rhodecode-enterprise-ce Commit - r2654:c156e0f4

auth-ldap: added connection pinning and timeout option to ldap plugin

marcink -

r2654:c156e0f4 default

parent child

rhodecode/apps/admin/tests/test_admin_auth_settings.py

0 +1 0

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import pytest
             from rhodecode.tests import assert_session_flash
             from rhodecode.tests.utils import AssertResponse
             from rhodecode.model.db import Session
             from rhodecode.model.settings import SettingsModel
             def assert_auth_settings_updated(response):
                 assert response.status_int == 302, 'Expected response HTTP Found 302'
                 assert_session_flash(response, 'Auth settings updated successfully')
             @pytest.mark.usefixtures("autologin_user", "app")
             class TestAuthSettingsView(object):
                 def _enable_plugins(self, plugins_list, csrf_token, override=None,
                                     verify_response=False):
                     test_url = '/_admin/auth'
                     params = {
                         'auth_plugins': plugins_list,
                         'csrf_token': csrf_token,
                     }
                     if override:
                         params.update(override)
                     _enabled_plugins = []
                     for plugin in plugins_list.split(','):
                         plugin_name = plugin.partition('#')[-1]
                         enabled_plugin = '%s_enabled' % plugin_name
                         cache_ttl = '%s_cache_ttl' % plugin_name
                         # default params that are needed for each plugin,
                         # `enabled` and `cache_ttl`
                         params.update({
                             enabled_plugin: True,
                             cache_ttl: 0
                         })
                         _enabled_plugins.append(enabled_plugin)
                     # we need to clean any enabled plugin before, since they require
                     # form params to be present
                     db_plugin = SettingsModel().get_setting_by_name('auth_plugins')
                     db_plugin.app_settings_value = \
                         'egg:rhodecode-enterprise-ce#rhodecode'
                     Session().add(db_plugin)
                     Session().commit()
                     for _plugin in _enabled_plugins:
                         db_plugin = SettingsModel().get_setting_by_name(_plugin)
                         if db_plugin:
                             Session().delete(db_plugin)
                     Session().commit()
                     response = self.app.post(url=test_url, params=params)
                     if verify_response:
                         assert_auth_settings_updated(response)
                     return params
                 def _post_ldap_settings(self, params, override=None, force=False):
                     params.update({
                         'filter': 'user',
                         'user_member_of': '',
                         'user_search_base': '',
                         'user_search_filter': 'test_filter',
                         'host': 'dc.example.com',
                         'port': '999',
+                        'timeout': 3600,
                         'tls_kind': 'PLAIN',
                         'tls_reqcert': 'NEVER',
                         'dn_user': 'test_user',
                         'dn_pass': 'test_pass',
                         'base_dn': 'test_base_dn',
                         'search_scope': 'BASE',
                         'attr_login': 'test_attr_login',
                         'attr_firstname': 'ima',
                         'attr_lastname': 'tester',
                         'attr_email': 'test@example.com',
                         'cache_ttl': '0',
                     })
                     if force:
                         params = {}
                     params.update(override or {})
                     test_url = '/_admin/auth/ldap/'
                     response = self.app.post(url=test_url, params=params)
                     return response
                 def test_index(self):
                     response = self.app.get('/_admin/auth')
                     response.mustcontain('Authentication Plugins')
                 @pytest.mark.parametrize("disable_plugin, needs_import", [
