def search(self,
filterText=None,
filterObject=None,
attributes=(),
scope=None,
derefAliases=None,
sizeLimit=0,
sizeLimitIsNonFatal=False,
timeLimit=0,
typesOnly=0,
callback=None):
self._checkState()
d = defer.Deferred()
if filterObject is None and filterText is None:
filterObject = pureldap.LDAPFilterMatchAll
elif filterObject is None and filterText is not None:
filterObject = ldapfilter.parseFilter(filterText)
elif filterObject is not None and filterText is None:
pass
elif filterObject is not None and filterText is not None:
f = ldapfilter.parseFilter(filterText)
filterObject = pureldap.LDAPFilter_and((f, filterObject))
if scope is None:
scope = pureldap.LDAP_SCOPE_wholeSubtree
if derefAliases is None:
derefAliases = pureldap.LDAP_DEREF_neverDerefAliases
if attributes is None:
attributes = ['1.1']
results = []
if callback is None:
cb = results.append
else:
cb = callback
try:
op = pureldap.LDAPSearchRequest(baseObject=str(self.dn),
scope=scope,
derefAliases=derefAliases,
sizeLimit=sizeLimit,
timeLimit=timeLimit,
typesOnly=typesOnly,
filter=filterObject,
attributes=attributes)
self.client.send_multiResponse(
op,
self._cbSearchMsg,
d,
cb,
complete=not attributes,
sizeLimitIsNonFatal=sizeLimitIsNonFatal)
except ldapclient.LDAPClientConnectionLostException:
d.errback(Failure())
else:
if callback is None:
d.addCallback(lambda dummy: results)
return d
def search(self,
filterText=None,
filterObject=None,
attributes=(),
scope=None,
derefAliases=None,
sizeLimit=0,
timeLimit=0,
typesOnly=0,
callback=None):
if filterObject is None and filterText is None:
filterObject = pureldap.LDAPFilterMatchAll
elif filterObject is None and filterText is not None:
filterObject = ldapfilter.parseFilter(filterText)
elif filterObject is not None and filterText is None:
pass
elif filterObject is not None and filterText is not None:
f = ldapfilter.parseFilter(filterText)
filterObject = pureldap.LDAPFilter_and((f, filterObject))
if scope is None:
scope = pureldap.LDAP_SCOPE_wholeSubtree
if derefAliases is None:
derefAliases = pureldap.LDAP_DEREF_neverDerefAliases
# choose iterator: base/children/subtree
if scope == pureldap.LDAP_SCOPE_wholeSubtree:
iterator = self.subtree
elif scope == pureldap.LDAP_SCOPE_singleLevel:
iterator = self.children
elif scope == pureldap.LDAP_SCOPE_baseObject:
def iterateSelf(callback):
callback(self)
return defer.succeed(None)
iterator = iterateSelf
else:
raise ldaperrors.LDAPProtocolError, \
'unknown search scope: %r' % scope
results = []
if callback is None:
matchCallback = results.append
else:
matchCallback = callback
# gather results, send them
def _tryMatch(entry):
if entry.match(filterObject):
matchCallback(entry)
d = iterator(callback=_tryMatch)
if callback is None:
return defer.succeed(results)
else:
return defer.succeed(None)
def makeFilter(name, template=None):
filter=None
try:
filter=ldapfilter.parseFilter(name)
except ldapfilter.InvalidLDAPFilter:
try:
filter=ldapfilter.parseFilter('('+name+')')
except ldapfilter.InvalidLDAPFilter:
if template is not None:
try:
filter=ldapfilter.parseFilter(template % {'name':name})
except ldapfilter.InvalidLDAPFilter:
pass
return filter
def test_cn(self):
text = '(cn=Babs Jensen)'
filt = pureldap.LDAPFilter_equalityMatch(
attributeDesc=pureldap.LDAPAttributeDescription(value='cn'),
assertionValue=pureldap.LDAPAssertionValue(value='Babs Jensen'))
self.assertEquals(ldapfilter.parseFilter(text), filt)
self.assertEquals(filt.asText(), text)
def test_escape_backslash(self):
text = r'(filename=C:\5cMyFile)'
filt = pureldap.LDAPFilter_equalityMatch(
attributeDesc=pureldap.LDAPAttributeDescription(value='filename'),
assertionValue=pureldap.LDAPAssertionValue(value=r'C:\MyFile'))
self.assertEquals(ldapfilter.parseFilter(text), filt)
self.assertEquals(filt.asText(), text)
def test_escape_parens(self):
text = r'(o=Parens R Us \28for all your parenthetical needs\29)'
filt = pureldap.LDAPFilter_equalityMatch(
attributeDesc=pureldap.LDAPAttributeDescription(value='o'),
assertionValue=pureldap.LDAPAssertionValue(value='Parens R Us (for all your parenthetical needs)'))
self.assertEquals(ldapfilter.parseFilter(text), filt)
self.assertEquals(filt.asText(), text)
class LDAPBindingChecker:
"""
The avatarID returned is an LDAPEntry.
