def check_group(self, obj, group):
"""Check if user is in AD group"""
found = False
try:
assert self.ldap_connection
res2 = self.ldap_connection.search_ext_s(obj,
ldap.SCOPE_BASE,
"(objectClass=*)",
self.ad_search_fields)
if not res2:
return False
assert len(res2) >= 1, "Result should contain at least one element: %s\n" % res2
result = res2[0][1]
if result.has_key('primaryGroupID'):
pri_grp_rid = result['primaryGroupID'][0]
domain_sid = self.ldap_connection.search_s(self.ad_search_dn, ldap.SCOPE_BASE)[0][1]['objectSid'][0]
domain_sid_s = self.sid2str(domain_sid)
obj_sid = domain_sid_s + '-' + pri_grp_rid
pri_grp_cn = self.ldap_connection.search_s(self.ad_search_dn, ldap.SCOPE_SUBTREE, "objectSid=%s" % obj_sid, ['cn'])
if self.check_group (pri_grp_cn[0][0], group):
return True
if result.has_key('sAMAccountName'):
if result['sAMAccountName'][0] == group:
return True
if result.has_key('memberOf'):
for group2 in result['memberOf']:
if self.check_group (group2, group):
return True
except Exception, exp:
logger.debug("AD auth backend error by fetching"
" ldap data: %s (%s)\n" % (str(exp), get_exc_str()))
def __del__(self):
"Disconnect"
try:
self.disconnect()
except Exception, exp:
logger.error("AD auth backend error when "
"disconnecting: %s (%s)\n" % (str(exp), get_exc_str()))
return False
def _connect(self, password):
"""connect to ad helper"""
if not password:
return False
try:
if ADUser.ldap_connection is None:
logger.info("AD auth backend ldap connecting")
ADUser.ldap_connection = ldap.initialize(self.get_ldap_url())
assert self.ldap_connection == ADUser.ldap_connection
self.ldap_connection.simple_bind_s(self.user_bind_name, password)
self.is_bound = True
except Exception, exp:
if str(exp.message).find("connection invalid") >= 0:
logger.warning("AD reset connection - it "
"looks like invalid: %s (%s)" % (str(exp), get_exc_str()))
ADUser.ldap_connection = None
else:
logger.error("AD auth backend ldap - "
"probably bad credentials: %s (%s)" % (str(exp), get_exc_str()))
return False
def get_data(self):
"""Get the user data from AD"""
try:
res = self.ldap_connection.search_ext_s(settings.AD_SEARCH_DN,
ldap.SCOPE_SUBTREE,
"sAMAccountName=%s" % self.uname,
self.AD_SEARCH_FIELDS)
if not res:
logger.error("b) AD auth ldap backend error by "
"searching %s. No result.\n" % settings.AD_SEARCH_DN)
return False
assert len(res) >= 1, "c) Result should contain at least one element: %s\n" % res
result = res[0][1]
except Exception, exp:
logger.error("a) Auth failed for (%s)\n" % self.uname )
logger.error("a) AD auth backend error by fetching"
" ldap data: %s (%s)\n" % (str(exp), get_exc_str()))
return False
def check_group(self, obj, group):
"""Check if user is in AD group"""
found = False
try:
assert self.ldap_connection
res2 = self.ldap_connection.search_ext_s(obj,
ldap.SCOPE_BASE,
"(objectClass=*)",
self.AD_SEARCH_FIELDS)
if not res2:
return False
assert len(res2) >= 1, "Result should contain at least one element: %s\n" % res2
result = res2[0][1]
if result.has_key('sAMAccountName'):
if result['sAMAccountName'][0] == group:
return True
for group2 in result['memberOf']:
if self.check_group (group2, group):
return True
except Exception, exp:
logger.debug("AD auth backend error by fetching"
" ldap data: %s (%s)\n" % (str(exp), get_exc_str()))
self.email_addresses.append(mail1.split(':')[1])
logger.error("Adding Address: %s\n", mail1)
basedn = res[0][0]
if self.check_group(basedn, self.ad_admin_group):
self.is_superuser = True
elif self.check_group(basedn, self.ad_user_group):
self.is_superuser = False
else:
logger.error("User %s not in group", self.username)
return False
self.has_data = True
except Exception, exp:
logger.error("AD auth backend error by reading"
" fetched data: %s (%s)\n" % (str(exp), get_exc_str()))
return False
return True
def __del__(self):
"Disconnect"
try:
self.disconnect()
except Exception, exp:
logger.error("AD auth backend error when "
"disconnecting: %s (%s)\n" % (str(exp), get_exc_str()))
return False
def __str__(self):
"String representation"
