comparison rhodecode/lib/auth_ldap.py @ 701:6602bf1c5546 beta
ldap two phase auth fix
author | Marcin Kuzminski <marcin@python-works.com> |
---|---|
date | Tue, 16 Nov 2010 15:52:20 +0100 |
parents | 07fd56c36bfe |
children | 9e9f1b919c0c |
700:07fd56c36bfe | 701:6602bf1c5546 |
---|---|
23 class UsernameError(Exception):pass | 23 class UsernameError(Exception):pass |
24 class PasswordError(Exception):pass | 24 class PasswordError(Exception):pass |
25 | 25 |
26 LDAP_USE_LDAPS = False | 26 LDAP_USE_LDAPS = False |
27 ldap_server_type = 'ldap' | 27 ldap_server_type = 'ldap' |
28 LDAP_SERVER_ADDRESS = '192.168.2.56' | 28 LDAP_SERVER_ADDRESS = 'myldap.com' |
29 LDAP_SERVER_PORT = '389' | 29 LDAP_SERVER_PORT = '389' |
30 | 30 |
31 #USE FOR READ ONLY BIND TO LDAP SERVER | |
31 LDAP_BIND_DN = '' | 32 LDAP_BIND_DN = '' |
32 LDAP_BIND_PASS = '' | 33 LDAP_BIND_PASS = '' |
33 | 34 |
34 if LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's' | 35 if LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's' |
35 LDAP_SERVER = "%s://%s:%s" % (ldap_server_type, | 36 LDAP_SERVER = "%s://%s:%s" % (ldap_server_type, |
36 LDAP_SERVER_ADDRESS, | 37 LDAP_SERVER_ADDRESS, |
37 LDAP_SERVER_PORT) | 38 LDAP_SERVER_PORT) |
38 | 39 |
39 BASE_DN = "ou=people,dc=server,dc=com" | 40 BASE_DN = "ou=people,dc=server,dc=com" |
41 AUTH_DN = "uid=%s,%s" | |
40 | 42 |
41 def authenticate_ldap(username, password): | 43 def authenticate_ldap(username, password): |
42 """Authenticate a user via LDAP and return his/her LDAP properties. | 44 """Authenticate a user via LDAP and return his/her LDAP properties. |
43 | 45 |
44 Raises AuthenticationError if the credentials are rejected, or | 46 Raises AuthenticationError if the credentials are rejected, or |
50 raise Exception('Could not import ldap make sure You install python-ldap') | 52 raise Exception('Could not import ldap make sure You install python-ldap') |
51 | 53 |
52 from rhodecode.lib.helpers import chop_at | 54 from rhodecode.lib.helpers import chop_at |
53 | 55 |
54 uid = chop_at(username, "@%s" % LDAP_SERVER_ADDRESS) | 56 uid = chop_at(username, "@%s" % LDAP_SERVER_ADDRESS) |
55 dn = "uid=%s,%s" % (uid, BASE_DN) | 57 dn = AUTH_DN % (uid, BASE_DN) |
56 log.debug("Authenticating %r at %s", dn, LDAP_SERVER) | 58 log.debug("Authenticating %r at %s", dn, LDAP_SERVER) |
57 if "," in username: | 59 if "," in username: |
58 raise UsernameError("invalid character in username: ,") | 60 raise UsernameError("invalid character in username: ,") |
59 try: | 61 try: |
60 #ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/openldap/cacerts') | 62 #ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/openldap/cacerts') |
61 server = ldap.initialize(LDAP_SERVER) | 63 server = ldap.initialize(LDAP_SERVER) |
62 server.protocol = ldap.VERSION3 | 64 server.protocol = ldap.VERSION3 |
65 | |
66 if LDAP_BIND_DN and LDAP_BIND_PASS: | |
67 server.simple_bind_s(AUTH_DN % (LDAP_BIND_DN, | |
68 LDAP_BIND_PASS), | |
69 password) | |
70 | |
63 server.simple_bind_s(dn, password) | 71 server.simple_bind_s(dn, password) |
64 properties = server.search_s(dn, ldap.SCOPE_SUBTREE) | 72 properties = server.search_s(dn, ldap.SCOPE_SUBTREE) |
65 if not properties: | 73 if not properties: |
66 raise ldap.NO_SUCH_OBJECT() | 74 raise ldap.NO_SUCH_OBJECT() |
67 except ldap.NO_SUCH_OBJECT, e: | 75 except ldap.NO_SUCH_OBJECT, e: |
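Review bot: The read-only bind added at new lines 67–69 passes `AUTH_DN % (LDAP_BIND_DN, LDAP_BIND_PASS)` as the bind DN and the end user's `password` as the credential, so the service-account password is spliced into the DN as `uid=<bind dn>,<bind pass>` and sent to the server as a name while `LDAP_BIND_PASS` is never used as a password; the call should read `server.simple_bind_s(LDAP_BIND_DN, LDAP_BIND_PASS)`. Even with that fixed, nothing happens between this bind and the user bind on line 71 — no search resolves the user's entry — so the first phase presumably was meant to look the user up under `BASE_DN` before binding as them, and as written it is only an extra round trip. Separately, `simple_bind_s(dn, password)` is reached with no check that `password` is non-empty, and many LDAP servers treat an empty password as an anonymous or unauthenticated bind that succeeds; a guard such as `if not password: raise PasswordError("empty password")` before the `try` closes that, reusing the existing exception class. The `try`/`except` body of `authenticate_ldap` continues past the visible lines.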