devpi / devpi-ldap

Plugin for devpi-server which provides LDAP authentication.

Prefer local users #54

Closed danielpanteleit closed 1 year ago

danielpanteleit commented 1 year ago

Currently, we have a local user created with devpi user -c ... that we use for read-only access via pip.conf (as https://user:pass@devpi...) on our systems. For those accesses the LDAP lookup is unnecessary, and it seems to take a lot of time when installing a somewhat large requirements file, because the lookup is done at least twice for one package (i.e. to find a suitable version and the download itself).

Previously we had a setup with additional HTTP basic auth in the reverse proxy, but that was a little hacky, so I tried to streamline the setup.

Would it be possible to prefer local users before looking them up in LDAP? Or maybe add an ignore list to the configuration file for usernames that should not be looked up via LDAP?

fschulze commented 1 year ago

One way of solving that would be using devpi-tokens. They will be tried before devpi-ldap.

Adding an ignore list to the config would certainly be something useful. I can give pointers on how to do that if you are interested in creating a PR.

danielpanteleit commented 1 year ago

Thanks for pointing me to devpi-tokens. That is exactly what we need and it works great. This way we can also restrict access further to pkg_read. And the tokens also work as password replacements in pip.conf.