def encrypt_password(self, password):
"""
Encrypts the password before storing it in LDAP.
:param password: The password to encrypt.
"""
return ldap_md5_crypt.encrypt(password)
def encrypt_password(self, password):
"""
Encrypts the password before storing it in LDAP.
:param password: The password to encrypt.
"""
return ldap_md5_crypt.encrypt(password)
def test_remove_leftovers_before_adding_secondary_password(self):
leftover = ldap_md5_crypt.encrypt('leftover_password')
self.ldapobject.directory[get_ldap_user('alice')[0]]['userPassword'].append(leftover)
self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice', directory=self.ldapobject.directory)])
alice = User.objects.create(username='******', password='******')
request = set_request(uri='/', user=alice)
set_secondary_password(request, 'ldaptest')
self.assertNotIn(leftover, get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword'])
def test_dont_remove_primary_password_while_cleaning_leftovers(self):
leftover = ldap_md5_crypt.encrypt('leftover_password')
self.ldapobject.directory[get_ldap_user('alice')[0]]['userPassword'].append(leftover)
self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice', directory=self.ldapobject.directory)])
alice = User.objects.create(username='******', password='******')
request = set_request(uri='/', user=alice)
set_secondary_password(request, 'ldaptest')
self.assertTrue(ldap_md5_crypt.verify('ldaptest',get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword'][0]))
def test_remove_leftovers_before_adding_secondary_password(self):
leftover = ldap_md5_crypt.encrypt('leftover_password')
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(leftover)
request = set_request(uri='/', user=vars.USER_ALICE)
set_secondary_password(request, 'ldaptest')
self.assertNotIn(leftover, ldap_users(
'alice', directory=self.ldapobj.directory)[1]['userPassword'])
def test_secondary_password_is_removed_in_logout(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(secondary_password))
self.ldapobj.directory[ldap_users("alice")[0]]["userPassword"].append(secondary_password_crypt)
request = set_request(uri="/login", post=vars.LOGIN_ALICE, user=vars.USER_ALICE)
request.session["secondary_password"] = cipher.encrypt(secondary_password)
logout(request)
self.assertEqual(len(ldap_users("alice", directory=self.ldapobj.directory)[1]["userPassword"]), 1)
def add_mailbox(self, name, dom, passwd, fullname, quota=False):
dbase = apis.databases(self.app).get_interface('MariaDB')
conn = apis.databases(self.app).get_dbconn('MariaDB')
pwhash = ldap_md5_crypt.encrypt(passwd).split('{CRYPT}')[1]
dbase.execute('vmail',
'INSERT INTO `mailbox` VALUES (\"'+name+'@'+dom+'\", '+\
'\"'+pwhash+'\", \"'+fullname+'\", \"'+name+'@'+dom+'/\", '+\
(quota if quota else '0')+', \"'+name+'\", \"'+dom+'\", '+\
'NOW(), 1)', conn, False)
def add_mailbox(self, name, dom, passwd, fullname, quota=False):
dbase = apis.databases(self.app).get_interface('MariaDB')
conn = apis.databases(self.app).get_dbconn('MariaDB')
pwhash = ldap_md5_crypt.encrypt(passwd).split('{CRYPT}')[1]
dbase.execute('vmail',
'INSERT INTO `mailbox` VALUES (\"'+name+'@'+dom+'\", '+\
'\"'+pwhash+'\", \"'+fullname+'\", \"'+name+'@'+dom+'/\", '+\
(quota if quota else '0')+', \"'+name+'\", \"'+dom+'\", '+\
'NOW(), 1)', conn, False)
def test_dont_remove_primary_password_while_removing_secondary_password(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(secondary_password))
self.ldapobject.directory[get_ldap_user('alice')[0]]['userPassword'].append(secondary_password_crypt)
self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice', directory=self.ldapobject.directory)])
alice = User.objects.create(username='******', password='******')
request = set_request(uri='/', user=alice)
request.session['secondary_password'] = cipher.encrypt(secondary_password)
remove_secondary_password(request)
self.assertTrue(ldap_md5_crypt.verify('ldaptest',get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword'][0]))
def test_dont_remove_primary_password_while_cleaning_leftovers(self):
leftover = ldap_md5_crypt.encrypt('leftover_password')
