Merge branch '389-allow-using-django-local-accounts-in-addition-to-ldap-accounts' into 'master'

Resolve "Allow using Django-local accounts in addition to LDAP accounts" Closes #388 und #389 See merge request !501

Merge branch '389-allow-using-django-local-accounts-in-addition-to-ldap-accounts' into 'master'
72bcb568 · Jonathan Weth · 62ce6f82 · 6b514d1e · 72bcb568 · 72bcb568
Commit 72bcb568 authored 4 years ago by Jonathan Weth
--- a/aleksis/core/settings.py
+++ b/aleksis/core/settings.py
@@ -291,7 +291,7 @@ if _settings.get("ldap.uri", None):
        AUTH_LDAP_BIND_PASSWORD = _settings.get("ldap.bind.password")

    # Keep local password for users to be required to proveide their old password on change
-    AUTH_LDAP_SET_USABLE_PASSWORD = True
+    AUTH_LDAP_SET_USABLE_PASSWORD = _settings.get("ldap.handle_passwords", True)

    # Keep bound as the authenticating user
    # Ensures proper read permissions, and ability to change password without admin

--- a/aleksis/core/util/ldap.py
+++ b/aleksis/core/util/ldap.py
@@ -20,13 +20,13 @@ class LDAPBackend(_LDAPBackend):
        Django database in order to not require it to have global admin permissions
        on the LDAP directory.
        """
-        user = ldap_user.authenticate(password)
-
-        if not user:
-            # Fail early and do not try other backends
-            raise PermissionDenied("LDAP failed to authenticate user")
+        user = super().authenticate_ldap_user(ldap_user, password)

        if self.settings.SET_USABLE_PASSWORD:
+            if not user:
+                # Fail early and do not try other backends
+                raise PermissionDenied("LDAP failed to authenticate user")
+
            # Set a usable password so users can change their LDAP password
            user.set_password(password)
            user.save()