rhodecode-enterprise-ce Commit - r4303:5bc0438b

1

# -*- coding: utf-8 -*-

1

# -*- coding: utf-8 -*-

2

3

4

#

4

#

5

# This program is free software: you can redistribute it and/or modify

5

# This program is free software: you can redistribute it and/or modify

6

# it under the terms of the GNU Affero General Public License, version 3

6

# it under the terms of the GNU Affero General Public License, version 3

7

# (only), as published by the Free Software Foundation.

7

# (only), as published by the Free Software Foundation.

8

#

8

#

9

# This program is distributed in the hope that it will be useful,

9

# This program is distributed in the hope that it will be useful,

10

# but WITHOUT ANY WARRANTY; without even the implied warranty of

10

# but WITHOUT ANY WARRANTY; without even the implied warranty of

11

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

11

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

12

# GNU General Public License for more details.

12

# GNU General Public License for more details.

13

#

13

#

14

# You should have received a copy of the GNU Affero General Public License

14

# You should have received a copy of the GNU Affero General Public License

15

# along with this program. If not, see <http://www.gnu.org/licenses/>.

15

# along with this program. If not, see <http://www.gnu.org/licenses/>.

16

#

16

#

17

# This program is dual-licensed. If you wish to learn more about the

17

# This program is dual-licensed. If you wish to learn more about the

18

# RhodeCode Enterprise Edition, including its added features, Support services,

18

# RhodeCode Enterprise Edition, including its added features, Support services,

19

# and proprietary license terms, please see https://rhodecode.com/licenses/

19

# and proprietary license terms, please see https://rhodecode.com/licenses/

20

21

"""

21

"""

22

RhodeCode authentication plugin for LDAP

22

RhodeCode authentication plugin for LDAP

23

"""

23

"""

24

25

import logging

25

import logging

26

import traceback

26

import traceback

27

28

import colander

28

import colander

29

from rhodecode.translation import _

29

from rhodecode.translation import _

30

from rhodecode.authentication.base import (

30

from rhodecode.authentication.base import (

31

RhodeCodeExternalAuthPlugin, AuthLdapBase, hybrid_property)

31

RhodeCodeExternalAuthPlugin, AuthLdapBase, hybrid_property)

32

from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase

32

from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase

33

from rhodecode.authentication.routes import AuthnPluginResourceBase

33

from rhodecode.authentication.routes import AuthnPluginResourceBase

34

from rhodecode.lib.colander_utils import strip_whitespace

34

from rhodecode.lib.colander_utils import strip_whitespace

35

from rhodecode.lib.exceptions import (

35

from rhodecode.lib.exceptions import (

36

LdapConnectionError, LdapUsernameError, LdapPasswordError, LdapImportError

36

LdapConnectionError, LdapUsernameError, LdapPasswordError, LdapImportError

37

)

37

)

38

from rhodecode.lib.utils2 import safe_unicode, safe_str

38

from rhodecode.lib.utils2 import safe_unicode, safe_str

39

from rhodecode.model.db import User

39

from rhodecode.model.db import User

40

from rhodecode.model.validators import Missing

40

from rhodecode.model.validators import Missing

41

42

log = logging.getLogger(__name__)

42

log = logging.getLogger(__name__)

43

44

try:

44

try:

45

import ldap

45

import ldap

46

except ImportError:

46

except ImportError:

47

# means that python-ldap is not installed, we use Missing object to mark

47

# means that python-ldap is not installed, we use Missing object to mark

48

# ldap lib is Missing

48

# ldap lib is Missing

49

ldap = Missing

49

ldap = Missing

50

51

52

class LdapError(Exception):

52

class LdapError(Exception):

53

pass

53

pass

54

55

56

def plugin_factory(plugin_id, *args, **kwargs):

56

def plugin_factory(plugin_id, *args, **kwargs):

57

"""

57

"""

58

Factory function that is called during plugin discovery.

58

Factory function that is called during plugin discovery.

59

It returns the plugin instance.

59

It returns the plugin instance.

60

"""

60

"""

61

plugin = RhodeCodeAuthPlugin(plugin_id)

61

plugin = RhodeCodeAuthPlugin(plugin_id)

62

return plugin

62

return plugin

63

64

65

class LdapAuthnResource(AuthnPluginResourceBase):

65

class LdapAuthnResource(AuthnPluginResourceBase):

66

pass

66

pass

67

68

69

class AuthLdap(AuthLdapBase):

69

class AuthLdap(AuthLdapBase):

70

default_tls_cert_dir = '/etc/openldap/cacerts'

70

default_tls_cert_dir = '/etc/openldap/cacerts'

71

72

scope_labels = {

73

ldap.SCOPE_BASE: 'SCOPE_BASE',

74

ldap.SCOPE_ONELEVEL: 'SCOPE_ONELEVEL',

75

ldap.SCOPE_SUBTREE: 'SCOPE_SUBTREE',

76

}

77

72

def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',

78

def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',

73

tls_kind='PLAIN', tls_reqcert='DEMAND', tls_cert_file=None,

79

tls_kind='PLAIN', tls_reqcert='DEMAND', tls_cert_file=None,

74

tls_cert_dir=None, ldap_version=3,

80

tls_cert_dir=None, ldap_version=3,

75

search_scope='SUBTREE', attr_login='uid',

81

search_scope='SUBTREE', attr_login='uid',

76

ldap_filter='', timeout=None):

82

ldap_filter='', timeout=None):

77

if ldap == Missing:

83

if ldap == Missing:

78

raise LdapImportError("Missing or incompatible ldap library")

84

raise LdapImportError("Missing or incompatible ldap library")

79

85

80

self.debug = False

86

self.debug = False

81

self.timeout = timeout or 60 * 5

87

self.timeout = timeout or 60 * 5

82

self.ldap_version = ldap_version

88

self.ldap_version = ldap_version

83

self.ldap_server_type = 'ldap'

89

self.ldap_server_type = 'ldap'

84

90

85

self.TLS_KIND = tls_kind

91

self.TLS_KIND = tls_kind

86

92

87

if self.TLS_KIND == 'LDAPS':

93

if self.TLS_KIND == 'LDAPS':

88

port = port or 636

94

port = port or 636

89

self.ldap_server_type += 's'

95

self.ldap_server_type += 's'

90

96

91

OPT_X_TLS_DEMAND = 2

97

OPT_X_TLS_DEMAND = 2

92

self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert, OPT_X_TLS_DEMAND)

98

self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert, OPT_X_TLS_DEMAND)

93

self.TLS_CERT_FILE = tls_cert_file or ''

99

self.TLS_CERT_FILE = tls_cert_file or ''

94

self.TLS_CERT_DIR = tls_cert_dir or self.default_tls_cert_dir

100

self.TLS_CERT_DIR = tls_cert_dir or self.default_tls_cert_dir

95

101

96

# split server into list

102

# split server into list

97

self.SERVER_ADDRESSES = self._get_server_list(server)

103

self.SERVER_ADDRESSES = self._get_server_list(server)

98

self.LDAP_SERVER_PORT = port

104

self.LDAP_SERVER_PORT = port

99

105

100

# USE FOR READ ONLY BIND TO LDAP SERVER

106

# USE FOR READ ONLY BIND TO LDAP SERVER

101

self.attr_login = attr_login

107

self.attr_login = attr_login

102

108

103

self.LDAP_BIND_DN = safe_str(bind_dn)

109

self.LDAP_BIND_DN = safe_str(bind_dn)

104

self.LDAP_BIND_PASS = safe_str(bind_pass)

