Mercurial > kallithea
annotate rhodecode/lib/auth_ldap.py @ 2882:12fce5e499d5 beta
obfuscate password in logs for engine connection string
| author | Marcin Kuzminski <marcin@python-works.com> |
|---|---|
| date | Sat, 29 Sep 2012 19:16:00 +0200 |
| parents | 8e10ce55531d |
| children | 63e58ef80ef1 f89bb8545a61 |
| rev | line source |
|---|---|
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
1 # -*- coding: utf-8 -*- |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
2 """ |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
3 rhodecode.controllers.changelog |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
5 |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
6 RhodeCode authentication library for LDAP |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
7 |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
8 :created_on: Created on Nov 17, 2010 |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
9 :author: marcink |
|
1824
89efedac4e6c
2012 copyrights
Marcin Kuzminski <marcin@python-works.com>
parents:
1792
diff
changeset
|
10 :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com> |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
11 :license: GPLv3, see COPYING for more details. |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
12 """ |
|
1206
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
13 # This program is free software: you can redistribute it and/or modify |
|
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
14 # it under the terms of the GNU General Public License as published by |
|
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
15 # the Free Software Foundation, either version 3 of the License, or |
|
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
16 # (at your option) any later version. |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1185
diff
changeset
|
17 # |
|
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
18 # This program is distributed in the hope that it will be useful, |
|
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
19 # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
20 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
21 # GNU General Public License for more details. |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1185
diff
changeset
|
22 # |
|
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
23 # You should have received a copy of the GNU General Public License |
|
1206
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
24 # along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
25 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
26 import logging |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
27 |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
28 from rhodecode.lib.exceptions import LdapConnectionError, LdapUsernameError, \ |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
29 LdapPasswordError |
|
2681
8e10ce55531d
ldap requires only string attributes, fixes #435 ldap-does-not-work-with-non-latin-symbols
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
30 from rhodecode.lib.utils2 import safe_str |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
31 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
32 log = logging.getLogger(__name__) |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
33 |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
34 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
35 try: |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
36 import ldap |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
37 except ImportError: |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
38 # means that python-ldap is not installed |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
39 pass |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
40 |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
41 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
42 class AuthLdap(object): |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
43 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
44 def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='', |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
45 tls_kind='PLAIN', tls_reqcert='DEMAND', ldap_version=3, |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
46 ldap_filter='(&(objectClass=user)(!(objectClass=computer)))', |
| 1792 | 47 search_scope='SUBTREE', attr_login='uid'): |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
48 self.ldap_version = ldap_version |
|
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
49 ldap_server_type = 'ldap' |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
50 |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
51 self.TLS_KIND = tls_kind |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
52 |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
53 if self.TLS_KIND == 'LDAPS': |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
54 port = port or 689 |
|
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
55 ldap_server_type = ldap_server_type + 's' |
| 1792 | 56 |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
57 OPT_X_TLS_DEMAND = 2 |
| 1792 | 58 self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert, |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
59 OPT_X_TLS_DEMAND) |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
60 self.LDAP_SERVER_ADDRESS = server |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
61 self.LDAP_SERVER_PORT = port |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
62 |
|
1690
6944b1249f28
fixed issues with not unique emails when using ldap or container auth.
Marcin Kuzminski <marcin@python-works.com>
parents:
1659
diff
changeset
|
63 # USE FOR READ ONLY BIND TO LDAP SERVER |
|
2681
8e10ce55531d
ldap requires only string attributes, fixes #435 ldap-does-not-work-with-non-latin-symbols
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
64 self.LDAP_BIND_DN = safe_str(bind_dn) |
|
8e10ce55531d
ldap requires only string attributes, fixes #435 ldap-does-not-work-with-non-latin-symbols
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
65 self.LDAP_BIND_PASS = safe_str(bind_pass) |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
66 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
67 self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type, |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
68 self.LDAP_SERVER_ADDRESS, |
|
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
69 self.LDAP_SERVER_PORT) |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
70 |
|
2681
8e10ce55531d
ldap requires only string attributes, fixes #435 ldap-does-not-work-with-non-latin-symbols
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
71 self.BASE_DN = safe_str(base_dn) |
|
8e10ce55531d
ldap requires only string attributes, fixes #435 ldap-does-not-work-with-non-latin-symbols
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
72 self.LDAP_FILTER = safe_str(ldap_filter) |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
73 self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope) |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
74 self.attr_login = attr_login |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
75 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
76 def authenticate_ldap(self, username, password): |
| 1792 | 77 """ |
| 78 Authenticate a user via LDAP and return his/her LDAP properties. | |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1185
diff
changeset
|
79 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
80 Raises AuthenticationError if the credentials are rejected, or |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
81 EnvironmentError if the LDAP server can't be reached. |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1185
diff
changeset
|
82 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
83 :param username: username |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
84 :param password: password |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
85 """ |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
86 |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
87 from rhodecode.lib.helpers import chop_at |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
88 |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
89 uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS) |
|
775
aaf2fc59a39a
fixes #77 and adds extendable base Dn with custom uid specification
Marcin Kuzminski <marcin@python-works.com>
parents:
739
diff
changeset
|
90 |
|
1659
40db9e086773
Reject LDAP authentication requests with blank password. Per RFC4513 these should be treated as anonymous binds. See the Security Considerations (Section 6.3.1) for more details on this issue.
