Mercurial > kallithea
annotate rhodecode/lib/auth_ldap.py @ 2920:8464d0e96e97 beta
log LDAP_BIND_DN for debugging
| author | Marcin Kuzminski <marcin@python-works.com> |
|---|---|
| date | Thu, 11 Oct 2012 22:11:00 +0200 |
| parents | f89bb8545a61 |
| children | a5f0bc867edc 1ec67ddcaffe |
| rev | line source |
|---|---|
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
1 # -*- coding: utf-8 -*- |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
2 """ |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
3 rhodecode.controllers.changelog |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
5 |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
6 RhodeCode authentication library for LDAP |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
7 |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
8 :created_on: Created on Nov 17, 2010 |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
9 :author: marcink |
|
1824
89efedac4e6c
2012 copyrights
Marcin Kuzminski <marcin@python-works.com>
parents:
1792
diff
changeset
|
10 :copyright: (C) 2010-2012 Marcin Kuzminski <marcin@python-works.com> |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
11 :license: GPLv3, see COPYING for more details. |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
12 """ |
|
1206
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
13 # This program is free software: you can redistribute it and/or modify |
|
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
14 # it under the terms of the GNU General Public License as published by |
|
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
15 # the Free Software Foundation, either version 3 of the License, or |
|
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
16 # (at your option) any later version. |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1185
diff
changeset
|
17 # |
|
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
18 # This program is distributed in the hope that it will be useful, |
|
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
19 # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
20 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
21 # GNU General Public License for more details. |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1185
diff
changeset
|
22 # |
|
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
23 # You should have received a copy of the GNU General Public License |
|
1206
a671db5bdd58
fixed license issue #149
Marcin Kuzminski <marcin@python-works.com>
parents:
1203
diff
changeset
|
24 # along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
25 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
26 import logging |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
27 |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
28 from rhodecode.lib.exceptions import LdapConnectionError, LdapUsernameError, \ |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
29 LdapPasswordError |
|
2681
8e10ce55531d
ldap requires only string attributes, fixes #435 ldap-does-not-work-with-non-latin-symbols
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
30 from rhodecode.lib.utils2 import safe_str |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
31 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
32 log = logging.getLogger(__name__) |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
33 |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
34 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
35 try: |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
36 import ldap |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
37 except ImportError: |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
38 # means that python-ldap is not installed |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
39 pass |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
40 |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
41 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
42 class AuthLdap(object): |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
43 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
44 def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='', |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
45 tls_kind='PLAIN', tls_reqcert='DEMAND', ldap_version=3, |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
46 ldap_filter='(&(objectClass=user)(!(objectClass=computer)))', |
| 1792 | 47 search_scope='SUBTREE', attr_login='uid'): |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
48 self.ldap_version = ldap_version |
|
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
49 ldap_server_type = 'ldap' |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
50 |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
51 self.TLS_KIND = tls_kind |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
52 |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
53 if self.TLS_KIND == 'LDAPS': |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
54 port = port or 689 |
|
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
55 ldap_server_type = ldap_server_type + 's' |
| 1792 | 56 |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
57 OPT_X_TLS_DEMAND = 2 |
| 1792 | 58 self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert, |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
59 OPT_X_TLS_DEMAND) |
|
2915
f89bb8545a61
LDAP fail-over using multiple server addresses from host field seperated by comma.
Raoul Thill <raoul.thill@gmail.com>
parents:
2681
diff
changeset
|
60 # split server into list |
|
f89bb8545a61
LDAP fail-over using multiple server addresses from host field seperated by comma.
Raoul Thill <raoul.thill@gmail.com>
parents:
2681
diff
changeset
|
61 self.LDAP_SERVER_ADDRESS = server.split(',') |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
62 self.LDAP_SERVER_PORT = port |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
63 |
|
1690
6944b1249f28
fixed issues with not unique emails when using ldap or container auth.
Marcin Kuzminski <marcin@python-works.com>
parents:
1659
diff
changeset
|
64 # USE FOR READ ONLY BIND TO LDAP SERVER |
|
2681
8e10ce55531d
ldap requires only string attributes, fixes #435 ldap-does-not-work-with-non-latin-symbols
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
65 self.LDAP_BIND_DN = safe_str(bind_dn) |
|
8e10ce55531d
ldap requires only string attributes, fixes #435 ldap-does-not-work-with-non-latin-symbols
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
66 self.LDAP_BIND_PASS = safe_str(bind_pass) |
|
2915
f89bb8545a61
LDAP fail-over using multiple server addresses from host field seperated by comma.
Raoul Thill <raoul.thill@gmail.com>
parents:
2681
diff
changeset
|
67 _LDAP_SERVERS = [] |
|
f89bb8545a61
LDAP fail-over using multiple server addresses from host field seperated by comma.
