Group restriction not working with One-Time Password

[fcollonval]

When using OTP, it is not possible to activate the group filter. The reason is the reuse of the authenticated connection to search for the groups:

ldapauthenticator/ldapauthenticator/ldapauthenticator.py

Line 443 in 65b234a

found = conn.search(

Reuse of:

ldapauthenticator/ldapauthenticator/ldapauthenticator.py

Line 382 in 65b234a

conn = self.get_connection(userdn, password)

We solved the problem by creating anonymous connection for querying groups. I don't know if this is a general solution. But if so, I'll be happy to push a PR from our fork.

[consideRatio]

This sounds related to the situation in #183, where sometimes maybe the user connection isn't allowed to see group membership.

[consideRatio]

I understand that the bind operation triggers a OTP request to the user, which will only happen once following #270.

• Is search() on that connection object triggering another OTP request?
• Why can't it be used to do search()?

Note that #183 sounds related, because then the user bound connection didn't have sufficient details to get information about the groups.