we shouldn't call signal.disconnect in __del__ because it can lead to
deadlocks in Django signal dispatch code

The Signal.connect, Signal.disconnect, and Signal._live_receivers
methods all share a threading.Lock():
22a60f8d0b/django/dispatch/dispatcher.py (L49)

It's possible for this to lead to a deadlock:
1. Have code that calls Signal._live_receivers and enter the critical
path inside the shared threading.Lock()
2. Python garbage collection occurs and finds one or more LDAPBackend
objects with no more references
3. This __del__ is called, which calls Signal.disconnect
4. Code in Signal._disconnect attempts to obtain the (already held)
threading.Lock
5. Python hangs forever while attempting to garbage collect
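
The sequence in the commit message above, reproduced as an added example (not code from AWX or Django). `MiniSignal` and `Backend` are constructed stand-ins, and the lock acquire uses a timeout, an assumption of this demo, so the hang of step 5 shows up as a recorded failure instead of a frozen interpreter.

```python
import gc
import threading

class MiniSignal:
    """Constructed stand-in: receiver list guarded by one non-reentrant lock."""
    def __init__(self):
        self.lock = threading.Lock()
        self.receivers = []
        self.blocked = []  # receivers whose disconnect could not get the lock

    def connect(self, name):
        with self.lock:
            self.receivers.append(name)

    def disconnect(self, name, timeout=0.2):
        # Plain acquire() would hang forever; the timeout is this demo's assumption.
        if not self.lock.acquire(timeout=timeout):
            self.blocked.append(name)
            return False
        try:
            self.receivers.remove(name)
            return True
        finally:
            self.lock.release()

    def live_receivers(self, inside=None):
        with self.lock:  # step 1: critical section entered
            if inside:
                inside()  # step 2: a GC pass happens while the lock is held
            return list(self.receivers)

class Backend:
    """Hypothetical object that disconnects itself in __del__."""
    def __init__(self, signal, name):
        self.signal, self.name = signal, name
        self.cycle = self  # reference cycle, so only the GC can free it
        signal.connect(name)

    def __del__(self):  # step 3: finalizer runs inside the GC pass
        self.signal.disconnect(self.name)  # step 4: same lock, already held

def run_demo():
    gc.disable()  # keep automatic collection from freeing the object early
    try:
        signal = MiniSignal()
        Backend(signal, "ldap-backend")  # unreachable at once, awaits GC
        return signal.live_receivers(inside=gc.collect), signal.blocked
    finally:
        gc.enable()
```
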
ldap search currently fetches ALL attributes which is a waste of bandwidth resources and
woefully slow on large ldap groups when it only needs to parse the name_attr
Signed-off-by: Jijo Varghese <jijojv@gmail.com>

Previously, if the main unit tests, test_common.py, was
run before running this test, it would fail.
By clearing the cache at the start of the test, we
make its behavior consistent and predictable no
matter what other tests are also being run,
and the assertion is adjusted to match.

* LDAP params is a new field. It contains the kwargs that will be passed
to the python class specified by group type. The default for group type
is MemberDNGroupType. The required params are now those in the defaults.
* Adds pattern to easily add django-auth-ldap group type classes and to
pass parameters via AUTH_LDAP_GROUP_TYPE_PARAMS
* Adds new group type PosixUIDGroupType that accepts the attribute,
ldap_group_user_attr, on which to search for the user(s) in the group.
related to https://github.com/ansible/awx/issues/217
* Adds a configure tower in tower setting for users to configure a saml
attribute that tower will use to put users into teams and orgs.
* python-social-auth has SOCIAL_AUTH_SAML_SECURITY_CONFIG, which is
forwarded to python-saml settings configuration. This commit exposes
SOCIAL_AUTH_SAML_SECURITY_CONFIG to configure tower in tower to allow
users to set requestedAuthnContext, which will disable the requesting of
password type auth from the idp. Thus, it's up to the idp to choose
which auth to use (i.e. 2-factor).