                     ('egg:rhodecode-enterprise-ce#headers', None),
                     ('egg:rhodecode-enterprise-ce#crowd', None),
                     ('egg:rhodecode-enterprise-ce#jasig_cas', None),
                     ('egg:rhodecode-enterprise-ce#ldap', None),
                     ('egg:rhodecode-enterprise-ce#pam',  "pam"),
                 ])
                 def test_disable_plugin(self, csrf_token, disable_plugin, needs_import):
                     # TODO: johbo: "pam" is currently not available on darwin,
                     # although the docs state that it should work on darwin.
                     if needs_import:
                         pytest.importorskip(needs_import)
                     self._enable_plugins(
                         'egg:rhodecode-enterprise-ce#rhodecode,' + disable_plugin,
                         csrf_token, verify_response=True)
                     self._enable_plugins(
                         'egg:rhodecode-enterprise-ce#rhodecode', csrf_token,
                         verify_response=True)
                 def test_ldap_save_settings(self, csrf_token):
                     params = self._enable_plugins(
                         'egg:rhodecode-enterprise-ce#rhodecode,'
                         'egg:rhodecode-enterprise-ce#ldap',
                         csrf_token)
                     response = self._post_ldap_settings(params)
                     assert_auth_settings_updated(response)
                     new_settings = SettingsModel().get_auth_settings()
                     assert new_settings['auth_ldap_host'] == u'dc.example.com', \
                         'fail db write compare'
                 def test_ldap_error_form_wrong_port_number(self, csrf_token):
                     params = self._enable_plugins(
                         'egg:rhodecode-enterprise-ce#rhodecode,'
                         'egg:rhodecode-enterprise-ce#ldap',
                         csrf_token)
                     invalid_port_value = 'invalid-port-number'
                     response = self._post_ldap_settings(params, override={
                         'port': invalid_port_value,
                     })
                     assertr = AssertResponse(response)
                     assertr.element_contains(
                         '.form .field #port ~ .error-message',
                         invalid_port_value)
                 def test_ldap_error_form(self, csrf_token):
                     params = self._enable_plugins(
                         'egg:rhodecode-enterprise-ce#rhodecode,'
                         'egg:rhodecode-enterprise-ce#ldap',
                         csrf_token)
                     response = self._post_ldap_settings(params, override={
                         'attr_login': '',
                     })
                     response.mustcontain("""<span class="error-message">The LDAP Login"""
                                          """ attribute of the CN must be specified""")
                 def test_post_ldap_group_settings(self, csrf_token):
                     params = self._enable_plugins(
                         'egg:rhodecode-enterprise-ce#rhodecode,'
                         'egg:rhodecode-enterprise-ce#ldap',
                         csrf_token)
                     response = self._post_ldap_settings(params, override={
                         'host': 'dc-legacy.example.com',
                         'port': '999',
                         'tls_kind': 'PLAIN',
                         'tls_reqcert': 'NEVER',
                         'dn_user': 'test_user',
                         'dn_pass': 'test_pass',
                         'base_dn': 'test_base_dn',
                         'filter': 'test_filter',
                         'search_scope': 'BASE',
                         'attr_login': 'test_attr_login',
                         'attr_firstname': 'ima',
                         'attr_lastname': 'tester',
                         'attr_email': 'test@example.com',
                         'cache_ttl': '60',
                         'csrf_token': csrf_token,
                         }
                     )
                     assert_auth_settings_updated(response)
                     new_settings = SettingsModel().get_auth_settings()
                     assert new_settings['auth_ldap_host'] == u'dc-legacy.example.com', \
                         'fail db write compare'