"""
implements(checkers.ICredentialsChecker)
credentialInterfaces = (credentials.IUsernamePassword,)
def __init__(self, cfg):
self.config = cfg
def _valid(self, result, entry):
matchedDN, serverSaslCreds = result
return entry
def _found(self, results, credentials):
if not results:
return failure.Failure(error.UnauthorizedLogin('TODO 1'))
assert len(results)==1
entry = results[0]
d = entry.client.bind(str(entry.dn), credentials.password)
d.addCallback(self._valid, entry)
return d
def _connected(self, client, filt, credentials):
base = ldapsyntax.LDAPEntry(client, self.config.getIdentityBaseDN())
d = base.search(filterObject=filt,
sizeLimit=1,
attributes=[''], # TODO no attributes
)
d.addCallback(self._found, credentials)
return d
def requestAvatarId(self, credentials):
try:
baseDN = self.config.getIdentityBaseDN()
except config.MissingBaseDNError, e:
return failure.Failure(error.UnauthorizedLogin("Disabled due configuration error: %s." % e))
if not credentials.username:
return failure.Failure(error.UnauthorizedLogin("I don't support anonymous"))
filtText = self.config.getIdentitySearch(credentials.username)
try:
filt = ldapfilter.parseFilter(filtText)
except ldapfilter.InvalidLDAPFilter:
return failure.Failure(error.UnauthorizedLogin("Couldn't create filter"))
c = ldapconnector.LDAPClientCreator(reactor, ldapclient.LDAPClient)
d = c.connect(baseDN, self.config.getServiceLocationOverrides())
d.addCallback(self._connected, filt, credentials)
def _err(reason):
reason.trap(ldaperrors.LDAPInvalidCredentials,
# this happens with slapd 2.1.30 when binding
# with DN but no password
ldaperrors.LDAPUnwillingToPerform)
return failure.Failure(error.UnauthorizedLogin())
d.addErrback(_err)
return d
def test_whitespace_afterEq(self):
text = r'(cn= foo)'
filt = pureldap.LDAPFilter_equalityMatch(
attributeDesc=pureldap.LDAPAttributeDescription(value='cn'),
assertionValue=pureldap.LDAPAssertionValue(value=' foo'))
self.assertEquals(ldapfilter.parseFilter(text), filt)
self.assertEquals(filt.asText(), text)
def test_item_substring_any(self):
text = r'(cn=*foo*)'
filt = pureldap.LDAPFilter_substrings(
type='cn',
substrings=[pureldap.LDAPFilter_substrings_any('foo'),
])
self.assertEquals(ldapfilter.parseFilter(text), filt)
self.assertEquals(filt.asText(), text)
def test_not_cn(self):
text = '(!(cn=Tim Howes))'
filt = pureldap.LDAPFilter_not(
pureldap.LDAPFilter_equalityMatch(
attributeDesc=pureldap.LDAPAttributeDescription(value='cn'),
assertionValue=pureldap.LDAPAssertionValue(value='Tim Howes')))
self.assertEquals(ldapfilter.parseFilter(text), filt)
self.assertEquals(filt.asText(), text)
def test_escape_asterisk(self):
text = r'(cn=*\2A*)'
filt = pureldap.LDAPFilter_substrings(
type='cn',
substrings=[ pureldap.LDAPFilter_substrings_any(value='*'),
])
self.assertEquals(ldapfilter.parseFilter(text), filt)
self.assertEquals(filt.asText(), text.lower())
def test_bind_match_success(self):
server = self.createServer(
services=[
'svc1',
'svc2',
'svc3',
],
fallback=True,
responses=[
# svc1
[
pureldap.LDAPSearchResultEntry(
r'cn=svc1+owner=cn\=jack\,dc\=example\,dc\=com,dc=example,dc=com',
attributes=[]),
pureldap.LDAPSearchResultDone(
ldaperrors.Success.resultCode)
],
[
pureldap.LDAPBindResponse(
resultCode=ldaperrors.Success.resultCode)
],
])
server.dataReceived(
str(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(
dn='cn=jack,dc=example,dc=com', auth='secret'),
id=4)))
reactor.iterate() #TODO
client = server.client
client.assertSent(
pureldap.LDAPSearchRequest(
