www-infrastructure-issues mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] Commented: (INFRA-3373) Some few improvements in the scripts
Date Wed, 19 Jan 2011 14:34:44 GMT

    [ https://issues.apache.org/jira/browse/INFRA-3373?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12983728#action_12983728
] 

Emmanuel Lecharny commented on INFRA-3373:
------------------------------------------

What about anonymous operations? Any LDAP operation can be done without binding (which is
different from accepting or not anonymous bind), unless you specifically block such operations.

(See http://www.openldap.org/doc/admin24/security.html, section 14.3.1, note:
"Note: Disabling the anonymous bind mechanism does not prevent anonymous access to the directory.
To require authentication to access the directory, one should instead specify "require authc".")

> Some few improvements in the scripts
> ------------------------------------
>
>                 Key: INFRA-3373
>                 URL: https://issues.apache.org/jira/browse/INFRA-3373
>             Project: Infrastructure
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: LDAP
>            Reporter: Emmanuel Lecharny
>            Priority: Minor
>
> While looking at the selfserve/lib/ss2config.py, I saw a few places that can be improved.
> Those are just suggestions, I didn't see anything wrong otherwise.
> 1) Disconnection
> def do_pw_reset(availid, pw1, pw2, hextoken, remoteip):
>   ...
>   lh_passwd(lh, availid, pw1)
>   lh = None # TODO: better way to disconnect?
> lh.unbind() is probably what you want to use here, unless you want to reuse the connection,
> and then the next bind will kill the previous session automatically.
> Same for do_details_change, do_pw_reset, 
> 2) Bind as user
> def bind_as_user(availid, pw):
>   ...
>   try:
>     validate_existence(availid)
>     lh.bind_s(USER_DN_T % availid, [pw, ''][pw is None])
> The call to validate_existence is a duplication of effort, and will create two LDAP connections,
> plus send a second request to the server. If the user does not exist in the server, the bind
> will fail.
> 3) Check for the user existence in send_email
> def send_email(availid, lookup, remoteip, base_url):
>   logger.info('emailing availid=%s remoteip=%s', availid, remoteip)
>   cn = validate_existence(availid, True)
> I don't know if the LDAP server allows anonymous binds, but if so, there is no need to
> bind to search for an entry. You can simply issue a search and get back the entry.
> Here, it would be more efficient to do a search without doing any bind.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
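
The OpenLDAP note quoted in the comment above is easy to misread, so here is an added slapd.conf example (not part of the INFRA-3373 thread or of the ASF LDAP configuration) showing the weak setting beside the corrected one. The two fragments are alternatives for the same server, not one file; the cn=config attribute names in the comments are the standard equivalents of the slapd.conf directives.

```conf
# Fragment A (weak): only the anonymous Bind *mechanism* is switched off.
# An LDAPv3 client is not obliged to send a Bind at all; a search issued on a
# fresh connection is processed as an anonymous operation and, absent an ACL
# that says otherwise, still returns entries. This is exactly the case the
# OpenLDAP admin guide (section 14.3.1) warns about.
disallow bind_anon
# cn=config equivalent:  olcDisallows: bind_anon

# Fragment B (corrected): require an authenticated session for every
# operation, whether or not the client attempted a Bind first.
# Unauthenticated requests are rejected with a "strong(er) authentication
# required" style error instead of being answered as anonymous.
disallow bind_anon
require  authc
# cn=config equivalents: olcDisallows: bind_anon
#                        olcRequires:  authc
```

Both directives may be placed in the global section or inside a specific `database` section, in which case they apply only to that backend. Note the interaction with point 3 of the report: under fragment B, a `validate_existence`-style search that deliberately skips the bind would be refused, so the script must bind (anonymously or as a service account, as policy allows) before searching.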