Shawn K. O'Shea <shawn@eth0.net>
parents:
1579
diff
changeset
|
91 if not password: |
| 1792 | 92 log.debug("Attempt to authenticate LDAP user " |
| 93 "with blank password rejected.") | |
|
1659
40db9e086773
Reject LDAP authentication requests with blank password. Per RFC4513 these should be treated as anonymous binds. See the Security Considerations (Section 6.3.1) for more details on this issue.
Shawn K. O'Shea <shawn@eth0.net>
parents:
1579
diff
changeset
|
94 raise LdapPasswordError() |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
95 if "," in username: |
|
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
96 raise LdapUsernameError("invalid character in username: ,") |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
97 try: |
| 1792 | 98 if hasattr(ldap, 'OPT_X_TLS_CACERTDIR'): |
| 99 ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, | |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
100 '/etc/openldap/cacerts') |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
101 ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF) |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
102 ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON) |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
103 ldap.set_option(ldap.OPT_TIMEOUT, 20) |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
104 ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10) |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
105 ldap.set_option(ldap.OPT_TIMELIMIT, 15) |
|
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
106 if self.TLS_KIND != 'PLAIN': |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
107 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT) |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
108 server = ldap.initialize(self.LDAP_SERVER) |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
109 if self.ldap_version == 2: |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
110 server.protocol = ldap.VERSION2 |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
111 else: |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
112 server.protocol = ldap.VERSION3 |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
113 |
|
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
114 if self.TLS_KIND == 'START_TLS': |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
115 server.start_tls_s() |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
116 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
117 if self.LDAP_BIND_DN and self.LDAP_BIND_PASS: |
|
794
22eca93bea97
fixes a bug with two-pass ldap auth (thanks for TK Soh for that)
Marcin Kuzminski <marcin@python-works.com>
parents:
775
diff
changeset
|
118 server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS) |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
119 |
| 1792 | 120 filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login, |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
121 username) |
| 1792 | 122 log.debug("Authenticating %r filter %s at %s", self.BASE_DN, |
| 123 filter_, self.LDAP_SERVER) | |
| 1170 | 124 lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE, |
| 1792 | 125 filter_) |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
126 |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
127 if not lobjects: |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
128 raise ldap.NO_SUCH_OBJECT() |
|
775
aaf2fc59a39a
fixes #77 and adds extendable base Dn with custom uid specification
Marcin Kuzminski <marcin@python-works.com>
parents:
739
diff
changeset
|
129 |
|
1287
28060f0ac6c6
Fetch entry after successful bind for being able to read its attributes.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1206
diff
changeset
|
130 for (dn, _attrs) in lobjects: |
|
1444
d17aa79768f0
AD fix when search could return empty dn
Marcin Kuzminski <marcin@python-works.com>
parents:
1292
diff
changeset
|
131 if dn is None: |
|
d17aa79768f0
AD fix when search could return empty dn
Marcin Kuzminski <marcin@python-works.com>
parents:
1292
diff
changeset
|
132 continue |
|
d17aa79768f0
AD fix when search could return empty dn
Marcin Kuzminski <marcin@python-works.com>
parents:
1292
diff
changeset
|
133 |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
134 try: |
| 1792 | 135 log.debug('Trying simple bind with %s' % dn) |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
136 server.simple_bind_s(dn, password) |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
137 attrs = server.search_ext_s(dn, ldap.SCOPE_BASE, |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
138 '(objectClass=*)')[0][1] |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
139 break |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
140 |
| 1792 | 141 except ldap.INVALID_CREDENTIALS: |
| 1976 | 142 log.debug( |
| 143 "LDAP rejected password for user '%s' (%s): %s" % ( | |
| 144 uid, username, dn | |
| 145 ) | |
| 146 ) | |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
147 |
|
1185
597bc7077f18
applied patch from issue #138
Marcin Kuzminski <marcin@python-works.com>
parents:
1170
diff
changeset
|
148 else: |
|
597bc7077f18
applied patch from issue #138
Marcin Kuzminski <marcin@python-works.com>
parents:
1170
diff
changeset
|
149 log.debug("No matching LDAP objects for authentication " |
|
597bc7077f18
applied patch from issue #138
Marcin Kuzminski <marcin@python-works.com>
parents:
1170
diff
changeset
|
150 "of '%s' (%s)", uid, username) |
|
597bc7077f18
applied patch from issue #138
Marcin Kuzminski <marcin@python-works.com>
parents:
1170
diff
changeset
|
151 raise LdapPasswordError() |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
152 |
| 1792 | 153 except ldap.NO_SUCH_OBJECT: |
| 1976 | 154 log.debug("LDAP says no such user '%s' (%s)" % (uid, username)) |
|
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
155 raise LdapUsernameError() |
| 1792 | 156 except ldap.SERVER_DOWN: |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
157 raise LdapConnectionError("LDAP can't access " |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
158 "authentication server") |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
159 |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
160 return (dn, attrs) |