110

self.LDAP_BIND_PASS = safe_str(bind_pass)

105

111

106

self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope)

112

self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope)

107

self.BASE_DN = safe_str(base_dn)

113

self.BASE_DN = safe_str(base_dn)

108

self.LDAP_FILTER = safe_str(ldap_filter)

114

self.LDAP_FILTER = safe_str(ldap_filter)

109

115

110

def _get_ldap_conn(self):

116

def _get_ldap_conn(self):

111

117

112

if self.debug:

118

if self.debug:

113

ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)

119

ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)

114

120

115

if self.TLS_CERT_FILE and hasattr(ldap, 'OPT_X_TLS_CACERTFILE'):

121

if self.TLS_CERT_FILE and hasattr(ldap, 'OPT_X_TLS_CACERTFILE'):

116

ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.TLS_CERT_FILE)

122

ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.TLS_CERT_FILE)

117

123

118

elif hasattr(ldap, 'OPT_X_TLS_CACERTDIR'):

124

elif hasattr(ldap, 'OPT_X_TLS_CACERTDIR'):

119

ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self.TLS_CERT_DIR)

125

ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self.TLS_CERT_DIR)

120

126

121

if self.TLS_KIND != 'PLAIN':

127

if self.TLS_KIND != 'PLAIN':

122

ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)

128

ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)

123

129

124

ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)

130

ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)

125

ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)

131

ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)

126

132

127

# init connection now

133

# init connection now

128

ldap_servers = self._build_servers(

134

ldap_servers = self._build_servers(

129

self.ldap_server_type, self.SERVER_ADDRESSES, self.LDAP_SERVER_PORT)

135

self.ldap_server_type, self.SERVER_ADDRESSES, self.LDAP_SERVER_PORT)

130

log.debug('initializing LDAP connection to:%s', ldap_servers)

136

log.debug('initializing LDAP connection to:%s', ldap_servers)

131

ldap_conn = ldap.initialize(ldap_servers)

137

ldap_conn = ldap.initialize(ldap_servers)

132

ldap_conn.set_option(ldap.OPT_NETWORK_TIMEOUT, self.timeout)

138

ldap_conn.set_option(ldap.OPT_NETWORK_TIMEOUT, self.timeout)

133

ldap_conn.set_option(ldap.OPT_TIMEOUT, self.timeout)

139

ldap_conn.set_option(ldap.OPT_TIMEOUT, self.timeout)

134

ldap_conn.timeout = self.timeout

140

ldap_conn.timeout = self.timeout

135

141

136

if self.ldap_version == 2:

142

if self.ldap_version == 2:

137

ldap_conn.protocol = ldap.VERSION2

143

ldap_conn.protocol = ldap.VERSION2

138

else:

144

else:

139

ldap_conn.protocol = ldap.VERSION3

145

ldap_conn.protocol = ldap.VERSION3

140

146

141

if self.TLS_KIND == 'START_TLS':

147

if self.TLS_KIND == 'START_TLS':

142

ldap_conn.start_tls_s()

148

ldap_conn.start_tls_s()

143

149

144

if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:

150

if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:

145

log.debug('Trying simple_bind with password and given login DN: %r',

151

log.debug('Trying simple_bind with password and given login DN: %r',

146

self.LDAP_BIND_DN)

152

self.LDAP_BIND_DN)

147

ldap_conn.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)

153

ldap_conn.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)

148

log.debug('simple_bind successful')

154

log.debug('simple_bind successful')

149

return ldap_conn

155

return ldap_conn

150

156

151

def fetch_attrs_from_simple_bind(self, ~~server~~, dn, username, password):

157

def fetch_attrs_from_simple_bind(self, ldap_conn, dn, username, password):

158

scope = ldap.SCOPE_BASE

159

scope_label = self.scope_labels.get(scope)

160

ldap_filter = '(objectClass=*)'

161

152

try:

162

try:

153

log.debug('Trying ~~simple~~ bind with %r', dn)

163

log.debug('Trying authenticated search bind with dn: %r SCOPE: %s (and filter: %s)',

154

server.simple_bind_s(dn, safe_str(password))

164

dn, scope_label, ldap_filter)

155

_dn, attrs = server.search_ext_s(

165

ldap_conn.simple_bind_s(dn, safe_str(password))

156

dn, ldap.SCOPE_BASE, '(objectClass=*)', )[0]

166

response = ldap_conn.search_ext_s(dn, scope, ldap_filter, attrlist=['*', '+'])

157

167

158

~~return~~ ~~attrs~~

168

if not response:

169

log.error('search bind returned empty results: %r', response)

170

return {}

171

else:

172

_dn, attrs = response[0]

173

return attrs

159

174

160

except ldap.INVALID_CREDENTIALS:

175

except ldap.INVALID_CREDENTIALS:

161

log.debug(

176

log.debug("LDAP rejected password for user '%s': %s, org_exc:",

162

"LDAP rejected password for user '%s': %s, org_exc:",

177

username, dn, exc_info=True)

163

username, dn, exc_info=True)

164

178

165

def authenticate_ldap(self, username, password):

179

def authenticate_ldap(self, username, password):

166

"""

180

"""

167

Authenticate a user via LDAP and return his/her LDAP properties.

181

Authenticate a user via LDAP and return his/her LDAP properties.

168

182

169

Raises AuthenticationError if the credentials are rejected, or

183

Raises AuthenticationError if the credentials are rejected, or

170

EnvironmentError if the LDAP server can't be reached.

184

EnvironmentError if the LDAP server can't be reached.

171

185

172

:param username: username

186

:param username: username

173

:param password: password

187

:param password: password

174

"""

188

"""

175

189

176

uid = self.get_uid(username, self.SERVER_ADDRESSES)

190

uid = self.get_uid(username, self.SERVER_ADDRESSES)

177

user_attrs = {}

191

user_attrs = {}

178

dn = ''

192

dn = ''

179

193

180

self.validate_password(username, password)

194

self.validate_password(username, password)

181

self.validate_username(username)

195

self.validate_username(username)

196

scope_label = self.scope_labels.get(self.SEARCH_SCOPE)

182

197

183

ldap_conn = None

198

ldap_conn = None

184

try:

199

try:

185

ldap_conn = self._get_ldap_conn()

200

ldap_conn = self._get_ldap_conn()

186

filter_ = '(&%s(%s=%s))' % (

201

filter_ = '(&%s(%s=%s))' % (

187

self.LDAP_FILTER, self.attr_login, username)

202

self.LDAP_FILTER, self.attr_login, username)

188

log.debug("Authenticating %r filter %s", ~~self~~.~~BASE_DN~~, ~~filter_~~)

203

log.debug("Authenticating %r filter %s and scope: %s",

204

self.BASE_DN, filter_, scope_label)

189

205

190

lobjects = ldap_conn.search_ext_s(

206

ldap_objects = ldap_conn.search_ext_s(

191

self.BASE_DN, self.SEARCH_SCOPE, filter_)

207

self.BASE_DN, self.SEARCH_SCOPE, filter_, attrlist=['*', '+'])

192

208

193

if not lobjects:

209

if not ldap_objects:

194

log.debug("No matching LDAP objects for authentication "

210

log.debug("No matching LDAP objects for authentication "

195

"of UID:'%s' username:(%s)", uid, username)

211

"of UID:'%s' username:(%s)", uid, username)

196

raise ldap.NO_SUCH_OBJECT()

212

raise ldap.NO_SUCH_OBJECT()

197

213

198

log.debug('Found matching ldap object, trying to authenticate')

214

log.debug('Found %s matching ldap object[s], trying to authenticate on each one now...', len(ldap_objects))

