def __init__(self,
bind_dn,
bind_pw,
batch_mods=False,
sasl=False,
ro=False):
"""Handler for bindings to CSH LDAP.
Keyword arguments:
batch_mods -- whether or not to batch LDAP writes (default False)
sasl -- whether or not to bypass bind_dn and bind_pw and use SASL bind
"""
if ro:
print("########################################\n"
"# #\n"
"# CSH LDAP IS IN READ ONLY MODE #\n"
"# #\n"
"########################################")
self.__con__ = ReconnectLDAPObject(self.__ldap_uri__)
if sasl:
self.__con__.sasl_non_interactive_bind_s('')
else:
self.__con__.simple_bind_s(bind_dn, bind_pw)
self.__mod_queue__ = {}
self.__pending_mod_dn__ = []
self.__batch_mods__ = batch_mods
self.__ro__ = ro
def __init__(self, bind_dn, bind_pw, batch_mods=False,
sasl=False, ro=False):
"""Handler for bindings to CSH LDAP.
Keyword arguments:
batch_mods -- whether or not to batch LDAP writes (default False)
sasl -- whether or not to bypass bind_dn and bind_pw and use SASL bind
ro -- whether or not CSH LDAP is in read only mode (default False)
"""
if ro:
print("########################################\n"
"# #\n"
"# CSH LDAP IS IN READ ONLY MODE #\n"
"# #\n"
"########################################")
ldap_srvs = srvlookup.lookup("ldap", "tcp", self.__domain__)
ldap_uris = ""
for uri in ldap_srvs:
ldap_uris += "ldaps://"+uri.hostname+","
self.__con__ = ReconnectLDAPObject(ldap_uris)
# Allow connections with self-signed certs
self.__con__.set_option(self.__con__.OPT_X_TLS_REQUIRE_CERT, self.__con__.OPT_X_TLS_ALLOW)
if sasl:
self.__con__.sasl_non_interactive_bind_s('')
else:
self.__con__.simple_bind_s(bind_dn, bind_pw)
self.__mod_queue__ = {}
self.__pending_mod_dn__ = []
self.__batch_mods__ = batch_mods
self.__ro__ = ro
def ldap_init(ro, ldap_url, bind_dn, bind_pw, user_ou, group_ou, committee_ou):
global user_search_ou, group_search_ou, committee_search_ou, ldap_conn, read_only
read_only = ro
user_search_ou = user_ou
group_search_ou = group_ou
committee_search_ou = committee_ou
ldap_conn = ReconnectLDAPObject(ldap_url)
ldap_conn.simple_bind_s(bind_dn, bind_pw)
def ldap_connect(settings, use_cache=True):
"""Establishes an LDAP connection.
Establishes a connection to the LDAP server from the `uri` in the
``settings``.
To establish a connection, the settings must be specified:
- ``uri``: valid URI which points to a LDAP server,
- ``bind_dn``: `dn` used to initially bind every LDAP connection
- ``bind_password``" password used for the initial bind
- ``tls``: ``True`` if the connection should use TLS encryption
- ``starttls``: ``True`` to negotiate TLS with the server
`Note`: ``starttls`` is ignored if the URI uses LDAPS and ``tls`` is
set to ``True``.
This function re-uses an existing LDAP connection if there is one
available in the application context, unless caching is disabled.
:param settings: dict -- The settings for a LDAP provider.
:param use_cache: bool -- If the connection should be cached.
:return: The ldap connection.
"""
if use_cache:
cache = _get_ldap_cache()
cache_key = frozenset(
(k, hash(v)) for k, v in iteritems(settings) if k in conn_keys)
conn = cache.get(cache_key)
if conn is not None:
return conn
uri_info = urlparse(settings['uri'])
use_ldaps = uri_info.scheme == 'ldaps'
credentials = (settings['bind_dn'], settings['bind_password'])
ldap_connection = ReconnectLDAPObject(settings['uri'])
ldap_connection.protocol_version = ldap.VERSION3
ldap_connection.set_option(ldap.OPT_REFERRALS, 0)
ldap_connection.set_option(
ldap.OPT_X_TLS,
ldap.OPT_X_TLS_DEMAND if use_ldaps else ldap.OPT_X_TLS_NEVER)
ldap_connection.set_option(
ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND
if settings['verify_cert'] else ldap.OPT_X_TLS_ALLOW)