baseObject='dc=example,dc=com',
derefAliases=0,
sizeLimit=0,
timeLimit=0,
typesOnly=0,
filter=ldapfilter.parseFilter(
'(&' + '(objectClass=serviceSecurityObject)' +
'(owner=cn=jack,dc=example,dc=com)' + '(cn=svc1)' +
('(|(!(validFrom=*))(validFrom<=%s))' % server.now) +
('(|(!(validUntil=*))(validUntil>=%s))' % server.now) +
')'),
attributes=('1.1', )),
pureldap.LDAPBindRequest(
dn=
r'cn=svc1+owner=cn\=jack\,dc\=example\,dc\=com,dc=example,dc=com',
auth='secret'),
)
self.assertEquals(
server.transport.value(),
str(
pureldap.LDAPMessage(pureldap.LDAPBindResponse(
resultCode=ldaperrors.Success.resultCode,
matchedDN='cn=jack,dc=example,dc=com'),
id=4)))
def test_extensible_4(self):
text = '(:dn:2.4.6.8.10:=Dino)'
self.assertEquals(ldapfilter.parseFilter(text),
pureldap.LDAPFilter_extensibleMatch(
type=None,
dnAttributes=True,
matchingRule='2.4.6.8.10',
matchValue='Dino',
))
def test_item_substring_if(self):
text = r'(cn=foo*bar)'
filt = pureldap.LDAPFilter_substrings(
type='cn',
substrings=[pureldap.LDAPFilter_substrings_initial('foo'),
pureldap.LDAPFilter_substrings_final('bar'),
])
self.assertEquals(ldapfilter.parseFilter(text), filt)
self.assertEquals(filt.asText(), text)
def test_extensible_3(self):
text = '(o:dn:=Ace Industry)'
self.assertEquals(ldapfilter.parseFilter(text),
pureldap.LDAPFilter_extensibleMatch(
type='o',
dnAttributes=True,
matchingRule=None,
matchValue='Ace Industry',
))
def test_extensible_1(self):
text = '(cn:1.2.3.4.5:=Fred Flintstone)'
self.assertEquals(ldapfilter.parseFilter(text),
pureldap.LDAPFilter_extensibleMatch(
type='cn',
dnAttributes=False,
matchingRule='1.2.3.4.5',
matchValue='Fred Flintstone',
))
def test_extensible_2(self):
text = '(sn:dn:2.4.6.8.10:=Barney Rubble)'
self.assertEquals(ldapfilter.parseFilter(text),
pureldap.LDAPFilter_extensibleMatch(
type='sn',
dnAttributes=True,
matchingRule='2.4.6.8.10',
matchValue='Barney Rubble',
))
def test_substrings(self):
text = '(o=univ*of*mich*)'
filt = pureldap.LDAPFilter_substrings(
type='o',
substrings=[ pureldap.LDAPFilter_substrings_initial(value='univ'),
pureldap.LDAPFilter_substrings_any(value='of'),
pureldap.LDAPFilter_substrings_any(value='mich'),
])
self.assertEquals(ldapfilter.parseFilter(text), filt)
self.assertEquals(filt.asText(), text)
def test_and_item(self):
text = r'(&(cn=foo)(cn=bar))'
filt = pureldap.LDAPFilter_and([
pureldap.LDAPFilter_equalityMatch(
attributeDesc=pureldap.LDAPAttributeDescription(value='cn'),
assertionValue=pureldap.LDAPAssertionValue(value='foo')),
pureldap.LDAPFilter_equalityMatch(
attributeDesc=pureldap.LDAPAttributeDescription(value='cn'),
assertionValue=pureldap.LDAPAssertionValue(value='bar')),
])
self.assertEquals(ldapfilter.parseFilter(text), filt)
self.assertEquals(filt.asText(), text)
def test_and_or(self):
text = '(&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))'
filt = pureldap.LDAPFilter_and(
[ pureldap.LDAPFilter_equalityMatch(
attributeDesc=pureldap.LDAPAttributeDescription(value='objectClass'),
assertionValue=pureldap.LDAPAssertionValue(value='Person')),
pureldap.LDAPFilter_or([ pureldap.LDAPFilter_equalityMatch(
attributeDesc=pureldap.LDAPAttributeDescription(value='sn'),
assertionValue=pureldap.LDAPAssertionValue(value='Jensen')),
pureldap.LDAPFilter_substrings(
type='cn',
substrings=[ pureldap.LDAPFilter_substrings_initial(value='Babs J')
])
]),
])
self.assertEquals(ldapfilter.parseFilter(text), filt)
self.assertEquals(filt.asText(), text)
def test_andornot(self):
text = r'(&(!(|(cn=foo)(cn=bar)))(sn=a*b*c*d))'