199

for (dn, _attrs) in lobjects:

215

for (dn, _attrs) in ldap_objects:

200

if dn is None:

216

if dn is None:

201

continue

217

continue

202

218

203

user_attrs = self.fetch_attrs_from_simple_bind(

219

user_attrs = self.fetch_attrs_from_simple_bind(

204

ldap_conn, dn, username, password)

220

ldap_conn, dn, username, password)

221

205

if user_attrs:

222

if user_attrs:

223

log.debug('Got authenticated user attributes from DN:%s', dn)

206

break

224

break

207

else:

225

else:

208

raise LdapPasswordError(

226

raise LdapPasswordError(

209

'Failed to authenticate user `{}` '

227

'Failed to authenticate user `{}` with given password'.format(username))

210

'with given password'.format(username))

211

228

212

except ldap.NO_SUCH_OBJECT:

229

except ldap.NO_SUCH_OBJECT:

213

log.debug("LDAP says no such user '%s' (%s), org_exc:",

230

log.debug("LDAP says no such user '%s' (%s), org_exc:",

214

uid, username, exc_info=True)

231

uid, username, exc_info=True)

215

raise LdapUsernameError('Unable to find user')

232

raise LdapUsernameError('Unable to find user')

216

except ldap.SERVER_DOWN:

233

except ldap.SERVER_DOWN:

217

org_exc = traceback.format_exc()

234

org_exc = traceback.format_exc()

218

raise LdapConnectionError(

235

raise LdapConnectionError(

219

"LDAP can't access authentication "

236

"LDAP can't access authentication server, org_exc:%s" % org_exc)

220

"server, org_exc:%s" % org_exc)

221

finally:

237

finally:

222

if ldap_conn:

238

if ldap_conn:

223

log.debug('ldap: connection release')

239

log.debug('ldap: connection release')

224

try:

240

try:

225

ldap_conn.unbind_s()

241

ldap_conn.unbind_s()

226

except Exception:

242

except Exception:

227

# for any reason this can raise exception we must catch it

243

# for any reason this can raise exception we must catch it

228

# to not crush the server

244

# to not crush the server

229

pass

245

pass

230

246

231

return dn, user_attrs

247

return dn, user_attrs

232

248

233

249

234

class LdapSettingsSchema(AuthnPluginSettingsSchemaBase):

250

class LdapSettingsSchema(AuthnPluginSettingsSchemaBase):

235

tls_kind_choices = ['PLAIN', 'LDAPS', 'START_TLS']

251

tls_kind_choices = ['PLAIN', 'LDAPS', 'START_TLS']

236

tls_reqcert_choices = ['NEVER', 'ALLOW', 'TRY', 'DEMAND', 'HARD']

252

tls_reqcert_choices = ['NEVER', 'ALLOW', 'TRY', 'DEMAND', 'HARD']

237

search_scope_choices = ['BASE', 'ONELEVEL', 'SUBTREE']

253

search_scope_choices = ['BASE', 'ONELEVEL', 'SUBTREE']

238

254

239

host = colander.SchemaNode(

255

host = colander.SchemaNode(

240

colander.String(),

256

colander.String(),

241

default='',

257

default='',

242

description=_('Host[s] of the LDAP Server \n'

258

description=_('Host[s] of the LDAP Server \n'

243

'(e.g., 192.168.2.154, or ldap-server.domain.com.\n '

259

'(e.g., 192.168.2.154, or ldap-server.domain.com.\n '

244

'Multiple servers can be specified using commas'),

260

'Multiple servers can be specified using commas'),

245

preparer=strip_whitespace,

261

preparer=strip_whitespace,

246

title=_('LDAP Host'),

262

title=_('LDAP Host'),

247

widget='string')

263

widget='string')

248

port = colander.SchemaNode(

264

port = colander.SchemaNode(

249

colander.Int(),

265

colander.Int(),

250

default=389,

266

default=389,

251

description=_('Custom port that the LDAP server is listening on. '

267

description=_('Custom port that the LDAP server is listening on. '

252

'Default value is: 389, use 636 for LDAPS (SSL)'),

268

'Default value is: 389, use 636 for LDAPS (SSL)'),

253

preparer=strip_whitespace,

269

preparer=strip_whitespace,

254

title=_('Port'),

270

title=_('Port'),

255

validator=colander.Range(min=0, max=65536),

271

validator=colander.Range(min=0, max=65536),

256

widget='int')

272

widget='int')

257

273

258

timeout = colander.SchemaNode(

274

timeout = colander.SchemaNode(

259

colander.Int(),

275

colander.Int(),

260

default=60 * 5,

276

default=60 * 5,

261

description=_('Timeout for LDAP connection'),

277

description=_('Timeout for LDAP connection'),

262

preparer=strip_whitespace,

278

preparer=strip_whitespace,

263

title=_('Connection timeout'),

279

title=_('Connection timeout'),

264

validator=colander.Range(min=1),

280

validator=colander.Range(min=1),

265

widget='int')

281

widget='int')

266

282

267

dn_user = colander.SchemaNode(

283

dn_user = colander.SchemaNode(

268

colander.String(),

284

colander.String(),

269

default='',

285

default='',

270

description=_('Optional user DN/account to connect to LDAP if authentication is required. \n'

286

description=_('Optional user DN/account to connect to LDAP if authentication is required. \n'

271

'e.g., cn=admin,dc=mydomain,dc=com, or '

287

'e.g., cn=admin,dc=mydomain,dc=com, or '

272

'uid=root,cn=users,dc=mydomain,dc=com, or admin@mydomain.com'),

288

'uid=root,cn=users,dc=mydomain,dc=com, or admin@mydomain.com'),

273

missing='',

289

missing='',

274

preparer=strip_whitespace,

290

preparer=strip_whitespace,

275

title=_('Bind account'),

291

title=_('Bind account'),

276

widget='string')

292

widget='string')

277

dn_pass = colander.SchemaNode(

293

dn_pass = colander.SchemaNode(

278

colander.String(),

294

colander.String(),

279

default='',

295

default='',

280

description=_('Password to authenticate for given user DN.'),

296

description=_('Password to authenticate for given user DN.'),

281

missing='',

297

missing='',

282

preparer=strip_whitespace,

298

preparer=strip_whitespace,

283

title=_('Bind account password'),

299

title=_('Bind account password'),

284

widget='password')

300

widget='password')

285

tls_kind = colander.SchemaNode(

301

tls_kind = colander.SchemaNode(

286

colander.String(),

302

colander.String(),

287

default=tls_kind_choices[0],

303

default=tls_kind_choices[0],

288

description=_('TLS Type'),

304

description=_('TLS Type'),

289

title=_('Connection Security'),

305

title=_('Connection Security'),

290

validator=colander.OneOf(tls_kind_choices),

306

validator=colander.OneOf(tls_kind_choices),

291

widget='select')

307

widget='select')

292

tls_reqcert = colander.SchemaNode(

308

tls_reqcert = colander.SchemaNode(

293

colander.String(),

309

colander.String(),

294

default=tls_reqcert_choices[0],

310

default=tls_reqcert_choices[0],

295

description=_('Require Cert over TLS?. Self-signed and custom '

311

description=_('Require Cert over TLS?. Self-signed and custom '

296

'certificates can be used when\n `RhodeCode Certificate` '

312

'certificates can be used when\n `RhodeCode Certificate` '

297

'found in admin > settings > system info page is extended.'),

313

'found in admin > settings > system info page is extended.'),

298

title=_('Certificate Checks'),

314

title=_('Certificate Checks'),

299

validator=colander.OneOf(tls_reqcert_choices),

315

validator=colander.OneOf(tls_reqcert_choices),

300

widget='select')