rhodecode/authentication/plugins/auth_ldap.py

0 +55 -11

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2018 RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             RhodeCode authentication plugin for LDAP
             """
+            import socket
             import re
             import colander
             import logging
             import traceback
             import string
             from rhodecode.translation import _
             from rhodecode.authentication.base import (
                 RhodeCodeExternalAuthPlugin, chop_at, hybrid_property)
             from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase
             from rhodecode.authentication.routes import AuthnPluginResourceBase
             from rhodecode.lib.colander_utils import strip_whitespace
             from rhodecode.lib.exceptions import (
                 LdapConnectionError, LdapUsernameError, LdapPasswordError, LdapImportError
             )
             from rhodecode.lib.utils2 import safe_unicode, safe_str
             from rhodecode.model.db import User
             from rhodecode.model.validators import Missing
             log = logging.getLogger(__name__)
             try:
                 import ldap
             except ImportError:
                 # means that python-ldap is not installed, we use Missing object to mark
                 # ldap lib is Missing
                 ldap = Missing
             class LdapError(Exception):
                 pass
             def plugin_factory(plugin_id, *args, **kwds):
                 """
                 Factory function that is called during plugin discovery.
                 It returns the plugin instance.
                 """
                 plugin = RhodeCodeAuthPlugin(plugin_id)
                 return plugin
             class LdapAuthnResource(AuthnPluginResourceBase):
                 pass
             class LdapSettingsSchema(AuthnPluginSettingsSchemaBase):
                 tls_kind_choices = ['PLAIN', 'LDAPS', 'START_TLS']
                 tls_reqcert_choices = ['NEVER', 'ALLOW', 'TRY', 'DEMAND', 'HARD']
                 search_scope_choices = ['BASE', 'ONELEVEL', 'SUBTREE']
                 host = colander.SchemaNode(
                     colander.String(),
                     default='',
                     description=_('Host[s] of the LDAP Server \n'
                                   '(e.g., 192.168.2.154, or ldap-server.domain.com.\n '
                                   'Multiple servers can be specified using commas'),
                     preparer=strip_whitespace,
                     title=_('LDAP Host'),
                     widget='string')
                 port = colander.SchemaNode(
                     colander.Int(),
                     default=389,
                     description=_('Custom port that the LDAP server is listening on. '
                                   'Default value is: 389'),
                     preparer=strip_whitespace,
                     title=_('Port'),
                     validator=colander.Range(min=0, max=65536),
                     widget='int')
+                timeout = colander.SchemaNode(
+                    colander.Int(),
+                    default=60 * 5,
+                    description=_('Timeout for LDAP connection'),
+                    preparer=strip_whitespace,
+                    title=_('Connection timeout'),
+                    validator=colander.Range(min=1),
+                    widget='int')
                 dn_user = colander.SchemaNode(
                     colander.String(),
                     default='',
                     description=_('Optional user DN/account to connect to LDAP if authentication is required. \n'
                                   'e.g., cn=admin,dc=mydomain,dc=com, or '
                                   'uid=root,cn=users,dc=mydomain,dc=com, or admin@mydomain.com'),
                     missing='',
                     preparer=strip_whitespace,
                     title=_('Account'),
                     widget='string')
                 dn_pass = colander.SchemaNode(
                     colander.String(),
                     default='',
                     description=_('Password to authenticate for given user DN.'),
                     missing='',
                     preparer=strip_whitespace,
                     title=_('Password'),
                     widget='password')
                 tls_kind = colander.SchemaNode(
                     colander.String(),
                     default=tls_kind_choices[0],
                     description=_('TLS Type'),
                     title=_('Connection Security'),
                     validator=colander.OneOf(tls_kind_choices),
                     widget='select')
                 tls_reqcert = colander.SchemaNode(
                     colander.String(),
                     default=tls_reqcert_choices[0],
                     description=_('Require Cert over TLS?. Self-signed and custom '
                                   'certificates can be used when\n `RhodeCode Certificate` '
                                   'found in admin > settings > system info page is extended.'),
                     title=_('Certificate Checks'),
                     validator=colander.OneOf(tls_reqcert_choices),
                     widget='select')
                 base_dn = colander.SchemaNode(
                     colander.String(),
                     default='',
                     description=_('Base DN to search. Dynamic bind is supported. Add `$login` marker '
                                   'in it to be replaced with current user credentials \n'
                                   '(e.g., dc=mydomain,dc=com, or ou=Users,dc=mydomain,dc=com)'),
                     missing='',
                     preparer=strip_whitespace,
                     title=_('Base DN'),
                     widget='string')
                 filter = colander.SchemaNode(
                     colander.String(),
                     default='',
                     description=_('Filter to narrow results \n'
                                   '(e.g., (&(objectCategory=Person)(objectClass=user)), or \n'
                                   '(memberof=cn=rc-login,ou=groups,ou=company,dc=mydomain,dc=com)))'),
                     missing='',
                     preparer=strip_whitespace,