filt = pureldap.LDAPFilter_and([
pureldap.LDAPFilter_not(
pureldap.LDAPFilter_or([
pureldap.LDAPFilter_equalityMatch(
attributeDesc=pureldap.LDAPAttributeDescription(value='cn'),
assertionValue=pureldap.LDAPAssertionValue(value='foo')),
pureldap.LDAPFilter_equalityMatch(
attributeDesc=pureldap.LDAPAttributeDescription(value='cn'),
assertionValue=pureldap.LDAPAssertionValue(value='bar')),
])),
pureldap.LDAPFilter_substrings(
type='sn',
substrings=[pureldap.LDAPFilter_substrings_initial('a'),
pureldap.LDAPFilter_substrings_any('b'),
pureldap.LDAPFilter_substrings_any('c'),
pureldap.LDAPFilter_substrings_final('d'),
])])
self.assertEquals(ldapfilter.parseFilter(text), filt)
self.assertEquals(filt.asText(), text)
def test_item_present(self):
text = r'(cn=*)'
filt = pureldap.LDAPFilter_present(value='cn')
self.assertEquals(ldapfilter.parseFilter(text), filt)
self.assertEquals(filt.asText(), text)
def test_bind_noMatchingServicesFound_fallback_badAuth(self):
server = self.createServer(
services=[
'svc1',
'svc2',
'svc3',
],
fallback=True,
responses=[
[pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode)],
[pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode)],
[pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode)],
[
pureldap.LDAPBindResponse(
resultCode=ldaperrors.LDAPInvalidCredentials.resultCode
),
],
])
server.dataReceived(
str(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(
dn='cn=jack,dc=example,dc=com', auth='wrong-s3krit'),
id=4)))
reactor.iterate() #TODO
client = server.client
client.assertSent(
pureldap.LDAPSearchRequest(
baseObject='dc=example,dc=com',
derefAliases=0,
sizeLimit=0,
timeLimit=0,
typesOnly=0,
filter=ldapfilter.parseFilter(
'(&' + '(objectClass=serviceSecurityObject)' +
'(owner=cn=jack,dc=example,dc=com)' + '(cn=svc1)' +
('(|(!(validFrom=*))(validFrom<=%s))' % server.now) +
('(|(!(validUntil=*))(validUntil>=%s))' % server.now) +
')'),
attributes=('1.1', )),
pureldap.LDAPSearchRequest(
baseObject='dc=example,dc=com',
derefAliases=0,
sizeLimit=0,
timeLimit=0,
typesOnly=0,
filter=ldapfilter.parseFilter(
'(&' + '(objectClass=serviceSecurityObject)' +
'(owner=cn=jack,dc=example,dc=com)' + '(cn=svc2)' +
('(|(!(validFrom=*))(validFrom<=%s))' % server.now) +
('(|(!(validUntil=*))(validUntil>=%s))' % server.now) +
')'),
attributes=('1.1', )),
pureldap.LDAPSearchRequest(
baseObject='dc=example,dc=com',
derefAliases=0,
sizeLimit=0,
timeLimit=0,
typesOnly=0,
filter=ldapfilter.parseFilter(
'(&' + '(objectClass=serviceSecurityObject)' +
'(owner=cn=jack,dc=example,dc=com)' + '(cn=svc3)' +
('(|(!(validFrom=*))(validFrom<=%s))' % server.now) +
('(|(!(validUntil=*))(validUntil>=%s))' % server.now) +
')'),
attributes=('1.1', )),
pureldap.LDAPBindRequest(dn='cn=jack,dc=example,dc=com',
auth='wrong-s3krit'))
self.assertEquals(
server.transport.value(),
str(
pureldap.LDAPMessage(pureldap.LDAPBindResponse(
resultCode=ldaperrors.LDAPInvalidCredentials.resultCode),
id=4)))
def test_escape_binary(self):
text = r'(bin=\00\00\00\04)'
filt = pureldap.LDAPFilter_equalityMatch(
attributeDesc=pureldap.LDAPAttributeDescription(value='bin'),
assertionValue=pureldap.LDAPAssertionValue(value='\00\00\00\04'))
self.assertEquals(ldapfilter.parseFilter(text), filt)
def test_escape_utf8(self):
text = r'(sn=Lu\c4\8di\c4\87)'
filt = pureldap.LDAPFilter_equalityMatch(
attributeDesc=pureldap.LDAPAttributeDescription(value='sn'),
assertionValue=pureldap.LDAPAssertionValue(value='Lu\xc4\x8di\xc4\x87'))
self.assertEquals(ldapfilter.parseFilter(text), filt)
