##// END OF EJS Templates
upstream » kallithea
RSS

Clone from https://kallithea-scm.org/repos/kallithea

pep8
marcink -
r1170:6a9a5af4 beta
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,126 +1,130 b''
1 1 #!/usr/bin/env python
2 2 # encoding: utf-8
3 3 # ldap authentication lib
4 4 # Copyright (C) 2009-2011 Marcin Kuzminski <marcin@python-works.com>
5 5 #
6 6 # This program is free software; you can redistribute it and/or
7 7 # modify it under the terms of the GNU General Public License
8 8 # as published by the Free Software Foundation; version 2
9 9 # of the License or (at your opinion) any later version of the license.
10 10 #
11 11 # This program is distributed in the hope that it will be useful,
12 12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 14 # GNU General Public License for more details.
15 15 #
16 16 # You should have received a copy of the GNU General Public License
17 17 # along with this program; if not, write to the Free Software
18 18 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
19 19 # MA 02110-1301, USA.
20 20 """
21 21 Created on Nov 17, 2010
22 22
23 23 @author: marcink
24 24 """
25 25
26 26 from rhodecode.lib.exceptions import *
27 27 import logging
28 28
29 29 log = logging.getLogger(__name__)
30 30
31 31 try:
32 32 import ldap
33 33 except ImportError:
34 34 pass
35 35
36 36 class AuthLdap(object):
37 37
38 38 def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
39 39 use_ldaps=False, tls_reqcert='DEMAND', ldap_version=3,
40 40 ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',
41 41 search_scope='SUBTREE',
42 42 attr_login='uid'):
43 43 self.ldap_version = ldap_version
44 44 if use_ldaps:
45 45 port = port or 689
46 46 self.LDAP_USE_LDAPS = use_ldaps
47 47 self.TLS_REQCERT = ldap.__dict__['OPT_X_TLS_' + tls_reqcert]
48 48 self.LDAP_SERVER_ADDRESS = server
49 49 self.LDAP_SERVER_PORT = port
50 50
51 51 #USE FOR READ ONLY BIND TO LDAP SERVER
52 52 self.LDAP_BIND_DN = bind_dn
53 53 self.LDAP_BIND_PASS = bind_pass
54 54
55 55 ldap_server_type = 'ldap'
56 56 if self.LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's'
57 57 self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type,
58 58 self.LDAP_SERVER_ADDRESS,
59 59 self.LDAP_SERVER_PORT)
60 60
61 61 self.BASE_DN = base_dn
62 62 self.LDAP_FILTER = ldap_filter
63 63 self.SEARCH_SCOPE = ldap.__dict__['SCOPE_' + search_scope]
64 64 self.attr_login = attr_login
65 65
66 66
67 67 def authenticate_ldap(self, username, password):
68 68 """Authenticate a user via LDAP and return his/her LDAP properties.
69 69
70 70 Raises AuthenticationError if the credentials are rejected, or
71 71 EnvironmentError if the LDAP server can't be reached.
72 72
73 73 :param username: username
74 74 :param password: password
75 75 """
76 76
77 77 from rhodecode.lib.helpers import chop_at
78 78
79 79 uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS)
80 80
81 81 if "," in username:
82 82 raise LdapUsernameError("invalid character in username: ,")
83 83 try:
84 84 ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/etc/openldap/cacerts')
85 85 ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
86 86 ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
87 87 ldap.set_option(ldap.OPT_TIMEOUT, 20)
88 88 ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
89 89 ldap.set_option(ldap.OPT_TIMELIMIT, 15)
90 90 if self.LDAP_USE_LDAPS:
91 91 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
92 92 server = ldap.initialize(self.LDAP_SERVER)
93 93 if self.ldap_version == 2:
94 94 server.protocol = ldap.VERSION2
95 95 else:
96 96 server.protocol = ldap.VERSION3
97 97
98 98 if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
99 99 server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
100 100
101 101 filt = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login, username)
102 log.debug("Authenticating %r filt %s at %s", self.BASE_DN, filt, self.LDAP_SERVER)
103 lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE, filt)
102 log.debug("Authenticating %r filt %s at %s", self.BASE_DN,
103 filt, self.LDAP_SERVER)
104 lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE,
105 filt)
104 106
105 107 if not lobjects:
106 108 raise ldap.NO_SUCH_OBJECT()
107 109
108 110 for (dn, attrs) in lobjects:
109 111 try:
110 112 server.simple_bind_s(dn, password)
111 113 break
112 114
113 115 except ldap.INVALID_CREDENTIALS, e:
114 log.debug("LDAP rejected password for user '%s' (%s): %s", uid, username, dn)
116 log.debug("LDAP rejected password for user '%s' (%s): %s",
117 uid, username, dn)
115 118
116 119 else:
117 log.debug("No matching LDAP objecs for authentication of '%s' (%s)", uid, username)
120 log.debug("No matching LDAP objects for authentication "
121 "of '%s' (%s)", uid, username)
118 122 raise LdapPasswordError()
119 123
120 124 except ldap.NO_SUCH_OBJECT, e:
121 125 log.debug("LDAP says no such user '%s' (%s)", uid, username)
122 126 raise LdapUsernameError()
123 127 except ldap.SERVER_DOWN, e:
124 128 raise LdapConnectionError("LDAP can't access authentication server")
125 129
126 130 return (dn, attrs)
General Comments 0
You need to be logged in to leave comments. Login now