Thanks.
Pascal B

@Pbast Pbast added the enhancement New feature or request label Mar 21, 2019
@madmath03
Member

Hello,

Sorry for the delay.
Here are a few tips on what should be done to develop this feature:

The password is saved in services.py so this is the only Python file you will need to update:

  • The first thing to do will be to get a new attribute (LDAP_SAVE_LOGIN_PASSWORD, defaulting to True) at the start of the file to define the expected behavior:
    FALLBACK = getattr(settings, 'LDAP_FALLBACK', 'normal')
    SLUGIFY = getattr(settings, 'LDAP_MAP_USERNAME_TO_UID', '')
    EMAIL_MAP = getattr(settings, 'LDAP_MAP_EMAIL', '')
    NAME_MAP = getattr(settings, 'LDAP_MAP_NAME', '')
  • Then, you will need to encapsulate the code setting the user password on first login with a condition depending on the parameter you loaded earlier:
    # Set local password to match LDAP (issues/21)
    user.set_password(password)
    user.save()
  • Then, do the same for an already existing user. You could even add an else condition to forcefully set the user password to None to ensure that the password is removed from already existing users:
    # Set local password to match LDAP (issues/21)
    user.set_password(password)
    user.save()
  • Last but not least, update the sample configuration in the README.md to show how to disable the password synchronization: something like LDAP_SAVE_LOGIN_PASSWORD = False with a small comment and maybe a link to the issue

That's pretty much all there is to it.

Do not hesitate to open the PR even if your work is not finished. I can help you review your code while your PR is in progress.
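
The steps listed in the comment above, put together as an added example that is not the project's services.py and not written by either participant. `StubUser`, `sync_local_password` and the `settings` stand-in are hypothetical names for this sketch; it assumes Django's `set_unusable_password()` for the "set the password to None" step.

```python
from types import SimpleNamespace

# Stand-in for django.conf.settings (constructed for this example).
settings = SimpleNamespace(LDAP_SAVE_LOGIN_PASSWORD=False)

# Same getattr pattern as the other options; defaulting to True keeps
# the behaviour introduced in release 0.4 unless an admin opts out.
SAVE_LOGIN_PASSWORD = getattr(settings, 'LDAP_SAVE_LOGIN_PASSWORD', True)


class StubUser:
    """Minimal stand-in exposing the Django user methods used here."""

    def __init__(self, username, password=None):
        self.username = username
        self.password = password  # Django stores a hash; the stub stores a marker
        self.saved = 0

    def set_password(self, raw):
        self.password = 'hashed$' + raw

    def set_unusable_password(self):
        self.password = '!'  # Django marks unusable passwords with a leading '!'

    def has_usable_password(self):
        return self.password is not None and not self.password.startswith('!')

    def save(self):
        self.saved += 1


def sync_local_password(user, password, save_password=SAVE_LOGIN_PASSWORD):
    """Hypothetical helper covering both first login and existing users."""
    if save_password:
        # Set local password to match LDAP (issues/21)
        user.set_password(password)
    else:
        # Drop any credential stored by an earlier release
        user.set_unusable_password()
    user.save()
    return user
```

With the option off, the local account has no usable password, so Django's own password check fails for it and only the LDAP bind can authenticate the user.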

madmath03 added a commit that referenced this issue May 2, 2019
fix #26 add an option to save or not the ldap password