Show More
@@ -1,78 +1,86 b'' | |||||
1 | import logging |
|
1 | import logging | |
2 | logging.basicConfig(level=logging.DEBUG) |
|
2 | logging.basicConfig(level=logging.DEBUG) | |
3 | log = logging.getLogger('ldap') |
|
3 | log = logging.getLogger('ldap') | |
4 |
|
4 | |||
5 | #============================================================================== |
|
5 | #============================================================================== | |
6 | # LDAP |
|
6 | # LDAP | |
7 | #Name = Just a description for the auth modes page |
|
7 | #Name = Just a description for the auth modes page | |
8 | #Host = DepartmentName.OrganizationName.local/ IP |
|
8 | #Host = DepartmentName.OrganizationName.local/ IP | |
9 | #Port = 389 default for ldap |
|
9 | #Port = 389 default for ldap | |
10 | #LDAPS = no set True if You need to use ldaps |
|
10 | #LDAPS = no set True if You need to use ldaps | |
11 | #Account = DepartmentName\UserName (or UserName@MyDomain depending on AD server) |
|
11 | #Account = DepartmentName\UserName (or UserName@MyDomain depending on AD server) | |
12 | #Password = <password> |
|
12 | #Password = <password> | |
13 | #Base DN = DC=DepartmentName,DC=OrganizationName,DC=local |
|
13 | #Base DN = DC=DepartmentName,DC=OrganizationName,DC=local | |
14 | # |
|
14 | # | |
15 | #On-the-fly user creation = yes |
|
15 | #On-the-fly user creation = yes | |
16 | #Attributes |
|
16 | #Attributes | |
17 | # Login = sAMAccountName |
|
17 | # Login = sAMAccountName | |
18 | # Firstname = givenName |
|
18 | # Firstname = givenName | |
19 | # Lastname = sN |
|
19 | # Lastname = sN | |
20 | # Email = mail |
|
20 | # Email = mail | |
21 |
|
21 | |||
22 | #============================================================================== |
|
22 | #============================================================================== | |
23 | class UsernameError(Exception):pass |
|
23 | class UsernameError(Exception):pass | |
24 | class PasswordError(Exception):pass |
|
24 | class PasswordError(Exception):pass | |
25 |
|
25 | |||
26 | LDAP_USE_LDAPS = False |
|
26 | LDAP_USE_LDAPS = False | |
27 | ldap_server_type = 'ldap' |
|
27 | ldap_server_type = 'ldap' | |
28 |
LDAP_SERVER_ADDRESS = ' |
|
28 | LDAP_SERVER_ADDRESS = 'myldap.com' | |
29 | LDAP_SERVER_PORT = '389' |
|
29 | LDAP_SERVER_PORT = '389' | |
30 |
|
30 | |||
|
31 | #USE FOR READ ONLY BIND TO LDAP SERVER | |||
31 | LDAP_BIND_DN = '' |
|
32 | LDAP_BIND_DN = '' | |
32 | LDAP_BIND_PASS = '' |
|
33 | LDAP_BIND_PASS = '' | |
33 |
|
34 | |||
34 | if LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's' |
|
35 | if LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's' | |
35 | LDAP_SERVER = "%s://%s:%s" % (ldap_server_type, |
|
36 | LDAP_SERVER = "%s://%s:%s" % (ldap_server_type, | |
36 | LDAP_SERVER_ADDRESS, |
|
37 | LDAP_SERVER_ADDRESS, | |
37 | LDAP_SERVER_PORT) |
|
38 | LDAP_SERVER_PORT) | |
38 |
|
39 | |||
39 | BASE_DN = "ou=people,dc=server,dc=com" |
|
40 | BASE_DN = "ou=people,dc=server,dc=com" | |
|
41 | AUTH_DN = "uid=%s,%s" | |||
40 |
|
42 | |||
41 | def authenticate_ldap(username, password): |
|
43 | def authenticate_ldap(username, password): | |
42 | """Authenticate a user via LDAP and return his/her LDAP properties. |
|