# force the creation of a new TLS context. This must be the last TLS option.
# see: http://stackoverflow.com/a/27713355/298479
ldap_connection.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
if use_ldaps and settings['starttls']:
warn(
"Unable to start TLS, LDAP connection already secured over SSL (LDAPS)"
)
elif settings['starttls']:
ldap_connection.start_tls_s()
# TODO: allow anonymous bind
ldap_connection.simple_bind_s(*credentials)
if use_cache:
cache[cache_key] = ldap_connection
return ldap_connection
def connect(self):
try:
self.connection = ReconnectLDAPObject(self.uri)
if self.user is not None:
self.connection.simple_bind_s(self.user, self.password)
except:
logger.exception("LDAP connection failed")
return False
return True
def _cursor(self):
if self.connection is None:
# self.connection = ldap.initialize(self.settings_dict['NAME'])
self.connection = ReconnectLDAPObject(self.settings_dict['NAME'])
self.connection.simple_bind_s(
self.settings_dict['USER'],
self.settings_dict['PASSWORD'])
return DatabaseCursor(self.connection)
def ldap_client(self):
if not self._ldap_client:
self._ldap_client = ReconnectLDAPObject(
self.ldap_url,
retry_max=self.ldap_retry_max,
retry_delay=self.ldap_retry_delay)
self._ldap_client.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
self._ldap_client.set_option(ldap.OPT_REFERRALS, 0)
return self._ldap_client
def __init__(self,
ldap_uri,
base_dn,
admin_user,
admin_password,
home_base_directory=None,
group_id=None):
self.ldap_uri = ldap_uri
self.ldap_com = ReconnectLDAPObject(ldap_uri,
retry_max=10,
retry_delay=3)
# self.ldap_com = ldap.initialize(ldap_uri)
self.ldap_base_dn = base_dn
if home_base_directory is not None:
self.HOME_BASE_DIRECTORY = home_base_directory
if group_id is not None:
self.GROUP_ID_NUMBER = "%s" % group_id
self.ldap_admin = "cn=%s,%s" % (admin_user, self.ldap_base_dn)
self.people_base_cn = "ou=People,%s" % self.ldap_base_dn
self.ldap_com.bind_s(self.ldap_admin, admin_password)
def __init__(self, bind_dn, bind_pw, batch_mods=False,
sasl=False, ro=False):
"""Handler for bindings to CSH LDAP.
Keyword arguments:
batch_mods -- whether or not to batch LDAP writes (default False)
sasl -- whether or not to bypass bind_dn and bind_pw and use SASL bind
ro -- whether or not CSH LDAP is in read only mode (default False)
"""
if ro:
print("########################################\n"
"# #\n"
"# CSH LDAP IS IN READ ONLY MODE #\n"
"# #\n"
"########################################")
ldap_srvs = srvlookup.lookup("ldap", "tcp", self.__domain__)
self.ldap_uris = ['ldaps://' + uri.hostname for uri in ldap_srvs]
self.server_uri = None
self.__con__ = None
for uri in self.ldap_uris:
try:
self.__con__ = ReconnectLDAPObject(uri)
self.server_uri = uri
except (ldap.SERVER_DOWN, ldap.TIMEOUT):
continue
if self.__con__ is None:
raise ldap.SERVER_DOWN
if sasl:
self.__con__.sasl_non_interactive_bind_s('')
else:
self.__con__.simple_bind_s(bind_dn, bind_pw)
self.__mod_queue__ = {}
self.__pending_mod_dn__ = []
self.__batch_mods__ = batch_mods
self.__ro__ = ro
def ldap_init(app):
app.config['LDAP_CONN'] = ReconnectLDAPObject(app.config['LDAP_URL'])
app.config['LDAP_CONN'].simple_bind_s(app.config['LDAP_BIND_DN'],
app.config['LDAP_BIND_PW'])
