Opened 10 years ago
Closed 10 years ago
#23896 closed New feature (wontfix)
set_password delegation to auth backend
Reported by: | Roman | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 1.7 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Recently I've implemented an LDAP auth backend by myself and was confused by not being able to add change_password/set_password functionality without adding a custom User model. Actually, I think it is very common to delegate password validation to some external service, like LDAP, SMTP, HTTP, etc., while keeping the User model as is. Also, providing a custom user model will force all applications to reference settings.AUTH_USER_MODEL, which is definitely correct, but forcing people to do even the correct thing does not look nice to me.
So, the thing I want to discuss is support of some special methods on auth backends like
```python
def set_password(self, user, new_password):
    """user is the User model instance previously returned by this backend's authenticate method"""
    pass


def change_password(self, user, old_password, new_password):
    """user is the User model instance previously returned by this backend's authenticate method"""
    pass
```
and for the User model to call the auth backend methods if defined.
So am I missing anything? Is my proposal correct?
Change History (3)
comment:1 by , 10 years ago
Summary: | set_password → set_password delegation to auth backend |
---|
comment:2 by , 10 years ago
Description: | modified (diff) |
---|
comment:3 by , 10 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
When logging in, we iterate through settings.AUTHENTICATION_BACKENDS until we find one that successfully authenticates a user. It's not so clear how a similar scheme for changing passwords might work. Changing the API for User.set_password() to delegate to the auth backend seems complicated and I believe there are other LDAP backends that are working without this change. You might try looking at their code to see if they handle this issue in any way. Any API proposal like this needs to be discussed on the DevelopersMailingList first, so please try there if you still think this is a good idea.
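
The delegation discussed in this ticket, as an added stdlib-only model that is neither Django code nor code from the reporter or the commenter: login walks the backends in order and records which one accepted the user, and a password change goes only to that backend after it re-verifies the old password. Every class and function name here is an assumption made for illustration, and the directory dictionary is a constructed stand-in for an external service such as LDAP.

```python
import hashlib, hmac, os

class User:
    def __init__(self, username):
        self.username = username
        self.backend = None     # recorded at login, as Django notes the backend on the user
        self.local_hash = None  # None models an unusable local password

class LocalBackend:
    """Owns a salted PBKDF2 hash stored on the user record."""
    @staticmethod
    def make_hash(password, salt):
        return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def authenticate(self, user, password):
        h = user.local_hash
        return h is not None and hmac.compare_digest(h, self.make_hash(password, h[:16]))
    def change_password(self, user, old_password, new_password):
        if not self.authenticate(user, old_password):
            return False
        user.local_hash = self.make_hash(new_password, os.urandom(16))
        return True

class DirectoryBackend:
    """In-memory stand-in for an external service such as LDAP (constructed)."""
    def __init__(self, directory):
        self.directory = directory  # username -> password, held by the "remote" side
    def authenticate(self, user, password):
        stored = self.directory.get(user.username)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())
    def change_password(self, user, old_password, new_password):
        if not self.authenticate(user, old_password):
            return False
        self.directory[user.username] = new_password
        return True

def login(user, password, backends):
    """Try each backend in order and remember which one accepted the user."""
    for backend in backends:
        if backend.authenticate(user, password):
            user.backend = backend
            return True
    return False

def change_password(user, old_password, new_password):
    """Delegate to the backend that authenticated the user, if it supports it."""
    handler = getattr(user.backend, "change_password", None)
    if handler is None:
        return False  # refuse: never fall back to writing a local hash
    return handler(user, old_password, new_password)
```

Refusing when the owning backend has no change_password method keeps an externally authenticated account from gaining a second, local credential that would keep working after the directory password is reset or the directory account is disabled.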