ldap two phase auth fix
marcink -
r701:6602bf1c beta
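--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -1,78 +1,86 @@
 import logging
 logging.basicConfig(level=logging.DEBUG)
 log = logging.getLogger('ldap')
 
 #==============================================================================
 # LDAP
 #Name = Just a description for the auth modes page
 #Host = DepartmentName.OrganizationName.local/ IP
 #Port = 389 default for ldap
 #LDAPS = no set True if You need to use ldaps
 #Account = DepartmentName\UserName (or UserName@MyDomain depending on AD server)
 #Password = <password>
 #Base DN = DC=DepartmentName,DC=OrganizationName,DC=local
 #
 #On-the-fly user creation = yes
 #Attributes
 # Login = sAMAccountName
 # Firstname = givenName
 # Lastname = sN
 # Email = mail
 
 #==============================================================================
 class UsernameError(Exception):pass
 class PasswordError(Exception):pass
 
 LDAP_USE_LDAPS = False
 ldap_server_type = 'ldap'
-LDAP_SERVER_ADDRESS = '192.168.2.56'
+LDAP_SERVER_ADDRESS = 'myldap.com'
 LDAP_SERVER_PORT = '389'
 
+#USE FOR READ ONLY BIND TO LDAP SERVER
 LDAP_BIND_DN = ''
 LDAP_BIND_PASS = ''
 
 if LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's'
 LDAP_SERVER = "%s://%s:%s" % (ldap_server_type,
                               LDAP_SERVER_ADDRESS,
                               LDAP_SERVER_PORT)
 
 BASE_DN = "ou=people,dc=server,dc=com"
+AUTH_DN = "uid=%s,%s"
 
 def authenticate_ldap(username, password):
     """Authenticate a user via LDAP and return his/her LDAP properties.
 
     Raises AuthenticationError if the credentials are rejected, or
     EnvironmentError if the LDAP server can't be reached.
     """
     try:
         import ldap
     except ImportError:
         raise Exception('Could not import ldap make sure You install python-ldap')
 
     from rhodecode.lib.helpers import chop_at
 
     uid = chop_at(username, "@%s" % LDAP_SERVER_ADDRESS)
-    dn = "uid=%s,%s" % (uid, BASE_DN)
+    dn = AUTH_DN % (uid, BASE_DN)
     log.debug("Authenticating %r at %s", dn, LDAP_SERVER)
     if "," in username:
         raise UsernameError("invalid character in username: ,")
     try:
         #ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/openldap/cacerts')
         server = ldap.initialize(LDAP_SERVER)
         server.protocol = ldap.VERSION3
+
+        if LDAP_BIND_DN and LDAP_BIND_PASS:
+            server.simple_bind_s(AUTH_DN % (LDAP_BIND_DN,
+                                            LDAP_BIND_PASS),
+                                 password)
+
         server.simple_bind_s(dn, password)
         properties = server.search_s(dn, ldap.SCOPE_SUBTREE)
         if not properties:
             raise ldap.NO_SUCH_OBJECT()
     except ldap.NO_SUCH_OBJECT, e:
         log.debug("LDAP says no such user '%s' (%s)", uid, username)
         raise UsernameError()
     except ldap.INVALID_CREDENTIALS, e:
         log.debug("LDAP rejected password for user '%s' (%s)", uid, username)
         raise PasswordError()
     except ldap.SERVER_DOWN, e:
         raise EnvironmentError("can't access authentication server")
     return properties
 
 
 print authenticate_ldap('test', 'test')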
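Review bot: The read-only bind added at new lines 66-69 never uses the service credentials it is guarded on: it formats the bind DN as `AUTH_DN % (LDAP_BIND_DN, LDAP_BIND_PASS)`, so LDAP_BIND_PASS is transmitted as the base component of a DN (where it can end up in server-side logs) and the bind itself is performed with the end user's `password` instead of LDAP_BIND_PASS. The intended call is `server.simple_bind_s(LDAP_BIND_DN, LDAP_BIND_PASS)`. Even with that corrected, the service bind is immediately replaced by the user bind on line 71 with no search in between, so the "two phase" flow only works when the user's DN is exactly `uid=<uid>,BASE_DN`; if the service bind is meant to resolve the user's DN, a `search_s` under BASE_DN belongs between the two binds and should supply the `dn` used on line 71. Separately, the `","` check on `username` (line 59) runs after `dn` has already been built and logged on lines 57-58; moving it above `dn = AUTH_DN % (uid, BASE_DN)` keeps rejected input from ever being formatted into a DN, and the check still rejects only a single DN-special character, which is worth noting in a comment.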