def authenticate(self, environ, identity):
"Authenticate identity"
try:
if check_failed_logins(environ):
raise TypeError
login = identity['login']
username, domain = login.split('@')
ldapsettings = self.dbsession.query(self.ldapsettingsmodel,
self.authsettingsmodel.address,
self.authsettingsmodel.port,
self.authsettingsmodel.split_address,
self.domainmodel.name)\
.join(self.authsettingsmodel)\
.join(self.domainmodel)\
.filter(self.authsettingsmodel.enabled == True)\
.filter(self.domainmodel.status == True)\
.filter(or_(self.domainmodel.name == domain,
func._(and_(\
self.domainmodel.id == self.alias.domain_id,
self.alias.name == domain,
self.alias.status == True)
)
)).all()
(settings,
address,
port,
split_address,
domain_name) = ldapsettings[0]
ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 5)
ldap_uri = make_ldap_uri(address, port)
ldap_connection = make_ldap_connection(ldap_uri)
kwargs = dict(naming_attribute=settings.nameattribute,
returned_id=self.returned_id,
bind_dn=settings.binddn,
bind_pass=settings.bindpw,
start_tls=settings.usetls)
if domain != domain_name:
# override alias domain
domain = domain_name
if settings.usesearch:
ldap_module = 'LDAPSearchAuthenticatorPlugin'
# build_search_filters(kwargs, settings.search_scope,
# settings.searchfilter, domain,
# login, username)
kwargs['search_scope'] = settings.search_scope
if settings.searchfilter != '':
params = []
domaindn = ','.join(['dc=' + part
for part in domain.split('.')])
mapping = {
'%n':login,
'%u':username,
'%d':domain,
'%D': domaindn
}
searchfilter = escape_filter_chars(settings.searchfilter)
for key in ['%n', '%u', '%d', '%D']:
for _ in xrange(searchfilter.count(key)):
searchfilter = searchfilter.replace(key, '%s', 1)
params.append(mapping[key])
searchfilter = filter_format(searchfilter, params)
kwargs['filterstr'] = searchfilter
else:
ldap_module = 'LDAPAuthenticatorPlugin'
if split_address:
identity['login'] = username
else:
# use main domain name not alias reset above
identity['login'] = "******" % (username, domain)
auth = resolveDotted('repoze.who.plugins.ldap:%s' % ldap_module)
ldap_auth = auth(ldap_connection, settings.basedn, **kwargs)
userid = ldap_auth.authenticate(environ, identity)
fulladdr = "%s@%s" % (username, domain)
return userid if userid is None or '@' in userid else fulladdr
except (KeyError, TypeError, ValueError, AttributeError,
NoResultFound, IndexError, ldap.LDAPError):
return None
def authenticate(self, environ, identity):
"""authenticator"""
try:
if check_failed_logins(environ):
return None
login = identity['login'].decode('utf-8')
password = identity['password'].decode('utf-8')
username = login
domain = None
is_alias = False
if '@' not in login:
return None
username, domain = login.split('@')
try:
dma = self.dbsession.query(self.dommodel.name)\
.join(self.dam)\
.filter(self.dam.name == domain).one()
domain = dma.name
is_alias = True
except NoResultFound:
pass
radiussettings = self.dbsession.query(self.rsm,
self.asm.address,
self.asm.port,
self.asm.split_address,
self.asm.user_map_template)\
.join(self.asm)\
.join(self.dommodel)\
.filter(self.asm.enabled == True)\
.filter(self.dommodel.status == True)\
.filter(self.dommodel.name == domain)\
.one()
settings, address, port, split_address, template = radiussettings
if not port:
port = 1812
radclient = Client(server=address, authport=port,
secret=settings.secret.encode('utf-8'),
dict=Dictionary(StringIO(DICTIONARY)))
if settings.timeout:
radclient.timeout = settings.timeout
if split_address:
login = username
if is_alias:
identity['login'] = "******" % (username, domain)
if not split_address:
login = "******" % (username, domain)
if (template and (USER_TEMPLATE_MAP_RE.search(template) or
DOM_TEMPLATE_MAP_RE.search(template))):
# domain has user template
login = USER_TEMPLATE_MAP_RE.sub(username, template)
login = DOM_TEMPLATE_MAP_RE.sub(domain, login)
request = radclient.CreateAuthPacket(code=packet.AccessRequest,
User_Name=login)
request["User-Password"] = request.PwCrypt(password)
reply = radclient.SendPacket(request)
if reply.code == packet.AccessAccept:
identity['login'] = identity['login'].lower()
return identity['login']
except (KeyError, IndexError, NoResultFound, Timeout):
return None
return None
def authenticate(self, environ, identity):
"""authenticator"""
try:
if check_failed_logins(environ):
return None
login = identity['login']
password = identity['password']
username = login
domain = None
if '@' not in login:
return None
username, domain = login.split('@')
and_clause = and_(self.domainmodel.id == self.aliasmodel.domain_id,
self.aliasmodel.name == domain,
self.aliasmodel.status == True)
smtpsettings = self.dbsession.query(self.authsettingsmodel.port,
self.authsettingsmodel.address,
self.authsettingsmodel.split_address,
self.authsettingsmodel.user_map_template,
self.domainmodel.name)\
.join(self.domainmodel)\
.filter(self.authsettingsmodel.protocol == 3)\
.filter(self.authsettingsmodel.enabled == True)\
.filter(self.domainmodel.status == True)\
.filter(or_(self.domainmodel.name == domain,
func._(and_clause)))\
.all()
port, address, split_address, template, \
domain_name = smtpsettings[0]
if split_address:
login = username
if domain != domain_name:
identity['login'] = "******" % (username, domain_name)
if not split_address:
login = "******" % (username, domain_name)
if (template and (USER_TEMPLATE_MAP_RE.search(template) or
DOM_TEMPLATE_MAP_RE.search(template))):
# domain has user template
login = USER_TEMPLATE_MAP_RE.sub(username, template)
login = DOM_TEMPLATE_MAP_RE.sub(domain, login)
if port == 465:
conn = smtplib.SMTP_SSL(address, timeout=5)
elif port == 25 or port is None:
conn = smtplib.SMTP(address, timeout=5)
else:
conn = smtplib.SMTP(address, port, timeout=5)
conn.ehlo()
if conn.has_extn('STARTTLS') and port != 465:
conn.starttls()
conn.ehlo()
conn.login(login, password)
return identity['login']
except (KeyError, IndexError, NoResultFound, smtplib.SMTPException,
socket.error, SSLError):
return None
finally:
if 'conn' in locals():
try:
conn.quit()
except smtplib.SMTPServerDisconnected:
pass
return None
def authenticate(self, environ, identity):
"""authenticator"""
try:
if check_failed_logins(environ):
return None
login = identity['login']
password = identity['password']
username = login
domain = None
if '@' not in login:
return None
username, domain = login.split('@')
and_clause = and_(self.dommodel.id == self.aliasmodel.domain_id,
self.aliasmodel.name == domain,
self.aliasmodel.status == True)
query = self.dbsession.query(self.authsettingsmodel.port,
self.authsettingsmodel.address,
self.authsettingsmodel.split_address,
self.authsettingsmodel.user_map_template,
self.dommodel.name)\
.join(self.dommodel)\
.filter(self.authsettingsmodel.protocol == 2)\
.filter(self.authsettingsmodel.enabled == True)\
.filter(self.dommodel.status == True)\
.filter(or_(self.dommodel.name == domain,
func._(and_clause)))\
.all()
port, address, split_address, template, domain_name = query[0]
if split_address:
login = username
if domain != domain_name:
identity['login'] = "******" % (username, domain_name)
if not split_address:
login = "******" % (username, domain_name)
if (template and (USER_TEMPLATE_MAP_RE.search(template)
or DOM_TEMPLATE_MAP_RE.search(template))):
# domain has user template
login = USER_TEMPLATE_MAP_RE.sub(username, template)
login = DOM_TEMPLATE_MAP_RE.sub(domain, login)
if port == 993:
conn = imaplib.IMAP4_SSL(address)
elif port == 143 or port is None:
conn = imaplib.IMAP4(address)
else:
conn = imaplib.IMAP4(address, port)
conn.login(login, password)
return identity['login']
except (KeyError, IndexError, NoResultFound, imaplib.IMAP4.error,
socket.error, SSLError):
return None
finally:
if 'conn' in locals():
conn.logout()
return None
def authenticate(self, environ, identity):
"""authenticator"""
try:
if check_failed_logins(environ):
return None
login = identity['login']
password = identity['password']
username = login
domain = None
if '@' not in login:
return None
username, domain = login.split('@')
and_clause = and_(self.domainmodel.id == self.aliasmodel.domain_id,
self.aliasmodel.name == domain,
self.aliasmodel.status == True)
