Mercurial > kallithea
view rhodecode/lib/auth_ldap.py @ 709:a23b686fb14d beta
bugfix for application name
author | Marcin Kuzminski <marcin@python-works.com> |
---|---|
date | Thu, 18 Nov 2010 02:25:12 +0100 |
parents | 9e9f1b919c0c |
children | 1bb0fcdec895 |
line wrap: on
line source
#============================================================================== # LDAP #Name = Just a description for the auth modes page #Host = DepartmentName.OrganizationName.local/ IP #Port = 389 default for ldap #LDAPS = no set True if You need to use ldaps #Account = DepartmentName\UserName (or UserName@MyDomain depending on AD server) #Password = <password> #Base DN = DC=DepartmentName,DC=OrganizationName,DC=local #============================================================================== from rhodecode.lib.exceptions import LdapImportError, UsernameError, \ PasswordError, ConnectionError import logging log = logging.getLogger(__name__) try: import ldap except ImportError: pass class AuthLdap(object): def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='', use_ldaps=False, ldap_version=3): self.ldap_version = ldap_version if use_ldaps: port = port or 689 self.LDAP_USE_LDAPS = use_ldaps self.LDAP_SERVER_ADDRESS = server self.LDAP_SERVER_PORT = port #USE FOR READ ONLY BIND TO LDAP SERVER self.LDAP_BIND_DN = bind_dn self.LDAP_BIND_PASS = bind_pass ldap_server_type = 'ldap' if self.LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's' self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type, self.LDAP_SERVER_ADDRESS, self.LDAP_SERVER_PORT) self.BASE_DN = base_dn self.AUTH_DN = "uid=%s,%s" def authenticate_ldap(self, username, password): """Authenticate a user via LDAP and return his/her LDAP properties. Raises AuthenticationError if the credentials are rejected, or EnvironmentError if the LDAP server can't be reached. :param username: username :param password: password """ from rhodecode.lib.helpers import chop_at uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS) dn = self.AUTH_DN % (uid, self.BASE_DN) log.debug("Authenticating %r at %s", dn, self.LDAP_SERVER) if "," in username: raise UsernameError("invalid character in username: ,") try: ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/openldap/cacerts') ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10) server = ldap.initialize(self.LDAP_SERVER) if self.ldap_version == 2: server.protocol = ldap.VERSION2 else: server.protocol = ldap.VERSION3 if self.LDAP_BIND_DN and self.LDAP_BIND_PASS: server.simple_bind_s(self.AUTH_DN % (self.LDAP_BIND_DN, self.BASE_DN), self.LDAP_BIND_PASS) server.simple_bind_s(dn, password) properties = server.search_s(dn, ldap.SCOPE_SUBTREE) if not properties: raise ldap.NO_SUCH_OBJECT() except ldap.NO_SUCH_OBJECT, e: log.debug("LDAP says no such user '%s' (%s)", uid, username) raise UsernameError() except ldap.INVALID_CREDENTIALS, e: log.debug("LDAP rejected password for user '%s' (%s)", uid, username) raise PasswordError() except ldap.SERVER_DOWN, e: raise ConnectionError("LDAP can't access authentication server") return properties[0]