Allow to reload DN when using user-bind and DN-template #347

Merged
merged 1 commit into from Aug 8, 2023


@sevdog sevdog commented Aug 4, 2023

This resolves #346. This problem may arise when interacting with Microsoft AD in some configurations in which it is not possible to derive the distinguishedName (DN) from any part of the userPrincipalName (UPN) (i.e. when UPN is a substring of DN).

For example, in the following there is no way with simple templates to infer these DNs from the given UPNs:

dn = cn=alice user,ou=people,ou=users,dc=example,dc=com
userPrincipalName = a.user@example.com

dn = cn=albert user,ou=people,ou=users,dc=example,dc=com
userPrincipalName = a.user2@example.com

dn = cn=alice user 2,ou=people,ou=users,dc=example,dc=com
userPrincipalName = a.user3@example.com

Using a simple template there is no way to say which one it could be with just the username a.user; also, it is not guessable how the username is expanded in the DN due to name clash handling.
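The situation described in the comment above, as an added sketch that is not code from this pull request or from django-auth-ldap: the user binds with a UPN, a DN template cannot reproduce the stored DN, so the DN is re-read from the directory by an escaped `userPrincipalName` filter and the lookup fails closed unless exactly one entry matches. The two templates, the in-memory `search` stand-in and all helper names are assumptions; the three entries are the ones from the description.

```python
import re

# Constructed directory: the three entries from the description (DN -> UPN).
DIRECTORY = {
    "cn=alice user,ou=people,ou=users,dc=example,dc=com": "a.user@example.com",
    "cn=albert user,ou=people,ou=users,dc=example,dc=com": "a.user2@example.com",
    "cn=alice user 2,ou=people,ou=users,dc=example,dc=com": "a.user3@example.com",
}
# Hypothetical templates an administrator might configure.
DN_TEMPLATE = "cn=%(user)s,ou=people,ou=users,dc=example,dc=com"
UPN_TEMPLATE = "%(user)s@example.com"  # assumption: the bind name is the UPN


def escape_filter_value(value):
    """Escape RFC 4515 special characters so input cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def upn_filter(username):
    """Build the equality filter used to find the entry of the bound user."""
    upn = UPN_TEMPLATE % {"user": username}
    return "(userPrincipalName=%s)" % escape_filter_value(upn)


def search(ldap_filter):
    """Stand-in for a subtree search; supports only (userPrincipalName=<value>)."""
    m = re.fullmatch(r"\(userPrincipalName=(.*)\)", ldap_filter)
    wanted = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
    return [dn for dn, upn in DIRECTORY.items() if upn.lower() == wanted.lower()]


def reload_dn(username):
    """Return the directory's DN for a user who bound with a UPN; fail closed."""
    matches = search(upn_filter(username))
    if len(matches) != 1:
        raise LookupError("expected exactly one entry, got %d" % len(matches))
    return matches[0]


if __name__ == "__main__":
    for user in ("a.user", "a.user2", "a.user3"):
        guessed = DN_TEMPLATE % {"user": user}
        print(user, "| template DN exists:", guessed in DIRECTORY,
              "| reloaded DN:", reload_dn(user))
```
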


@francoisfreitag francoisfreitag left a comment


Nice work, the patch looks great. Happy to include it 🙏

Could you please edit the commit message to:

Allow to reload DN when using user-bind and DN-template

Useful when interacting with Microsoft AD, which may rely on User
Principal Name instead of the Distinguished Name as the attribute to
identify a user.

(feel free to rephrase)


self.assertEqual(user.username, "charlie")
self.assertEqual(user.first_name, "Charlie")
self.assertEqual(user.last_name, "Cooper")

Suggested change
self.assertEqual(user.last_name, "Cooper")
self.assertEqual(user.last_name, "Cooper")
self.assertEqual(user.ldap_user.dn, "cn=charlie_cooper,ou=people,o=test")
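Review bot: the added `user.ldap_user.dn` assertion at the end of this suggestion pins only the DN after authentication, and the visible lines do not show what value the DN template alone would give for `charlie`. A short comment in the test stating the template-derived value, and that it differs from `cn=charlie_cooper,ou=people,o=test`, would make it clear that the test fails if the reload is skipped.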


sevdog commented Aug 8, 2023

Thank you @francoisfreitag, I have edited the commit message and also added the test line.

@francoisfreitag francoisfreitag merged commit 77e3257 into django-auth-ldap:master Aug 8, 2023
19 checks passed
@sevdog sevdog deleted the rebind-dn branch August 10, 2023 06:55
Successfully merging this pull request may close these issues.

Allow to reload DN after LDAP login when using BIND_AS_AUTHENTICATING_USER