popsettings = self.dbsession.query(self.authsettingsmodel.port,
self.authsettingsmodel.address,
self.authsettingsmodel.split_address,
self.authsettingsmodel.user_map_template,
self.domainmodel.name)\
.join(self.domainmodel)\
.filter(self.authsettingsmodel.protocol == 1)\
.filter(self.authsettingsmodel.enabled == True)\
.filter(self.domainmodel.status == True)\
.filter(or_(self.domainmodel.name == domain,
func._(and_clause)))\
.all()
port, address, split_address, template, domain_name = popsettings[0]
if split_address:
login = username
if domain != domain_name:
identity['login'] = "******" % (username, domain_name)
if not split_address:
login = "******" % (username, domain_name)
if (template and (USER_TEMPLATE_MAP_RE.search(template) or
DOM_TEMPLATE_MAP_RE.search(template))):
# domain has user template
login = USER_TEMPLATE_MAP_RE.sub(username, template)
login = DOM_TEMPLATE_MAP_RE.sub(domain, login)
if port == 995:
conn = poplib.POP3_SSL(address)
elif port == 110 or port is None:
conn = poplib.POP3(address)
else:
conn = poplib.POP3(address, port)
if APOP_RE.match(conn.getwelcome()):
conn.apop(login, password)
else:
conn.user(login)
conn.pass_(password)
return identity['login']
except (KeyError, IndexError, NoResultFound, poplib.error_proto,
socket.error, SSLError):
return None
finally:
if 'conn' in locals():
conn.quit()
return None
def authenticate(self, environ, identity):
"""authenticator"""
try:
if check_failed_logins(environ):
return None
login = identity['login'].encode('utf-8')
password = identity['password'].encode('utf-8')
username = login
domain = None
is_alias = False
if '@' not in login:
return None
username, domain = login.split('@')
try:
dma = self.dbsession.query(self.dommodel.name)\
.join(self.dam)\
.filter(self.dam.name == domain).one()
domain = dma.name
is_alias = True
except NoResultFound:
pass
smtpsettings = self.dbsession.query(self.asm.port,
self.asm.address,
self.asm.split_address,
self.asm.user_map_template)\
.join(self.dommodel)\
.filter(self.asm.protocol == 3)\
.filter(self.asm.enabled == True)\
.filter(self.dommodel.status == True)\
.filter(self.dommodel.name == domain).one()
port, address, split_address, template = smtpsettings
if split_address:
login = username
if is_alias:
identity['login'] = u"%s@%s" % (username, domain)
if not split_address:
login = u"%s@%s" % (username, domain)
if (template and (USER_TEMPLATE_MAP_RE.search(template) or
DOM_TEMPLATE_MAP_RE.search(template))):
# domain has user template
login = USER_TEMPLATE_MAP_RE.sub(username, template)
login = DOM_TEMPLATE_MAP_RE.sub(domain, login)
if port == 465:
conn = smtplib.SMTP_SSL(address, timeout=5)
elif port == 25 or port is None:
conn = smtplib.SMTP(address, timeout=5)
else:
conn = smtplib.SMTP(address, port, timeout=5)
conn.ehlo()
if conn.has_extn('STARTTLS') and port != 465:
conn.starttls()
conn.ehlo()
conn.login(login, password)
identity['login'] = identity['login'].lower()
return identity['login']
except (KeyError, IndexError, NoResultFound, smtplib.SMTPException,
socket.error, SSLError):
return None
finally:
if 'conn' in locals():
try:
conn.quit()
except smtplib.SMTPServerDisconnected:
pass
return None
def authenticate(self, environ, identity):
"""authenticator"""
try:
if check_failed_logins(environ):
return None
login = identity['login']
password = identity['password']
username = login
is_alias = False
domain = None
if '@' not in login:
return None
username, domain = login.split('@')
try:
dma = self.dbsession.query(self.dommodel.name)\
.join(self.dam)\
.filter(self.dam.name == domain).one()
domain = dma.name
is_alias = True
except NoResultFound:
pass
popsettings = self.dbsession.query(self.asm.port,
self.asm.address,
self.asm.split_address,
self.asm.user_map_template)\
.join(self.dommodel)\
.filter(self.asm.protocol == 1)\
.filter(self.asm.enabled == True)\
.filter(self.dommodel.status == True)\
.filter(self.dommodel.name == domain)\
.one()
port, address, split_address, template = popsettings
if split_address:
login = username
if is_alias:
identity['login'] = "******" % (username, domain)
if not split_address:
login = "******" % (username, domain)