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(leftover)
request = set_request(uri='/', user=vars.USER_ALICE)
set_secondary_password(request, 'ldaptest')
self.assertTrue(ldap_md5_crypt.verify(
'ldaptest', ldap_users(
'alice',
directory=self.ldapobj.directory)[1]['userPassword'][0]))
def test_get_bound_ldapuser_from_request(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(
secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(secondary_password_crypt)
request = set_request('/', user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
with get_bound_ldapuser(request) as user:
self.assertEqual(user.username, vars.USER_ALICE.username)
def test_get_bound_ldapuser_from_request(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(
b64encode(secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]]['userPassword'].append(
secondary_password_crypt)
request = set_request('/', user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
with get_bound_ldapuser(request) as user:
self.assertEqual(user.username, vars.USER_ALICE.username)
def password_reset(request, uidb64, token):
# urlsafe_base64_decode() decodes to bytestring
uid = urlsafe_base64_decode(uidb64).decode()
user = UserModel._default_manager.get(pk=uid)
token_generator = default_token_generator
user = LDAPBackend().populate_user(user.username)
if not user:
return HttpResponse("Kein bekannter Benutzer")
context = dict(
reason='password_reset',
vorname=user.ldap_user.attrs['givenName'][0],
nachname=user.ldap_user.attrs['sn'][0],
username=user.username,
user=user
)
if not token_generator.check_token(user, token):
messages.add_message(request, messages.INFO,
"Passwort-Reset-Link bereits verbraucht")
if not request.user:
return HttpResponse("Invalid Request. (43)")
else:
# Establish
conn = ldap.initialize(config.AUTH_LDAP_SERVER_URI)
conn.simple_bind_s(config.AUTH_LDAP_BIND_DN, config.AUTH_LDAP_BIND_PASSWORD)
#note salt generation is automatically handled
password = passlib.pwd.genword()
password_hash = ldap_md5_crypt.encrypt(password).encode('utf-8')
modlist = [(ldap.MOD_REPLACE, 'userPassword', [password_hash] )]
logger.info(f"reset/LDAP: changed to {user.ldap_user.dn}")
conn.modify_s(user.ldap_user.dn, modlist)
context['password'] = password
msg_plain = render_to_string('registration/account_info.txt', context)
send_mail("[EVH Account] Neues Passwort",
msg_plain,
config.EMAIL_FROM,
[user.email],
fail_silently=False)
user = authenticate(username=user.username, password=password)
login(request, user)
messages.add_message(request, messages.SUCCESS,
"Passwort erfolgreich zurückgesetzt.")
return render(request, 'registration/password_reset_success.html', context)
def test_dont_remove_unknown_hashes_while_cleaning_leftovers(self):
leftover = ldap_md5_crypt.encrypt('leftover_password')
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(leftover)
leftover2 = 'plain_leftover2'
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(leftover2)
request = set_request(uri='/', user=vars.USER_ALICE)
set_secondary_password(request, 'ldaptest')
self.assertIn(leftover2, ldap_users(
'alice', directory=self.ldapobj.directory)[1]['userPassword'])
def test_remove_secondary_password_from_ldap(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(
secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(secondary_password_crypt)
request = set_request(uri='/', user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
remove_secondary_password(request)
self.assertNotIn(secondary_password_crypt, ldap_users(
'alice', directory=self.ldapobj.directory)[1]['userPassword'])
def test_get_bound_ldapuser_bind_as_is_properly_set_from_request(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(
b64encode(secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]]['userPassword'].append(
secondary_password_crypt)
request = set_request('/', user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
with get_bound_ldapuser(request) as user: # noqa
db_alias = 'ldap_%s' % request.session.cache_key
self.assertEqual(settings.DATABASES[db_alias]['PASSWORD'],
b64encode(secondary_password))
