def test_search(self): """ When performing an LDAP search against the server; the search results and a single "search done" response is written to the transport. """ server = self.createServer( [pureldap.LDAPBindResponse(resultCode=0)], [ pureldap.LDAPSearchResultEntry('cn=foo,dc=example,dc=com', [('a', ['b'])]), pureldap.LDAPSearchResultEntry('cn=bar,dc=example,dc=com', [('b', ['c'])]), pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode) ], ) server.dataReceived( pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2).toWire()) server.dataReceived( pureldap.LDAPMessage(pureldap.LDAPSearchRequest(), id=3).toWire()) server.reactor.advance(1) self.assertEqual( server.transport.value(), pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=2).toWire() + pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry( 'cn=foo,dc=example,dc=com', [('a', ['b'])]), id=3).toWire() + pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry( 'cn=bar,dc=example,dc=com', [('b', ['c'])]), id=3).toWire() + pureldap.LDAPMessage(pureldap.LDAPSearchResultDone( ldaperrors.Success.resultCode), id=3).toWire())
def test_bind_noMatchingServicesFound_fallback_success(self): server = self.createServer( services=['svc1', 'svc2', 'svc3', ], fallback=True, responses=[ [ pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode) ], [ pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode) ], [ pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode) ], [ pureldap.LDAPBindResponse(resultCode=ldaperrors.Success.resultCode) ], ]) server.dataReceived(str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(dn='cn=jack,dc=example,dc=com', auth='s3krit'), id=4))) reactor.iterate() #TODO client = server.client client.assertSent( pureldap.LDAPSearchRequest(baseObject='dc=example,dc=com', derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=ldapfilter.parseFilter('(&' +'(objectClass=serviceSecurityObject)' +'(owner=cn=jack,dc=example,dc=com)' +'(cn=svc1)' +('(|(!(validFrom=*))(validFrom<=%s))' % server.now) +('(|(!(validUntil=*))(validUntil>=%s))' % server.now) +')'), attributes=('1.1',)), pureldap.LDAPSearchRequest(baseObject='dc=example,dc=com', derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=ldapfilter.parseFilter('(&' +'(objectClass=serviceSecurityObject)' +'(owner=cn=jack,dc=example,dc=com)' +'(cn=svc2)' +('(|(!(validFrom=*))(validFrom<=%s))' % server.now) +('(|(!(validUntil=*))(validUntil>=%s))' % server.now) +')'), attributes=('1.1',)), pureldap.LDAPSearchRequest(baseObject='dc=example,dc=com', derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=ldapfilter.parseFilter('(&' +'(objectClass=serviceSecurityObject)' +'(owner=cn=jack,dc=example,dc=com)' +'(cn=svc3)' +('(|(!(validFrom=*))(validFrom<=%s))' % server.now) +('(|(!(validUntil=*))(validUntil>=%s))' % server.now) +')'), attributes=('1.1',)), pureldap.LDAPBindRequest(dn='cn=jack,dc=example,dc=com', auth='s3krit')) self.assertEquals(server.transport.value(), str(pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=ldaperrors.Success.resultCode), id=4)))
def test_intercepted_search_response(self): """ When performing an LDAP search against the server; the search results are intercepted and modified by the proxy. """ server = self.createServer([pureldap.LDAPBindResponse(resultCode=0)], [ pureldap.LDAPSearchResultEntry('cn=foo,dc=example,dc=com', [('a', ['b'])]), pureldap.LDAPSearchResultEntry('cn=bar,dc=example,dc=com', [('b', ['c'])]), pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode) ], protocol=ResponseInterceptingProxy) server.dataReceived( pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2).toWire()) server.dataReceived( pureldap.LDAPMessage(pureldap.LDAPSearchRequest(), id=3).toWire()) server.reactor.advance(1) server.reactor.advance(5) self.assertEqual( server.transport.value(), pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=2).toWire() + pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry( 'cn=foo,dc=example,dc=com', [('a', ['b']), ('frotz', ['xyzzy'])]), id=3).toWire() + pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry( 'cn=bar,dc=example,dc=com', [('b', ['c']), ('frotz', ['xyzzy'])]), id=3).toWire() + pureldap.LDAPMessage(pureldap.LDAPSearchResultDone( ldaperrors.Success.resultCode), id=3).toWire())