if (template and (USER_TEMPLATE_MAP_RE.search(template) or
DOM_TEMPLATE_MAP_RE.search(template))):
# domain has user template
login = USER_TEMPLATE_MAP_RE.sub(username, template)
login = DOM_TEMPLATE_MAP_RE.sub(domain, login)
if port == 995:
conn = poplib.POP3_SSL(address)
elif port == 110 or port is None:
conn = poplib.POP3(address)
else:
conn = poplib.POP3(address, port)
if APOP_RE.match(conn.getwelcome()):
conn.apop(login, password)
else:
conn.user(login)
conn.pass_(password)
identity['login'] = identity['login'].lower()
return identity['login']
except (KeyError, IndexError, NoResultFound, poplib.error_proto,
socket.error, SSLError):
return None
finally:
if 'conn' in locals():
conn.quit()
return None
def authenticate(self, environ, identity):
"""authenticator"""
try:
if check_failed_logins(environ):
return None
login = identity['login'].decode('utf-8')
password = identity['password'].decode('utf-8')
username = login
domain = None
if '@' not in login:
return None
username, domain = login.split('@')
and_clause = and_(self.domainmodel.id == self.aliasmodel.domain_id,
self.aliasmodel.name == domain,
self.aliasmodel.status == True)
radiussettings = self.dbsession.query(self.radsettingsmodel,
self.authsettingsmodel.address,
self.authsettingsmodel.port,
self.authsettingsmodel.split_address,
self.authsettingsmodel.user_map_template,
self.domainmodel.name)\
.join(self.authsettingsmodel)\
.join(self.domainmodel)\
.filter(self.authsettingsmodel.enabled == True)\
.filter(self.domainmodel.status == True)\
.filter(or_(self.domainmodel.name == domain,
func._(and_clause)))\
.all()
settings, address, port, split_address, template, \
domain_name = radiussettings[0]
if not port:
port = 1812
radclient = Client(server=address, authport=port,
secret=settings.secret.encode('utf-8'),
dict=Dictionary(StringIO(DICTIONARY)))
if settings.timeout:
radclient.timeout = settings.timeout
if split_address:
login = username
if domain != domain_name:
identity['login'] = "******" % (username, domain_name)
if not split_address:
login = "******" % (username, domain_name)
if (template and (USER_TEMPLATE_MAP_RE.search(template) or
DOM_TEMPLATE_MAP_RE.search(template))):
# domain has user template
login = USER_TEMPLATE_MAP_RE.sub(username, template)
login = DOM_TEMPLATE_MAP_RE.sub(domain, login)
request = radclient.CreateAuthPacket(code=packet.AccessRequest,
User_Name=login)
request["User-Password"] = request.PwCrypt(password)
reply = radclient.SendPacket(request)
if reply.code == packet.AccessAccept:
return identity['login']
except (KeyError, IndexError, NoResultFound, Timeout):
return None
return None
def authenticate(self, environ, identity):
"Authenticate identity"
try:
if check_failed_logins(environ):
raise TypeError
login = identity['login']
username, domain = login.split('@')
ldapsettings = self.dbsession.query(self.ldapsettingsmodel,
self.authsettingsmodel.address,
self.authsettingsmodel.port,
self.authsettingsmodel.split_address,
self.domainmodel.name)\
.join(self.authsettingsmodel)\
.join(self.domainmodel)\
.filter(self.authsettingsmodel.enabled == True)\
.filter(self.domainmodel.status == True)\
.filter(or_(self.domainmodel.name == domain,
func._(and_(\
self.domainmodel.id == self.alias.domain_id,
self.alias.name == domain,
self.alias.status == True)
)
)).all()
(settings, address, port, split_address,
domain_name) = ldapsettings[0]
ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 5)
ldap_uri = make_ldap_uri(address, port)
ldap_connection = make_ldap_connection(ldap_uri)
kwargs = dict(naming_attribute=settings.nameattribute,
returned_id=self.returned_id,
bind_dn=settings.binddn,
bind_pass=settings.bindpw,
start_tls=settings.usetls)
if domain != domain_name:
# override alias domain
domain = domain_name
if settings.usesearch:
ldap_module = 'LDAPSearchAuthenticatorPlugin'
# build_search_filters(kwargs, settings.search_scope,
# settings.searchfilter, domain,
# login, username)
kwargs['search_scope'] = settings.search_scope
if settings.searchfilter != '':
params = []
domaindn = ','.join(
['dc=' + part for part in domain.split('.')])