                     title=_('LDAP Search Filter'),
                     widget='string')
                 search_scope = colander.SchemaNode(
                     colander.String(),
                     default=search_scope_choices[2],
                     description=_('How deep to search LDAP. If unsure set to SUBTREE'),
                     title=_('LDAP Search Scope'),
                     validator=colander.OneOf(search_scope_choices),
                     widget='select')
                 attr_login = colander.SchemaNode(
                     colander.String(),
                     default='uid',
                     description=_('LDAP Attribute to map to user name (e.g., uid, or sAMAccountName)'),
                     preparer=strip_whitespace,
                     title=_('Login Attribute'),
                     missing_msg=_('The LDAP Login attribute of the CN must be specified'),
                     widget='string')
                 attr_firstname = colander.SchemaNode(
                     colander.String(),
                     default='',
                     description=_('LDAP Attribute to map to first name (e.g., givenName)'),
                     missing='',
                     preparer=strip_whitespace,
                     title=_('First Name Attribute'),
                     widget='string')
                 attr_lastname = colander.SchemaNode(
                     colander.String(),
                     default='',
                     description=_('LDAP Attribute to map to last name (e.g., sn)'),
                     missing='',
                     preparer=strip_whitespace,
                     title=_('Last Name Attribute'),
                     widget='string')
                 attr_email = colander.SchemaNode(
                     colander.String(),
                     default='',
                     description=_('LDAP Attribute to map to email address (e.g., mail).\n'
                                   'Emails are a crucial part of RhodeCode. \n'
                                   'If possible add a valid email attribute to ldap users.'),
                     missing='',
                     preparer=strip_whitespace,
                     title=_('Email Attribute'),
                     widget='string')
             class AuthLdap(object):
                 def _build_servers(self):
+                    def host_resolver(host, port):
+                        """
+                        Main work for this function is to prevent ldap connection issues,
+                        and detect them early using a "greenified" sockets
+                        """
+                        host = host.strip()
+                        log.info('Resolving LDAP host %s', host)
+                        try:
+                            ip = socket.gethostbyname(host)
+                            log.info('Got LDAP server %s ip %s', host, ip)
+                        except Exception:
+                            raise LdapConnectionError(
+                                'Failed to resolve host: `{}`'.format(host))
+                        log.info('Checking LDAP IP access %s', ip)
+                        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+                        try:
+                            s.connect((ip, int(port)))
+                            s.shutdown(socket.SHUT_RD)
+                        except Exception:
+                            raise LdapConnectionError(
+                                'Failed to connect to host: `{}:{}`'.format(host, port))
+                        return '{}:{}'.format(host, port)
+                    port = self.LDAP_SERVER_PORT
                     return ', '.join(
-                        ["{}://{}:{}".format(
+                        ["{}://{}".format(
-                            self.ldap_server_type, host.strip(), self.LDAP_SERVER_PORT)
+                            self.ldap_server_type, host_resolver(host, port))
                          for host in self.SERVER_ADDRESSES])
                 def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
                              tls_kind='PLAIN', tls_reqcert='DEMAND', ldap_version=3,
                              search_scope='SUBTREE', attr_login='uid',
-                             ldap_filter=''):
+                             ldap_filter='', timeout=None):
                     if ldap == Missing:
                         raise LdapImportError("Missing or incompatible ldap library")
                     self.debug = False
+                    self.timeout = timeout or 60 * 5
                     self.ldap_version = ldap_version
                     self.ldap_server_type = 'ldap'
                     self.TLS_KIND = tls_kind
                     if self.TLS_KIND == 'LDAPS':
                         port = port or 689
                         self.ldap_server_type += 's'
                     OPT_X_TLS_DEMAND = 2
                     self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert,
                                                OPT_X_TLS_DEMAND)
                     # split server into list
                     self.SERVER_ADDRESSES = server.split(',')
                     self.LDAP_SERVER_PORT = port
                     # USE FOR READ ONLY BIND TO LDAP SERVER
                     self.attr_login = attr_login
                     self.LDAP_BIND_DN = safe_str(bind_dn)
                     self.LDAP_BIND_PASS = safe_str(bind_pass)
                     self.LDAP_SERVER = self._build_servers()
                     self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope)
                     self.BASE_DN = safe_str(base_dn)
                     self.LDAP_FILTER = safe_str(ldap_filter)
                 def _get_ldap_conn(self):
+                    log.debug('initializing LDAP connection to:%s', self.LDAP_SERVER)
                     if self.debug:
                         ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
                     if hasattr(ldap, 'OPT_X_TLS_CACERTDIR'):
-                        ldap.set_option(ldap.OPT_X_TLS_CACERTDIR,
+                        ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/etc/openldap/cacerts')
-                                        '/etc/openldap/cacerts')
-                    ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
-                    ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