316

widget='select')

301

tls_cert_file = colander.SchemaNode(

317

tls_cert_file = colander.SchemaNode(

302

colander.String(),

318

colander.String(),

303

default='',

319

default='',

304

description=_('This specifies the PEM-format file path containing '

320

description=_('This specifies the PEM-format file path containing '

305

'certificates for use in TLS connection.\n'

321

'certificates for use in TLS connection.\n'

306

'If not specified `TLS Cert dir` will be used'),

322

'If not specified `TLS Cert dir` will be used'),

307

title=_('TLS Cert file'),

323

title=_('TLS Cert file'),

308

missing='',

324

missing='',

309

widget='string')

325

widget='string')

310

tls_cert_dir = colander.SchemaNode(

326

tls_cert_dir = colander.SchemaNode(

311

colander.String(),

327

colander.String(),

312

default=AuthLdap.default_tls_cert_dir,

328

default=AuthLdap.default_tls_cert_dir,

313

description=_('This specifies the path of a directory that contains individual '

329

description=_('This specifies the path of a directory that contains individual '

314

'CA certificates in separate files.'),

330

'CA certificates in separate files.'),

315

title=_('TLS Cert dir'),

331

title=_('TLS Cert dir'),

316

widget='string')

332

widget='string')

317

base_dn = colander.SchemaNode(

333

base_dn = colander.SchemaNode(

318

colander.String(),

334

colander.String(),

319

default='',

335

default='',

320

description=_('Base DN to search. Dynamic bind is supported. Add `$login` marker '

336

description=_('Base DN to search. Dynamic bind is supported. Add `$login` marker '

321

'in it to be replaced with current user username \n'

337

'in it to be replaced with current user username \n'

322

'(e.g., dc=mydomain,dc=com, or ou=Users,dc=mydomain,dc=com)'),

338

'(e.g., dc=mydomain,dc=com, or ou=Users,dc=mydomain,dc=com)'),

323

missing='',

339

missing='',

324

preparer=strip_whitespace,

340

preparer=strip_whitespace,

325

title=_('Base DN'),

341

title=_('Base DN'),

326

widget='string')

342

widget='string')

327

filter = colander.SchemaNode(

343

filter = colander.SchemaNode(

328

colander.String(),

344

colander.String(),

329

default='',

345

default='',

330

description=_('Filter to narrow results \n'

346

description=_('Filter to narrow results \n'

331

'(e.g., (&(objectCategory=Person)(objectClass=user)), or \n'

347

'(e.g., (&(objectCategory=Person)(objectClass=user)), or \n'

332

'(memberof=cn=rc-login,ou=groups,ou=company,dc=mydomain,dc=com)))'),

348

'(memberof=cn=rc-login,ou=groups,ou=company,dc=mydomain,dc=com)))'),

333

missing='',

349

missing='',

334

preparer=strip_whitespace,

350

preparer=strip_whitespace,

335

title=_('LDAP Search Filter'),

351

title=_('LDAP Search Filter'),

336

widget='string')

352

widget='string')

337

353

338

search_scope = colander.SchemaNode(

354

search_scope = colander.SchemaNode(

339

colander.String(),

355

colander.String(),

340

default=search_scope_choices[2],

356

default=search_scope_choices[2],

341

description=_('How deep to search LDAP. If unsure set to SUBTREE'),

357

description=_('How deep to search LDAP. If unsure set to SUBTREE'),

342

title=_('LDAP Search Scope'),

358

title=_('LDAP Search Scope'),

343

validator=colander.OneOf(search_scope_choices),

359

validator=colander.OneOf(search_scope_choices),

344

widget='select')

360

widget='select')

345

attr_login = colander.SchemaNode(

361

attr_login = colander.SchemaNode(

346

colander.String(),

362

colander.String(),

347

default='uid',

363

default='uid',

348

description=_('LDAP Attribute to map to user name (e.g., uid, or sAMAccountName)'),

364

description=_('LDAP Attribute to map to user name (e.g., uid, or sAMAccountName)'),

349

preparer=strip_whitespace,

365

preparer=strip_whitespace,

350

title=_('Login Attribute'),

366

title=_('Login Attribute'),

351

missing_msg=_('The LDAP Login attribute of the CN must be specified'),

367

missing_msg=_('The LDAP Login attribute of the CN must be specified'),

352

widget='string')

368

widget='string')

353

attr_email = colander.SchemaNode(

369

attr_email = colander.SchemaNode(

354

colander.String(),

370

colander.String(),

355

default='',

371

default='',

356

description=_('LDAP Attribute to map to email address (e.g., mail).\n'

372

description=_('LDAP Attribute to map to email address (e.g., mail).\n'

357

'Emails are a crucial part of RhodeCode. \n'

373

'Emails are a crucial part of RhodeCode. \n'

358

'If possible add a valid email attribute to ldap users.'),

374

'If possible add a valid email attribute to ldap users.'),

359

missing='',

375

missing='',

360

preparer=strip_whitespace,

376

preparer=strip_whitespace,

361

title=_('Email Attribute'),

377

title=_('Email Attribute'),

362

widget='string')

378

widget='string')

363

attr_firstname = colander.SchemaNode(

379

attr_firstname = colander.SchemaNode(

364

colander.String(),

380

colander.String(),

365

default='',

381

default='',

366

description=_('LDAP Attribute to map to first name (e.g., givenName)'),

382

description=_('LDAP Attribute to map to first name (e.g., givenName)'),

367

missing='',

383

missing='',

368

preparer=strip_whitespace,

384

preparer=strip_whitespace,

369

title=_('First Name Attribute'),

385

title=_('First Name Attribute'),

370

widget='string')

386

widget='string')

371

attr_lastname = colander.SchemaNode(

387

attr_lastname = colander.SchemaNode(

372

colander.String(),

388

colander.String(),

373

default='',

389

default='',

374

description=_('LDAP Attribute to map to last name (e.g., sn)'),

390

description=_('LDAP Attribute to map to last name (e.g., sn)'),

375

missing='',

391

missing='',

376

preparer=strip_whitespace,

392

preparer=strip_whitespace,

377

title=_('Last Name Attribute'),

393

title=_('Last Name Attribute'),

378

widget='string')

394

widget='string')

379

395

380

396

381

class RhodeCodeAuthPlugin(RhodeCodeExternalAuthPlugin):

397

class RhodeCodeAuthPlugin(RhodeCodeExternalAuthPlugin):

382

uid = 'ldap'

398

uid = 'ldap'

383

# used to define dynamic binding in the

399

# used to define dynamic binding in the

384

DYNAMIC_BIND_VAR = '$login'

400

DYNAMIC_BIND_VAR = '$login'

385

_settings_unsafe_keys = ['dn_pass']

401

_settings_unsafe_keys = ['dn_pass']

386

402

387

def includeme(self, config):

403

def includeme(self, config):

388

config.add_authn_plugin(self)

404

config.add_authn_plugin(self)

389

config.add_authn_resource(self.get_id(), LdapAuthnResource(self))

405

config.add_authn_resource(self.get_id(), LdapAuthnResource(self))

390

config.add_view(

406

config.add_view(

391

'rhodecode.authentication.views.AuthnPluginViewBase',

407

'rhodecode.authentication.views.AuthnPluginViewBase',

392

attr='settings_get',

408

attr='settings_get',

393

renderer='rhodecode:templates/admin/auth/plugin_settings.mako',

409

renderer='rhodecode:templates/admin/auth/plugin_settings.mako',

394

request_method='GET',

410

request_method='GET',

395

route_name='auth_home',

411

route_name='auth_home',

396

context=LdapAuthnResource)

