def authenticateUser(session, req, username, password):
	"""authenticate the username/password combination.
	
	Only used if config.AUTH_TYPE=='FORM'.
	This sets session['username'], iff authentication is successful.
	This should raise an Exception if authentication fails (the caller must make sure to sanitize any error message, since there's no guarantee it won't contain passwords or other sensitive information).
	"""

	if password=='': raise Exception("empty password")  #the ldap bind does not fail for empty password, so must catch it before

	import ldap

	ldap.set_option(ldap.OPT_DEBUG_LEVEL,255)

	try:
		try:
			authenticated = False
			for host in ('dc2-rc', 'dc3-rc'):
				try:
					l = ldap.initialize("ldaps://%s:636/" % host)
					l.protocol_version = ldap.VERSION3
					l.simple_bind_s(
						core.getStdout("/n/sw/rc/bin/username2ldapatts -a distinguishedName %s" % core.shQuote(username)).strip(),
						password
					)  #will raise ldap.INVALID_CREDENTIALS in case of failure
					authenticated = True
					break
				except ldap.SERVER_DOWN, e:
					msg = "got ldap.SERVER_DOWN for [%s]: %s; will retry other hosts if available" % (host, e)
					core.log(msg, session, req)
					continue
			if not authenticated: raise Exception("cannot contact LDAP server(s)")
		except ldap.INVALID_CREDENTIALS:
			raise
def getEmailAddress(username):
	"""Return the email address recorded for *username* in the directory.

	Provided for convenience only -- nothing calls it by default, regardless
	of config.AUTH_TYPE.

	The lookup shells out to username2ldapatts; the username is passed
	through core.shQuote before being interpolated into the command line,
	so that quoting is the only thing standing between the caller's input
	and the shell. The command's stdout is returned with surrounding
	whitespace removed.
	"""
	lookup_cmd = "/n/sw/rc/bin/username2ldapatts -a mail %s" % core.shQuote(username)
	raw_output = core.getStdout(lookup_cmd)
	return raw_output.strip()