-                    ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 60 * 10)
-                    ldap.set_option(ldap.OPT_TIMEOUT, 60 * 10)
                     if self.TLS_KIND != 'PLAIN':
                         ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
-                    log.debug('initializing LDAP connection to:%s', self.LDAP_SERVER)
+                    ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
+                    ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
+                    # init connection now
                     ldap_conn = ldap.initialize(self.LDAP_SERVER)
+                    ldap_conn.set_option(ldap.OPT_NETWORK_TIMEOUT, self.timeout)
+                    ldap_conn.set_option(ldap.OPT_TIMEOUT, self.timeout)
+                    ldap_conn.timeout = self.timeout
                     if self.ldap_version == 2:
                         ldap_conn.protocol = ldap.VERSION2
                     else:
                         ldap_conn.protocol = ldap.VERSION3
                     if self.TLS_KIND == 'START_TLS':
                         ldap_conn.start_tls_s()
                     if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
                         log.debug('Trying simple_bind with password and given login DN: %s',
                                   self.LDAP_BIND_DN)
                         ldap_conn.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
                     return ldap_conn
                 def get_uid(self, username):
                     uid = username
                     for server_addr in self.SERVER_ADDRESSES:
                         uid = chop_at(username, "@%s" % server_addr)
                     return uid
                 def fetch_attrs_from_simple_bind(self, server, dn, username, password):
                     try:
                         log.debug('Trying simple bind with %s', dn)
                         server.simple_bind_s(dn, safe_str(password))
                         user = server.search_ext_s(
                             dn, ldap.SCOPE_BASE, '(objectClass=*)', )[0]
                         _, attrs = user
                         return attrs
                     except ldap.INVALID_CREDENTIALS:
                         log.debug(
                             "LDAP rejected password for user '%s': %s, org_exc:",
                             username, dn, exc_info=True)
                 def authenticate_ldap(self, username, password):
                     """
                     Authenticate a user via LDAP and return his/her LDAP properties.
                     Raises AuthenticationError if the credentials are rejected, or
                     EnvironmentError if the LDAP server can't be reached.
                     :param username: username
                     :param password: password
                     """
                     uid = self.get_uid(username)
                     if not password:
                         msg = "Authenticating user %s with blank password not allowed"
                         log.warning(msg, username)
                         raise LdapPasswordError(msg)
                     if "," in username:
                         raise LdapUsernameError(
                             "invalid character `,` in username: `{}`".format(username))
                     ldap_conn = None
                     try:
                         ldap_conn = self._get_ldap_conn()
                         filter_ = '(&%s(%s=%s))' % (
                             self.LDAP_FILTER, self.attr_login, username)
                         log.debug("Authenticating %r filter %s at %s", self.BASE_DN,
                                   filter_, self.LDAP_SERVER)
                         lobjects = ldap_conn.search_ext_s(
                             self.BASE_DN, self.SEARCH_SCOPE, filter_)
                         if not lobjects:
                             log.debug("No matching LDAP objects for authentication "
                                       "of UID:'%s' username:(%s)", uid, username)
                             raise ldap.NO_SUCH_OBJECT()
                         log.debug('Found matching ldap object, trying to authenticate')
                         for (dn, _attrs) in lobjects:
                             if dn is None:
                                 continue
                             user_attrs = self.fetch_attrs_from_simple_bind(
                                 ldap_conn, dn, username, password)
                             if user_attrs:
                                 break
                         else:
                             raise LdapPasswordError(
                                 'Failed to authenticate user `{}`'
                                 'with given password'.format(username))
                     except ldap.NO_SUCH_OBJECT:
                         log.debug("LDAP says no such user '%s' (%s), org_exc:",
                                   uid, username, exc_info=True)
                         raise LdapUsernameError('Unable to find user')
                     except ldap.SERVER_DOWN:
                         org_exc = traceback.format_exc()
                         raise LdapConnectionError(
                             "LDAP can't access authentication "
                             "server, org_exc:%s" % org_exc)
                     finally:
                         if ldap_conn:
                             log.debug('ldap: connection release')
                             try:
                                 ldap_conn.unbind_s()
                             except Exception:
                                 # for any reason this can raise exception we must catch it
                                 # to not crush the server
                                 pass
                     return dn, user_attrs
             class RhodeCodeAuthPlugin(RhodeCodeExternalAuthPlugin):
                 # used to define dynamic binding in the
                 DYNAMIC_BIND_VAR = '$login'
                 _settings_unsafe_keys = ['dn_pass']
                 def includeme(self, config):
                     config.add_authn_plugin(self)
                     config.add_authn_resource(self.get_id(), LdapAuthnResource(self))
                     config.add_view(
                         'rhodecode.authentication.views.AuthnPluginViewBase',
                         attr='settings_get',