def test_get_bound_ldapuser_bind_as_is_properly_set_from_request(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(
secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(secondary_password_crypt)
request = set_request('/', user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
with get_bound_ldapuser(request) as user: # noqa
db_alias = 'ldap_%s' % request.session.cache_key
self.assertEqual(settings.DATABASES[db_alias]['PASSWORD'],
b64encode(secondary_password))
def test_dont_remove_primary_password_when_removing_secondary_passwd(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(
secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(secondary_password_crypt)
request = set_request(uri='/', user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
remove_secondary_password(request)
self.assertTrue(ldap_md5_crypt.verify('ldaptest', ldap_users(
'alice',
directory=self.ldapobj.directory)[1]['userPassword'][0]))
def test_get_bound_ldapuser_context_manager_cleans_up_settings(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(
b64encode(secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]]['userPassword'].append(
secondary_password_crypt)
request = set_request('/', user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
with get_bound_ldapuser(request) as user: # noqa
pass
db_alias = 'ldap_%s' % request.session.cache_key
self.assertNotIn('USER', settings.DATABASES.get(db_alias, {}))
self.assertNotIn('PASSWORD', settings.DATABASES.get(db_alias, {}))
def edit(self, name, dom, quota, passwd):
dbase = apis.databases(self.app).get_interface('MariaDB')
conn = apis.databases(self.app).get_dbconn('MariaDB')
if passwd:
pwhash = ldap_md5_crypt.encrypt(passwd).split('{CRYPT}')[1]
if passwd and quota:
dbase.execute('vmail',
'UPDATE mailbox SET quota = %s, password = \"%s\" WHERE local_part = \"%s\" AND domain = \"%s\"'%(quota,pwhash,name,dom), conn, False)
elif passwd:
dbase.execute('vmail',
'UPDATE mailbox SET password = \"%s\" WHERE local_part = \"%s\" AND domain = \"%s\"'%(pwhash,name,dom), conn, False)
elif quota:
dbase.execute('vmail',
'UPDATE mailbox SET quota = %s WHERE local_part = \"%s\" AND domain = \"%s\"'%(quota,name,dom), conn, False)
def test_get_bound_ldapuser_context_manager_cleans_up_settings(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(
secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(secondary_password_crypt)
request = set_request('/', user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
with get_bound_ldapuser(request) as user: # noqa
pass
db_alias = 'ldap_%s' % request.session.cache_key
self.assertNotIn('USER', settings.DATABASES.get(db_alias, {}))
self.assertNotIn('PASSWORD', settings.DATABASES.get(db_alias, {}))
def edit(self, name, dom, quota, passwd):
dbase = apis.databases(self.app).get_interface('SQLite3')
if passwd:
pwhash = ldap_md5_crypt.encrypt(passwd).split('{CRYPT}')[1]
if passwd and quota:
dbase.execute('vmail',
'UPDATE mailbox SET quota = %s, password = "******" WHERE local_part = "%s" AND domain = "%s"' \
%(quota,pwhash,name,dom))
elif passwd:
dbase.execute('vmail',
'UPDATE mailbox SET password = "******" WHERE local_part = "%s\" AND domain = "%s"' \
%(pwhash,name,dom))
elif quota:
dbase.execute('vmail',
'UPDATE mailbox SET quota = %s WHERE local_part = "%s" AND domain = "%s"' \
%(quota,name,dom))
def edit(self, name, dom, quota, passwd):
dbase = apis.databases(self.app).get_interface('SQLite3')
if passwd:
pwhash = ldap_md5_crypt.encrypt(passwd).split('{CRYPT}')[1]
if passwd and quota:
dbase.execute('vmail',
'UPDATE mailbox SET quota = %s, password = "******" WHERE local_part = "%s" AND domain = "%s"' \
%(quota,pwhash,name,dom))
elif passwd:
dbase.execute('vmail',
'UPDATE mailbox SET password = "******" WHERE local_part = "%s\" AND domain = "%s"' \
%(pwhash,name,dom))
elif quota:
dbase.execute('vmail',
'UPDATE mailbox SET quota = %s WHERE local_part = "%s" AND domain = "%s"' \
%(quota,name,dom))
def test_secondary_password_is_removed_in_logout(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(
b64encode(secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]]['userPassword'].append(
secondary_password_crypt)