def test_unbind_clientEOF(self): server = self.createServer( [ pureldap.LDAPBindResponse(resultCode=0), ], [], ) server.dataReceived( str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2))) reactor.iterate() #TODO client = server.client client.assertSent(pureldap.LDAPBindRequest()) self.assertEquals( server.transport.value(), str( pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=2))) server.connectionLost(error.ConnectionDone) reactor.iterate() #TODO client.assertSent(pureldap.LDAPBindRequest(), 'fake-unbind-by-LDAPClientTestDriver') self.assertEquals( server.transport.value(), str( pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=2)))
def test_realm_mapping_succeeds_case_sensitive(self): marker = 'markerSecret' password = '******' service_dn = 'uid=passthrough,cn=users,dc=test,dc=local' dn = 'uid=Hugo,cn=users,dc=test,DC=LOCAL' server, client = self.create_server_and_client( [ pureldap.LDAPBindResponse(resultCode=0), # for service account ], [ pureldap.LDAPSearchResultEntry(dn, [('someattr', ['somevalue'])]), pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode), ]) yield client.bind(service_dn, 'service-secret') # Assert that Proxy<->Backend uses the correct credentials server.client.assertSent( pureldap.LDAPBindRequest(dn=service_dn, auth='service-secret'), ) # Perform a simple search in the context of the service account entry = LDAPEntry(client, dn) r = yield entry.search('(|(objectClass=*)(objectclass=App-%s))' % marker, scope=pureldap.LDAP_SCOPE_baseObject) # sleep half a second and then try to bind as hugo time.sleep(0.5) server2, client2 = self.create_server_and_client([ pureldap.LDAPBindResponse( resultCode=0), # for service account (successful hugo bind) ]) yield client2.bind( dn.lower(), password) # this will work even though the DN has differing case self.assertEqual(self.privacyidea.authentication_requests, [('hugo', 'realmSecret', password, True)]) time.sleep(1) # to clean the reactor
def test_search(self): server = self.createServer( [ pureldap.LDAPBindResponse(resultCode=0), ], [ pureldap.LDAPSearchResultEntry('cn=foo,dc=example,dc=com', [('a', ['b'])]), pureldap.LDAPSearchResultEntry('cn=bar,dc=example,dc=com', [('b', ['c'])]), pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode), ], ) server.dataReceived( str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2))) server.dataReceived( str(pureldap.LDAPMessage(pureldap.LDAPSearchRequest(), id=3))) reactor.iterate() #TODO self.assertEquals( server.transport.value(), str( pureldap.LDAPMessage( pureldap.LDAPBindResponse(resultCode=0), id=2)) + str( pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry( 'cn=foo,dc=example,dc=com', [('a', ['b'])]), id=3)) + str( pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry( 'cn=bar,dc=example,dc=com', [('b', ['c'])]), id=3)) + str( pureldap.LDAPMessage(pureldap.LDAPSearchResultDone( ldaperrors.Success.resultCode), id=3)))
def test_realm_mapping_fails_wrong_password(self): marker = 'markerSecret' realm = 'realmSecret' password = '******' # this is the wrong password! service_dn = 'uid=passthrough,cn=users,dc=test,dc=local' dn = 'uid=hugo,cn=users,dc=test,dc=local' server, client = self.create_server_and_client( [ pureldap.LDAPBindResponse(resultCode=0), # for service account ], [ pureldap.LDAPSearchResultEntry(dn, [('someattr', ['somevalue'])]), pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode), ]) yield client.bind(service_dn, 'service-secret') # Assert that Proxy<->Backend uses the correct credentials server.client.assertSent( pureldap.LDAPBindRequest(dn=service_dn, auth='service-secret'), ) # Perform a simple search in the context of the service account entry = LDAPEntry(client, dn) r = yield entry.search('(|(objectClass=*)(objectclass=App-%s))' % marker, scope=pureldap.LDAP_SCOPE_baseObject) # sleep a second and then try to bind as hugo time.sleep(0.5) server2, client2 = self.create_server_and_client([ pureldap.LDAPBindResponse( resultCode=0), # for service account (successful hugo bind) ]) d = client2.bind(dn, password) yield self.assertFailure(d, ldaperrors.LDAPInvalidCredentials) self.assertEqual(self.privacyidea.authentication_requests, [('hugo', realm, password, False)]) time.sleep(1) # to clean the reactor