Raoul Thill <raoul.thill@gmail.com>
parents:
2681
diff
changeset
|
68 for host in self.LDAP_SERVER_ADDRESS: |
|
f89bb8545a61
LDAP fail-over using multiple server addresses from host field seperated by comma.
Raoul Thill <raoul.thill@gmail.com>
parents:
2681
diff
changeset
|
69 _LDAP_SERVERS.append("%s://%s:%s" % (ldap_server_type, |
|
f89bb8545a61
LDAP fail-over using multiple server addresses from host field seperated by comma.
Raoul Thill <raoul.thill@gmail.com>
parents:
2681
diff
changeset
|
70 host.replace(' ', ''), |
|
f89bb8545a61
LDAP fail-over using multiple server addresses from host field seperated by comma.
Raoul Thill <raoul.thill@gmail.com>
parents:
2681
diff
changeset
|
71 self.LDAP_SERVER_PORT)) |
|
f89bb8545a61
LDAP fail-over using multiple server addresses from host field seperated by comma.
Raoul Thill <raoul.thill@gmail.com>
parents:
2681
diff
changeset
|
72 self.LDAP_SERVER = str(', '.join(s for s in _LDAP_SERVERS)) |
|
2681
8e10ce55531d
ldap requires only string attributes, fixes #435 ldap-does-not-work-with-non-latin-symbols
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
73 self.BASE_DN = safe_str(base_dn) |
|
8e10ce55531d
ldap requires only string attributes, fixes #435 ldap-does-not-work-with-non-latin-symbols
Marcin Kuzminski <marcin@python-works.com>
parents:
1976
diff
changeset
|
74 self.LDAP_FILTER = safe_str(ldap_filter) |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
75 self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope) |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
76 self.attr_login = attr_login |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
77 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
78 def authenticate_ldap(self, username, password): |
| 1792 | 79 """ |
| 80 Authenticate a user via LDAP and return his/her LDAP properties. | |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1185
diff
changeset
|
81 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
82 Raises AuthenticationError if the credentials are rejected, or |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
83 EnvironmentError if the LDAP server can't be reached. |
|
1203
6832ef664673
source code cleanup: remove trailing white space, normalize file endings
Marcin Kuzminski <marcin@python-works.com>
parents:
1185
diff
changeset
|
84 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
85 :param username: username |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
86 :param password: password |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
87 """ |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
88 |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
89 from rhodecode.lib.helpers import chop_at |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
90 |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
91 uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS) |
|
775
aaf2fc59a39a
fixes #77 and adds extendable base Dn with custom uid specification
Marcin Kuzminski <marcin@python-works.com>
parents:
739
diff
changeset
|
92 |
|
1659
40db9e086773
Reject LDAP authentication requests with blank password. Per RFC4513 these should be treated as anonymous binds. See the Security Considerations (Section 6.3.1) for more details on this issue.
Shawn K. O'Shea <shawn@eth0.net>
parents:
1579
diff
changeset
|
93 if not password: |
| 1792 | 94 log.debug("Attempt to authenticate LDAP user " |
| 95 "with blank password rejected.") | |
|
1659
40db9e086773
Reject LDAP authentication requests with blank password. Per RFC4513 these should be treated as anonymous binds. See the Security Considerations (Section 6.3.1) for more details on this issue.