request = set_request(uri='/login',
post=vars.LOGIN_ALICE,
user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
logout(request)
self.assertEqual(
len(
ldap_users(
'alice',
directory=self.ldapobj.directory)[1]['userPassword']), 1)
def activate(request, token):
"""
The page that users get to activate their accounts
It is in the form /activate/$TOKEN
"""
try:
try:
queued = Queue.objects.get(encrypted_id=token)
except (Queue.DoesNotExist, OverflowError, TypeError, ValueError):
raise OkupyError('Invalid URL')
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact the database")
# get max uidNumber
try:
uidnumber = LDAPUser.objects.latest('uid').uid + 1
except LDAPUser.DoesNotExist:
uidnumber = 1
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
# add account to ldap
new_user = LDAPUser(
object_class=settings.AUTH_LDAP_USER_OBJECTCLASS,
last_name=queued.last_name,
full_name='%s %s' % (queued.first_name, queued.last_name),
password=[ldap_md5_crypt.encrypt(queued.password)],
first_name=queued.first_name,
email=[queued.email],
username=queued.username,
uid=uidnumber,
gid=100,
gecos='%s %s' % (queued.first_name, queued.last_name),
home_directory='/home/%s' % queued.username,
ACL=['user.group'],
)
new_user.save()
# remove queued account from DB
queued.delete()
messages.success(
request, "Your account has been activated successfully")
except OkupyError as error:
messages.error(request, str(error))
return redirect(login)
def activate(request, token):
"""
The page that users get to activate their accounts
It is in the form /activate/$TOKEN
"""
try:
try:
queued = Queue.objects.get(encrypted_id=token)
except (Queue.DoesNotExist, OverflowError, TypeError, ValueError):
raise OkupyError('Invalid URL')
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact the database")
# get max uidNumber
try:
uidnumber = LDAPUser.objects.latest('uid').uid + 1
except LDAPUser.DoesNotExist:
uidnumber = 1
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
# add account to ldap
new_user = LDAPUser(
object_class=settings.AUTH_LDAP_USER_OBJECTCLASS,
last_name=queued.last_name,
full_name='%s %s' % (queued.first_name, queued.last_name),
password=[ldap_md5_crypt.encrypt(queued.password)],
first_name=queued.first_name,
email=[queued.email],
username=queued.username,
uid=uidnumber,
gid=100,
gecos='%s %s' % (queued.first_name, queued.last_name),
home_directory='/home/%s' % queued.username,
ACL=['user.group'],
)
new_user.save()
# remove queued account from DB
queued.delete()
messages.success(request,
"Your account has been activated successfully")
except OkupyError as error:
messages.error(request, str(error))
return redirect(login)
def password_settings(request):
""" Password settings """
with get_bound_ldapuser(request) as user_info:
password_settings = None
if request.method == "POST":
password_settings = PasswordSettingsForm(request.POST)
if password_settings.is_valid():
try:
new_password = password_settings.cleaned_data[
'new_password']
new_password_verify = password_settings.cleaned_data[
'new_password_verify']
old_password = password_settings.cleaned_data[
'old_password']
if old_password and (new_password == new_password_verify):
for hash in list(user_info.password):
print hash
try:
if ldap_md5_crypt.verify(old_password, hash):
user_info.password.append(
ldap_md5_crypt.encrypt(
new_password_verify))
user_info.password.remove(hash)
break
except ValueError:
# ignore unknown hashes
pass
try:
user_info.save()
except IntegrityError:
pass
except ldap.TYPE_OR_VALUE_EXISTS:
pass
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
else:
password_settings = PasswordSettingsForm()
return render(request, 'settings-password.html', {
'password_settings': password_settings,
'user_info': user_info,
})
def password_settings(request):
""" Password settings """
with get_bound_ldapuser(request) as user_info:
password_settings = None
if request.method == "POST":
password_settings = PasswordSettingsForm(request.POST)
if password_settings.is_valid():
try:
new_password = password_settings.cleaned_data[
'new_password']
new_password_verify = password_settings.cleaned_data[
