This is a pretix plugin that can be used to verify the user provided mails
against an ldap server. This does not verify the users password.
WARNING: This does verify that the user registering is the owner of the mail address.
- Install python-ldap (
pip install python-ldap) - Install pretix-ldap-mails (
pip install pretix-ldap-mails) - Configure in admin settings
- Enable the plugin for your event.
To run the plugin in your local dev installation
pip install python-ldap
python setup.py develop
make
Afterwards restart the development server
You need a local dev setup
python setup.py sdist
twine upload dist/*.tar.gz
While we use a function of python-ldap to sanitize user input there might still be a possible exploit by inserting
custom code into the ldap query. You should definitely use a read only user for ldap. User data should not be exposed
as we do not print user data to the end user.
Via a brutforcing attack this opens up the user to find valid mail adresses in your ldap. This is not different to a password reset feature telling you that it has (not) found an mail address.