
Improve integration with LDAP


Currently there are some shortcomings in the LDAP integration.

If the configuration does not specify an `ldap_group_cn_list` value in `authentication.conf`, then no checking is done beyond an initial `ldap_bind()`. The authentication method should do an actual `ldap_search()` or other activity to validate that the user is not only bound to the LDAP server, but correctly authenticated and able to access the relevant parts of the tree.

I realise there was a recent change to mark the password field as required, so that the login form does not submit without a password (the change is in git but not yet released, as far as I know). However, this is merely masking the issue, not fixing it.

Additionally, upon new user creation, the user's details (first name, last name, etc.) are copied from the LDAP server, which is fine. However, these details are never updated after this initial process. Users should not need to be updated both in the directory and in the application: updating the directory should be enough, and the application should sync these details upon every login.


By doing an `ldap_search()` for the user's own details at login time, both of these shortcomings can be addressed. If the `ldap_search()` fails, then the authentication can be considered to have failed. If it succeeds, then the details can be updated in the CA database.
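The login flow proposed above, as an added example written for this issue rather than code from the project: bind as the user, then `ldap_search()` for the user's own entry with the bound session, and only return the directory attributes (for syncing into the CA database) when both steps succeed. The config keys `ldap_uri`, `ldap_base_dn` and `ldap_user_attr` are assumed names, not the project's.

```php
<?php
// Added example (not project code). Config keys below are assumptions.
// Returns the user's directory attributes on success, or null on failure.
function ldapAuthenticate(array $config, string $username, string $password): ?array
{
    // An empty password makes ldap_bind() perform an unauthenticated bind,
    // which many servers accept (RFC 4513, section 5.1.2). Reject it here:
    // a required form field does not protect non-browser callers.
    if ($username === '' || $password === '') {
        return null;
    }

    $ldap = ldap_connect($config['ldap_uri']);
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Escape the username separately for DN and filter contexts.
    $attr   = $config['ldap_user_attr']; // e.g. 'uid'
    $userDn = sprintf('%s=%s,%s', $attr,
        ldap_escape($username, '', LDAP_ESCAPE_DN), $config['ldap_base_dn']);
    $filter = sprintf('(%s=%s)', $attr, ldap_escape($username, '', LDAP_ESCAPE_FILTER));

    // Step 1: bind as the user (@ silences the warning on bad credentials).
    if (!@ldap_bind($ldap, $userDn, $password)) {
        ldap_unbind($ldap);
        return null;
    }

    // Step 2: search for the user's own entry using the bound session. This
    // proves the session can read the relevant part of the tree, not just bind.
    $result = @ldap_search($ldap, $config['ldap_base_dn'], $filter,
        ['givenName', 'sn', 'mail']);
    if ($result === false || ldap_count_entries($ldap, $result) !== 1) {
        ldap_unbind($ldap);
        return null; // bound, but cannot see exactly one matching entry
    }
    $entry = ldap_get_entries($ldap, $result)[0]; // attribute keys are lowercased
    ldap_unbind($ldap);

    // Step 3: hand the current attributes back so the caller can sync them
    // into the CA database on every login.
    return [
        'first_name' => $entry['givenname'][0] ?? '',
        'last_name'  => $entry['sn'][0] ?? '',
        'email'      => $entry['mail'][0] ?? '',
    ];
}
```

The caller treats a `null` return as a failed login and, on success, writes the returned fields over the stored user record so the directory remains the single source of truth.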

Ben New