diff rhodecode/lib/auth.py @ 705:9e9f1b919c0c beta

implements #60, ldap configuration and authentication. fixes settings to use settings Model
author Marcin Kuzminski <marcin@python-works.com>
date Wed, 17 Nov 2010 22:00:36 +0100
parents 52da7cba88a6
children 1bb0fcdec895
--- a/rhodecode/lib/auth.py	Wed Nov 17 21:29:02 2010 +0100
+++ b/rhodecode/lib/auth.py	Wed Nov 17 22:00:36 2010 +0100
@@ -25,6 +25,7 @@
 from pylons import config, session, url, request
 from pylons.controllers.util import abort, redirect
 from rhodecode.lib.utils import get_repo_slug
+from rhodecode.lib.auth_ldap import AuthLdap, UsernameError, PasswordError
 from rhodecode.model import meta
 from rhodecode.model.user import UserModel
 from rhodecode.model.caching_query import FromCache
@@ -34,6 +35,7 @@
 from decorator import decorator
 import logging
 import random
+import traceback
 
 log = logging.getLogger(__name__)
 
@@ -74,17 +76,18 @@
 
 def authfunc(environ, username, password):
     """
-    Authentication function used in Mercurial/Git/ and access controll,
+    Authentication function used in Mercurial/Git/ and access control,
     firstly checks for db authentication then if ldap is enabled for ldap
-    authentication
+    authentication, also creates ldap user if not in database
+    
     :param environ: needed only for using in Basic auth, can be None
     :param username: username
     :param password: password
     """
+    user_model = UserModel()
+    user = user_model.get_by_username(username, cache=False)
 
-    user = UserModel().get_by_username(username, cache=False)
-
-    if user:
+    if user is not None and user.is_ldap is False:
         if user.active:
 
             if user.username == 'default' and user.active:
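Review bot: The new gate `if user is not None and user.is_ldap is False:` routes every LDAP-backed account into the `else:` branch of the next hunk, so the `user.active` check and the "user %s is disabled" log on the database path are never reached for an LDAP user; as far as this diff shows, a deactivated LDAP account still authenticates whenever `ldap_active` is set (unless `authenticate_ldap` or `create_ldap` enforce it, which is not visible here). The active flag should be enforced before the backend is chosen, e.g. insert ahead of this line `if user is not None and not user.active:` / `    log.error('user %s is disabled', username)` / `    return False`. The same defect applies to the LDAP fallback branch in the following hunk, which contains no active check of its own. authfunc continues past the end of this hunk.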
@@ -97,6 +100,40 @@
         else:
             log.error('user %s is disabled', username)
 
+
+    else:
+        from rhodecode.model.settings import SettingsModel
+        ldap_settings = SettingsModel().get_ldap_settings()
+
+        #======================================================================
+        # FALLBACK TO LDAP AUTH IN ENABLE                
+        #======================================================================
+        if ldap_settings.get('ldap_active', False):
+            kwargs = {
+                  'server':ldap_settings.get('ldap_host', ''),
+                  'base_dn':ldap_settings.get('ldap_base_dn', ''),
+                  'port':ldap_settings.get('ldap_port'),
+                  'bind_dn':ldap_settings.get('ldap_dn_user'),
+                  'bind_pass':ldap_settings.get('ldap_dn_pass'),
+                  'use_ldaps':ldap_settings.get('ldap_ldaps'),
+                  'ldap_version':3,
+                  }
+            log.debug('Checking for ldap authentication')
+            try:
+                aldap = AuthLdap(**kwargs)
+                res = aldap.authenticate_ldap(username, password)
+
+                authenticated = res[1]['uid'][0] == username
+
+                if authenticated and user_model.create_ldap(username, password):
+                    log.info('created new ldap user')
+
+                return authenticated
+            except (UsernameError, PasswordError):
+                return False
+            except:
+                log.error(traceback.format_exc())
+                return False
     return False
 
 class  AuthUser(object):
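Review bot: The bare `except:` after the LDAP call catches everything including SystemExit and KeyboardInterrupt, and it also silently absorbs a KeyError/IndexError from `res[1]['uid'][0]` when the returned entry has no `uid` attribute, so a misconfigured attribute name shows up only as a traceback in the error log rather than a clear failure. Narrow it and use the logging helper: `except Exception:` / `    log.exception('ldap authentication failed for user %s', username)` / `    return False`, and consider guarding the attribute lookup explicitly (`'uid' in res[1]`) before comparing. Whether `uid` is the right attribute for the target directory cannot be told from this diff; a comment naming that assumption would help the next maintainer. The banner comment `# FALLBACK TO LDAP AUTH IN ENABLE` reads as a typo for `# FALLBACK TO LDAP AUTH IF ENABLED`.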