FreeLists / dokuwiki / [dokuwiki] Re: Mixed / chained authentication (LDAP + plain)

[Grant Gardner <grant@xxxxxxxxxxxxxxxxxx>]

DennisV wrote:
> > Hi. This intrigued me so I wrote something really simple -
> > http://wiki.splitbrain.org/wiki:tips:chainedauth
> Thanks a lot!
>
> I tried it and it seems to work with ldap:plain as well. One small
> problem I found that it gives an error when you try to log on using a
> non-existing user. I solved it by replacing:
>
>  function checkPass($user,$pass) {
>    return $this->getAuthFromUser($user)->checkPass($user,$pass);
>  }
>
> with
>
>  function checkPass($user,$pass) {
>    $result = false;
>    $auth = $this->getAuthFromUser($user);
>    if($auth != null) {
>      $result = $auth->checkPass($user,$pass);
>    }
>    return $result;
>  }
>
> I did notice something else however. If I turn LDAP debug on:
> $conf['auth']['ldap']['debug']         = true;
> I notice a lot of calls to the LDAP after logging on. 3 in the page
> header and 1 where the admin button is located. Consequent page clicks
> have an LDAP call on each page near the admin button. This doesn't
> happen when using pure LDAP authentication. Is there any way to
> optimize this?
>
> Regards,
> Dennis
Oops. Leaving the null check out was poor. Sorry. There might be a few 
more of these...
The multiple calls will be the "canDo" checks. eg The one near admin is 
checking whether it should display the Profile button.
In a normal backend these are fixed properties but in the chained case 
whether or not the Profile button can  be displayed depends on which 
auth backend the current user belongs to. In your case users in the ldap 
store can't update their profile but users in the plain store probably 
can. I'll try and find a way to see if this can be cached somehow.
Cheers,
       Grant
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist