annotate rhodecode/lib/auth_ldap.py @ 700:07fd56c36bfe beta
added basic ldap auth lib
author | Marcin Kuzminski <marcin@python-works.com> |
---|---|
date | Tue, 16 Nov 2010 09:31:40 +0100 |
parents | |
children | 6602bf1c5546 |
1 import logging |
# NOTE(review): configuring the root logger at import time is a side effect a
# library module normally leaves to the application; at DEBUG, the statements
# in authenticate_ldap() below record bind DNs and login names in the log.
logging.basicConfig(level=logging.DEBUG)
# Module logger used by authenticate_ldap().
log = logging.getLogger('ldap')
4 |
5 #============================================================================== |
6 # LDAP |
7 #Name = Just a description for the auth modes page |
8 #Host = DepartmentName.OrganizationName.local/ IP |
9 #Port = 389 default for ldap |
10 #LDAPS = no set True if You need to use ldaps |
11 #Account = DepartmentName\UserName (or UserName@MyDomain depending on AD server) |
12 #Password = <password> |
13 #Base DN = DC=DepartmentName,DC=OrganizationName,DC=local |
14 # |
15 #On-the-fly user creation = yes |
16 #Attributes |
17 # Login = sAMAccountName |
18 # Firstname = givenName |
19 # Lastname = sN |
20 # Email = mail |
21 |
22 #============================================================================== |
class UsernameError(Exception):
    """Raised when a login name is malformed or has no matching LDAP entry."""
class PasswordError(Exception):
    """Raised when the LDAP server rejects the supplied password."""
25 |
# Connection settings.  NOTE(review): these are fixed in source rather than
# read from configuration.  With LDAP_USE_LDAPS left False the URI below uses
# plain 'ldap://', so the simple bind done in authenticate_ldap() carries the
# user's password unencrypted unless the server side enforces TLS.
LDAP_USE_LDAPS = False
LDAP_SERVER_ADDRESS = '192.168.2.56'
LDAP_SERVER_PORT = '389'

# Service-account bind credentials.  Not referenced by authenticate_ldap(),
# which binds as the user being authenticated.
LDAP_BIND_DN = ''
LDAP_BIND_PASS = ''

# URI scheme: 'ldap', or 'ldaps' when the flag above is set.
ldap_server_type = 'ldap'
if LDAP_USE_LDAPS:
    ldap_server_type += 's'

# Full URI handed to ldap.initialize().
LDAP_SERVER = "%s://%s:%s" % (
    ldap_server_type, LDAP_SERVER_ADDRESS, LDAP_SERVER_PORT)

# Container of user entries; authenticate_ldap() builds uid=<name>,BASE_DN.
BASE_DN = "ou=people,dc=server,dc=com"
40 |
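def authenticate_ldap(username, password):
    """Authenticate a user via LDAP and return his/her LDAP properties.

    The user's DN is built as ``uid=<uid>,<BASE_DN>`` where *uid* is
    *username* with any ``@<LDAP_SERVER_ADDRESS>`` suffix chopped off.  A
    simple bind is attempted with that DN and *password*; on success the
    entry's subtree is searched and the resulting list of
    ``(dn, attributes)`` tuples is returned.

    :param username: login name as typed by the user (untrusted input).
    :param password: the user's password (untrusted input).
    :returns: list of ``(dn, attributes)`` tuples from ``search_s``.
    :raises UsernameError: if *username* is empty, contains ``,``, or LDAP
        reports no such object for the computed DN.
    :raises PasswordError: if *password* is empty or LDAP rejects the
        credentials.
    :raises EnvironmentError: if the LDAP server can't be reached.
    :raises Exception: if python-ldap is not installed.
    """
    # Validate before importing anything or touching the network.
    # An empty password turns simple_bind_s() into an *anonymous* bind, which
    # most servers accept; without this check any existing uid would
    # authenticate with a blank password.
    if not password:
        raise PasswordError("empty password")
    if not username:
        raise UsernameError("empty username")
    if "," in username:
        raise UsernameError("invalid character in username: ,")

    try:
        import ldap
        import ldap.dn
    except ImportError:
        raise Exception('Could not import ldap make sure You install python-ldap')

    from rhodecode.lib.helpers import chop_at

    uid = chop_at(username, "@%s" % LDAP_SERVER_ADDRESS)
    # Escape the remaining DN special characters so an untrusted uid cannot
    # change the structure of the DN (e.g. via '=' or '+').
    dn = "uid=%s,%s" % (ldap.dn.escape_dn_chars(uid), BASE_DN)
    log.debug("Authenticating %r at %s", dn, LDAP_SERVER)
    server = None
    try:
        #ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/openldap/cacerts')
        server = ldap.initialize(LDAP_SERVER)
        # python-ldap reads 'protocol_version'; assigning 'server.protocol'
        # only created an unused attribute and left the default in place.
        server.protocol_version = ldap.VERSION3
        server.simple_bind_s(dn, password)
        properties = server.search_s(dn, ldap.SCOPE_SUBTREE)
        if not properties:
            raise ldap.NO_SUCH_OBJECT()
    except ldap.NO_SUCH_OBJECT:
        log.debug("LDAP says no such user '%s' (%s)", uid, username)
        raise UsernameError()
    except ldap.INVALID_CREDENTIALS:
        log.debug("LDAP rejected password for user '%s' (%s)", uid, username)
        raise PasswordError()
    except ldap.SERVER_DOWN:
        raise EnvironmentError("can't access authentication server")
    finally:
        # Release the connection whether or not the bind succeeded.
        if server is not None:
            try:
                server.unbind_s()
            except ldap.LDAPError:
                pass  # best-effort cleanup; the outcome is already decided
    return properties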
76 |
77 |
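if __name__ == "__main__":
    # Manual smoke test.  Guarded so that merely importing this module does
    # not perform a live bind with fixed credentials against LDAP_SERVER.
    print(authenticate_ldap('test', 'test'))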