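def bind_and_get_control(topo, err=0):
    """Bind as the test user and return the password-policy response controls.

    Args:
        topo: test topology whose ``standalone`` instance is bound to.
        err: truthy when the bind is expected to fail; then an ``LDAPError``
            is swallowed and a successful bind is treated as a test failure.

    Returns:
        The list of server controls returned by ``result3`` on a successful
        bind, otherwise ``None``.

    Raises:
        AssertionError: the bind outcome did not match ``err``.  Raised
            explicitly rather than via ``assert`` so the check survives ``-O``.
    """
    res_ctrls = None
    try:
        msgid = topo.standalone.simple_bind(
            USER_DN, USER_PW, serverctrls=[PasswordPolicyControl()])
        _, _, _, res_ctrls = topo.standalone.result3(msgid)
    except ldap.LDAPError as e:
        if not err:
            log.fatal('Did not expect an error: {}'.format(str(e)))
            raise AssertionError('unexpected bind error: {}'.format(e)) from e
        log.debug('Got expected error: {}'.format(str(e)))
    else:
        if err:
            log.fatal('Expected an error, but bind succeeded')
            raise AssertionError('bind succeeded but an error was expected')

    if DEBUGGING and res_ctrls:
        for ctl in res_ctrls:
            if ctl.timeBeforeExpiration:
                log.debug('control time before expiration: {}'.format(
                    ctl.timeBeforeExpiration))
            if ctl.graceAuthNsRemaining:
                log.debug('control grace login remaining: {}'.format(
                    ctl.graceAuthNsRemaining))
            if ctl.error is not None and ctl.error >= 0:
                log.debug('control error: {}'.format(ctl.error))

    # Restore the Directory Manager bind synchronously so the caller's next
    # operation on this connection runs with DM privileges, not as the user.
    topo.standalone.simple_bind_s(DN_DM, PASSWORD)
    return res_ctrls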
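def get_password_warning(topology_st):
    """Bind as the user and return the password-policy response controls.

    The bind is issued asynchronously and collected with ``result3`` so the
    server controls (which carry the expiry warning, if any) are available.

    Args:
        topology_st: topology whose ``standalone`` instance is used.

    Returns:
        The list of response controls returned with the bind result.

    Raises:
        ldap.LDAPError: propagated unchanged if the bind is rejected.
    """
    log.info('Bind with the user and request the password expiry warning time')
    msgid = topology_st.standalone.simple_bind(
        USER_DN, USER_PASSWD, serverctrls=[PasswordPolicyControl()])
    _, _, _, res_ctrls = topology_st.standalone.result3(msgid)
    # NOTE(review): the connection is left bound as USER_DN; presumably the
    # caller re-binds as the admin before further operations -- confirm.
    # Return the control
    return res_ctrls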
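# passwordPolicyResponse ``error`` values handled below; any other non-zero
# value is reported as a generic permission denial.
_PPOLICY_PASSWORD_EXPIRED = 0
_PPOLICY_ACCOUNT_LOCKED = 1
_PPOLICY_CHANGE_AFTER_RESET = 2


def _ppolicy_status(conn, ctrl):
    """Translate a PasswordPolicyControl response into a PAM result.

    Args:
        conn: the bound connection, passed through in the result.
        ctrl: a decoded password-policy response control.

    Returns:
        ``(conn, NSLCD_PAM_*, message)`` when the control reports a
        condition PAM must act on, or ``None`` when it carries nothing
        actionable and authentication may proceed.
    """
    error = ctrl.error
    if error == _PPOLICY_PASSWORD_EXPIRED:
        return (conn, constants.NSLCD_PAM_AUTHTOK_EXPIRED,
                PasswordPolicyError(error).prettyPrint())
    if error == _PPOLICY_ACCOUNT_LOCKED:
        return (conn, constants.NSLCD_PAM_ACCT_EXPIRED,
                PasswordPolicyError(error).prettyPrint())
    if error == _PPOLICY_CHANGE_AFTER_RESET:
        return (conn, constants.NSLCD_PAM_NEW_AUTHTOK_REQD,
                'Password change is needed after reset')
    if error:
        # any other non-zero policy error
        return (conn, constants.NSLCD_PAM_PERM_DENIED,
                PasswordPolicyError(error).prettyPrint())
    # no error: the control may still carry an expiry or grace-login warning
    if ctrl.timeBeforeExpiration is not None:
        return (conn, constants.NSLCD_PAM_NEW_AUTHTOK_REQD,
                'Password will expire in %d seconds' % ctrl.timeBeforeExpiration)
    if ctrl.graceAuthNsRemaining is not None:
        return (conn, constants.NSLCD_PAM_NEW_AUTHTOK_REQD,
                'Password expired, %d grace logins left' % ctrl.graceAuthNsRemaining)
    return None


def authenticate(binddn, password):
    """Authenticate *binddn* with *password* against the directory.

    Opens a fresh connection, performs a simple bind (requesting the
    password-policy control when ``cfg.pam_authc_ppolicy`` is set) and then
    reads the user's own entry back as a sanity check.

    Args:
        binddn: DN to bind as.
        password: credential for the bind.

    Returns:
        ``(conn, status, message)`` where ``status`` is one of the
        ``constants.NSLCD_PAM_*`` codes and ``conn`` is the bound connection.

    Raises:
        ldap.LDAPError: the bind was rejected; propagated unchanged from
            ``simple_bind_s``.
        ldap.NO_SUCH_OBJECT: the bind succeeded but the user's own entry
            could not be read back.
    """
    # NOTE(review): an empty password makes this an unauthenticated simple
    # bind (RFC 4513 section 5.1.2), which many servers accept as anonymous;
    # presumably the caller rejects empty passwords before this point -- confirm.
    # open a new connection
    conn = search.Connection()
    # bind using the specified credentials
    serverctrls = []
    if cfg.pam_authc_ppolicy:
        serverctrls.append(PasswordPolicyControl())
    _res, _data, _msgid, ctrls = conn.simple_bind_s(
        binddn, password, serverctrls=serverctrls)
    # go over bind result server controls; only the password-policy response
    # is acted on, the rest are ignored
    for ctrl in ctrls:
        if ctrl.controlType != PasswordPolicyControl.controlType:
            continue
        logging.debug(
            'PasswordPolicyControl found: error=%s (%s), '
            'timeBeforeExpiration=%s, graceAuthNsRemaining=%s',
            'None' if ctrl.error is None
            else PasswordPolicyError(ctrl.error).prettyPrint(),
            ctrl.error, ctrl.timeBeforeExpiration, ctrl.graceAuthNsRemaining)
        status = _ppolicy_status(conn, ctrl)
        if status is not None:
            return status
    # perform search for own object (just to do any kind of search)
    results = search.LDAPSearch(
        conn, base=binddn, scope=ldap.SCOPE_BASE,
        filter='(objectClass=*)', attributes=['dn'])
    for entry in results:
        if entry[0] == binddn:
            return conn, constants.NSLCD_PAM_SUCCESS, ''
    # if our DN wasn't found raise an error to signal bind failure
    raise ldap.NO_SUCH_OBJECT()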
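def bind_and_get_control(topo):
    """Bind as the test user and return the password-policy response controls.

    On a successful bind the controls come from ``result3``.  If the bind is
    rejected, the text of the ``LDAPError`` is parsed as a Python literal and
    returned instead (the test relies on ``str(e)`` being literal-shaped --
    verify against the python-ldap version in use).

    Args:
        topo: test topology whose ``standalone`` instance is bound to.

    Returns:
        The response controls on success, or the parsed error payload when
        the bind was rejected.
    """
    res_ctrls = None
    log.info('Bind as the user, and return any controls')
    try:
        msgid = topo.standalone.simple_bind(
            USER_DN, USER_PW, serverctrls=[PasswordPolicyControl()])
        _, _, _, res_ctrls = topo.standalone.result3(msgid)
    except ldap.LDAPError as e:
        log.info('Got expected error: {}'.format(str(e)))
        # literal_eval only accepts literals, so this cannot run code; it
        # raises ValueError/SyntaxError if the exception text is not one.
        res_ctrls = ast.literal_eval(str(e))
    # Restore the Directory Manager bind synchronously.  The asynchronous
    # simple_bind() used before never collected its result, so a failed
    # restore went unnoticed and its reply stayed queued on the connection.
    topo.standalone.simple_bind_s(DN_DM, PASSWORD)
    return res_ctrls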
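# Set debugging level
#ldap.set_option(ldap.OPT_DEBUG_LEVEL,255)
ldapmodule_trace_level = 2
ldapmodule_trace_file = sys.stderr
# NOTE(review): at trace_level >= 1 python-ldap presumably writes each call's
# arguments to trace_file, which would include the bind password; fine for a
# demo writing to stderr, not for a shared log -- confirm before reusing.
ldap_conn = ldap.ldapobject.LDAPObject(
    ldap_url.initializeUrl(),
    trace_level=ldapmodule_trace_level,
    trace_file=ldapmodule_trace_file,
)

if ldap_url.cred is None:
    # prompt without echo rather than taking the password from the URL
    print('Password for %s:' % (repr(ldap_url.who)))
    ldap_url.cred = getpass.getpass()

try:
    msgid = ldap_conn.simple_bind(
        ldap_url.who, ldap_url.cred, serverctrls=[PasswordPolicyControl()])
    res_type, res_data, res_msgid, res_ctrls = ldap_conn.result3(msgid)
except ldap.INVALID_CREDENTIALS as e:
    print('Simple bind failed:', str(e))
    sys.exit(1)
else:
    # Look the control up by OID instead of assuming it is first or present
    # at all: a server that returns no controls made res_ctrls[0] raise
    # IndexError.
    ppolicy_ctrl = next(
        (c for c in res_ctrls
         if c.controlType == PasswordPolicyControl.controlType),
        None)
    if ppolicy_ctrl is not None:
        print('PasswordPolicyControl')
        # only decode the error name when the server actually set one
        error_name = ('' if ppolicy_ctrl.error is None
                      else repr(PasswordPolicyError(ppolicy_ctrl.error)))
        print('error', repr(ppolicy_ctrl.error), error_name)
        print('timeBeforeExpiration', repr(ppolicy_ctrl.timeBeforeExpiration))
        print('graceAuthNsRemaining', repr(ppolicy_ctrl.graceAuthNsRemaining))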
sys.exit(1) # Set debugging level #ldap.set_option(ldap.OPT_DEBUG_LEVEL,255) ldapmodule_trace_level = 2 ldapmodule_trace_file = sys.stderr ldap_conn = ldap.ldapobject.LDAPObject( ldap_url.initializeUrl(), trace_level=ldapmodule_trace_level, trace_file=ldapmodule_trace_file ) if ldap_url.cred is None: print('Password for %s:' % (repr(ldap_url.who))) ldap_url.cred = getpass.getpass() try: msgid = ldap_conn.simple_bind(ldap_url.who,ldap_url.cred,serverctrls=[PasswordPolicyControl()]) res_type,res_data,res_msgid,res_ctrls = ldap_conn.result3(msgid) except ldap.INVALID_CREDENTIALS as e: print('Simple bind failed:',str(e)) sys.exit(1) else: if res_ctrls[0].controlType==PasswordPolicyControl.controlType: ppolicy_ctrl = res_ctrls[0] print('PasswordPolicyControl') print('error',repr(ppolicy_ctrl.error),(ppolicy_ctrl.error!=None)*repr(PasswordPolicyError(ppolicy_ctrl.error))) print('timeBeforeExpiration',repr(ppolicy_ctrl.timeBeforeExpiration)) print('graceAuthNsRemaining',repr(ppolicy_ctrl.graceAuthNsRemaining))