                         renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
                         request_method='GET',
                         route_name='auth_home',
                         context=LdapAuthnResource)
                     config.add_view(
                         'rhodecode.authentication.views.AuthnPluginViewBase',
                         attr='settings_post',
                         renderer='rhodecode:templates/admin/auth/plugin_settings.mako',
                         request_method='POST',
                         route_name='auth_home',
                         context=LdapAuthnResource)
                 def get_settings_schema(self):
                     return LdapSettingsSchema()
                 def get_display_name(self):
                     return _('LDAP')
                 @hybrid_property
                 def name(self):
                     return "ldap"
                 def use_fake_password(self):
                     return True
                 def user_activation_state(self):
                     def_user_perms = User.get_default_user().AuthUser().permissions['global']
                     return 'hg.extern_activate.auto' in def_user_perms
                 def try_dynamic_binding(self, username, password, current_args):
                     """
                     Detects marker inside our original bind, and uses dynamic auth if
                     present
                     """
                     org_bind = current_args['bind_dn']
                     passwd = current_args['bind_pass']
                     def has_bind_marker(username):
                         if self.DYNAMIC_BIND_VAR in username:
                             return True
                     # we only passed in user with "special" variable
                     if org_bind and has_bind_marker(org_bind) and not passwd:
                         log.debug('Using dynamic user/password binding for ldap '
                                   'authentication. Replacing `%s` with username',
                                   self.DYNAMIC_BIND_VAR)
                         current_args['bind_dn'] = org_bind.replace(
                             self.DYNAMIC_BIND_VAR, username)
                         current_args['bind_pass'] = password
                     return current_args
                 def auth(self, userobj, username, password, settings, **kwargs):
                     """
                     Given a user object (which may be null), username, a plaintext password,
                     and a settings object (containing all the keys needed as listed in
                     settings()), authenticate this user's login attempt.
                     Return None on failure. On success, return a dictionary of the form:
                         see: RhodeCodeAuthPluginBase.auth_func_attrs
                     This is later validated for correctness
                     """
                     if not username or not password:
                         log.debug('Empty username or password skipping...')
                         return None
                     ldap_args = {
                         'server': settings.get('host', ''),
                         'base_dn': settings.get('base_dn', ''),
                         'port': settings.get('port'),
                         'bind_dn': settings.get('dn_user'),
                         'bind_pass': settings.get('dn_pass'),
                         'tls_kind': settings.get('tls_kind'),
                         'tls_reqcert': settings.get('tls_reqcert'),
                         'search_scope': settings.get('search_scope'),
                         'attr_login': settings.get('attr_login'),
                         'ldap_version': 3,
                         'ldap_filter': settings.get('filter'),
+                        'timeout': settings.get('timeout')
                     }
                     ldap_attrs = self.try_dynamic_binding(username, password, ldap_args)
                     log.debug('Checking for ldap authentication.')
                     try:
                         aldap = AuthLdap(**ldap_args)
                         (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)
                         log.debug('Got ldap DN response %s', user_dn)
                         def get_ldap_attr(k):
                             return ldap_attrs.get(settings.get(k), [''])[0]
                         # old attrs fetched from RhodeCode database
                         admin = getattr(userobj, 'admin', False)
                         active = getattr(userobj, 'active', True)
                         email = getattr(userobj, 'email', '')
                         username = getattr(userobj, 'username', username)
                         firstname = getattr(userobj, 'firstname', '')
                         lastname = getattr(userobj, 'lastname', '')
                         extern_type = getattr(userobj, 'extern_type', '')
                         groups = []
                         user_attrs = {
                             'username': username,
                             'firstname': safe_unicode(
                                 get_ldap_attr('attr_firstname') or firstname),
                             'lastname': safe_unicode(
                                 get_ldap_attr('attr_lastname') or lastname),
                             'groups': groups,
                             'user_group_sync': False,
                             'email': get_ldap_attr('attr_email') or email,
                             'admin': admin,
                             'active': active,
                             'active_from_extern': None,
                             'extern_name': user_dn,
                             'extern_type': extern_type,
                         }
                         log.debug('ldap user: %s', user_attrs)
                         log.info('user `%s` authenticated correctly', user_attrs['username'])
                         return user_attrs
                     except (LdapUsernameError, LdapPasswordError, LdapImportError):
                         log.exception("LDAP related exception")
                         return None
                     except (Exception,):
                         log.exception("Other exception")
                         return None

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages