django_auth_ldap should continue to log even if the response comes from the CACHE

[Nicolas Michel]

Hello,

I find out a behavior which cannot be considered like a bug but which is still not a normal behavior in my point of view. To understand why, here is my story:

I wrote a web app for an intranet. It uses django and the django_auth_ldap. Authentication is done matching if the user/pass is correct AND if the user belongs to a pre-defined LDAP group (with AUTH_LDAP_GROUP_SEARCH).

One of my user could not log in anymore since some hours.

To analyse the cause I asked the user to try to log in on my developpement server which is configured to have the log verbosity set to the DEBUG level. Surprisingly I could not see anything in the ldap log file with a "tail -f". After some more research I found out that the user was removed by another team from the requisite LDAP group. So it was correct that the ldap module refuses the authentication. So why was nothing logged to the log file?

I think it is because I set the option AUTH_LDAP_CACHE_GROUPS to True. And when the response comes from the cache, nothing is logged, even in DEBUG mode. Restarting the web serveur (nginx, apache, uwsgi ...) make things working the first try since the cache is cleared and a request is done to the ldap server.

I think that django_auth_ldap should log everything in DEBUG mode, even if no request is done to the LDAP server and the response comes from the CACHE.

What do you think guys?

Best regards,

Nicolas

[Peter Sagerson]

Sounds like a fine idea in principle. I will just point out that we'll always emit a debug log when we check for group membership explicitly (e.g. AUTH_LDAP_REQUIRE_GROUP), but it sounds like you're doing something more subtle. Also note that we only cache simple group names, which we use for loading Django permissions. Group DNs and other attributes are always retrieved fresh when they're needed, which is normally only at authentication time.

I assume that in your scenario, you would benefit from a debug log at the point where we load group names from the cache (maybe around backend.py#795). Perhaps you'd like to give that a try and submit a patch if it solves your case.

Thanks,
Peter

> --
> You received this message because you are subscribed to the Google Groups "django-auth-ldap" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to django-auth-ld...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>

[Di majo]

MT103/202 DIRECT WIRE TRANSFER
PAYPAL TRANSFER
CASHAPP TRANSFER
ZELLE TRANSFER
LOAN DEAL
TRANSFER WISE
WESTERN UNION TRANSFER
BITCOIN FLASHING
BANK ACCOUNT LOADING/FLASHING
IBAN TO IBAN TRANSFER
MONEYGRAM TRANSFER
IPIP/DTC
SLBC PROVIDER
CREDIT CARD TOP UP
DUMPS/ PINS
SEPA TRANSFER
WIRE TRANSFER
BITCOIN TOP UP
GLOBALPAY INC US
SKRILL USA
UNIONPAY RECEIVER

Thanks.


NOTE; ONLY SERIOUS / RELIABLE RECEIVERS CAN CONTACT.

DM ME ON WHATSAPP
+44 7529 555638