Improve integration with LDAP

Description

Currently there are some shortcomings in the LDAP integration.

If the configuration does not specify a `ldap_group_cn_list` value in `authentication.conf`, then no checking is done beyond an initial `ldap_bind()`. The authentication method should do an actual `ldap_search()` or other activity to validate that the user is not only bound to the LDAP server, but correctly authenticated and can access the relevant parts of the tree.

I realise there was a recent change to mark the password field as required, so that the login form does not submit without a password (change is in git but not yet released afaik). However this is merely masking the issue, not fixing it.

Additionally, upon new user creation, the user's details (first name, last name, etc.) are copied from the LDAP server, which is fine. However, these details are never updated after this initial process. User details should not need to be updated both in the directory and in the application; updating the directory should be enough, and the application should sync these details upon every login.

Solution:

By doing an `ldap_search()` for the user's own details at login time, both of these shortcomings can be addressed. If the `ldap_search()` fails, then the authentication can be considered to have failed. If it succeeds, then the details can be updated in the CA database.
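A sketch of the login check proposed above, written as an added example and not taken from the project's code. It assumes a `uid=...,<base dn>` naming scheme, the `givenName`/`sn`/`mail` attributes, and uses `ldap_read()` (PHP's base-scope form of `ldap_search()`) to read the user's own entry with the freshly bound credentials; the host, base DN and helper name are hypothetical.

```php
<?php
// Hypothetical helper: authenticate a user against LDAP and return the
// directory attributes to sync into the application database, or null on failure.
function ldap_authenticate_and_fetch(string $host, string $base_dn, string $uid, string $password): ?array
{
    // An empty password turns ldap_bind() into an unauthenticated (anonymous) bind,
    // which many servers accept. Refuse it before contacting the server at all.
    if ($password === '') {
        return null;
    }

    $conn = ldap_connect($host);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Escape the uid so user input cannot alter the DN being bound.
    $user_dn = 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ',' . $base_dn;

    if (@ldap_bind($conn, $user_dn, $password) === false) {
        ldap_unbind($conn);
        return null;
    }

    // Read the user's own entry using the bound session. If this fails, the bind
    // did not produce an authenticated session that can see the relevant subtree,
    // so the login is treated as failed rather than trusting ldap_bind() alone.
    $result = @ldap_read($conn, $user_dn, '(objectClass=*)', ['givenName', 'sn', 'mail']);
    if ($result === false || ldap_count_entries($conn, $result) !== 1) {
        ldap_unbind($conn);
        return null;
    }
    $entry = ldap_get_entries($conn, $result)[0]; // attribute keys come back lowercased
    ldap_unbind($conn);

    // Values the caller writes back to the application's user record on every login,
    // so edits made in the directory are reflected without a second manual update.
    return [
        'first_name' => $entry['givenname'][0] ?? '',
        'last_name'  => $entry['sn'][0] ?? '',
        'email'      => $entry['mail'][0] ?? '',
    ];
}
```

The caller stores the returned array in the user record on each successful login and rejects the login when `null` comes back.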

Environment

None

Assignee

User known

Reporter

Ben New

Labels

None

Components

Affects versions

Priority

Major