412

context=LdapAuthnResource)

397

config.add_view(

413

config.add_view(

398

'rhodecode.authentication.views.AuthnPluginViewBase',

414

'rhodecode.authentication.views.AuthnPluginViewBase',

399

attr='settings_post',

415

attr='settings_post',

400

renderer='rhodecode:templates/admin/auth/plugin_settings.mako',

416

renderer='rhodecode:templates/admin/auth/plugin_settings.mako',

401

request_method='POST',

417

request_method='POST',

402

route_name='auth_home',

418

route_name='auth_home',

403

context=LdapAuthnResource)

419

context=LdapAuthnResource)

404

420

405

def get_settings_schema(self):

421

def get_settings_schema(self):

406

return LdapSettingsSchema()

422

return LdapSettingsSchema()

407

423

408

def get_display_name(self):

424

def get_display_name(self):

409

return _('LDAP')

425

return _('LDAP')

410

426

411

@classmethod

427

@classmethod

412

def docs(cls):

428

def docs(cls):

413

return "https://docs.rhodecode.com/RhodeCode-Enterprise/auth/auth-ldap.html"

429

return "https://docs.rhodecode.com/RhodeCode-Enterprise/auth/auth-ldap.html"

414

430

415

@hybrid_property

431

@hybrid_property

416

def name(self):

432

def name(self):

417

return u"ldap"

433

return u"ldap"

418

434

419

def use_fake_password(self):

435

def use_fake_password(self):

420

return True

436

return True

421

437

422

def user_activation_state(self):

438

def user_activation_state(self):

423

def_user_perms = User.get_default_user().AuthUser().permissions['global']

439

def_user_perms = User.get_default_user().AuthUser().permissions['global']

424

return 'hg.extern_activate.auto' in def_user_perms

440

return 'hg.extern_activate.auto' in def_user_perms

425

441

426

def try_dynamic_binding(self, username, password, current_args):

442

def try_dynamic_binding(self, username, password, current_args):

427

"""

443

"""

428

Detects marker inside our original bind, and uses dynamic auth if

444

Detects marker inside our original bind, and uses dynamic auth if

429

present

445

present

430

"""

446

"""

431

447

432

org_bind = current_args['bind_dn']

448

org_bind = current_args['bind_dn']

433

passwd = current_args['bind_pass']

449

passwd = current_args['bind_pass']

434

450

435

def has_bind_marker(username):

451

def has_bind_marker(username):

436

if self.DYNAMIC_BIND_VAR in username:

452

if self.DYNAMIC_BIND_VAR in username:

437

return True

453

return True

438

454

439

# we only passed in user with "special" variable

455

# we only passed in user with "special" variable

440

if org_bind and has_bind_marker(org_bind) and not passwd:

456

if org_bind and has_bind_marker(org_bind) and not passwd:

441

log.debug('Using dynamic user/password binding for ldap '

457

log.debug('Using dynamic user/password binding for ldap '

442

'authentication. Replacing `%s` with username',

458

'authentication. Replacing `%s` with username',

443

self.DYNAMIC_BIND_VAR)

459

self.DYNAMIC_BIND_VAR)

444

current_args['bind_dn'] = org_bind.replace(

460

current_args['bind_dn'] = org_bind.replace(

445

self.DYNAMIC_BIND_VAR, username)

461

self.DYNAMIC_BIND_VAR, username)

446

current_args['bind_pass'] = password

462

current_args['bind_pass'] = password

447

463

448

return current_args

464

return current_args

449

465

450

def auth(self, userobj, username, password, settings, **kwargs):

466

def auth(self, userobj, username, password, settings, **kwargs):

451

"""

467

"""

452

Given a user object (which may be null), username, a plaintext password,

468

Given a user object (which may be null), username, a plaintext password,

453

and a settings object (containing all the keys needed as listed in

469

and a settings object (containing all the keys needed as listed in

454

settings()), authenticate this user's login attempt.

470

settings()), authenticate this user's login attempt.

455

471

456

Return None on failure. On success, return a dictionary of the form:

472

Return None on failure. On success, return a dictionary of the form:

457

473

458

see: RhodeCodeAuthPluginBase.auth_func_attrs

474

see: RhodeCodeAuthPluginBase.auth_func_attrs

459

This is later validated for correctness

475

This is later validated for correctness

460

"""

476

"""

461

477

462

if not username or not password:

478

if not username or not password:

463

log.debug('Empty username or password skipping...')

479

log.debug('Empty username or password skipping...')

464

return None

480

return None

465

481

466

ldap_args = {

482

ldap_args = {

467

'server': settings.get('host', ''),

483

'server': settings.get('host', ''),

468

'base_dn': settings.get('base_dn', ''),

484

'base_dn': settings.get('base_dn', ''),

469

'port': settings.get('port'),

485

'port': settings.get('port'),

470

'bind_dn': settings.get('dn_user'),

486

'bind_dn': settings.get('dn_user'),

471

'bind_pass': settings.get('dn_pass'),

487

'bind_pass': settings.get('dn_pass'),

472

'tls_kind': settings.get('tls_kind'),

488

'tls_kind': settings.get('tls_kind'),

473

'tls_reqcert': settings.get('tls_reqcert'),

489

'tls_reqcert': settings.get('tls_reqcert'),

474

'tls_cert_file': settings.get('tls_cert_file'),

490

'tls_cert_file': settings.get('tls_cert_file'),

475

'tls_cert_dir': settings.get('tls_cert_dir'),

491

'tls_cert_dir': settings.get('tls_cert_dir'),

476

'search_scope': settings.get('search_scope'),

492

'search_scope': settings.get('search_scope'),

477

'attr_login': settings.get('attr_login'),

493

'attr_login': settings.get('attr_login'),

478

'ldap_version': 3,

494

'ldap_version': 3,

479

'ldap_filter': settings.get('filter'),

495

'ldap_filter': settings.get('filter'),

480

'timeout': settings.get('timeout')

496

'timeout': settings.get('timeout')

481

}

497

}

482

498

483

ldap_attrs = self.try_dynamic_binding(username, password, ldap_args)

499

ldap_attrs = self.try_dynamic_binding(username, password, ldap_args)

484

500

485

log.debug('Checking for ldap authentication.')

501

log.debug('Checking for ldap authentication.')

486

502

487

try:

503

try:

488

aldap = AuthLdap(**ldap_args)

504

aldap = AuthLdap(**ldap_args)

489

(user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)

505

(user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)

490

log.debug('Got ldap DN response %s', user_dn)

506

log.debug('Got ldap DN response %s', user_dn)

491

507

492

def get_ldap_attr(k):

508

def get_ldap_attr(k):

493

return ldap_attrs.get(settings.get(k), [''])[0]

509

return ldap_attrs.get(settings.get(k), [''])[0]

494

510

495

# old attrs fetched from RhodeCode database

511

# old attrs fetched from RhodeCode database

496

admin = getattr(userobj, 'admin', False)

512

admin = getattr(userobj, 'admin', False)

497

active = getattr(userobj, 'active', True)

513

active = getattr(userobj, 'active', True)

498

email = getattr(userobj, 'email', '')

514

email = getattr(userobj, 'email', '')

499

username = getattr(userobj, 'username', username)

515

username = getattr(userobj, 'username', username)

500

firstname = getattr(userobj, 'firstname', '')

516

firstname = getattr(userobj, 'firstname', '')