def test_unbind_clientUnbinds(self): """ The server disconnects from the client gracefully when the client signals its intent to unbind. """ server = self.createServer( [pureldap.LDAPBindResponse(resultCode=0)], [], ) server.dataReceived( str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2))) server.reactor.advance(1) client = server.client client.assertSent(pureldap.LDAPBindRequest()) self.assertEqual( server.transport.value(), str( pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=2))) server.dataReceived( str(pureldap.LDAPMessage(pureldap.LDAPUnbindRequest(), id=3))) server.connectionLost(error.ConnectionDone) server.reactor.advance(1) client.assertSent(pureldap.LDAPBindRequest(), pureldap.LDAPUnbindRequest()) self.assertEqual( server.transport.value(), str( pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=2)))
def test_unbind_clientEOF(self): """ The server disconects correctly when the client terminates the connection without sending an unbind request. """ server = self.createServer([pureldap.LDAPBindResponse(resultCode=0)]) server.dataReceived( str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2))) server.reactor.advance(1) client = server.client client.assertSent(pureldap.LDAPBindRequest()) self.assertEqual( server.transport.value(), str( pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=2))) server.connectionLost(error.ConnectionDone) server.reactor.advance(1) client.assertSent(pureldap.LDAPBindRequest(), 'fake-unbind-by-LDAPClientTestDriver') self.assertEqual( server.transport.value(), str( pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=2)))
def test_search(self): server = self.createServer( [ pureldap.LDAPBindResponse(resultCode=0), ], [ pureldap.LDAPSearchResultEntry("cn=foo,dc=example,dc=com", [("a", ["b"])]), pureldap.LDAPSearchResultEntry("cn=bar,dc=example,dc=com", [("b", ["c"])]), pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode), ], ) server.dataReceived( pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2).toWire()) server.dataReceived( pureldap.LDAPMessage(pureldap.LDAPSearchRequest(), id=3).toWire()) reactor.iterate() # TODO self.assertEqual( server.transport.value(), pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=2).toWire() + pureldap.LDAPMessage( pureldap.LDAPSearchResultEntry("cn=foo,dc=example,dc=com", [("a", ["b"])]), id=3, ).toWire() + pureldap.LDAPMessage( pureldap.LDAPSearchResultEntry("cn=bar,dc=example,dc=com", [("b", ["c"])]), id=3, ).toWire() + pureldap.LDAPMessage(pureldap.LDAPSearchResultDone( ldaperrors.Success.resultCode), id=3).toWire(), )
def test_bind(self): server = self.createServer([ pureldap.LDAPBindResponse(resultCode=0), ]) server.dataReceived(str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=4))) reactor.iterate() #TODO self.assertEqual(server.transport.value(), str(pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=4)))
def test_unbind_clientUnbinds(self): server = self.createServer( [ pureldap.LDAPBindResponse(resultCode=0), ], [], ) server.dataReceived( pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2).toWire()) reactor.iterate() # TODO client = server.client client.assertSent(pureldap.LDAPBindRequest()) self.assertEqual( server.transport.value(), pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=2).toWire(), ) server.dataReceived( pureldap.LDAPMessage(pureldap.LDAPUnbindRequest(), id=3).toWire()) server.connectionLost(error.ConnectionDone) reactor.iterate() # TODO client.assertSent(pureldap.LDAPBindRequest(), pureldap.LDAPUnbindRequest()) self.assertEqual( server.transport.value(), pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=2).toWire(), )
def test_bind(self): """ When binding to the server an `LDAPBindResponse` with a successful result code.is written to the transport. """ server = self.createServer([pureldap.LDAPBindResponse(resultCode=0)]) server.dataReceived(str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=4))) server.reactor.advance(1) self.assertEqual(server.transport.value(), str(pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=4)))
