Skip to content
Snippets Groups Projects
Select Git revision
  • 1268-add-specific-availability-planning-frontend
  • check/update-pyproject-toml
  • check/update-builddeps-package-json
  • check/update-tox-ini
  • master default protected
  • 1331-add-person-to-availability-event-meta
  • 1307-free-busy-feed-does-not-handle-recurrences-and-date-ranges-correctly
  • 1314-fix-handling-of-end-datetime-in-calendar-events-query
  • migrate-crud-to-vue-3-and-generalize
  • 1182-migration-to-vue-3-and-vuetify-3
  • 1330-dav-implement-dtstamp
  • 1328-dav-introduce-caching
  • 1297-freebusy-calendar-does-not-work-over-caldav
  • renovate/qrcode-8.x
  • renovate/ipython-9.x
  • renovate/django-guardian-3.x
  • renovate/graphene-django-3.x
  • feature/object-routes
  • stable/4.0.0
  • fix/migrations-leftovers
  • 4.1.0.dev0 protected
  • 4.0.3 protected
  • 4.0.2 protected
  • 4.0.1 protected
  • 4.0.0 protected
  • 4.0.0.dev16 protected
  • 3.2.2 protected
  • 3.1.7 protected
  • 4.0.0.dev15 protected
  • 4.0.0.dev14 protected
  • 4.0.0.dev13 protected
  • 4.0.0.dev12 protected
  • 4.0.0.dev11 protected
  • 3.2.1 protected
  • 3.1.6 protected
  • 4.0.0.dev10 protected
  • 4.0.0.dev9 protected
  • 4.0.0.dev8 protected
  • 4.0.0.dev7 protected
  • 4.0.0.dev6 protected
40 results
Blame Permalink
  • Nik | Klampfradler's avatar
    f92f9bbe
    Set password of LDAP-logged-in user in database · f92f9bbe
    Nik | Klampfradler authored 
    Having a local password is needed to make changing passwords easier. In
order to catch password changes in a universal way and forward them to
backends (like LDAP, in this case), getting the old password first is
necessary to authenticate as that user to LDAP.

We buy the small insecurity of having a hash of the password in the
Django database in order to not require it to have global admin permissions
on the LDAP directory.

In addition, we fail early by raising PermissionDenied if LDAP cannot
authenticate the user, so as to not allow logins with ghost users that
were removed in LDAP or changed their password there.
    Verified
    f92f9bbe
    History
    Set password of LDAP-logged-in user in database
    Nik | Klampfradler authored 
    Having a local password is needed to make changing passwords easier. In
order to catch password changes in a universal way and forward them to
backends (like LDAP, in this case), getting the old password first is
necessary to authenticate as that user to LDAP.

We buy the small insecurity of having a hash of the password in the
Django database in order to not require it to have global admin permissions
on the LDAP directory.

In addition, we fail early by raising PermissionDenied if LDAP cannot
authenticate the user, so as to not allow logins with ghost users that
were removed in LDAP or changed their password there.