# HG changeset patch
# User Marcin Kuzminski
# Date 2010-11-16 08:31:40
# Node ID 07fd56c36bfee25e696c2612d724082611daa874
# Parent 52da7cba88a68264a1cbeb9e8a2113f8bfb8937e
added basic ldap auth lib
diff --git a/rhodecode/lib/auth_ldap.py b/rhodecode/lib/auth_ldap.py
new file mode 100644
--- /dev/null
+++ b/rhodecode/lib/auth_ldap.py
@@ -0,0 +1,78 @@
+import logging
+logging.basicConfig(level=logging.DEBUG)
+log = logging.getLogger('ldap')
+
+#==============================================================================
+# LDAP
+#Name = Just a description for the auth modes page
+#Host = DepartmentName.OrganizationName.local/ IP
+#Port = 389 default for ldap
+#LDAPS = no set True if You need to use ldaps
+#Account = DepartmentName\UserName (or UserName@MyDomain depending on AD server)
+#Password =
+#Base DN = DC=DepartmentName,DC=OrganizationName,DC=local
+#
+#On-the-fly user creation = yes
+#Attributes
+# Login = sAMAccountName
+# Firstname = givenName
+# Lastname = sN
+# Email = mail
+
+#==============================================================================
+class UsernameError(Exception):pass
+class PasswordError(Exception):pass
+
+LDAP_USE_LDAPS = False
+ldap_server_type = 'ldap'
+LDAP_SERVER_ADDRESS = '192.168.2.56'
+LDAP_SERVER_PORT = '389'
+
+LDAP_BIND_DN = ''
+LDAP_BIND_PASS = ''
+
+if LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's'
+LDAP_SERVER = "%s://%s:%s" % (ldap_server_type,
+ LDAP_SERVER_ADDRESS,
+ LDAP_SERVER_PORT)
+
+BASE_DN = "ou=people,dc=server,dc=com"
+
+def authenticate_ldap(username, password):
+ """Authenticate a user via LDAP and return his/her LDAP properties.
+
+ Raises AuthenticationError if the credentials are rejected, or
+ EnvironmentError if the LDAP server can't be reached.
+ """
+ try:
+ import ldap
+ except ImportError:
+ raise Exception('Could not import ldap make sure You install python-ldap')
+
+ from rhodecode.lib.helpers import chop_at
+
+ uid = chop_at(username, "@%s" % LDAP_SERVER_ADDRESS)
+ dn = "uid=%s,%s" % (uid, BASE_DN)
+ log.debug("Authenticating %r at %s", dn, LDAP_SERVER)
+ if "," in username:
+ raise UsernameError("invalid character in username: ,")
+ try:
+ #ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/openldap/cacerts')
+ server = ldap.initialize(LDAP_SERVER)
+ server.protocol = ldap.VERSION3
+ server.simple_bind_s(dn, password)
+ properties = server.search_s(dn, ldap.SCOPE_SUBTREE)
+ if not properties:
+ raise ldap.NO_SUCH_OBJECT()
+ except ldap.NO_SUCH_OBJECT, e:
+ log.debug("LDAP says no such user '%s' (%s)", uid, username)
+ raise UsernameError()
+ except ldap.INVALID_CREDENTIALS, e:
+ log.debug("LDAP rejected password for user '%s' (%s)", uid, username)
+ raise PasswordError()
+ except ldap.SERVER_DOWN, e:
+ raise EnvironmentError("can't access authentication server")
+ return properties
+
+
+print authenticate_ldap('test', 'test')
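Review bot: `server.simple_bind_s(dn, password)` is reached with whatever password the caller supplied, and on servers that allow unauthenticated binds an empty password makes the bind succeed for any existing DN, so `authenticate_ldap` would accept an empty password for every user; guard it before the bind with `if not password: raise PasswordError()`. The `","` check earlier in the function rejects only one of the DN-special characters, so the `uid` interpolated into `dn` should be escaped rather than filtered, e.g. `dn = "uid=%s,%s" % (ldap.dn.escape_dn_chars(uid), BASE_DN)`. The trailing `print authenticate_ldap('test', 'test')` performs a network bind against the hard-coded `192.168.2.56` on every import of the module and should be removed or placed under `if __name__ == "__main__":`. `server.protocol = ldap.VERSION3` looks like it sets an attribute python-ldap does not read; the documented setting is `protocol_version`, so the intended LDAPv3 negotiation presumably does not happen as written — worth confirming. The docstring names `AuthenticationError`, which nothing here raises; it should list `UsernameError` and `PasswordError` instead.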