auth_ldap.py
128 lines
| 4.7 KiB
| text/x-python
|
PythonLexer
| r713 | #!/usr/bin/env python | |||
| # encoding: utf-8 | ||||
| # ldap authentication lib | ||||
| r902 | # Copyright (C) 2009-2011 Marcin Kuzminski <marcin@python-works.com> | |||
| r713 | # | |||
| r1206 | # This program is free software: you can redistribute it and/or modify | |||
| # it under the terms of the GNU General Public License as published by | ||||
| # the Free Software Foundation, either version 3 of the License, or | ||||
| # (at your option) any later version. | ||||
| r1203 | # | |||
| r713 | # This program is distributed in the hope that it will be useful, | |||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||||
| # GNU General Public License for more details. | ||||
| r1203 | # | |||
| r713 | # You should have received a copy of the GNU General Public License | |||
| r1206 | # along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
| r713 | """ | |||
| Created on Nov 17, 2010 | ||||
| r700 | ||||
| r713 | @author: marcink | |||
| """ | ||||
| r705 | ||||
| r713 | from rhodecode.lib.exceptions import * | |||
| r705 | import logging | |||
| log = logging.getLogger(__name__) | ||||
| r700 | ||||
| r705 | try: | |||
| import ldap | ||||
| except ImportError: | ||||
| pass | ||||
| r700 | ||||
| r705 | class AuthLdap(object): | |||
| r700 | ||||
| r705 | def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='', | |||
Thayne Harbaugh
|
r991 | use_ldaps=False, tls_reqcert='DEMAND', ldap_version=3, | ||
| ldap_filter='(&(objectClass=user)(!(objectClass=computer)))', | ||||
| search_scope='SUBTREE', | ||||
| attr_login='uid'): | ||||
| r705 | self.ldap_version = ldap_version | |||
| if use_ldaps: | ||||
| port = port or 689 | ||||
| self.LDAP_USE_LDAPS = use_ldaps | ||||
|
Thayne Harbaugh
|
r991 | self.TLS_REQCERT = ldap.__dict__['OPT_X_TLS_' + tls_reqcert] | ||
| r705 | self.LDAP_SERVER_ADDRESS = server | |||
| self.LDAP_SERVER_PORT = port | ||||
| r700 | ||||
| r705 | #USE FOR READ ONLY BIND TO LDAP SERVER | |||
| self.LDAP_BIND_DN = bind_dn | ||||
| self.LDAP_BIND_PASS = bind_pass | ||||
| r700 | ||||
| r705 | ldap_server_type = 'ldap' | |||
| if self.LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's' | ||||
| self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type, | ||||
| self.LDAP_SERVER_ADDRESS, | ||||
| self.LDAP_SERVER_PORT) | ||||
| self.BASE_DN = base_dn | ||||
|
Thayne Harbaugh
|
r991 | self.LDAP_FILTER = ldap_filter | ||
| self.SEARCH_SCOPE = ldap.__dict__['SCOPE_' + search_scope] | ||||
| self.attr_login = attr_login | ||||
| r700 | ||||
| r705 | def authenticate_ldap(self, username, password): | |||
| """Authenticate a user via LDAP and return his/her LDAP properties. | ||||
| r1203 | ||||
| r705 | Raises AuthenticationError if the credentials are rejected, or | |||
| EnvironmentError if the LDAP server can't be reached. | ||||
| r1203 | ||||
| r705 | :param username: username | |||
| :param password: password | ||||
| """ | ||||
| from rhodecode.lib.helpers import chop_at | ||||
| uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS) | ||||
| r775 | ||||
| r705 | if "," in username: | |||
| r713 | raise LdapUsernameError("invalid character in username: ,") | |||
| r705 | try: | |||
| r739 | ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/etc/openldap/cacerts') | |||
|
Thayne Harbaugh
|
r991 | ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF) | ||
| ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON) | ||||
| ldap.set_option(ldap.OPT_TIMEOUT, 20) | ||||
| r705 | ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10) | |||
|
Thayne Harbaugh
|
r991 | ldap.set_option(ldap.OPT_TIMELIMIT, 15) | ||
| if self.LDAP_USE_LDAPS: | ||||
| ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT) | ||||
| r705 | server = ldap.initialize(self.LDAP_SERVER) | |||
| if self.ldap_version == 2: | ||||
| server.protocol = ldap.VERSION2 | ||||
| else: | ||||
| server.protocol = ldap.VERSION3 | ||||
| r700 | ||||
| r705 | if self.LDAP_BIND_DN and self.LDAP_BIND_PASS: | |||
| r794 | server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS) | |||
| r700 | ||||
|
Thayne Harbaugh
|
r991 | filt = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login, username) | ||
| r1170 | log.debug("Authenticating %r filt %s at %s", self.BASE_DN, | |||
| filt, self.LDAP_SERVER) | ||||
| lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE, | ||||
| filt) | ||||
|
Thayne Harbaugh
|
r991 | |||
| if not lobjects: | ||||
| raise ldap.NO_SUCH_OBJECT() | ||||
| r775 | ||||
|
Thayne Harbaugh
|
r991 | for (dn, attrs) in lobjects: | ||
| try: | ||||
| server.simple_bind_s(dn, password) | ||||
| break | ||||
| except ldap.INVALID_CREDENTIALS, e: | ||||
| r1170 | log.debug("LDAP rejected password for user '%s' (%s): %s", | |||
| uid, username, dn) | ||||
|
Thayne Harbaugh
|
r991 | |||
| r1185 | else: | |||
| log.debug("No matching LDAP objects for authentication " | ||||
| "of '%s' (%s)", uid, username) | ||||
| raise LdapPasswordError() | ||||
|
Thayne Harbaugh
|
r991 | |||
| r705 | except ldap.NO_SUCH_OBJECT, e: | |||
| log.debug("LDAP says no such user '%s' (%s)", uid, username) | ||||
| r713 | raise LdapUsernameError() | |||
| r705 | except ldap.SERVER_DOWN, e: | |||
| r713 | raise LdapConnectionError("LDAP can't access authentication server") | |||
| r705 | ||||
|
Thayne Harbaugh
|
r991 | return (dn, attrs) | ||
