Multiple but differently defined d.AUTHENTICATION_BACKENDS in settings/defaults.py
ifrh opened this issue · 2 comments
In Praktomat/src/settings/defaults.py there are two places where d.AUTHENTICATION_BACKENDS is defined in different ways:
Praktomat/src/settings/defaults.py, lines 126 to 128 in aafbeb1
Praktomat/src/settings/defaults.py, lines 374 to 377 in aafbeb1
This could be a problem if these settings are not overwritten via local.py, because
- The order of AUTHENTICATION_BACKENDS matters, so if the same username and password is valid in multiple backends, Django will stop processing at the first positive match.
- You can use AllowAllUsersModelBackend or AllowAllUsersRemoteUserBackend if you want to allow inactive users to authenticate.
  Changed in Django 1.10: In older versions, the ModelBackend allowed inactive users to authenticate.
The above bullet points are taken from the Django docs:
@hannesbraun @ratefuchs I think accounts.ldap_auth.LDAPBackend should be the first and django.contrib.auth.backends.AllowAllUsersModelBackend should be the second entry in d.AUTHENTICATION_BACKENDS.
And there is no need to mention django.contrib.auth.backends.ModelBackend inside settings/defaults.py.
I agree with that. The ModelBackend should be replaced with the AllowAllUsersModelBackend. For the sake of simplicity, it's probably also a good idea to merge those two parts into one where the AUTHENTICATION_BACKENDS are set.
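A static check for the situation reported in this issue, added here as an example and not code from Praktomat or Django: it parses a settings file with `ast` and lists every assignment to AUTHENTICATION_BACKENDS together with the value that ends up in effect. The sample settings text and the names `load_defaults`, `find_assignments` and `audit` are constructed for illustration; the backend paths are the ones named in the thread.

```python
import ast

# Constructed sample in the style of a settings module that fills a settings
# object `d`; it is NOT the actual content of Praktomat's defaults.py.
SAMPLE_SETTINGS = '''
def load_defaults(d):
    d.AUTHENTICATION_BACKENDS = (
        "django.contrib.auth.backends.ModelBackend",
    )
    d.DEBUG = False
    d.AUTHENTICATION_BACKENDS = (
        "accounts.ldap_auth.LDAPBackend",
        "django.contrib.auth.backends.AllowAllUsersModelBackend",
    )
'''


def find_assignments(source, setting="AUTHENTICATION_BACKENDS"):
    """Return (line, value) for each `NAME = ...` or `obj.NAME = ...`, in file order."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        # ast.Name carries .id, ast.Attribute carries .attr
        names = [getattr(t, "attr", None) or getattr(t, "id", None) for t in node.targets]
        if setting in names:
            try:
                value = tuple(ast.literal_eval(node.value))
            except (ValueError, TypeError):
                value = None  # computed, not a literal: review by hand
            found.append((node.lineno, value))
    return sorted(found, key=lambda hit: hit[0])


def audit(source):
    """Report duplicates; in straight-line code the last assignment wins."""
    hits = find_assignments(source)
    return {
        "lines": [line for line, _ in hits],
        "conflicting": len({value for _, value in hits}) > 1,
        "effective": hits[-1][1] if hits else None,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SETTINGS))
```

Run over a real settings file in CI, a `conflicting` result of `True` points at exactly the kind of silent override described above, and `effective` shows the backend order Django would actually try.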