Friedrich Weber

I see your point about not wanting to document the system inside the system, but nevertheless, I feel like a "notes" field for policies might actually be a nice feature!

It seems like flask-sqlalchemy is responsible for making the path of the token database absolute: https://github.com/mitsuhiko/flask-sqlalchemy/blob/50944e77522d4aa005fc3c833b5a2042280686d3/flask_sqlalchemy/__init__.py#L865 The Audit and SQLIdResolver connections do not use flask-sqlalchemy, which is why the behavior...

Hi @globin, thank you for the idea! But a regex would also work for you? This shouldn't be too hard to implement.

Thanks a lot for sharing your experience! This is indeed very useful information :) I'll keep this issue open so we can see what we can do about the LDAP...

Yep: We could include the app marker in the user DN template, e.g. ``uid=${uid},ou=people,dc=example,dc=com,dc=App-someApp``. The LDAP proxy could then simply chop off the last component when receiving the bind request....

With f64e93c applied, the LDAP proxy seems to be able to handle >3000 bind requests with invalid DNs. However, it still fails with EMFILE at some point. We should also...

* If the incoming bind request has invalid credentials, the LDAP proxy seems to properly close the connection to the LDAP backend * However, if it fails due to some...

I think 6b73309 has fixed the issue mentioned above (i.e. that the connection between LDAP proxy and backend persists if the DN is malformed). There seem to be cases in...

As the rebind interval in owncloud is now configurable, I'm setting this to low priority. However, this could still be interesting e.g. for odoo.

Well, actually, we can differentiate the two situations, somewhat indirectly: * If we set ``bind-service-account=true``, ``allow-search=true`` and do not set up any DNs in ``passthrough-binds``, we only allow situation (1)...