Replace openldap with pure Python version

[EliAndrewC]

Our openldap library is not Python 3 compatible, so we should migrate to an LDAP library that is.

[ftobia]

I can't find any good pure python ldap modules. There are a few but they're either abandoned, not on pypi, not on github, don't have a functioning website, or some combination of all of them.

It might be less work to think about making authentication pluggable than to foster an ldap library.

[robdennis]

I mean, I was looking at this one: https://pypi.python.org/pypi/python3-ldap

but it may still be easier to be pluggable. In practice I'd only use OAuth or OpenID anyway

[ftobia]

If that library is indeed python 3 compatible, then let's go with it.

[hozn]

My only question is whether it supported client certs and validation of server certs; it looks like it does (https://subversion.assembla.com/svn/python3-ldap/trunk/python3-ldap/ldap3/core/tls.py), so I say go for it.

[robdennis]

taking ownership of this due to the discussion coming out of #62

I'll confess to not having any idea on how to actually test this in a repeatable, travis-type way. And for fun, we never wrote any tests for ldap auth before.

the "doing it right" steps:

• actually figure out how to test this
• write tests for python-ldap on python 2
• sub in python3-ldap, confirm tests still work
• confirm tests still work on 3

The "welp, no less certain than it was before" steps:

• sub in python3-ldap, working to make sure that the configuration is switched to be the new way
• have @EliAndrewC or @hozn point it at the same ldap servers we used before

I'm going to assume that the "doing it right" step is a requirement, but if @EliAndrewC can test it in his "spare time" that does make this a lot simpler.

[robdennis]

http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/ this seems pretty interesting? I'm out of town on my work laptop, so I'll try to connect to with an actual ldap browser at home and see. This would satisfy my first bullet assuming travis can reach out to this domain.

[EliAndrewC]

I'm okay with a "no less certain than it was before" approach here. We currently have ticket #31 for pluggable authentication, which should probably include some tests. For now there's literally one function which does anything with ldap, so I'm okay with a manual test to make sure it works. In particular, the only 2 things we really need to ensure are

• in rewriting that function to use the new ldap module, does it still authentication or fail authentication in the way we expect?
• in rewriting that function to use the new ldap module, are we still properly setting our client cert? (I'm not even sure offhand if we're validating the server's cert; I certainly hope so since we're sending them credentials, but I didn't actually write this portion of the code and I haven't checked.)