Resolve "Login with local Django accounts and LDAP password changes are mutually exclusive"
Merged
requested to merge 470-login-with-local-django-accounts-and-ldap-password-changes-are-mutually-exclusive into master
- Dec 25, 2021
Nik | Klampfradler authored
This is only set if LDAP is enabled on the site being migrated, to ensure the change in 42f5708d does not leave existing sites vulnerable to users authenticating with shadow copies created before the change.
Nik | Klampfradler authored
This fixes #470, where local Django accounts were generally locked if LDAP accounts were used together with password handling to protect against deleted/locked LDAP users being able to still log in using a shadow copy of their account in the Django database. The fix introduces user account attributes, and the LDAP authentication code keeps a record of users who used to authenticate with LDAP in the past. If a user is known to have been using LDAP in the past, they are denied if they cannot be authenticated in the future; if a user tries to authenticate who has not used LDAP in the past, they are allowed in.
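The decision logic described in the two commit messages above, as an added framework-free sketch that is not the project's code. The attribute name `ldap_authenticated`, the dict-based user store and directory, and the choice to flag every pre-existing account during migration are assumptions made for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

LDAP_FLAG = "ldap_authenticated"  # hypothetical attribute name

@dataclass
class User:
    username: str
    salt: bytes = b""
    pw_hash: bytes = b""
    attributes: dict = field(default_factory=dict)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def set_password(user: User, password: str) -> None:
    user.salt = os.urandom(16)
    user.pw_hash = _hash(password, user.salt)

def check_password(user: User, password: str) -> bool:
    return bool(user.pw_hash) and hmac.compare_digest(user.pw_hash, _hash(password, user.salt))

def ldap_bind(directory: dict, username: str, password: str) -> bool:
    # Stand-in for a real LDAP bind; directory maps username -> password.
    stored = directory.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def authenticate(db: dict, directory: dict, username: str, password: str):
    user = db.get(username)
    if ldap_bind(directory, username, password):
        # Successful bind: refresh the shadow copy and remember LDAP was used.
        user = db.setdefault(username, User(username))
        set_password(user, password)
        user.attributes[LDAP_FLAG] = True
        return user
    # Bind failed: the local password counts only if LDAP was never used.
    if user is None or user.attributes.get(LDAP_FLAG):
        return None
    return user if check_password(user, password) else None

def migrate_existing_users(db: dict, ldap_enabled: bool) -> None:
    # Assumed migration step: on sites that had LDAP enabled, treat every
    # pre-existing account as a possible shadow copy; otherwise change nothing.
    if ldap_enabled:
        for user in db.values():
            user.attributes[LDAP_FLAG] = True
```
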