Mercurial > kallithea
annotate rhodecode/lib/auth_ldap.py @ 3960:5293d4bbb1ea
Merged dev into stable/default/master branch
| author | Marcin Kuzminski <marcin@python-works.com> |
|---|---|
| date | Fri, 07 Jun 2013 00:31:11 +0200 |
| parents | 3563bb7b4b82 |
| children |
| rev | line source |
|---|---|
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
1 # -*- coding: utf-8 -*- |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
2 """ |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
3 rhodecode.controllers.changelog |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
5 |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
6 RhodeCode authentication library for LDAP |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
7 |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
8 :created_on: Created on Nov 17, 2010 |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
9 :author: marcink |
|
1824
89efedac4e6c
2012 copyrights
Marcin Kuzminski <marcin@python-works.com>
parents:
1792
diff
changeset
|
10 :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com> |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
11 :license: GPLv3, see COPYING for more details. |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
12 """ |
|
1206
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
13 # This program is free software: you can redistribute it and/or modify |
|
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
14 # it under the terms of the GNU General Public License as published by |
|
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
15 # the Free Software Foundation, either version 3 of the License, or |
|
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
16 # (at your option) any later version. |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1185
diff
changeset
|
17 # |
|
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
18 # This program is distributed in the hope that it will be useful, |
|
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
19 # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
20 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
21 # GNU General Public License for more details. |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1185
diff
changeset
|
22 # |
|
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
23 # You should have received a copy of the GNU General Public License |
|
1206
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
24 # along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
25 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
26 import logging |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
27 |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
28 from rhodecode.lib.exceptions import LdapConnectionError, LdapUsernameError, \ |
|
3632
1ec67ddcaffe
ldap: handle more elegantly that python-ldap isn't installed when trying to use ldap
Mads Kiilerich <madski@unity3d.com>
parents:
2920
diff
changeset
|
29 LdapPasswordError, LdapImportError |
|
2681
8e10ce55531d
ldap requires only string attributes, fixes #435 ldap-does-not-work-with-non-latin-symbols
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
30 from rhodecode.lib.utils2 import safe_str |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
31 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
32 log = logging.getLogger(__name__) |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
33 |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
34 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
35 try: |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
36 import ldap |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
37 except ImportError: |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
38 # means that python-ldap is not installed |
|
3632
1ec67ddcaffe
ldap: handle more elegantly that python-ldap isn't installed when trying to use ldap
Mads Kiilerich <madski@unity3d.com>
parents:
2920
diff
changeset
|
39 ldap = None |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
40 |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
41 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
42 class AuthLdap(object): |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
43 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
44 def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='', |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
45 tls_kind='PLAIN', tls_reqcert='DEMAND', ldap_version=3, |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
46 ldap_filter='(&(objectClass=user)(!(objectClass=computer)))', |
| 1792 | 47 search_scope='SUBTREE', attr_login='uid'): |
|
3632
1ec67ddcaffe
ldap: handle more elegantly that python-ldap isn't installed when trying to use ldap
Mads Kiilerich <madski@unity3d.com>
parents:
2920
diff
changeset
|
48 if ldap is None: |
|
1ec67ddcaffe
ldap: handle more elegantly that python-ldap isn't installed when trying to use ldap
Mads Kiilerich <madski@unity3d.com>
parents:
2920
diff
changeset
|
49 raise LdapImportError |
|
1ec67ddcaffe
ldap: handle more elegantly that python-ldap isn't installed when trying to use ldap
Mads Kiilerich <madski@unity3d.com>
parents:
2920
diff
changeset
|
50 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
51 self.ldap_version = ldap_version |
|
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
52 ldap_server_type = 'ldap' |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
53 |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
54 self.TLS_KIND = tls_kind |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
55 |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
56 if self.TLS_KIND == 'LDAPS': |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
57 port = port or 689 |
|
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
58 ldap_server_type = ldap_server_type + 's' |
| 1792 | 59 |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
60 OPT_X_TLS_DEMAND = 2 |
| 1792 | 61 self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert, |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
62 OPT_X_TLS_DEMAND) |
|
2915
f89bb8545a61
LDAP fail-over using multiple server addresses from host field seperated by comma.
Raoul Thill <raoul.thill@gmail.com>
parents:
2681
diff
changeset
|
63 # split server into list |
|
f89bb8545a61
LDAP fail-over using multiple server addresses from host field seperated by comma.
