Option to Save Password

37 views
Skip to first unread message

Clinton

unread,
Oct 2, 2012, 1:54:40 PM10/2/12
to django-auth-ldap
I am using this backend to authenticate against my clients' Active
Directory servers. To protect against any future outages, I would like
to store the users' passwords in the auth_user table. I was able to
accomplish this by modifying _LDAPUser in the following ways:

* Pass in password parameter
* Call self._user.set_password(password) after the call to
get_or_create_user()
* Remove the call to self._user.set_unusable_password()

My questions for the group are as follows:

1. What are the downsides of doing this? I am aware of potential
syncing issues and the obvious security risk (e.g. if my server is
compromised, the users' passwords are at the mercy of SHA-256).
2. Is there a simpler method to accomplish this task, or should I
submit a patch with the appropriate settings variables?

I apologize in advance if this question has already been posed. The
only mention of saving passwords I found was a note at the end of the
user objects section of the compiled docs (http://packages.python.org/
django-auth-ldap/#user-objects).

Thanks,
Clinton

Peter Sagerson

unread,
Oct 3, 2012, 3:01:26 AM10/3/12
to django-a...@googlegroups.com
I wouldn't worry about putting passwords in Django per se; the User model is good at storing passwords. I would say that the real risks are all operational. I think the biggest issue you'll face with this kind of setup is, as you say, syncing. When the same information is kept in two places, they always diverge eventually. Presumably the directory has other client applications, which means that someday someone will forget that the two databases need to be synchronized (or not even know about the Django one), make a change only to the LDAP database, and leave a user more access than they intended.

If you're willing to allow LDAP-based users to authenticate against a cached password, then there is nothing you can do on the LDAP server to disable a user's account. You can delete a user, disable them, change group membership, change their password, whatever, and Django will simply fall back to the ModelBackend with the last-known password. The only way for this to work correctly is to immediately mirror every relevant change in the LDAP directory into the Django models. In which case, why is LDAP involved at all?

Essentially, django.contrib.auth has no way to express the idea of fallback-on-error/stop-on-failure. These sorts of complicated relationships could probably be expressed in something like PAM. In Django, if LDAP is authoritative, I think you pretty much have to rely on the server being available.

Di majo

unread,
May 12, 2024, 2:02:16 PM5/12/24
to django-auth-ldap
MT103/202 DIRECT WIRE TRANSFER
PAYPAL TRANSFER
CASHAPP TRANSFER
ZELLE TRANSFER
LOAN DEAL
TRANSFER WISE
WESTERN UNION TRANSFER
BITCOIN FLASHING
BANK ACCOUNT LOADING/FLASHING
IBAN TO IBAN TRANSFER
MONEYGRAM TRANSFER
IPIP/DTC
SLBC PROVIDER
CREDIT CARD TOP UP
DUMPS/ PINS
SEPA TRANSFER
WIRE TRANSFER
BITCOIN TOP UP
GLOBALPAY INC US
SKRILL USA
UNIONPAY RECEIVER

Thanks.


NOTE; ONLY SERIOUS / RELIABLE RECEIVERS CAN CONTACT.

DM ME ON WHATSAPP
+44 7529 555638
Reply all
Reply to author
Forward
0 new messages