44 | """Authenticate a user via LDAP and return his/her LDAP properties. | |
43 |
|
45 | |||
44 | Raises AuthenticationError if the credentials are rejected, or |
|
46 | Raises AuthenticationError if the credentials are rejected, or | |
45 | EnvironmentError if the LDAP server can't be reached. |
|
47 | EnvironmentError if the LDAP server can't be reached. | |
46 | """ |
|
48 | """ | |
47 | try: |
|
49 | try: | |
48 | import ldap |
|
50 | import ldap | |
49 | except ImportError: |
|
51 | except ImportError: | |
50 | raise Exception('Could not import ldap make sure You install python-ldap') |
|
52 | raise Exception('Could not import ldap make sure You install python-ldap') | |
51 |
|
53 | |||
52 | from rhodecode.lib.helpers import chop_at |
|
54 | from rhodecode.lib.helpers import chop_at | |
53 |
|
55 | |||
54 | uid = chop_at(username, "@%s" % LDAP_SERVER_ADDRESS) |
|
56 | uid = chop_at(username, "@%s" % LDAP_SERVER_ADDRESS) | |
55 |
dn = |
|
57 | dn = AUTH_DN % (uid, BASE_DN) | |
56 | log.debug("Authenticating %r at %s", dn, LDAP_SERVER) |
|
58 | log.debug("Authenticating %r at %s", dn, LDAP_SERVER) | |
57 | if "," in username: |
|
59 | if "," in username: | |
58 | raise UsernameError("invalid character in username: ,") |
|
60 | raise UsernameError("invalid character in username: ,") | |
59 | try: |
|
61 | try: | |
60 | #ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/openldap/cacerts') |
|
62 | #ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/openldap/cacerts') | |
61 | server = ldap.initialize(LDAP_SERVER) |
|
63 | server = ldap.initialize(LDAP_SERVER) | |
62 | server.protocol = ldap.VERSION3 |
|
64 | server.protocol = ldap.VERSION3 | |
|
65 | ||||
|
66 | if LDAP_BIND_DN and LDAP_BIND_PASS: | |||
|
67 | server.simple_bind_s(AUTH_DN % (LDAP_BIND_DN, | |||
|
68 | LDAP_BIND_PASS), | |||
|
69 | password) | |||
|
70 | ||||
63 | server.simple_bind_s(dn, password) |
|
71 | server.simple_bind_s(dn, password) | |
64 | properties = server.search_s(dn, ldap.SCOPE_SUBTREE) |
|
72 | properties = server.search_s(dn, ldap.SCOPE_SUBTREE) | |
65 | if not properties: |
|
73 | if not properties: | |
66 | raise ldap.NO_SUCH_OBJECT() |
|
74 | raise ldap.NO_SUCH_OBJECT() | |
67 | except ldap.NO_SUCH_OBJECT, e: |
|
75 | except ldap.NO_SUCH_OBJECT, e: | |
68 | log.debug("LDAP says no such user '%s' (%s)", uid, username) |
|
76 | log.debug("LDAP says no such user '%s' (%s)", uid, username) | |
69 | raise UsernameError() |
|
77 | raise UsernameError() | |
70 | except ldap.INVALID_CREDENTIALS, e: |
|
78 | except ldap.INVALID_CREDENTIALS, e: | |
71 | log.debug("LDAP rejected password for user '%s' (%s)", uid, username) |
|
79 | log.debug("LDAP rejected password for user '%s' (%s)", uid, username) | |
72 | raise PasswordError() |
|
80 | raise PasswordError() | |
73 | except ldap.SERVER_DOWN, e: |
|
81 | except ldap.SERVER_DOWN, e: | |
74 | raise EnvironmentError("can't access authentication server") |
|
82 | raise EnvironmentError("can't access authentication server") | |
75 | return properties |
|
83 | return properties | |
76 |
|
84 | |||
77 |
|
85 | |||
78 | print authenticate_ldap('test', 'test') |
|
86 | print authenticate_ldap('test', 'test') |
General Comments 0
You need to be logged in to leave comments.
Login now