Set password of LDAP-logged-in user in database

Having a local password is needed to make changing passwords easier. In order to catch password changes in a universal way and forward them to backends (like LDAP, in this case), getting the old password first is necessary to authenticate as that user to LDAP.

We buy the small insecurity of having a hash of the password in the Django database in order to not require it to have global admin permissions on the LDAP directory.

Advances #354 (closed) and #353 (closed)

aleksis/core/settings.py

@@ -234,7 +234,7 @@ if _settings.get("ldap.uri", None):
     )
 
     # Enable Django's integration to LDAP
-    AUTHENTICATION_BACKENDS.append("django_auth_ldap.backend.LDAPBackend")
+    AUTHENTICATION_BACKENDS.append("aleksis.core.util.ldap.LDAPBackend")
 
     AUTH_LDAP_SERVER_URI = _settings.get("ldap.uri")
 
@@ -243,6 +243,13 @@ if _settings.get("ldap.uri", None):
         AUTH_LDAP_BIND_DN = _settings.get("ldap.bind.dn")
         AUTH_LDAP_BIND_PASSWORD = _settings.get("ldap.bind.password")
 
+    # Keep local password for users to be required to proveide their old password on change
+    AUTH_LDAP_SET_USABLE_PASSWORD = True
+
+    # Keep bound as the authenticating user
+    # Ensures proper read permissions, and ability to change password without admin
+    AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
+
     # The TOML config might contain either one table or an array of tables
     _AUTH_LDAP_USER_SETTINGS = _settings.get("ldap.users.search")
     if not isinstance(_AUTH_LDAP_USER_SETTINGS, list):