@@ -59,6 +59,13 b' class LdapSettingsController(BaseControl' | |||||
59 | ] |
|
59 | ] | |
60 | tls_reqcert_default = 'DEMAND' |
|
60 | tls_reqcert_default = 'DEMAND' | |
61 |
|
61 | |||
|
62 | tls_kind_choices = [('PLAIN', _('No encryption'),), | |||
|
63 | ('LDAPS', _('LDAPS connection'),), | |||
|
64 | ('START_TLS', _('START_TLS on LDAP connection'),) | |||
|
65 | ] | |||
|
66 | ||||
|
67 | tls_kind_default = 'PLAIN' | |||
|
68 | ||||
62 | @LoginRequired() |
|
69 | @LoginRequired() | |
63 | @HasPermissionAllDecorator('hg.admin') |
|
70 | @HasPermissionAllDecorator('hg.admin') | |
64 | def __before__(self): |
|
71 | def __before__(self): | |
@@ -66,12 +73,14 b' class LdapSettingsController(BaseControl' | |||||
66 | c.admin_username = session.get('admin_username') |
|
73 | c.admin_username = session.get('admin_username') | |
67 | c.search_scope_choices = self.search_scope_choices |
|
74 | c.search_scope_choices = self.search_scope_choices | |
68 | c.tls_reqcert_choices = self.tls_reqcert_choices |
|
75 | c.tls_reqcert_choices = self.tls_reqcert_choices | |
|
76 | c.tls_kind_choices = self.tls_kind_choices | |||
69 | super(LdapSettingsController, self).__before__() |
|
77 | super(LdapSettingsController, self).__before__() | |
70 |
|
78 | |||
71 | def index(self): |
|
79 | def index(self): | |
72 | defaults = SettingsModel().get_ldap_settings() |
|
80 | defaults = SettingsModel().get_ldap_settings() | |
73 | c.search_scope_cur = defaults.get('ldap_search_scope') |
|
81 | c.search_scope_cur = defaults.get('ldap_search_scope') | |
74 | c.tls_reqcert_cur = defaults.get('ldap_tls_reqcert') |
|
82 | c.tls_reqcert_cur = defaults.get('ldap_tls_reqcert') | |
|
83 | c.tls_kind_cur = defaults.get('ldap_tls_kind') | |||
75 |
|
84 | |||
76 | return htmlfill.render( |
|
85 | return htmlfill.render( | |
77 | render('admin/ldap/ldap.html'), |
|
86 | render('admin/ldap/ldap.html'), | |
@@ -84,7 +93,8 b' class LdapSettingsController(BaseControl' | |||||
84 |
|
93 | |||
85 | settings_model = SettingsModel() |
|
94 | settings_model = SettingsModel() | |
86 | _form = LdapSettingsForm([x[0] for x in self.tls_reqcert_choices], |
|
95 | _form = LdapSettingsForm([x[0] for x in self.tls_reqcert_choices], | |
87 |
[x[0] for x in self.search_scope_choices] |
|
96 | [x[0] for x in self.search_scope_choices], | |
|
97 | [x[0] for x in self.tls_kind_choices])() | |||
88 |
|
98 | |||
89 | try: |
|
99 | try: | |
90 | form_result = _form.to_python(dict(request.POST)) |
|
100 | form_result = _form.to_python(dict(request.POST)) |
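Review bot: `index()` (new lines 80–83) copies `defaults.get('ldap_tls_kind')` straight into `c.tls_kind_cur`, so a database that never stored that key renders the select with `None` selected even though the class defines `tls_kind_default = 'PLAIN'` (new line 67) for exactly this purpose; `tls_reqcert_default` on line 60 is likewise never consulted here. Use the declared fallback: `c.tls_kind_cur = defaults.get('ldap_tls_kind') or self.tls_kind_default`. Note that the chosen default is the unencrypted transport, which sends the bind DN password and every authenticating user's password in clear text; if that is intentional for backwards compatibility, say so in a comment next to `tls_kind_default`, otherwise consider `'START_TLS'` as the default for new installations. The `__before__` and `index` bodies are visible in full, but the class and the method that builds `_form` continue past the hunks.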
@@ -190,7 +190,7 b' def authenticate(username, password):' | |||||
190 | 'port': ldap_settings.get('ldap_port'), |
|
190 | 'port': ldap_settings.get('ldap_port'), | |
191 | 'bind_dn': ldap_settings.get('ldap_dn_user'), |
|
191 | 'bind_dn': ldap_settings.get('ldap_dn_user'), | |
192 | 'bind_pass': ldap_settings.get('ldap_dn_pass'), |
|
192 | 'bind_pass': ldap_settings.get('ldap_dn_pass'), | |
193 |
' |
|
193 | 'tls_kind': ldap_settings.get('ldap_tls_kind'), | |
194 | 'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'), |
|
194 | 'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'), | |
195 | 'ldap_filter': ldap_settings.get('ldap_filter'), |
|
195 | 'ldap_filter': ldap_settings.get('ldap_filter'), | |
196 | 'search_scope': ldap_settings.get('ldap_search_scope'), |
|
196 | 'search_scope': ldap_settings.get('ldap_search_scope'), |
@@ -34,14 +34,19 b' except ImportError:' | |||||
34 | class AuthLdap(object): |
|
34 | class AuthLdap(object): | |
35 |
|
35 | |||
36 | def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='', |
|
36 | def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='', | |
37 |
|
|
37 | tls_kind = 'PLAIN', tls_reqcert='DEMAND', ldap_version=3, | |
38 | ldap_filter='(&(objectClass=user)(!(objectClass=computer)))', |
|
38 | ldap_filter='(&(objectClass=user)(!(objectClass=computer)))', | |
39 | search_scope='SUBTREE', |
|
39 | search_scope='SUBTREE', | |
40 | attr_login='uid'): |
|
40 | attr_login='uid'): | |
41 | self.ldap_version = ldap_version |
|
41 | self.ldap_version = ldap_version | |
42 | if use_ldaps: |
|
42 | ldap_server_type = 'ldap' | |
|
43 | ||||
|
44 | self.TLS_KIND = tls_kind | |||
|
45 | ||||
|
46 | if self.TLS_KIND == 'LDAPS': | |||
43 | port = port or 689 |
|
47 | port = port or 689 | |
44 | self.LDAP_USE_LDAPS = use_ldaps |
|
48 | ldap_server_type = ldap_server_type + 's' | |
|
49 | ||||
45 | self.TLS_REQCERT = ldap.__dict__['OPT_X_TLS_' + tls_reqcert] |
|
50 | self.TLS_REQCERT = ldap.__dict__['OPT_X_TLS_' + tls_reqcert] | |
46 | self.LDAP_SERVER_ADDRESS = server |
|
51 | self.LDAP_SERVER_ADDRESS = server | |
47 | self.LDAP_SERVER_PORT = port |
|
52 | self.LDAP_SERVER_PORT = port | |
@@ -50,8 +55,6 b' class AuthLdap(object):' | |||||
50 | self.LDAP_BIND_DN = bind_dn |
|
55 | self.LDAP_BIND_DN = bind_dn | |
51 | self.LDAP_BIND_PASS = bind_pass |
|
56 | self.LDAP_BIND_PASS = bind_pass | |
52 |
|
57 | |||
53 | ldap_server_type = 'ldap' |
|
|||
54 | if self.LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's' |
|
|||
55 | self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type, |
|
58 | self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type, | |
56 | self.LDAP_SERVER_ADDRESS, |
|
59 | self.LDAP_SERVER_ADDRESS, | |
57 | self.LDAP_SERVER_PORT) |
|
60 | self.LDAP_SERVER_PORT) | |
@@ -85,7 +88,7 b' class AuthLdap(object):' | |||||
85 | ldap.set_option(ldap.OPT_TIMEOUT, 20) |
|
88 | ldap.set_option(ldap.OPT_TIMEOUT, 20) | |
86 | ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10) |
|
89 | ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10) | |
87 | ldap.set_option(ldap.OPT_TIMELIMIT, 15) |
|
90 | ldap.set_option(ldap.OPT_TIMELIMIT, 15) | |
88 |
if self. |
|
91 | if self.TLS_KIND != 'PLAIN': | |
89 | ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT) |
|
92 | ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT) | |
90 | server = ldap.initialize(self.LDAP_SERVER) |
|
93 | server = ldap.initialize(self.LDAP_SERVER) | |
91 | if self.ldap_version == 2: |
|
94 | if self.ldap_version == 2: | |
@@ -93,6 +96,9 b' class AuthLdap(object):' | |||||
93 | else: |
|
96 | else: | |
94 | server.protocol = ldap.VERSION3 |
|
97 | server.protocol = ldap.VERSION3 | |
95 |
|
98 | |||
|
99 | if self.TLS_KIND == 'START_TLS': | |||
|
100 | server.start_tls_s() | |||
|
101 | ||||
96 | if self.LDAP_BIND_DN and self.LDAP_BIND_PASS: |
|
102 | if self.LDAP_BIND_DN and self.LDAP_BIND_PASS: | |
97 | server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS) |
|
103 | server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS) | |
98 |
|
104 |
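Review bot: `self.TLS_KIND = tls_kind` (new line 44) accepts any value, and the only branches that act on it are `== 'LDAPS'` (line 46) and `== 'START_TLS'` (line 99), so an unknown or `None` kind — for example a settings row that a pre-upgrade database never wrote — silently yields a plaintext `ldap://` connection carrying the bind password, while `OPT_X_TLS_REQUIRE_CERT` is still set because `!= 'PLAIN'` holds. Fail closed instead with `if tls_kind not in ('PLAIN', 'LDAPS', 'START_TLS'): raise ValueError('unknown tls_kind %r' % tls_kind)` before the branch. The LDAPS fallback `port = port or 689` (new line 47) is also wrong — the registered LDAPS port is 636 — and the new branch now makes it the default for every LDAPS configuration without a port; it should read `port = port or 636`. Minor: `tls_kind = 'PLAIN'` in the signature should be `tls_kind='PLAIN'` like the neighbouring defaults. `__init__` continues past the first hunk, and the method that calls `start_tls_s()` starts outside the hunk that contains it.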
@@ -312,7 +312,7 b' class DbManage(object):' | |||||
312 |
|
312 | |||
313 | try: |
|
313 | try: | |
314 | for k, v in [('ldap_active', 'false'), ('ldap_host', ''), |
|
314 | for k, v in [('ldap_active', 'false'), ('ldap_host', ''), | |
315 |
('ldap_port', '389'), ('ldap_ld |
|
315 | ('ldap_port', '389'), ('ldap_tls_kind', 'PLAIN'), | |
316 | ('ldap_tls_reqcert', ''), ('ldap_dn_user', ''), |
|
316 | ('ldap_tls_reqcert', ''), ('ldap_dn_user', ''), | |
317 | ('ldap_dn_pass', ''), ('ldap_base_dn', ''), |
|
317 | ('ldap_dn_pass', ''), ('ldap_base_dn', ''), | |
318 | ('ldap_filter', ''), ('ldap_search_scope', ''), |
|
318 | ('ldap_filter', ''), ('ldap_search_scope', ''), |
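Review bot: `('ldap_tls_kind', 'PLAIN')` (new line 315) only seeds the key when this loop runs, and nothing in the hunk migrates the old `ldap_ldaps` row of an existing database; if this loop is executed only at initial setup, an upgraded deployment that had LDAPS enabled ends up with no `ldap_tls_kind` row, which `AuthLdap` treats as neither LDAPS nor START_TLS, i.e. a plain `ldap://` connection. A migration that writes `ldap_tls_kind = 'LDAPS'` when `ldap_ldaps` was true (and `'PLAIN'` otherwise) is needed, after which the old key can be dropped. The `ldap_tls_reqcert` default stays `''` (line 316), which the `ldap.__dict__['OPT_X_TLS_' + tls_reqcert]` lookup in `AuthLdap` cannot resolve; seeding it with `'DEMAND'`, matching the controller's `tls_reqcert_default`, would be safer. The enclosing method starts and ends outside the hunk.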
@@ -556,7 +556,7 b' def DefaultPermissionsForm(perms_choices' | |||||
556 | return _DefaultPermissionsForm |
|
556 | return _DefaultPermissionsForm | |
557 |
|
557 | |||
558 |
|
558 | |||
559 | def LdapSettingsForm(tls_reqcert_choices, search_scope_choices): |
|
559 | def LdapSettingsForm(tls_reqcert_choices, search_scope_choices, tls_kind_choices): | |
560 | class _LdapSettingsForm(formencode.Schema): |
|
560 | class _LdapSettingsForm(formencode.Schema): | |
561 | allow_extra_fields = True |
|
561 | allow_extra_fields = True | |
562 | filter_extra_fields = True |
|
562 | filter_extra_fields = True | |
@@ -564,7 +564,7 b' def LdapSettingsForm(tls_reqcert_choices' | |||||
564 | ldap_active = StringBoolean(if_missing=False) |
|
564 | ldap_active = StringBoolean(if_missing=False) | |
565 | ldap_host = UnicodeString(strip=True,) |
|
565 | ldap_host = UnicodeString(strip=True,) | |
566 | ldap_port = Number(strip=True,) |
|
566 | ldap_port = Number(strip=True,) | |
567 | ldap_ldaps = StringBoolean(if_missing=False) |
|
567 | ldap_tls_kind = OneOf(tls_kind_choices) | |
568 | ldap_tls_reqcert = OneOf(tls_reqcert_choices) |
|
568 | ldap_tls_reqcert = OneOf(tls_reqcert_choices) | |
569 | ldap_dn_user = UnicodeString(strip=True,) |
|
569 | ldap_dn_user = UnicodeString(strip=True,) | |
570 | ldap_dn_pass = UnicodeString(strip=True,) |
|
570 | ldap_dn_pass = UnicodeString(strip=True,) |
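Review bot: The new signature `def LdapSettingsForm(tls_reqcert_choices, search_scope_choices, tls_kind_choices):` (new line 559) runs past 79 columns; wrap it as `def LdapSettingsForm(tls_reqcert_choices, search_scope_choices,` followed by `tls_kind_choices):` aligned under the first parameter. The factory has no docstring; one sentence stating that the three lists are the allow-lists for the `OneOf` validators — and therefore the only values `AuthLdap` will ever receive for those fields — would also explain why `ldap_tls_kind` deliberately has no `if_missing` fallback, unlike the `ldap_ldaps` boolean it replaces. The schema class continues past the hunk.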
@@ -70,7 +70,7 b' class SettingsModel(BaseModel):' | |||||
70 | ldap_active |
|
70 | ldap_active | |
71 | ldap_host |
|
71 | ldap_host | |
72 | ldap_port |
|
72 | ldap_port | |
73 |
ldap_ld |
|
73 | ldap_tls_kind | |
74 | ldap_tls_reqcert |
|
74 | ldap_tls_reqcert | |
75 | ldap_dn_user |
|
75 | ldap_dn_user | |
76 | ldap_dn_pass |
|
76 | ldap_dn_pass |
@@ -47,8 +47,8 b'' | |||||
47 | <div class="input">${h.password('ldap_dn_pass',class_='small')}</div> |
|
47 | <div class="input">${h.password('ldap_dn_pass',class_='small')}</div> | |
48 | </div> |
|
48 | </div> | |
49 | <div class="field"> |
|
49 | <div class="field"> | |
50 |
<div class="label |
|
50 | <div class="label"><label for="ldap_tls_kind">${_('Connection security')}</label></div> | |
51 |
<div class=" |
|
51 | <div class="select">${h.select('ldap_tls_kind',c.tls_kind_cur,c.tls_kind_choices,class_='small')}</div> | |
52 | </div> |
|
52 | </div> | |
53 | <div class="field"> |
|
53 | <div class="field"> | |
54 | <div class="label"><label for="ldap_tls_reqcert">${_('Certificate Checks')}</label></div> |
|
54 | <div class="label"><label for="ldap_tls_reqcert">${_('Certificate Checks')}</label></div> |
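Review bot: The new 'Connection security' select (new lines 50–51) has no help text, so an administrator cannot tell from the page that 'No encryption' transmits the bind password and user credentials in clear text, or that the 'Certificate Checks' field below only takes effect for LDAPS/START_TLS (`AuthLdap` applies `OPT_X_TLS_REQUIRE_CERT` only when the kind is not `'PLAIN'`). Add a hint under the select, e.g. `<span class="help-block">${_('Prefer LDAPS or START_TLS; "No encryption" sends passwords in clear text. Certificate checks apply only to encrypted connections.')}</span>`, using whatever help markup this template already uses elsewhere.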