501

lastname = getattr(userobj, 'lastname', '')

517

lastname = getattr(userobj, 'lastname', '')

502

extern_type = getattr(userobj, 'extern_type', '')

518

extern_type = getattr(userobj, 'extern_type', '')

503

519

504

groups = []

520

groups = []

505

521

506

user_attrs = {

522

user_attrs = {

507

'username': username,

523

'username': username,

508

'firstname': safe_unicode(get_ldap_attr('attr_firstname') or firstname),

524

'firstname': safe_unicode(get_ldap_attr('attr_firstname') or firstname),

509

'lastname': safe_unicode(get_ldap_attr('attr_lastname') or lastname),

525

'lastname': safe_unicode(get_ldap_attr('attr_lastname') or lastname),

510

'groups': groups,

526

'groups': groups,

511

'user_group_sync': False,

527

'user_group_sync': False,

512

'email': get_ldap_attr('attr_email') or email,

528

'email': get_ldap_attr('attr_email') or email,

513

'admin': admin,

529

'admin': admin,

514

'active': active,

530

'active': active,

515

'active_from_extern': None,

531

'active_from_extern': None,

516

'extern_name': user_dn,

532

'extern_name': user_dn,

517

'extern_type': extern_type,

533

'extern_type': extern_type,

518

}

534

}

519

535

520

log.debug('ldap user: %s', user_attrs)

536

log.debug('ldap user: %s', user_attrs)

521

log.info('user `%s` authenticated correctly', user_attrs['username'])

537

log.info('user `%s` authenticated correctly', user_attrs['username'])

522

538

523

return user_attrs

539

return user_attrs

524

540

525

except (LdapUsernameError, LdapPasswordError, LdapImportError):

541

except (LdapUsernameError, LdapPasswordError, LdapImportError):

526

log.exception("LDAP related exception")

542

log.exception("LDAP related exception")

527

return None

543

return None

528

except (Exception,):

544

except (Exception,):

529

log.exception("Other exception")

545

log.exception("Other exception")

530

return None

546

return None

531

547

532

548

533

def includeme(config):

549

def includeme(config):

534

plugin_id = 'egg:rhodecode-enterprise-ce#{}'.format(RhodeCodeAuthPlugin.uid)

550

plugin_id = 'egg:rhodecode-enterprise-ce#{}'.format(RhodeCodeAuthPlugin.uid)

535

plugin_factory(plugin_id).includeme(config)

551

plugin_factory(plugin_id).includeme(config)