def _maybeFallback(self, entry, request, controls, reply): if entry is not None: msg = pureldap.LDAPBindResponse( resultCode=ldaperrors.Success.resultCode, matchedDN=request.dn) return msg elif self.fallback: self.handleUnknown(request, controls, reply) else: msg = pureldap.LDAPBindResponse( resultCode=ldaperrors.LDAPInvalidCredentials.resultCode) return msg
def handleProxiedResponse(self, response, request, controls): global binds if isinstance(request, pureldap.LDAPCompareRequest): print(request) print("Compare Request") if isinstance(request, pureldap.LDAPBindRequest): dnrequested = str(request.dn.decode('utf-8').strip()) dnpassword = str(request.auth.decode('utf-8').strip()) try: jwtsecret = os.environ.get("JWT_SECRET") token = jwt.decode(dnpassword, jwtsecret, algorithms="HS256") log.msg("Token received, details follow:") log.msg(token) epoch_time = int(time.time()) try: expiresat = int(token['expires_at']) username = str(token['username']) if (expiresat - epoch_time < 0): #token has expired log.msg("JWT was expired; return failure") response = pureldap.LDAPBindResponse(resultCode=49) return defer.succeed(response) if username.lower() == dnrequested.lower(): log.msg("JWT was provided and valid, return success") response = pureldap.LDAPBindResponse(resultCode=0) return defer.succeed(response) else: log.msg( "JWT did not match requested user, return failure") response = pureldap.LDAPBindResponse(resultCode=49) return defer.succeed(response) except: log.msg("JWT token format was invalid; return failure") response = pureldap.LDAPBindResponse(resultCode=49) return defer.succeed(response) except: #not a JWT #log.msg("Not a JWT; proxying") pass log.msg("LDAP Bind for " + str(dnrequested) + ", proxying to upstream") return defer.succeed(response)
def test_subsequent_binds_succeed(self): dn = 'uid=hugo,cn=users,dc=test,dc=local' server, client = self.create_server_and_client([ pureldap.LDAPBindResponse(resultCode=0), # for service account ]) yield client.bind(dn, 'secret') time.sleep(0.5) server2, client2 = self.create_server_and_client([ pureldap.LDAPBindResponse(resultCode=0), # for service account ]) yield client2.bind(dn, 'secret') # but only one authentication request to privacyIDEA! self.assertEqual(self.privacyidea.authentication_requests, [('hugo', 'default', 'secret', True)]) time.sleep(2) # to clean the reactor
def test_reusing_connection_succeeds2(self): # User Bind, User Bind server, client = self.create_server_and_client( [pureldap.LDAPBindResponse(resultCode=0)], [pureldap.LDAPBindResponse(resultCode=0)]) yield client.bind('uid=hugo,cn=users,dc=test,dc=local', 'secret') yield client.bind('uid=hugo,cn=users,dc=test,dc=local', 'secret') server.client.assertSent( pureldap.LDAPBindRequest( dn='uid=service,cn=users,dc=test,dc=local', auth='service-secret'), pureldap.LDAPBindRequest( dn='uid=service,cn=users,dc=test,dc=local', auth='service-secret'), )
def _cb(entry): self.boundUser = entry msg = pureldap.LDAPBindResponse( resultCode=ldaperrors.Success.resultCode, matchedDN=entry.dn.getText(), ) return msg
def test_intercepted_search_request(self): """ When performing an LDAP search against the server; the requests are intercepted and custom responses are written to the transport. """ server = self.createServer([pureldap.LDAPBindResponse(resultCode=0)], [ pureldap.LDAPSearchResultEntry('cn=foo,dc=example,dc=com', [('a', ['b'])]), pureldap.LDAPSearchResultEntry('cn=bar,dc=example,dc=com', [('b', ['c'])]), pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode), ], protocol=RequestInterceptingProxy) server.responses = [ pureldap.LDAPSearchResultEntry('cn=xyzzy,dc=example,dc=com', [('frobnitz', ['zork'])]), pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode) ] server.dataReceived( str(pureldap.LDAPMessage(pureldap.LDAPSearchRequest(), id=1))) server.reactor.advance(1) self.assertEqual(len(server.clientTestDriver.sent), 0) self.assertEqual( server.transport.value(), str( pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry( 'cn=xyzzy,dc=example,dc=com', [('frobnitz', ['zork'])]), id=1)) + str( pureldap.LDAPMessage(pureldap.LDAPSearchResultDone( ldaperrors.Success.resultCode), id=1)))