Raoul Thill <raoul.thill@gmail.com>
parents:
2681
diff
changeset
|
64 self.LDAP_SERVER_ADDRESS = server.split(',') |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
65 self.LDAP_SERVER_PORT = port |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
66 |
|
1690
6944b1249f28
fixed issues with not unique emails when using ldap or container auth.
Marcin Kuzminski <marcin@python-works.com>
parents:
1659
diff
changeset
|
67 # USE FOR READ ONLY BIND TO LDAP SERVER |
|
2681
8e10ce55531d
ldap requires only string attributes, fixes #435 ldap-does-not-work-with-non-latin-symbols
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
68 self.LDAP_BIND_DN = safe_str(bind_dn) |
|
8e10ce55531d
ldap requires only string attributes, fixes #435 ldap-does-not-work-with-non-latin-symbols
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
69 self.LDAP_BIND_PASS = safe_str(bind_pass) |
|
2915
f89bb8545a61
LDAP fail-over using multiple server addresses from host field seperated by comma.
Raoul Thill <raoul.thill@gmail.com>
parents:
2681
diff
changeset
|
70 _LDAP_SERVERS = [] |
|
f89bb8545a61
LDAP fail-over using multiple server addresses from host field seperated by comma.
Raoul Thill <raoul.thill@gmail.com>
parents:
2681
diff
changeset
|
71 for host in self.LDAP_SERVER_ADDRESS: |
|
f89bb8545a61
LDAP fail-over using multiple server addresses from host field seperated by comma.
Raoul Thill <raoul.thill@gmail.com>
parents:
2681
diff
changeset
|
72 _LDAP_SERVERS.append("%s://%s:%s" % (ldap_server_type, |
|
f89bb8545a61
LDAP fail-over using multiple server addresses from host field seperated by comma.
Raoul Thill <raoul.thill@gmail.com>
parents:
2681
diff
changeset
|
73 host.replace(' ', ''), |
|
f89bb8545a61
LDAP fail-over using multiple server addresses from host field seperated by comma.
Raoul Thill <raoul.thill@gmail.com>
parents:
2681
diff
changeset
|
74 self.LDAP_SERVER_PORT)) |
|
f89bb8545a61
LDAP fail-over using multiple server addresses from host field seperated by comma.
Raoul Thill <raoul.thill@gmail.com>
parents:
2681
diff
changeset
|
75 self.LDAP_SERVER = str(', '.join(s for s in _LDAP_SERVERS)) |
|
2681
8e10ce55531d
ldap requires only string attributes, fixes #435 ldap-does-not-work-with-non-latin-symbols
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
76 self.BASE_DN = safe_str(base_dn) |
|
8e10ce55531d
ldap requires only string attributes, fixes #435 ldap-does-not-work-with-non-latin-symbols
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
77 self.LDAP_FILTER = safe_str(ldap_filter) |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
78 self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope) |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
79 self.attr_login = attr_login |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
80 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
81 def authenticate_ldap(self, username, password): |
| 1792 | 82 """ |
| 83 Authenticate a user via LDAP and return his/her LDAP properties. | |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1185
diff
changeset
|
84 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
85 Raises AuthenticationError if the credentials are rejected, or |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
86 EnvironmentError if the LDAP server can't be reached. |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1185
diff
changeset
|
87 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
88 :param username: username |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
89 :param password: password |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
90 """ |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
91 |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
92 from rhodecode.lib.helpers import chop_at |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
93 |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
94 uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS) |
|
775
aaf2fc59a39a
fixes #77 and adds extendable base Dn with custom uid specification
Marcin Kuzminski <marcin@python-works.com>
parents:
739
diff
changeset
|
95 |
|
1659
40db9e086773
Reject LDAP authentication requests with blank password. Per RFC4513 these should be treated as anonymous binds. See the Security Considerations (Section 6.3.1) for more details on this issue.
Shawn K. O'Shea <shawn@eth0.net>
parents:
1579
diff
changeset
|
96 if not password: |
| 1792 | 97 log.debug("Attempt to authenticate LDAP user " |
| 98 "with blank password rejected.") | |
|
1659
40db9e086773
Reject LDAP authentication requests with blank password. Per RFC4513 these should be treated as anonymous binds. See the Security Considerations (Section 6.3.1) for more details on this issue.