'new_password_verify']
old_password = password_settings.cleaned_data[
'old_password']
if old_password and (new_password == new_password_verify):
for hash in list(user_info.password):
print hash
try:
if ldap_md5_crypt.verify(old_password, hash):
user_info.password.append(
ldap_md5_crypt.encrypt(
new_password_verify))
user_info.password.remove(hash)
break
except ValueError:
# ignore unknown hashes
pass
try:
user_info.save()
except IntegrityError:
pass
except ldap.TYPE_OR_VALUE_EXISTS:
pass
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
else:
password_settings = PasswordSettingsForm()
return render(request, 'settings-password.html', {
'password_settings': password_settings,
'user_info': user_info,
})
def set_secondary_password(request, password):
""" Generate a secondary passsword and encrypt it in the session """
with get_bound_ldapuser(request, password) as user:
secondary_password = Random.get_random_bytes(48)
request.session['secondary_password'] = \
cipher.encrypt(secondary_password)
# Clean up possible leftover secondary passwords from the LDAP account
if len(user.password) > 1:
for hash in list(user.password):
try:
if not ldap_md5_crypt.verify(password, hash):
user.password.remove(hash)
except ValueError:
# don't remove unknown hashes
pass
# Add a new generated encrypted password to LDAP
user.password.append(
ldap_md5_crypt.encrypt(b64encode(secondary_password)))
user.save()
def set_secondary_password(request, password):
""" Generate a secondary passsword and encrypt it in the session """
with get_bound_ldapuser(request, password) as user:
secondary_password = Random.get_random_bytes(48)
request.session['secondary_password'] = \
cipher.encrypt(secondary_password)
# Clean up possible leftover secondary passwords from the LDAP account
if len(user.password) > 1:
for hash in list(user.password):
try:
if not ldap_md5_crypt.verify(password, hash):
user.password.remove(hash)
except ValueError:
# don't remove unknown hashes
pass
# Add a new generated encrypted password to LDAP
user.password.append(
ldap_md5_crypt.encrypt(b64encode(secondary_password)))
user.save()
def edit(self, name, dom, quota, passwd):
dbase = apis.databases(self.app).get_interface('MariaDB')
conn = apis.databases(self.app).get_dbconn('MariaDB')
if passwd:
pwhash = ldap_md5_crypt.encrypt(passwd).split('{CRYPT}')[1]
if passwd and quota:
dbase.execute(
'vmail',
'UPDATE mailbox SET quota = %s, password = \"%s\" WHERE local_part = \"%s\" AND domain = \"%s\"'
% (quota, pwhash, name, dom), conn, False)
elif passwd:
dbase.execute(
'vmail',
'UPDATE mailbox SET password = \"%s\" WHERE local_part = \"%s\" AND domain = \"%s\"'
% (pwhash, name, dom), conn, False)
elif quota:
dbase.execute(
'vmail',
'UPDATE mailbox SET quota = %s WHERE local_part = \"%s\" AND domain = \"%s\"'
% (quota, name, dom), conn, False)
def set_secondary_password(request, password):
""" Generate a secondary passsword and encrypt it in the session """
username = request.user.username
user = LDAPUser.bind_as(alias='ldap_%s' % username,
username=username,
password=password).objects.get(username=username)
secondary_password = Random.get_random_bytes(48)
request.session['secondary_password'] = cipher.encrypt(secondary_password)
# Clean up possible leftover secondary passwords from the LDAP account
if len(user.password) > 1:
for hash in user.password:
try:
if not ldap_md5_crypt.verify(password, hash):
user.password.remove(hash)
except ValueError:
# don't remove unknown hashes
pass
# Add a new generated encrypted password to LDAP
user.password.append(ldap_md5_crypt.encrypt(b64encode(secondary_password)))
user.save()
def create_ldap_user(username, first_name, last_name, email, password):
# Python LDAP library doesn't like Unicode, so we convert everything to ascii here.
# If you figure out a way to use Unicode, please let me know!
username.encode('ascii', 'strict')
first_name.encode('ascii', 'strict')
last_name.encode('ascii', 'strict')
email.encode('ascii', 'strict')
password.encode('ascii', 'strict')
con = ldap.initialize(settings.LDAP_URL)
con.bind(settings.LDAP_ADMIN_CN, settings.LDAP_PASSWORD, ldap.AUTH_SIMPLE)
