Mercurial > kallithea

view rhodecode/lib/auth_ldap.py @ 1217:a3b2b4b4e440

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
fixes for issue #149
author Marcin Kuzminski <marcin@python-works.com>
date Tue, 05 Apr 2011 18:04:06 +0200
parents 93b980ebee55
children bf263968da47
line wrap: on
line source

#!/usr/bin/env python
# encoding: utf-8
# ldap authentication lib
# Copyright (C) 2009-2011 Marcin Kuzminski <marcin@python-works.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
"""
Created on Nov 17, 2010

@author: marcink
"""

from rhodecode.lib.exceptions import *
import logging

log = logging.getLogger(__name__)

try:
    import ldap
except ImportError:
    pass

class AuthLdap(object):

    def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
                 use_ldaps=False, ldap_version=3):
        self.ldap_version = ldap_version
        if use_ldaps:
            port = port or 689
        self.LDAP_USE_LDAPS = use_ldaps
        self.LDAP_SERVER_ADDRESS = server
        self.LDAP_SERVER_PORT = port

        #USE FOR READ ONLY BIND TO LDAP SERVER
        self.LDAP_BIND_DN = bind_dn
        self.LDAP_BIND_PASS = bind_pass

        ldap_server_type = 'ldap'
        if self.LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's'
        self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type,
                                               self.LDAP_SERVER_ADDRESS,
                                               self.LDAP_SERVER_PORT)

        self.BASE_DN = base_dn

    def authenticate_ldap(self, username, password):
        """Authenticate a user via LDAP and return his/her LDAP properties.
    
        Raises AuthenticationError if the credentials are rejected, or
        EnvironmentError if the LDAP server can't be reached.
        
        :param username: username
        :param password: password
        """

        from rhodecode.lib.helpers import chop_at

        uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS)

        if "," in username:
            raise LdapUsernameError("invalid character in username: ,")
        try:
            ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/etc/openldap/cacerts')
            ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
            server = ldap.initialize(self.LDAP_SERVER)
            if self.ldap_version == 2:
                server.protocol = ldap.VERSION2
            else:
                server.protocol = ldap.VERSION3

            if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
                server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)

            dn = self.BASE_DN % {'user':uid}
            log.debug("Authenticating %r at %s", dn, self.LDAP_SERVER)
            server.simple_bind_s(dn, password)

            properties = server.search_s(dn, ldap.SCOPE_SUBTREE)
            if not properties:
                raise ldap.NO_SUCH_OBJECT()
        except ldap.NO_SUCH_OBJECT, e:
            log.debug("LDAP says no such user '%s' (%s)", uid, username)
            raise LdapUsernameError()
        except ldap.INVALID_CREDENTIALS, e:
            log.debug("LDAP rejected password for user '%s' (%s)", uid, username)
            raise LdapPasswordError()
        except ldap.SERVER_DOWN, e:
            raise LdapConnectionError("LDAP can't access authentication server")

        return properties[0]