Roundup Tracker - Issues

Message7885

Author asavchuk
Recipients asavchuk, rouilj
Date 2023-12-14.20:27:05
Message-id <1702585627.57.0.263140702446.issue2551307@roundup.psfhosted.org>
In-reply-to
> does ldap3 work with python2? It's ok if it doesn't but makes integration a little tricky.

Yes, it does: "ldap3 can be used with any Python version starting from 2.6, including all Python 3 versions. It also works with PyPy and PyPy3".

https://ldap3.readthedocs.io/en/latest/

I think the extension in general should work with python2, but some imports need to be fixed.

> if it becomes a standard part of the trackers, init() should do nothing (leaving default login in place) unless the LDAP uri is configured. This way it can just hang out and do nothing by default.

I think another option needs to be added to the global configuration that explicitly enables LDAP authentication. If the administrator chooses LDAP authentication, they must also specify the LDAP server. If they don't specify it, then this is just a misconfiguration.

> it looks like you only support the User and Admin role? IIUC the User role is added if the user is a member of a group listed in `user_groups` and similarly Admin role for admin_groups. Do you have ideas on handling more roles?

I think there are two different ways to solve this problem.

On the one hand, if a user has the Admin role, they can manually assign roles to other users. The User role in this case should be set only if the user does not have roles, i.e. this is a new user who is not a member of admin_groups.

But I don't like this idea because if we already have a directory server, all permissions need to be checked against the entries.

On the other hand, we can get a list of available roles and check the roles associated with LDAP groups. This is preferable, but it is not entirely clear what this should look like in the configuration file. Maybe you have some ideas?

> it doesn't look like it falls back to native (db) based auth if ldap fails (server down, network issue). Am I correct?

Yes, this was done intentionally. We should only have one valid user base. If something is not working properly, it's the administrator's job. We do not attempt to use AnyDBM if the PostgreSQL server is down.

> have you thought about authenticating API access (REST, XML-RPC) against LDAP?

No, unfortunately.
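One way the second approach (checking tracker roles against LDAP groups) could look in practice, as an added illustration that is not code from the Roundup LDAP extension or from this thread: a single assumed `role_groups` setting lists, per tracker role, the LDAP group DNs that grant it; the user's `memberOf` values are matched against it after DN normalization, and a role named in the setting that the tracker does not define is treated as a misconfiguration. All DNs and the setting format are constructed for the example.

```python
"""Map LDAP group membership (memberOf values) to Roundup roles.

Added example; not part of the Roundup LDAP extension. The single
'role_groups' setting, its "Role: dn | dn ; Role: dn" layout and every
DN below are assumptions made for illustration.
"""

# Constructed configuration value: each tracker role lists the LDAP
# groups that grant it; several groups for one role are separated by '|'.
ROLE_GROUPS_SETTING = (
    "Admin: cn=tracker-admins,ou=groups,dc=example,dc=org; "
    "User: cn=tracker-users,ou=groups,dc=example,dc=org | "
    "cn=staff,ou=groups,dc=example,dc=org"
)


def normalize_dn(dn):
    """Lower-case and trim each RDN so that 'CN=Staff, OU=Groups' and
    'cn=staff,ou=groups' compare equal (DN matching is case-insensitive)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_role_groups(setting):
    """Parse the setting into {role: set(normalized group DNs)}."""
    mapping = {}
    for entry in setting.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        role, sep, groups = entry.partition(":")
        if not sep:
            raise ValueError("missing ':' in role_groups entry: %r" % entry)
        dns = set(normalize_dn(g) for g in groups.split("|") if g.strip())
        mapping.setdefault(role.strip(), set()).update(dns)
    return mapping


def roles_for_member_of(member_of, role_groups, available_roles):
    """Return the sorted tracker roles granted by the user's LDAP groups.

    A role that appears in role_groups but not in the tracker's own role
    list is a misconfiguration, so it raises instead of silently granting
    nothing. A user whose groups match no role gets an empty list.
    """
    unknown = set(role_groups) - set(available_roles)
    if unknown:
        raise ValueError("role_groups names roles the tracker does not define: %s"
                         % ", ".join(sorted(unknown)))
    groups = set(normalize_dn(dn) for dn in member_of)
    return sorted(role for role, dns in role_groups.items() if groups & dns)
```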

History

Date                 User      Action   Args
2023-12-14 20:27:07  asavchuk  set      messageid: <1702585627.57.0.263140702446.issue2551307@roundup.psfhosted.org>
2023-12-14 20:27:07  asavchuk  set      recipients: + asavchuk, rouilj
2023-12-14 20:27:07  asavchuk  link     issue2551307 messages
2023-12-14 20:27:05  asavchuk  create