Mercurial > kallithea
annotate rhodecode/lib/auth_ldap.py @ 2031:82a88013a3fd
merge 1.3 into stable
| author | Marcin Kuzminski <marcin@python-works.com> |
|---|---|
| date | Sun, 26 Feb 2012 17:25:09 +0200 |
| parents | 95c3e33ef32e a76e9bacbedc |
| children | 63e58ef80ef1 |
| rev | line source |
|---|---|
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
1 # -*- coding: utf-8 -*- |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
2 """ |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
3 rhodecode.controllers.changelog |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
5 |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
6 RhodeCode authentication library for LDAP |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
7 |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
8 :created_on: Created on Nov 17, 2010 |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
9 :author: marcink |
|
1824
89efedac4e6c
2012 copyrights
Marcin Kuzminski <marcin@python-works.com>
parents:
1792
diff
changeset
|
10 :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com> |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
11 :license: GPLv3, see COPYING for more details. |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
12 """ |
|
1206
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
13 # This program is free software: you can redistribute it and/or modify |
|
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
14 # it under the terms of the GNU General Public License as published by |
|
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
15 # the Free Software Foundation, either version 3 of the License, or |
|
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
16 # (at your option) any later version. |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1185
diff
changeset
|
17 # |
|
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
18 # This program is distributed in the hope that it will be useful, |
|
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
19 # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
20 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
21 # GNU General Public License for more details. |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1185
diff
changeset
|
22 # |
|
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
23 # You should have received a copy of the GNU General Public License |
|
1206
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
24 # along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
25 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
26 import logging |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
27 |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
28 from rhodecode.lib.exceptions import LdapConnectionError, LdapUsernameError, \ |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
29 LdapPasswordError |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
30 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
31 log = logging.getLogger(__name__) |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
32 |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
33 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
34 try: |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
35 import ldap |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
36 except ImportError: |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
37 # means that python-ldap is not installed |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
38 pass |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
39 |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
40 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
41 class AuthLdap(object): |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
42 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
43 def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='', |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
44 tls_kind='PLAIN', tls_reqcert='DEMAND', ldap_version=3, |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
45 ldap_filter='(&(objectClass=user)(!(objectClass=computer)))', |
| 1792 | 46 search_scope='SUBTREE', attr_login='uid'): |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
47 self.ldap_version = ldap_version |
|
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
48 ldap_server_type = 'ldap' |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
49 |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
50 self.TLS_KIND = tls_kind |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
51 |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
52 if self.TLS_KIND == 'LDAPS': |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
53 port = port or 689 |
|
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
54 ldap_server_type = ldap_server_type + 's' |
| 1792 | 55 |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
56 OPT_X_TLS_DEMAND = 2 |
| 1792 | 57 self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert, |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
58 OPT_X_TLS_DEMAND) |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
59 self.LDAP_SERVER_ADDRESS = server |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
60 self.LDAP_SERVER_PORT = port |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
61 |
|
1690
6944b1249f28
fixed issues with not unique emails when using ldap or container auth.
Marcin Kuzminski <marcin@python-works.com>
parents:
1659
diff
changeset
|
62 # USE FOR READ ONLY BIND TO LDAP SERVER |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
63 self.LDAP_BIND_DN = bind_dn |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
64 self.LDAP_BIND_PASS = bind_pass |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
65 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
66 self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type, |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
67 self.LDAP_SERVER_ADDRESS, |
|
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
68 self.LDAP_SERVER_PORT) |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
69 |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
70 self.BASE_DN = base_dn |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
71 self.LDAP_FILTER = ldap_filter |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
72 self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope) |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
73 self.attr_login = attr_login |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
74 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
75 def authenticate_ldap(self, username, password): |
| 1792 | 76 """ |
| 77 Authenticate a user via LDAP and return his/her LDAP properties. | |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1185
diff
changeset
|
78 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
79 Raises AuthenticationError if the credentials are rejected, or |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
80 EnvironmentError if the LDAP server can't be reached. |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1185
diff
changeset
|
81 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
82 :param username: username |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
83 :param password: password |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
84 """ |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
85 |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
86 from rhodecode.lib.helpers import chop_at |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
87 |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
88 uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS) |
|
775
aaf2fc59a39a
fixes #77 and adds extendable base Dn with custom uid specification
Marcin Kuzminski <marcin@python-works.com>
parents:
739
diff
changeset
|
89 |
|
1659
40db9e086773
Reject LDAP authentication requests with blank password. Per RFC4513 these should be treated as anonymous binds. See the Security Considerations (Section 6.3.1) for more details on this issue.
