Propagate LDAP errors instead of silently ignoring, send more ldap_error signals #379
Conversation
I would do that because it’s simpler, and the reported issue can easily cause data loss and confusion in systems using the library. |
|
Thanks, this response is encouraging. I can probably find time tomorrow to improve this PR further and add tests. |
|
Pushed tests and documentation updates for |
|
Hi! No pressure, it would be helpful to have some indication: do you feel like this is close to ready, or still needs a more thorough review? When might you be able to do a complete review (days? weeks?) |
|
Hi! I’ve been off the past week, and will be busy catching up and with somewhat urgent stuff at work. I’ll try to give this patch a thorough review in the upcoming weeks. At a glance, it looks mostly fine 🙌. |
|
Thanks for the update. You can go ahead and squash the commits. |
…ror signals * LDAPError exceptions are now propagated from the `LDAPSearch.execute()` method, which is used internally in many code paths. It's now possible to distinguish errors from empty results. * In particular `NestedMemberDNGroupType` no longer returns partial results when faced with errors, but also propagate the results. * When `MIRROR_GROUPS` or `MIRROR_GROUPS_EXCEPT` is enabled, then an error during group mirroring will fail authentication. Previously it could mirror a partial set of groups or remove all groups. * The `ldap_error` Django signal is now sent for more situations -- previously it only reported errors from authentication, but nothing else.
49b416b to
42a7eb7
Compare
|
Ah sorry, I missed your last comment. Squashed now. (By the way, is there any reason you don't use GitHub's "Squash and merge" feature?) |
|
No big reason. It’s kind of nice to let the author have their say in the wording of the final commit message. 🤷 |
|
I’m thinking of setting the following section in the release note for this commit, please let me know if you see possible improvements. Breaking changesAn The library now systematically sends the See #378 for details. |
django-auth-ldap: 4.8.0 -> 5.1.0 django-filter: 24.2 -> 24.3 structlog: 24.1.0 -> 24.4.0 rich: 13.7.1 -> 13.9.4 gunicorn: 22.0.0 -> 23.0.0 idna: 3.7 -> 3.10 sentry-sdk: 2.3.1 -> 2.8.0 tzdata: 2024.1 -> 2024.2 Changes to `django-auth-ldap` warrant an extra look at the ldap auth code, as per django-auth-ldap/django-auth-ldap#379.
django-auth-ldap: 4.8.0 -> 5.1.0 django-filter: 24.2 -> 24.3 structlog: 24.1.0 -> 24.4.0 rich: 13.7.1 -> 13.9.4 gunicorn: 22.0.0 -> 23.0.0 idna: 3.7 -> 3.10 sentry-sdk: 2.3.1 -> 2.8.0 tzdata: 2024.1 -> 2024.2 Changes to `django-auth-ldap` warrant an extra look at the ldap auth code, as per django-auth-ldap/django-auth-ldap#379.
Before I add tests and put more effort in this PR, I would like some indication that I'm on the right track. Please let me know, what you think.
Fixes #378.
LDAPSearch.execute()method, which is used internally in many code paths. It's now possible to distinguish errors from empty results.NestedMemberDNGroupTypeno longer returns partial results when faced with errors -- fixes Intermittent errors from LDAP cause django-auth-ldap to return partial groups list #378.MIRROR_GROUPSorMIRROR_GROUPS_EXCEPTis enabled, then an error during group mirroring will fail authentication. Previously it could mirror a partial set of groups or remove all groups.ldap_errorDjango signal is now sent for more situations -- previously it only reported errors from authentication, but nothing else.django-auth-ldapversions.