# Figure out largest UID (is there a better way to do this?)
users = LdapUser.objects.all()
largestUid = 0
for user in users:
if user.uid > largestUid:
largestUid = user.uid
print('Largest UID', largestUid)
# Create the new user record:
add_record = [
('objectclass', [b'inetOrgPerson', b'posixAccount', b'top']),
('givenName', [ first_name.encode('ascii') ]),
('uidNumber', [ str(largestUid + 1).encode('ascii') ]),
('gidNumber', [ b'501' ]),
('cn', [ username.encode('ascii') ] ),
('uid', [ username.encode('ascii') ] ),
('sn', [ last_name.encode('ascii') ] ),
('mail', [ email.encode('ascii') ] ),
('userpassword', [ ldap_md5_crypt.encrypt(password).encode('ascii') ]),
('homeDirectory', [ ('/home/' + username).encode('ascii') ]),
('ou', [ b'users' ])
]
usercn = 'cn=' + username + ',' + settings.LDAP_USERS_CN
con.add_s(usercn, add_record)
con.unbind()
def index(request):
if request.method == 'POST':
form = NewUserForm(request.POST)
if form.is_valid():
username = smart_text(form.cleaned_data['username'])
first_name = smart_text(form.cleaned_data['first_name'])
last_name = smart_text(form.cleaned_data['last_name'])
email = smart_text(form.cleaned_data['email'])
password = smart_text(form.cleaned_data['password'])
password2 = smart_text(form.cleaned_data['password2'])
# Python LDAP library doesn't like Unicode, so we convert everything to ascii here.
# If you figure out a way to use Unicode, please let me know!
try:
username = username.encode('ascii', 'strict')
first_name = first_name.encode('ascii', 'strict')
last_name = last_name.encode('ascii', 'strict')
email = email.encode('ascii', 'strict')
password = password.encode('ascii', 'strict')
password2 = password2.encode('ascii', 'strict')
con = ldap.initialize(settings.LDAP_URL)
con.bind(settings.LDAP_ADMIN_CN, settings.LDAP_PASSWORD, ldap.AUTH_SIMPLE)
# Figure out largest UID (is there a better way to do this?)
base_dn = settings.LDAP_USERS_CN
filter = '(objectclass=person)'
attrs = [b'uidNumber']
uidList = con.search_s( base_dn, ldap.SCOPE_SUBTREE, filter, attrs )
# print "Uids: " + str( uidList )
largestUid = 0
for user in uidList:
uid = int(user[1]['uidNumber'][0])
if uid > largestUid:
largestUid = uid
# print 'Largest Uid:' + str(largestUid)
# Create the new user record:
add_record = [
('objectclass', [b'inetOrgPerson', b'posixAccount', b'top']),
('givenName', [ first_name.encode('ascii','ignore') ]),
('uidNumber', [ str(largestUid + 1)]),
('gidNumber', [b'501']),
('cn', [ username ] ),
('uid', [ username ] ),
('sn', [ last_name ] ),
('mail', [ email ] ),
('userpassword', [ldap_md5_crypt.encrypt(password)]),
('homeDirectory', [ '/home/' + username ]),
('ou', [b'users'])
]
try:
usercn = 'cn=' + username + ',' + settings.LDAP_USERS_CN
print ("User cn is:" + usercn + ", " + str(type(usercn)))
con.add_s(usercn, add_record)
except ldap.ALREADY_EXISTS:
form.add_error('username', "User already exists")
con.unbind()
if form.is_valid():
return HttpResponseRedirect('thanks')
except UnicodeEncodeError:
form.add_error(None, 'Non-ascii characters inputted - use only a-z as ldap sucks with Unicode. Use Ä->A and Ö->O')
else:
form = NewUserForm()
return render(request, 'registrationui/index.html', { 'form': form, 'settings': settings } )
def add_mailbox(self, name, dom, passwd, fullname, quota=False):
dbase = apis.databases(self.app).get_interface('SQLite3')
pwhash = ldap_md5_crypt.encrypt(passwd).split('{CRYPT}')[1]
dbase.execute('vmail',
'INSERT INTO mailbox VALUES ("%s@%s", "%s", "%s", "%s@%s", %s, "%s", "%s", datetime(), 1)' \
%(name,dom,pwhash,fullname,name,dom,(quota if quota else '0'),name,dom))
def __create(request, context, vorname, nachname, username, mail):
conn = ldap.initialize(config.AUTH_LDAP_SERVER_URI)
conn.simple_bind_s(config.AUTH_LDAP_BIND_DN, config.AUTH_LDAP_BIND_PASSWORD)
#note salt generation is automatically handled
password = passlib.pwd.genword()
password_hash = ldap_md5_crypt.encrypt(password)
################################################################
# LDAP Account
dn = f"cn={username},{config.AUTH_LDAP_USER_DN}"
entry = {
'objectClass': [b'inetOrgPerson'],
'cn': [username.encode()],
'sn': [nachname.encode()],
'givenName': [vorname.encode()],
'mail': [mail.encode()],
'displayName': [f"{vorname} {nachname}".encode()],
'userPassword': [password_hash.encode()],
}
try:
modlist = ldap.modlist.addModlist(entry)
conn.add_s(dn, modlist)
logger.info(f"create/LDAP: success {dn}")
except ldap.ALREADY_EXISTS:
messages.add_message(request, messages.ERROR,
"Der Account existiert bereits. Du solltest bereits eine Mail mit Zugangsinformationen erhalten haben.")