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2019 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             RhodeCode authentication plugin for LDAP
             """
             import logging
             import traceback
             import colander
             from rhodecode.translation import _
             from rhodecode.authentication.base import (
                 RhodeCodeExternalAuthPlugin, AuthLdapBase, hybrid_property)
             from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase
             from rhodecode.authentication.routes import AuthnPluginResourceBase
             from rhodecode.lib.colander_utils import strip_whitespace
             from rhodecode.lib.exceptions import (
                 LdapConnectionError, LdapUsernameError, LdapPasswordError, LdapImportError
             )
             from rhodecode.lib.utils2 import safe_unicode, safe_str
             from rhodecode.model.db import User
             from rhodecode.model.validators import Missing
             log = logging.getLogger(__name__)
             try:
                 import ldap
             except ImportError:
                 # means that python-ldap is not installed, we use Missing object to mark
                 # ldap lib is Missing
                 ldap = Missing
             class LdapError(Exception):
                 pass
             def plugin_factory(plugin_id, *args, **kwargs):
                 """
                 Factory function that is called during plugin discovery.
                 It returns the plugin instance.
                 """
                 plugin = RhodeCodeAuthPlugin(plugin_id)
                 return plugin
             class LdapAuthnResource(AuthnPluginResourceBase):
                 pass
             class AuthLdap(AuthLdapBase):
                 default_tls_cert_dir = '/etc/openldap/cacerts'
+                scope_labels = {
+                    ldap.SCOPE_BASE: 'SCOPE_BASE',
+                    ldap.SCOPE_ONELEVEL: 'SCOPE_ONELEVEL',
+                    ldap.SCOPE_SUBTREE: 'SCOPE_SUBTREE',
+                }
                 def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
                              tls_kind='PLAIN', tls_reqcert='DEMAND', tls_cert_file=None,
                              tls_cert_dir=None, ldap_version=3,
                              search_scope='SUBTREE', attr_login='uid',
                              ldap_filter='', timeout=None):
                     if ldap == Missing:
                         raise LdapImportError("Missing or incompatible ldap library")
                     self.debug = False
                     self.timeout = timeout or 60 * 5
                     self.ldap_version = ldap_version
                     self.ldap_server_type = 'ldap'
                     self.TLS_KIND = tls_kind
                     if self.TLS_KIND == 'LDAPS':
                         port = port or 636
                         self.ldap_server_type += 's'
                     OPT_X_TLS_DEMAND = 2
                     self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert, OPT_X_TLS_DEMAND)
                     self.TLS_CERT_FILE = tls_cert_file or ''
                     self.TLS_CERT_DIR = tls_cert_dir or self.default_tls_cert_dir
                     # split server into list
                     self.SERVER_ADDRESSES = self._get_server_list(server)
                     self.LDAP_SERVER_PORT = port
                     # USE FOR READ ONLY BIND TO LDAP SERVER
                     self.attr_login = attr_login
                     self.LDAP_BIND_DN = safe_str(bind_dn)
                     self.LDAP_BIND_PASS = safe_str(bind_pass)
                     self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope)
                     self.BASE_DN = safe_str(base_dn)
                     self.LDAP_FILTER = safe_str(ldap_filter)
                 def _get_ldap_conn(self):
                     if self.debug:
                         ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
                     if self.TLS_CERT_FILE and hasattr(ldap, 'OPT_X_TLS_CACERTFILE'):
                         ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.TLS_CERT_FILE)
                     elif hasattr(ldap, 'OPT_X_TLS_CACERTDIR'):
                         ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self.TLS_CERT_DIR)
                     if self.TLS_KIND != 'PLAIN':
                         ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
                     ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
                     ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
                     # init connection now
                     ldap_servers = self._build_servers(
                         self.ldap_server_type,  self.SERVER_ADDRESSES, self.LDAP_SERVER_PORT)
                     log.debug('initializing LDAP connection to:%s', ldap_servers)
                     ldap_conn = ldap.initialize(ldap_servers)
                     ldap_conn.set_option(ldap.OPT_NETWORK_TIMEOUT, self.timeout)
                     ldap_conn.set_option(ldap.OPT_TIMEOUT, self.timeout)
                     ldap_conn.timeout = self.timeout
                     if self.ldap_version == 2:
                         ldap_conn.protocol = ldap.VERSION2
                     else:
                         ldap_conn.protocol = ldap.VERSION3
                     if self.TLS_KIND == 'START_TLS':
                         ldap_conn.start_tls_s()
                     if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
                         log.debug('Trying simple_bind with password and given login DN: %r',
                                   self.LDAP_BIND_DN)
                         ldap_conn.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
                     log.debug('simple_bind successful')
                     return ldap_conn
-                def fetch_attrs_from_simple_bind(self, server, dn, username, password):
+                def fetch_attrs_from_simple_bind(self, ldap_conn, dn, username, password):
+                    scope = ldap.SCOPE_BASE
+                    scope_label = self.scope_labels.get(scope)
+                    ldap_filter = '(objectClass=*)'
                     try:
-                        log.debug('Trying simple bind with %r', dn)
+                        log.debug('Trying authenticated search bind with dn: %r SCOPE: %s (and filter: %s)',
-                        server.simple_bind_s(dn, safe_str(password))
+                                  dn, scope_label, ldap_filter)
-                        _dn, attrs = server.search_ext_s(
+                        ldap_conn.simple_bind_s(dn, safe_str(password))
-                            dn, ldap.SCOPE_BASE, '(objectClass=*)', )[0]
+                        response = ldap_conn.search_ext_s(dn, scope, ldap_filter, attrlist=['*', '+'])
-                        return attrs
+                        if not response:
+                            log.error('search bind returned empty results: %r', response)
+                            return {}
+                        else:
+                            _dn, attrs = response[0]
+                            return attrs
                     except ldap.INVALID_CREDENTIALS:
-                        log.debug(
+                        log.debug("LDAP rejected password for user '%s': %s, org_exc:",
-                            "LDAP rejected password for user '%s': %s, org_exc:",
+                                  username, dn, exc_info=True)
-                            username, dn, exc_info=True)
                 def authenticate_ldap(self, username, password):
                     """
                     Authenticate a user via LDAP and return his/her LDAP properties.
                     Raises AuthenticationError if the credentials are rejected, or
                     EnvironmentError if the LDAP server can't be reached.
                     :param username: username
                     :param password: password
                     """
                     uid = self.get_uid(username, self.SERVER_ADDRESSES)
                     user_attrs = {}
                     dn = ''
                     self.validate_password(username, password)
                     self.validate_username(username)
+                    scope_label = self.scope_labels.get(self.SEARCH_SCOPE)
                     ldap_conn = None
                     try:
                         ldap_conn = self._get_ldap_conn()
                         filter_ = '(&%s(%s=%s))' % (
                             self.LDAP_FILTER, self.attr_login, username)
-                        log.debug("Authenticating %r filter %s", self.BASE_DN, filter_)
+                        log.debug("Authenticating %r filter %s and scope: %s",
+                                  self.BASE_DN, filter_, scope_label)
-                        lobjects = ldap_conn.search_ext_s(
+                        ldap_objects = ldap_conn.search_ext_s(
-                            self.BASE_DN, self.SEARCH_SCOPE, filter_)
+                            self.BASE_DN, self.SEARCH_SCOPE, filter_, attrlist=['*', '+'])
-                        if not lobjects:
+                        if not ldap_objects:
                             log.debug("No matching LDAP objects for authentication "
                                       "of UID:'%s' username:(%s)", uid, username)
                             raise ldap.NO_SUCH_OBJECT()
-                        log.debug('Found matching ldap object, trying to authenticate')
+                        log.debug('Found %s matching ldap object[s], trying to authenticate on each one now...', len(ldap_objects))
-                        for (dn, _attrs) in lobjects:
+                        for (dn, _attrs) in ldap_objects:
                             if dn is None:
                                 continue
                             user_attrs = self.fetch_attrs_from_simple_bind(
                                 ldap_conn, dn, username, password)
                             if user_attrs:
+                                log.debug('Got authenticated user attributes from DN:%s', dn)
                                 break
                         else:
                             raise LdapPasswordError(
-                                'Failed to authenticate user `{}` '
+                                'Failed to authenticate user `{}` with given password'.format(username))
-                                'with given password'.format(username))
                     except ldap.NO_SUCH_OBJECT:
                         log.debug("LDAP says no such user '%s' (%s), org_exc:",
                                   uid, username, exc_info=True)
                         raise LdapUsernameError('Unable to find user')
                     except ldap.SERVER_DOWN:
                         org_exc = traceback.format_exc()
                         raise LdapConnectionError(
-                            "LDAP can't access authentication "
+                            "LDAP can't access authentication server, org_exc:%s" % org_exc)
-                            "server, org_exc:%s" % org_exc)
                     finally:
                         if ldap_conn:
                             log.debug('ldap: connection release')
                             try:
                                 ldap_conn.unbind_s()
                             except Exception:
                                 # for any reason this can raise exception we must catch it
                                 # to not crush the server
                                 pass
                     return dn, user_attrs
             class LdapSettingsSchema(AuthnPluginSettingsSchemaBase):
                 tls_kind_choices = ['PLAIN', 'LDAPS', 'START_TLS']
                 tls_reqcert_choices = ['NEVER', 'ALLOW', 'TRY', 'DEMAND', 'HARD']
                 search_scope_choices = ['BASE', 'ONELEVEL', 'SUBTREE']
                 host = colander.SchemaNode(
                     colander.String(),
                     default='',
                     description=_('Host[s] of the LDAP Server \n'
                                   '(e.g., 192.168.2.154, or ldap-server.domain.com.\n '
                                   'Multiple servers can be specified using commas'),
                     preparer=strip_whitespace,
                     title=_('LDAP Host'),
                     widget='string')
                 port = colander.SchemaNode(
                     colander.Int(),
                     default=389,
                     description=_('Custom port that the LDAP server is listening on. '
                                   'Default value is: 389, use 636 for LDAPS (SSL)'),
                     preparer=strip_whitespace,
                     title=_('Port'),
                     validator=colander.Range(min=0, max=65536),
                     widget='int')
                 timeout = colander.SchemaNode(
                     colander.Int(),
                     default=60 * 5,
                     description=_('Timeout for LDAP connection'),
                     preparer=strip_whitespace,
                     title=_('Connection timeout'),
                     validator=colander.Range(min=1),
                     widget='int')
                 dn_user = colander.SchemaNode(
