##// END OF EJS Templates
moved out celerypylons import to enviromnet to prevent celery from displaying celeryconfig.py warning
moved out celerypylons import to enviromnet to prevent celery from displaying celeryconfig.py warning

File last commit:

r991:b232a36c issue-108
r1006:02246101 beta
Show More
auth_ldap.py
126 lines | 4.7 KiB | text/x-python | PythonLexer
fixed #72 show warning on removal when user still is owner of existing repositories...
r713 #!/usr/bin/env python
# encoding: utf-8
# ldap authentication lib
fixed copyright year to 2011
r902 # Copyright (C) 2009-2011 Marcin Kuzminski <marcin@python-works.com>
fixed #72 show warning on removal when user still is owner of existing repositories...
r713 #
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; version 2
# of the License or (at your opinion) any later version of the license.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
# MA 02110-1301, USA.
"""
Created on Nov 17, 2010
added basic ldap auth lib
r700
fixed #72 show warning on removal when user still is owner of existing repositories...
r713 @author: marcink
"""
implements #60, ldap configuration and authentication....
r705
fixed #72 show warning on removal when user still is owner of existing repositories...
r713 from rhodecode.lib.exceptions import *
implements #60, ldap configuration and authentication....
r705 import logging
log = logging.getLogger(__name__)
added basic ldap auth lib
r700
implements #60, ldap configuration and authentication....
r705 try:
import ldap
except ImportError:
pass
added basic ldap auth lib
r700
implements #60, ldap configuration and authentication....
r705 class AuthLdap(object):
added basic ldap auth lib
r700
implements #60, ldap configuration and authentication....
r705 def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
Thayne Harbaugh
Improve LDAP authentication...
r991 use_ldaps=False, tls_reqcert='DEMAND', ldap_version=3,
ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',
search_scope='SUBTREE',
attr_login='uid'):
implements #60, ldap configuration and authentication....
r705 self.ldap_version = ldap_version
if use_ldaps:
port = port or 689
self.LDAP_USE_LDAPS = use_ldaps
Thayne Harbaugh
Improve LDAP authentication...
r991 self.TLS_REQCERT = ldap.__dict__['OPT_X_TLS_' + tls_reqcert]
implements #60, ldap configuration and authentication....
r705 self.LDAP_SERVER_ADDRESS = server
self.LDAP_SERVER_PORT = port
added basic ldap auth lib
r700
implements #60, ldap configuration and authentication....
r705 #USE FOR READ ONLY BIND TO LDAP SERVER
self.LDAP_BIND_DN = bind_dn
self.LDAP_BIND_PASS = bind_pass
added basic ldap auth lib
r700
implements #60, ldap configuration and authentication....
r705 ldap_server_type = 'ldap'
if self.LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's'
self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type,
self.LDAP_SERVER_ADDRESS,
self.LDAP_SERVER_PORT)
self.BASE_DN = base_dn
Thayne Harbaugh
Improve LDAP authentication...
r991 self.LDAP_FILTER = ldap_filter
self.SEARCH_SCOPE = ldap.__dict__['SCOPE_' + search_scope]
self.attr_login = attr_login
added basic ldap auth lib
r700
implements #60, ldap configuration and authentication....
r705 def authenticate_ldap(self, username, password):
"""Authenticate a user via LDAP and return his/her LDAP properties.
Raises AuthenticationError if the credentials are rejected, or
EnvironmentError if the LDAP server can't be reached.
ldap two phase auth fix
r701
implements #60, ldap configuration and authentication....
r705 :param username: username
:param password: password
"""
from rhodecode.lib.helpers import chop_at
uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS)
fixes #77 and adds extendable base Dn with custom uid specification
r775
implements #60, ldap configuration and authentication....
r705 if "," in username:
fixed #72 show warning on removal when user still is owner of existing repositories...
r713 raise LdapUsernameError("invalid character in username: ,")
implements #60, ldap configuration and authentication....
r705 try:
fixes #76 added confirmation dialog for user removal....
r739 ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/etc/openldap/cacerts')
Thayne Harbaugh
Improve LDAP authentication...
r991 ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
ldap.set_option(ldap.OPT_TIMEOUT, 20)
implements #60, ldap configuration and authentication....
r705 ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
Thayne Harbaugh
Improve LDAP authentication...
r991 ldap.set_option(ldap.OPT_TIMELIMIT, 15)
if self.LDAP_USE_LDAPS:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
implements #60, ldap configuration and authentication....
r705 server = ldap.initialize(self.LDAP_SERVER)
if self.ldap_version == 2:
server.protocol = ldap.VERSION2
else:
server.protocol = ldap.VERSION3
added basic ldap auth lib
r700
implements #60, ldap configuration and authentication....
r705 if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
fixes a bug with two-pass ldap auth (thanks for TK Soh for that)
r794 server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
added basic ldap auth lib
r700
Thayne Harbaugh
Improve LDAP authentication...
r991 filt = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login, username)
log.debug("Authenticating %r filt %s at %s", self.BASE_DN, filt, self.LDAP_SERVER)
lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE, filt)
if not lobjects:
raise ldap.NO_SUCH_OBJECT()
fixes #77 and adds extendable base Dn with custom uid specification
r775
Thayne Harbaugh
Improve LDAP authentication...
r991 for (dn, attrs) in lobjects:
try:
server.simple_bind_s(dn, password)
break
except ldap.INVALID_CREDENTIALS, e:
log.debug("LDAP rejected password for user '%s' (%s): %s", uid, username, dn)
else:
log.debug("No matching LDAP objecs for authentication of '%s' (%s)", uid, username)
raise LdapPasswordError()
implements #60, ldap configuration and authentication....
r705 except ldap.NO_SUCH_OBJECT, e:
log.debug("LDAP says no such user '%s' (%s)", uid, username)
fixed #72 show warning on removal when user still is owner of existing repositories...
r713 raise LdapUsernameError()
implements #60, ldap configuration and authentication....
r705 except ldap.SERVER_DOWN, e:
fixed #72 show warning on removal when user still is owner of existing repositories...
r713 raise LdapConnectionError("LDAP can't access authentication server")
implements #60, ldap configuration and authentication....
r705
Thayne Harbaugh
Improve LDAP authentication...
r991 return (dn, attrs)