Shawn K. O'Shea <shawn@eth0.net>
parents:
1579
diff
changeset
|
99 raise LdapPasswordError() |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
100 if "," in username: |
|
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
101 raise LdapUsernameError("invalid character in username: ,") |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
102 try: |
| 1792 | 103 if hasattr(ldap, 'OPT_X_TLS_CACERTDIR'): |
| 104 ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, | |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
105 '/etc/openldap/cacerts') |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
106 ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF) |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
107 ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON) |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
108 ldap.set_option(ldap.OPT_TIMEOUT, 20) |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
109 ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10) |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
110 ldap.set_option(ldap.OPT_TIMELIMIT, 15) |
|
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
111 if self.TLS_KIND != 'PLAIN': |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
112 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT) |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
113 server = ldap.initialize(self.LDAP_SERVER) |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
114 if self.ldap_version == 2: |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
115 server.protocol = ldap.VERSION2 |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
116 else: |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
117 server.protocol = ldap.VERSION3 |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
118 |
|
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
119 if self.TLS_KIND == 'START_TLS': |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
120 server.start_tls_s() |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
121 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
122 if self.LDAP_BIND_DN and self.LDAP_BIND_PASS: |
|
2920
8464d0e96e97
log LDAP_BIND_DN for debugging
Marcin Kuzminski <marcin@python-works.com>
parents:
2915
diff
changeset
|
123 log.debug('Trying simple_bind with password and given DN: %s' |
|
8464d0e96e97
log LDAP_BIND_DN for debugging
Marcin Kuzminski <marcin@python-works.com>
parents:
2915
diff
changeset
|
124 % self.LDAP_BIND_DN) |
|
794
22eca93bea97
fixes a bug with two-pass ldap auth (thanks for TK Soh for that)
Marcin Kuzminski <marcin@python-works.com>
parents:
775
diff
changeset
|
125 server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS) |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
126 |
| 1792 | 127 filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login, |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
128 username) |
| 1792 | 129 log.debug("Authenticating %r filter %s at %s", self.BASE_DN, |
| 130 filter_, self.LDAP_SERVER) | |
| 1170 | 131 lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE, |
| 1792 | 132 filter_) |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
133 |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
134 if not lobjects: |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
135 raise ldap.NO_SUCH_OBJECT() |
|
775
aaf2fc59a39a
fixes #77 and adds extendable base Dn with custom uid specification
Marcin Kuzminski <marcin@python-works.com>
parents:
739
diff
changeset
|
136 |
|
1287
28060f0ac6c6
Fetch entry after successful bind for being able to read its attributes.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1206
diff
changeset
|
137 for (dn, _attrs) in lobjects: |
|
1444
d17aa79768f0
AD fix when search could return empty dn
Marcin Kuzminski <marcin@python-works.com>
parents:
1292
diff
changeset
|
138 if dn is None: |
|
d17aa79768f0
AD fix when search could return empty dn
Marcin Kuzminski <marcin@python-works.com>
parents:
1292
diff
changeset
|
139 continue |
|
d17aa79768f0
AD fix when search could return empty dn
Marcin Kuzminski <marcin@python-works.com>
parents:
1292
diff
changeset
|
140 |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
141 try: |
| 1792 | 142 log.debug('Trying simple bind with %s' % dn) |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
143 server.simple_bind_s(dn, password) |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
144 attrs = server.search_ext_s(dn, ldap.SCOPE_BASE, |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
145 '(objectClass=*)')[0][1] |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
146 break |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
147 |
| 1792 | 148 except ldap.INVALID_CREDENTIALS: |
| 1976 | 149 log.debug( |
| 150 "LDAP rejected password for user '%s' (%s): %s" % ( | |
| 151 uid, username, dn | |
| 152 ) | |
| 153 ) | |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
154 |
|
1185
597bc7077f18
applied patch from issue #138
Marcin Kuzminski <marcin@python-works.com>
parents:
1170
diff
changeset
|
155 else: |
|
597bc7077f18
applied patch from issue #138
Marcin Kuzminski <marcin@python-works.com>
parents:
1170
diff
changeset
|
156 log.debug("No matching LDAP objects for authentication " |
|
597bc7077f18
applied patch from issue #138
Marcin Kuzminski <marcin@python-works.com>
parents:
1170
diff
changeset
|
157 "of '%s' (%s)", uid, username) |
|
597bc7077f18
applied patch from issue #138
Marcin Kuzminski <marcin@python-works.com>
parents:
1170
diff
changeset
|
158 raise LdapPasswordError() |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
159 |
| 1792 | 160 except ldap.NO_SUCH_OBJECT: |
| 1976 | 161 log.debug("LDAP says no such user '%s' (%s)" % (uid, username)) |
|
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
162 raise LdapUsernameError() |
| 1792 | 163 except ldap.SERVER_DOWN: |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
164 raise LdapConnectionError("LDAP can't access " |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
165 "authentication server") |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
166 |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
167 return (dn, attrs) |