ldap: changed plugin to help with debugging and error handling....
marcink -
r4303:5bc0438b default
@@ -69,6 +69,12 b' class LdapAuthnResource(AuthnPluginResou'
69 69 class AuthLdap(AuthLdapBase):
70 70 default_tls_cert_dir = '/etc/openldap/cacerts'
71 71
72 scope_labels = {
73 ldap.SCOPE_BASE: 'SCOPE_BASE',
74 ldap.SCOPE_ONELEVEL: 'SCOPE_ONELEVEL',
75 ldap.SCOPE_SUBTREE: 'SCOPE_SUBTREE',
76 }
77
72 78 def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
73 79 tls_kind='PLAIN', tls_reqcert='DEMAND', tls_cert_file=None,
74 80 tls_cert_dir=None, ldap_version=3,
@@ -148,19 +154,27 b' class AuthLdap(AuthLdapBase):'
148 154 log.debug('simple_bind successful')
149 155 return ldap_conn
150 156
151 def fetch_attrs_from_simple_bind(self, server, dn, username, password):
157 def fetch_attrs_from_simple_bind(self, ldap_conn, dn, username, password):
158 scope = ldap.SCOPE_BASE
159 scope_label = self.scope_labels.get(scope)
160 ldap_filter = '(objectClass=*)'
161
152 162 try:
153 log.debug('Trying simple bind with %r', dn)
154 server.simple_bind_s(dn, safe_str(password))
155 _dn, attrs = server.search_ext_s(
156 dn, ldap.SCOPE_BASE, '(objectClass=*)', )[0]
163 log.debug('Trying authenticated search bind with dn: %r SCOPE: %s (and filter: %s)',
164 dn, scope_label, ldap_filter)
165 ldap_conn.simple_bind_s(dn, safe_str(password))
166 response = ldap_conn.search_ext_s(dn, scope, ldap_filter, attrlist=['*', '+'])
157 167
158 return attrs
168 if not response:
169 log.error('search bind returned empty results: %r', response)
170 return {}
171 else:
172 _dn, attrs = response[0]
173 return attrs
159 174
160 175 except ldap.INVALID_CREDENTIALS:
161 log.debug(
162 "LDAP rejected password for user '%s': %s, org_exc:",
163 username, dn, exc_info=True)
176 log.debug("LDAP rejected password for user '%s': %s, org_exc:",
177 username, dn, exc_info=True)
164 178
165 179 def authenticate_ldap(self, username, password):
166 180 """
@@ -179,35 +193,38 b' class AuthLdap(AuthLdapBase):'
179 193
180 194 self.validate_password(username, password)
181 195 self.validate_username(username)
196 scope_label = self.scope_labels.get(self.SEARCH_SCOPE)
182 197
183 198 ldap_conn = None
184 199 try:
185 200 ldap_conn = self._get_ldap_conn()
186 201 filter_ = '(&%s(%s=%s))' % (
187 202 self.LDAP_FILTER, self.attr_login, username)
188 log.debug("Authenticating %r filter %s", self.BASE_DN, filter_)
203 log.debug("Authenticating %r filter %s and scope: %s",
204 self.BASE_DN, filter_, scope_label)
189 205
190 lobjects = ldap_conn.search_ext_s(
191 self.BASE_DN, self.SEARCH_SCOPE, filter_)
206 ldap_objects = ldap_conn.search_ext_s(
207 self.BASE_DN, self.SEARCH_SCOPE, filter_, attrlist=['*', '+'])
192 208
193 if not lobjects:
209 if not ldap_objects:
194 210 log.debug("No matching LDAP objects for authentication "
195 211 "of UID:'%s' username:(%s)", uid, username)
196 212 raise ldap.NO_SUCH_OBJECT()
197 213
198 log.debug('Found matching ldap object, trying to authenticate')
199 for (dn, _attrs) in lobjects:
214 log.debug('Found %s matching ldap object[s], trying to authenticate on each one now...', len(ldap_objects))
215 for (dn, _attrs) in ldap_objects:
200 216 if dn is None:
201 217 continue
202 218
203 219 user_attrs = self.fetch_attrs_from_simple_bind(
204 220 ldap_conn, dn, username, password)
221
205 222 if user_attrs:
223 log.debug('Got authenticated user attributes from DN:%s', dn)
206 224 break
207 225 else:
208 226 raise LdapPasswordError(
209 'Failed to authenticate user `{}` '
210 'with given password'.format(username))
227 'Failed to authenticate user `{}` with given password'.format(username))
211 228
212 229 except ldap.NO_SUCH_OBJECT:
213 230 log.debug("LDAP says no such user '%s' (%s), org_exc:",
@@ -216,8 +233,7 b' class AuthLdap(AuthLdapBase):'
216 233 except ldap.SERVER_DOWN:
217 234 org_exc = traceback.format_exc()
218 235 raise LdapConnectionError(
219 "LDAP can't access authentication "
220 "server, org_exc:%s" % org_exc)
236 "LDAP can't access authentication server, org_exc:%s" % org_exc)
221 237 finally:
222 238 if ldap_conn:
223 239 log.debug('ldap: connection release')
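Review bot: The empty-result branch added to fetch_attrs_from_simple_bind returns `{}` after a simple_bind_s that actually succeeded, and the caller's `if user_attrs:` in authenticate_ldap cannot tell that apart from the implicit `None` of the INVALID_CREDENTIALS path, so a user whose password is correct but who cannot read their own entry is reported as `Failed to authenticate user ... with given password` and the log line only prints the empty list. At minimum the error should name the entry and the consequence, `log.error('search bind on dn %r succeeded but returned no attributes; treating as authentication failure', dn)`, and ideally the caller would distinguish this case from a rejected password instead of raising LdapPasswordError. Unchanged context in the same hunk still interpolates the raw username into `filter_` with `%s`; unless validate_username (not visible here) already rejects filter metacharacters, the login attribute value should be passed through `ldap.filter.escape_filter_chars(username)` to rule out LDAP filter injection. The body of authenticate_ldap continues past the end of the hunk.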