context['success'] = False
return
except Exception as e:
messages.add_message(request, messages.ERROR,
f"LDAP Fehler: {e}")
logger.error(f"create/LDAP: {e}")
context['success'] = False
return
User = LDAP().search_user(username)
################################################################
# Initial Groups
invite = Invite.find_by_mail(mail)
groups = [g for g in (invite.groups or "").split(",") if g]
for group in groups:
if ldap_addgroup(username, group):
signals.group_member_add.send(sender=create,
group=group,
member=User)
messages.add_message(request, messages.SUCCESS,
"Du wurdest der Gruppe %s hinzugefügt" % group)
################################################################
# Login user
user = authenticate(username=username, password=password)
login(request, user)
user_changed.send(sender=create, username=username)
################################################################
# Mail versenden
try:
c = dict(
reason='create',
vorname=vorname,
nachname=nachname,
username=username,
user=user,
password=password
)
msg_plain = render_to_string('registration/account_info.txt', c)
send_mail("[EVH Account] Account angelegt",
msg_plain,
config.EMAIL_FROM,
[mail],
fail_silently=False)
except Exception as e:
messages.add_message(request, messages.ERROR,
f"Versenden der Passwort-Mail ist fehlgeschlagen: {e}")
logger.error(f"create/SMTP: {e}")
conn.delete_s(dn)
logger.error(f"create/LDAP: deleted {dn}")
context['success'] = False
return
messages.add_message(request, messages.SUCCESS,
"Account wurde erstellt. Du hast eine E-Mail mit dem Passwort erhalten.")
context['password'] = password
context['success'] = True
send_mail("[EVH Account] Nutzer angelegt: " +username, "",
config.EMAIL_FROM,
[config.EMAIL_FROM],
fail_silently=True)
def set_password(secret):
return ldap_md5_crypt.encrypt(secret)
print('Password is empty!')
sys.exit()
ldap_email = input('Enter the email address: ') # Email
if not ldap_email:
print('Email is empty!')
sys.exit()
# Checks if email is in a valid format
if isValidEmail(ldap_email) == False:
print('Not a valid email')
sys.exit()
# hashing password with md5_crypt
# hash will be similar to '{CRYPT}$1$wa6OLvW3$uzcIj2Puf3GcFDf2KztQN0'
ldap_userpass_hash = ldap_md5_crypt.encrypt(ldap_userpass)
# Display summary on screen
print('Username: '******'Password: '******'Email: ' + ldap_email)
# Prompt for LDAP admin password. Using getpass.getpass so it doesn't echo
ldap_adminpass = getpass.getpass('Enter LDAP admin password: '******'ldap-server.companyname.com', port=389)
connection = ldap3.Connection(server,
user='******',
password=ldap_adminpass)
connection.bind()
def add_mailbox(self, name, dom, passwd, fullname, quota=False):
dbase = apis.databases(self.app).get_interface('SQLite3')
pwhash = ldap_md5_crypt.encrypt(passwd).split('{CRYPT}')[1]
dbase.execute('vmail',
'INSERT INTO mailbox VALUES ("%s@%s", "%s", "%s", "%s@%s", %s, "%s", "%s", datetime(), 1)' \
%(name,dom,pwhash,fullname,name,dom,(quota if quota else '0'),name,dom))
def convertPassword(password):
newpassword = md5.new(password).digest()
newpassword = ldap_md5_crypt.encrypt(password)
return newpassword