Shawn K. O'Shea <shawn@eth0.net>
parents:
1579
diff
changeset
|
96 raise LdapPasswordError() |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
97 if "," in username: |
|
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
98 raise LdapUsernameError("invalid character in username: ,") |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
99 try: |
| 1792 | 100 if hasattr(ldap, 'OPT_X_TLS_CACERTDIR'): |
| 101 ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, | |
|
1579
9b80fb893e7f
fix for issue #277,
Marcin Kuzminski <marcin@python-works.com>
parents:
1444
diff
changeset
|
102 '/etc/openldap/cacerts') |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
103 ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF) |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
104 ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON) |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
105 ldap.set_option(ldap.OPT_TIMEOUT, 20) |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
106 ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10) |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
107 ldap.set_option(ldap.OPT_TIMELIMIT, 15) |
|
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
108 if self.TLS_KIND != 'PLAIN': |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
109 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT) |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
110 server = ldap.initialize(self.LDAP_SERVER) |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
111 if self.ldap_version == 2: |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
112 server.protocol = ldap.VERSION2 |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
113 else: |
|
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
114 server.protocol = ldap.VERSION3 |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
115 |
|
1290
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
116 if self.TLS_KIND == 'START_TLS': |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
117 server.start_tls_s() |
|
74685a31cc43
Enable start_tls connection encryption.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1287
diff
changeset
|
118 |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
119 if self.LDAP_BIND_DN and self.LDAP_BIND_PASS: |
|
2920
8464d0e96e97
log LDAP_BIND_DN for debugging
Marcin Kuzminski <marcin@python-works.com>
parents:
2915
diff
changeset
|
120 log.debug('Trying simple_bind with password and given DN: %s' |
|
8464d0e96e97
log LDAP_BIND_DN for debugging
Marcin Kuzminski <marcin@python-works.com>
parents:
2915
diff
changeset
|
121 % self.LDAP_BIND_DN) |
|
794
22eca93bea97
fixes a bug with two-pass ldap auth (thanks for TK Soh for that)
Marcin Kuzminski <marcin@python-works.com>
parents:
775
diff
changeset
|
122 server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS) |
|
700
07fd56c36bfe
added basic ldap auth lib
Marcin Kuzminski <marcin@python-works.com>
parents:
diff
changeset
|
123 |
| 1792 | 124 filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login, |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
125 username) |
| 1792 | 126 log.debug("Authenticating %r filter %s at %s", self.BASE_DN, |
| 127 filter_, self.LDAP_SERVER) | |
| 1170 | 128 lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE, |
| 1792 | 129 filter_) |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
130 |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
131 if not lobjects: |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
132 raise ldap.NO_SUCH_OBJECT() |
|
775
aaf2fc59a39a
fixes #77 and adds extendable base Dn with custom uid specification
Marcin Kuzminski <marcin@python-works.com>
parents:
739
diff
changeset
|
133 |
|
1287
28060f0ac6c6
Fetch entry after successful bind for being able to read its attributes.
"Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
parents:
1206
diff
changeset
|
134 for (dn, _attrs) in lobjects: |
|
1444
d17aa79768f0
AD fix when search could return empty dn
Marcin Kuzminski <marcin@python-works.com>
parents:
1292
diff
changeset
|
135 if dn is None: |
|
d17aa79768f0
AD fix when search could return empty dn
Marcin Kuzminski <marcin@python-works.com>
parents:
1292
diff
changeset
|
136 continue |
|
d17aa79768f0
AD fix when search could return empty dn
Marcin Kuzminski <marcin@python-works.com>
parents:
1292
diff
changeset
|
137 |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
138 try: |
| 1792 | 139 log.debug('Trying simple bind with %s' % dn) |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
140 server.simple_bind_s(dn, password) |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
141 attrs = server.search_ext_s(dn, ldap.SCOPE_BASE, |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
142 '(objectClass=*)')[0][1] |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
143 break |
|
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
144 |
| 1792 | 145 except ldap.INVALID_CREDENTIALS: |
| 1976 | 146 log.debug( |
| 147 "LDAP rejected password for user '%s' (%s): %s" % ( | |
| 148 uid, username, dn | |
| 149 ) | |
| 150 ) | |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
151 |
|
1185
597bc7077f18
applied patch from issue #138
Marcin Kuzminski <marcin@python-works.com>
parents:
1170
diff
changeset
|
152 else: |
|
597bc7077f18
applied patch from issue #138
Marcin Kuzminski <marcin@python-works.com>
parents:
1170
diff
changeset
|
153 log.debug("No matching LDAP objects for authentication " |
|
597bc7077f18
applied patch from issue #138
Marcin Kuzminski <marcin@python-works.com>
parents:
1170
diff
changeset
|
154 "of '%s' (%s)", uid, username) |
|
597bc7077f18
applied patch from issue #138
Marcin Kuzminski <marcin@python-works.com>
parents:
1170
diff
changeset
|
155 raise LdapPasswordError() |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
156 |
| 1792 | 157 except ldap.NO_SUCH_OBJECT: |
| 1976 | 158 log.debug("LDAP says no such user '%s' (%s)" % (uid, username)) |
|
713
1bb0fcdec895
fixed #72 show warning on removal when user still is owner of existing repositories
Marcin Kuzminski <marcin@python-works.com>
parents:
705
diff
changeset
|
159 raise LdapUsernameError() |
| 1792 | 160 except ldap.SERVER_DOWN: |
|
1292
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
161 raise LdapConnectionError("LDAP can't access " |
|
c0335c1dee36
added some fixes to LDAP form re-submition, new simples ldap-settings getter.
Marcin Kuzminski <marcin@python-works.com>
parents:
1290
diff
changeset
|
162 "authentication server") |
|
705
9e9f1b919c0c
implements #60, ldap configuration and authentication.
Marcin Kuzminski <marcin@python-works.com>
parents:
701
diff
changeset
|
163 |
|
991
b232a36cc51f
Improve LDAP authentication
Thayne Harbaugh <thayne@fusionio.com>
parents:
902
diff
changeset
|
164 return (dn, attrs) |