-
Nik | Klampfradler authoredHaving a local password is needed to make changing passwords easier. In order to catch password changes in a universal way and forward them to backends (like LDAP, in this case), getting the old password first is necessary to authenticate as that user to LDAP. We buy the small insecurity of having a hash of the password in the Django database in order to not require it to have global admin permissions on the LDAP directory. In addition, we fail early by raising PermissionDenied if LDAP cannot authenticate the user, so as to not allow logins with ghost users that were removed in LDAP or changed their password there.
Nik | Klampfradler authoredHaving a local password is needed to make changing passwords easier. In order to catch password changes in a universal way and forward them to backends (like LDAP, in this case), getting the old password first is necessary to authenticate as that user to LDAP. We buy the small insecurity of having a hash of the password in the Django database in order to not require it to have global admin permissions on the LDAP directory. In addition, we fail early by raising PermissionDenied if LDAP cannot authenticate the user, so as to not allow logins with ghost users that were removed in LDAP or changed their password there.
Loading