"Manual activation of external account" not working for LDAP

Issue #78 resolved
Denis Blanchette created an issue

We are currently considering a switch from RhodeCode 1.6.0 to Kallithea 0.1.

I set up the LDAP plugin. I went to Admin -> Permissions and set "External auth account activation" to "Manual activation of external account".

I log in with an Active Directory user that does not exist in the database yet and it goes to the main page. In RhodeCode 1.6.0 it would have stayed on the login page until an Administrator had activated the newly created account.

This could allow access to repositories to users in our company that have Active Directory accounts but are not allowed to see the code.

I set up default permissions to None, but it would be better to have users deactivated by default.

I tried the same scenario with an installation of Kallithea using the latest changeset in the default branch at the time of writing (bfc304687f1cb11b243f2bd157f7e782f50d196f).

Thank you very much for any help
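
The behaviour the report expects from "Manual activation of external account" can be sketched as a fail-closed login gate. This is an added example, not part of the original report and not Kallithea's code; the class, function and setting names and the in-memory directory are hypothetical stand-ins.

```python
# Added illustration: a fail-closed login gate for externally authenticated
# users. All names here are hypothetical; this is not Kallithea's code.
from dataclasses import dataclass, field

MANUAL, AUTO = "manual", "auto"   # constructed stand-ins for the two settings


@dataclass
class Account:
    username: str
    active: bool


@dataclass
class AuthGate:
    activation: str                      # MANUAL or AUTO
    directory: dict                      # constructed stand-in for LDAP: user -> password
    accounts: dict = field(default_factory=dict)

    def _external_auth(self, username, password):
        # Stand-in for the LDAP bind; a real plugin would talk to the server.
        return password != "" and self.directory.get(username) == password

    def login(self, username, password):
        """Return 'ok', 'pending' or 'denied'. Only 'ok' may get a session."""
        if not self._external_auth(username, password):
            return "denied"              # bad credentials never create an account
        account = self.accounts.get(username)
        if account is None:
            # First successful external login: provision the local account,
            # active only when the policy says so.
            account = Account(username, active=(self.activation == AUTO))
            self.accounts[username] = account
        # The active flag is checked on every login, including the first one.
        return "ok" if account.active else "pending"

    def admin_activate(self, username):
        self.accounts[username].active = True


def demo():
    gate = AuthGate(MANUAL, {"alice": "s3cret"})   # constructed sample data
    first = gate.login("alice", "s3cret")          # provisioned, not yet active
    gate.admin_activate("alice")
    second = gate.login("alice", "s3cret")
    return first, second


if __name__ == "__main__":
    print(demo())
```

A regression test for this issue would assert the "pending" result on the very first external login, which is the case the report describes as letting the user through.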

Comments (8)

  1. Mads Kiilerich

    A possible workaround / somewhat unrelated comment in that area:

    You could/should configure the LDAP Search Filter to an ldap group of users that are allowed access, such as:

  2. Denis Blanchette reporter

    Thank you for this idea. Unfortunately, I was not able to get it working, with the following error:

    2015-01-23 10:01:15.467 ERROR [kallithea.lib.auth_modules.auth_ldap] Traceback (most recent call last):
      File "S:\Kallithea\Env\lib\site-packages\kallithea\lib\auth_modules\auth_ldap.py", line 330, in auth
        (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)
      File "S:\Kallithea\Env\lib\site-packages\kallithea\lib\auth_modules\auth_ldap.py", line 162, in authenticate_ldap
        raise LdapPasswordError()

    I checked the password several times. It works with all the same settings, but without a search filter. My filter is (&(objectCategory=Person)(sAMAccountName=*)(memberOf=OU=R&D,OU=TEST Users,OU=TEST,OU=ORG))

    For the time being, I will make sure that the default user has no rights.

  3. Mads Kiilerich

    I don't know why the filter doesn't work for you. It is as if it finds the wrong user. You can perhaps experiment using ldapsearch.

  4. Mads Kiilerich

    By the way: I can see you have been successful in getting it up and running on Windows. Please consider updating the documentation for Windows installation!