Shawn K. O'Shea <shawn@eth0.net>
parents:
1579
diff
changeset
|
90 if not password: |
| 1792 | 91 log.debug("Attempt to authenticate LDAP user " |
| 92 "with blank password rejected.") | |
|
1659
40db9e086773
Reject LDAP authentication requests with blank password. Per RFC4513 these should be treated as anonymous binds. See the Security Considerations (Section 6.3.1) for more details on this issue.
Shawn K. O'Shea <shawn@eth0.net>
parents:
1579
diff
changeset
|
93 raise LdapPasswordError() |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
94 if "," in username: |
|
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
95 raise LdapUsernameError("invalid character in username: ,") |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
96 try: |
| 1792 | 97 if hasattr(ldap, 'OPT_X_TLS_CACERTDIR'): |
| 98 ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, | |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
99 '/etc/openldap/cacerts') |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
100 ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF) |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
101 ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON) |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
102 ldap.set_option(ldap.OPT_TIMEOUT, 20) |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
103 ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10) |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
104 ldap.set_option(ldap.OPT_TIMELIMIT, 15) |
|
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
105 if self.TLS_KIND != 'PLAIN': |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
106 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT) |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
107 server = ldap.initialize(self.LDAP_SERVER) |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
108 if self.ldap_version == 2: |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
109 server.protocol = ldap.VERSION2 |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
110 else: |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
111 server.protocol = ldap.VERSION3 |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
112 |
|
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
113 if self.TLS_KIND == 'START_TLS': |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
114 server.start_tls_s() |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
115 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
116 if self.LDAP_BIND_DN and self.LDAP_BIND_PASS: |
|
794
22eca93bea97
fixes a bug with two-pass ldap auth (thanks for TK Soh for that)
Marcin Kuzminski <marcin@python-works.com>
parents:
775
diff
changeset
|
117 server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS) |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
118 |
| 1792 | 119 filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login, |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
120 username) |
| 1792 | 121 log.debug("Authenticating %r filter %s at %s", self.BASE_DN, |
| 122 filter_, self.LDAP_SERVER) | |
| 1170 | 123 lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE, |
| 1792 | 124 filter_) |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
125 |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
126 if not lobjects: |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
127 raise ldap.NO_SUCH_OBJECT() |
|
775
aaf2fc59a39a
fixes #77 and adds extendable base Dn with custom uid specification
Marcin Kuzminski <marcin@python-works.com>
parents:
739
diff
changeset
|
128 |
|
1287
28060f0ac6c6
Fetch entry after successful bind for being able to read its attributes.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1206
diff
changeset
|
129 for (dn, _attrs) in lobjects: |
|
1444
d17aa79768f0
AD fix when search could return empty dn
Marcin Kuzminski <marcin@python-works.com>
parents:
1292
diff
changeset
|
130 if dn is None: |
|
d17aa79768f0
AD fix when search could return empty dn
Marcin Kuzminski <marcin@python-works.com>
parents:
1292
diff
changeset
|
131 continue |
|
d17aa79768f0
AD fix when search could return empty dn
Marcin Kuzminski <marcin@python-works.com>
parents:
1292
diff
changeset
|
132 |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
133 try: |
| 1792 | 134 log.debug('Trying simple bind with %s' % dn) |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
135 server.simple_bind_s(dn, password) |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
136 attrs = server.search_ext_s(dn, ldap.SCOPE_BASE, |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
137 '(objectClass=*)')[0][1] |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
138 break |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
139 |
| 1792 | 140 except ldap.INVALID_CREDENTIALS: |
| 1976 | 141 log.debug( |
| 142 "LDAP rejected password for user '%s' (%s): %s" % ( | |
| 143 uid, username, dn | |
| 144 ) | |
| 145 ) | |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
146 |
|
1185
597bc7077f18
applied patch from issue #138
Marcin Kuzminski <marcin@python-works.com>
parents:
1170
diff
changeset
|
147 else: |
|
597bc7077f18
applied patch from issue #138
Marcin Kuzminski <marcin@python-works.com>
parents:
1170
diff
changeset
|
148 log.debug("No matching LDAP objects for authentication " |
|
597bc7077f18
applied patch from issue #138
Marcin Kuzminski <marcin@python-works.com>
parents:
1170
diff
changeset
|
149 "of '%s' (%s)", uid, username) |
|
597bc7077f18
applied patch from issue #138
Marcin Kuzminski <marcin@python-works.com>
parents:
1170
diff
changeset
|
150 raise LdapPasswordError() |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
151 |
| 1792 | 152 except ldap.NO_SUCH_OBJECT: |
| 1976 | 153 log.debug("LDAP says no such user '%s' (%s)" % (uid, username)) |
|
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
154 raise LdapUsernameError() |
| 1792 | 155 except ldap.SERVER_DOWN: |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
156 raise LdapConnectionError("LDAP can't access " |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
157 "authentication server") |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
158 |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
159 return (dn, attrs) |