mapping = {
'%n': login,
'%u': username,
'%d': domain,
'%D': domaindn
}
searchfilter = escape_filter_chars(settings.searchfilter)
for key in ['%n', '%u', '%d', '%D']:
for _ in xrange(searchfilter.count(key)):
searchfilter = searchfilter.replace(key, '%s', 1)
params.append(mapping[key])
searchfilter = filter_format(searchfilter, params)
kwargs['filterstr'] = searchfilter
else:
ldap_module = 'LDAPAuthenticatorPlugin'
if split_address:
identity['login'] = username
else:
# use main domain name not alias reset above
identity['login'] = "******" % (username, domain)
auth = resolveDotted('repoze.who.plugins.ldap:%s' % ldap_module)
ldap_auth = auth(ldap_connection, settings.basedn, **kwargs)
userid = ldap_auth.authenticate(environ, identity)
fulladdr = "%s@%s" % (username, domain)
return userid if userid is None or '@' in userid else fulladdr
except (KeyError, TypeError, ValueError, AttributeError, NoResultFound,
IndexError, ldap.LDAPError):
return None
def authenticate(self, environ, identity):
"""authenticator"""
try:
if check_failed_logins(environ):
return None
login = identity['login'].decode('utf-8')
password = identity['password'].decode('utf-8')
username = login
domain = None
if '@' not in login:
return None
username, domain = login.split('@')
and_clause = and_(self.domainmodel.id == self.aliasmodel.domain_id,
self.aliasmodel.name == domain,
self.aliasmodel.status == True)
radiussettings = self.dbsession.query(self.radsettingsmodel,
self.authsettingsmodel.address,
self.authsettingsmodel.port,
self.authsettingsmodel.split_address,
self.authsettingsmodel.user_map_template,
self.domainmodel.name)\
.join(self.authsettingsmodel)\
.join(self.domainmodel)\
.filter(self.authsettingsmodel.enabled == True)\
.filter(self.domainmodel.status == True)\
.filter(or_(self.domainmodel.name == domain,
func._(and_clause)))\
.all()
settings, address, port, split_address, template, \
domain_name = radiussettings[0]
if not port:
port = 1812
radclient = Client(server=address,
authport=port,
secret=settings.secret.encode('utf-8'),
dict=Dictionary(StringIO(DICTIONARY)))
if settings.timeout:
radclient.timeout = settings.timeout
if split_address:
login = username
if domain != domain_name:
identity['login'] = "******" % (username, domain_name)
if not split_address:
login = "******" % (username, domain_name)
if (template and (USER_TEMPLATE_MAP_RE.search(template)
or DOM_TEMPLATE_MAP_RE.search(template))):
# domain has user template
login = USER_TEMPLATE_MAP_RE.sub(username, template)
login = DOM_TEMPLATE_MAP_RE.sub(domain, login)
request = radclient.CreateAuthPacket(code=packet.AccessRequest,
User_Name=login)
request["User-Password"] = request.PwCrypt(password)
reply = radclient.SendPacket(request)
if reply.code == packet.AccessAccept:
return identity['login']
except (KeyError, IndexError, NoResultFound, Timeout):
return None
return None