                     colander.String(),
                     default='',
                     description=_('Optional user DN/account to connect to LDAP if authentication is required. \n'
                                   'e.g., cn=admin,dc=mydomain,dc=com, or '
                                   'uid=root,cn=users,dc=mydomain,dc=com, or admin@mydomain.com'),
                     missing='',
                     preparer=strip_whitespace,
                     title=_('Bind account'),
                     widget='string')
                 dn_pass = colander.SchemaNode(
                     colander.String(),
                     default='',
                     description=_('Password to authenticate for given user DN.'),
                     missing='',
                     preparer=strip_whitespace,
                     title=_('Bind account password'),
                     widget='password')
                 tls_kind = colander.SchemaNode(
                     colander.String(),
                     default=tls_kind_choices[0],
                     description=_('TLS Type'),
                     title=_('Connection Security'),
                     validator=colander.OneOf(tls_kind_choices),
                     widget='select')
                 tls_reqcert = colander.SchemaNode(
                     colander.String(),
                     default=tls_reqcert_choices[0],
                     description=_('Require Cert over TLS?. Self-signed and custom '
                                   'certificates can be used when\n `RhodeCode Certificate` '
                                   'found in admin > settings > system info page is extended.'),
                     title=_('Certificate Checks'),
                     validator=colander.OneOf(tls_reqcert_choices),
                     widget='select')
                 tls_cert_file = colander.SchemaNode(
                     colander.String(),
                     default='',
                     description=_('This specifies the PEM-format file path containing '
                                   'certificates for use in TLS connection.\n'
                                   'If not specified `TLS Cert dir` will be used'),
                     title=_('TLS Cert file'),
                     missing='',
                     widget='string')
                 tls_cert_dir = colander.SchemaNode(
                     colander.String(),
                     default=AuthLdap.default_tls_cert_dir,
                     description=_('This specifies the path of a directory that contains individual '
                                   'CA certificates in separate files.'),
                     title=_('TLS Cert dir'),
                     widget='string')
                 base_dn = colander.SchemaNode(
                     colander.String(),
                     default='',
                     description=_('Base DN to search. Dynamic bind is supported. Add `$login` marker '
                                   'in it to be replaced with current user username \n'
                                   '(e.g., dc=mydomain,dc=com, or ou=Users,dc=mydomain,dc=com)'),
                     missing='',
                     preparer=strip_whitespace,
                     title=_('Base DN'),
                     widget='string')
                 filter = colander.SchemaNode(
                     colander.String(),
                     default='',
                     description=_('Filter to narrow results \n'
                                   '(e.g., (&(objectCategory=Person)(objectClass=user)), or \n'
                                   '(memberof=cn=rc-login,ou=groups,ou=company,dc=mydomain,dc=com)))'),
                     missing='',
                     preparer=strip_whitespace,
                     title=_('LDAP Search Filter'),
                     widget='string')
                 search_scope = colander.SchemaNode(
                     colander.String(),
                     default=search_scope_choices[2],
                     description=_('How deep to search LDAP. If unsure set to SUBTREE'),
                     title=_('LDAP Search Scope'),
                     validator=colander.OneOf(search_scope_choices),
                     widget='select')
                 attr_login = colander.SchemaNode(
                     colander.String(),
                     default='uid',
                     description=_('LDAP Attribute to map to user name (e.g., uid, or sAMAccountName)'),
                     preparer=strip_whitespace,
                     title=_('Login Attribute'),
                     missing_msg=_('The LDAP Login attribute of the CN must be specified'),
                     widget='string')
                 attr_email = colander.SchemaNode(
                     colander.String(),
                     default='',
                     description=_('LDAP Attribute to map to email address (e.g., mail).\n'
                                   'Emails are a crucial part of RhodeCode. \n'
                                   'If possible add a valid email attribute to ldap users.'),
                     missing='',
                     preparer=strip_whitespace,
                     title=_('Email Attribute'),
                     widget='string')
                 attr_firstname = colander.SchemaNode(
                     colander.String(),
                     default='',
                     description=_('LDAP Attribute to map to first name (e.g., givenName)'),
                     missing='',
                     preparer=strip_whitespace,
                     title=_('First Name Attribute'),
                     widget='string')
                 attr_lastname = colander.SchemaNode(
                     colander.String(),
                     default='',
                     description=_('LDAP Attribute to map to last name (e.g., sn)'),
                     missing='',
                     preparer=strip_whitespace,
                     title=_('Last Name Attribute'),
                     widget='string')
             class RhodeCodeAuthPlugin(RhodeCodeExternalAuthPlugin):
                 uid = 'ldap'
                 # used to define dynamic binding in the
                 DYNAMIC_BIND_VAR = '$login'
                 _settings_unsafe_keys = ['dn_pass']
                 def includeme(self, config):
                     config.add_authn_plugin(self)
                     config.add_authn_resource(self.get_id(), LdapAuthnResource(self))
                     config.add_view(
                         'rhodecode.authentication.views.AuthnPluginViewBase',
                         attr='settings_get',
                         renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
                         request_method='GET',
                         route_name='auth_home',
                         context=LdapAuthnResource)
                     config.add_view(
                         'rhodecode.authentication.views.AuthnPluginViewBase',
                         attr='settings_post',
                         renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
                         request_method='POST',
                         route_name='auth_home',
                         context=LdapAuthnResource)
                 def get_settings_schema(self):
                     return LdapSettingsSchema()
                 def get_display_name(self):
                     return _('LDAP')
                 @classmethod
                 def docs(cls):
                     return "https://docs.rhodecode.com/RhodeCode-Enterprise/auth/auth-ldap.html"
                 @hybrid_property
                 def name(self):
                     return u"ldap"
                 def use_fake_password(self):
                     return True
                 def user_activation_state(self):
                     def_user_perms = User.get_default_user().AuthUser().permissions['global']
                     return 'hg.extern_activate.auto' in def_user_perms
                 def try_dynamic_binding(self, username, password, current_args):
                     """
                     Detects marker inside our original bind, and uses dynamic auth if
                     present
                     """
                     org_bind = current_args['bind_dn']
                     passwd = current_args['bind_pass']
                     def has_bind_marker(username):
                         if self.DYNAMIC_BIND_VAR in username:
                             return True
                     # we only passed in user with "special" variable
                     if org_bind and has_bind_marker(org_bind) and not passwd:
                         log.debug('Using dynamic user/password binding for ldap '
                                   'authentication. Replacing `%s` with username',
                                   self.DYNAMIC_BIND_VAR)
                         current_args['bind_dn'] = org_bind.replace(
                             self.DYNAMIC_BIND_VAR, username)
                         current_args['bind_pass'] = password
                     return current_args
                 def auth(self, userobj, username, password, settings, **kwargs):
                     """
                     Given a user object (which may be null), username, a plaintext password,
                     and a settings object (containing all the keys needed as listed in
                     settings()), authenticate this user's login attempt.
                     Return None on failure. On success, return a dictionary of the form:
                         see: RhodeCodeAuthPluginBase.auth_func_attrs
                     This is later validated for correctness
                     """
                     if not username or not password:
                         log.debug('Empty username or password skipping...')
                         return None
                     ldap_args = {
                         'server': settings.get('host', ''),
                         'base_dn': settings.get('base_dn', ''),
                         'port': settings.get('port'),
                         'bind_dn': settings.get('dn_user'),
                         'bind_pass': settings.get('dn_pass'),
                         'tls_kind': settings.get('tls_kind'),
                         'tls_reqcert': settings.get('tls_reqcert'),
                         'tls_cert_file': settings.get('tls_cert_file'),
                         'tls_cert_dir': settings.get('tls_cert_dir'),
                         'search_scope': settings.get('search_scope'),
                         'attr_login': settings.get('attr_login'),
                         'ldap_version': 3,
                         'ldap_filter': settings.get('filter'),
                         'timeout': settings.get('timeout')
                     }
                     ldap_attrs = self.try_dynamic_binding(username, password, ldap_args)
                     log.debug('Checking for ldap authentication.')
                     try:
                         aldap = AuthLdap(**ldap_args)
                         (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)
                         log.debug('Got ldap DN response %s', user_dn)
                         def get_ldap_attr(k):
                             return ldap_attrs.get(settings.get(k), [''])[0]
                         # old attrs fetched from RhodeCode database
                         admin = getattr(userobj, 'admin', False)
                         active = getattr(userobj, 'active', True)
                         email = getattr(userobj, 'email', '')
                         username = getattr(userobj, 'username', username)
                         firstname = getattr(userobj, 'firstname', '')
                         lastname = getattr(userobj, 'lastname', '')
                         extern_type = getattr(userobj, 'extern_type', '')
                         groups = []
                         user_attrs = {
                             'username': username,
                             'firstname': safe_unicode(get_ldap_attr('attr_firstname') or firstname),
                             'lastname': safe_unicode(get_ldap_attr('attr_lastname') or lastname),
                             'groups': groups,
                             'user_group_sync': False,
                             'email': get_ldap_attr('attr_email') or email,
                             'admin': admin,
                             'active': active,
                             'active_from_extern': None,
                             'extern_name': user_dn,
                             'extern_type': extern_type,
                         }
                         log.debug('ldap user: %s', user_attrs)
                         log.info('user `%s` authenticated correctly', user_attrs['username'])
                         return user_attrs
                     except (LdapUsernameError, LdapPasswordError, LdapImportError):
                         log.exception("LDAP related exception")
                         return None
                     except (Exception,):
                         log.exception("Other exception")
                         return None
             def includeme(config):
                 plugin_id = 'egg:rhodecode-enterprise-ce#{}'.format(RhodeCodeAuthPlugin.uid)
                 plugin_factory(plugin_id).includeme(config)