def test_simple_search(self): dn = 'uid=hugo,cn=users,dc=test,dc=local' server, client = self.create_server_and_client( [ pureldap.LDAPBindResponse(resultCode=0), # for service account ], [ pureldap.LDAPSearchResultEntry(dn, [('someattr', ['somevalue'])]), pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode), ]) yield client.bind(dn, 'secret') # Assert that Proxy<->Backend uses the correct credentials server.client.assertSent( pureldap.LDAPBindRequest( dn='uid=service,cn=users,dc=test,dc=local', auth='service-secret'), ) # Perform a simple search in the context of the service account entry = LDAPEntry(client, dn) results = yield entry.search('(objectClass=*)', scope=pureldap.LDAP_SCOPE_baseObject) self.assertEqual(len(results), 1) self.assertEqual(len(results[0]['someattr']), 1) (value, ) = results[0]['someattr'] self.assertEqual(value, 'somevalue')
def test_bind(self): self.server.dataReceived( pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=4).toWire()) self.assertEqual( self.server.transport.value(), pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=4).toWire())
def test_bind_cache_cleared(self): dn = 'uid=hugo,cn=users,dc=test,dc=local' server, client = self.create_server_and_client([ pureldap.LDAPBindResponse(resultCode=0), # for service account ]) yield client.bind(dn, 'secret') time.sleep(3) # which cleans the bind cache server2, client2 = self.create_server_and_client([ pureldap.LDAPBindResponse(resultCode=0), # for service account ]) yield client2.bind(dn, 'secret') # two authentication requests to privacyIDEA! self.assertEqual(self.privacyidea.authentication_requests, [('hugo', 'default', 'secret', True), ('hugo', 'default', 'secret', True)]) time.sleep(2) # to clean the reactor
def _bind_callback(self, data): cookies, user = data self.cookies = cookies return pureldap.LDAPBindResponse( resultCode=ldaperrors.Success.resultCode, matchedDN=user.dn)
def test_simple_bind(self): dn = 'uid=thegreathugo,cn=users,dc=test,dc=local' server, client = self.create_server_and_client() service_account_client = self.inject_service_account_server( [ pureldap.LDAPBindResponse(resultCode=0), # for service account ], [ pureldap.LDAPSearchResultEntry(dn, [('sAMAccountName', ['hugo'])]), pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode), ]) yield client.bind(dn, 'secret') # Assert that Proxy<->Backend (the actual connection) did not send anything server.client.assertNothingSent() # Assert that Proxy<->Backend (the lookup connection) did send something service_account_client.assertSent( pureldap.LDAPBindRequest( dn='uid=service,cn=users,dc=test,dc=local', auth='service-secret'), pureldap.LDAPSearchRequest( baseObject='uid=thegreathugo,cn=users,dc=test,dc=local', scope=0, derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=pureldap.LDAPFilter_present(value='objectClass'), attributes=()), 'fake-unbind-by-LDAPClientTestDriver')
def test_realm_mapping_fails_fake_search_by_user(self): service_dn = 'uid=passthrough,cn=users,dc=test,dc=local' dn = 'uid=hugo,cn=users,dc=test,dc=local' server, client = self.create_server_and_client( [ pureldap.LDAPBindResponse(resultCode=0), # for service account ], [ pureldap.LDAPSearchResultEntry(dn, [('someattr', ['somevalue'])]), pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode), ]) yield client.bind(service_dn, 'service-secret') # Assert that Proxy<->Backend uses the correct credentials server.client.assertSent( pureldap.LDAPBindRequest(dn=service_dn, auth='service-secret'), ) # Perform a simple search in the context of the service account entry = LDAPEntry(client, dn) r = yield entry.search( '(|(objectClass=*)(objectcLAsS=App-markerSecret))', scope=pureldap.LDAP_SCOPE_baseObject) # sleep half a second and then try to bind as hugo time.sleep(0.5) server2, client2 = self.create_server_and_client( [ pureldap.LDAPBindResponse( resultCode=0 ), # for service account (successful hugo bind) ], [ pureldap.LDAPSearchResultEntry( dn, [('someattr', ['somevalue'])]), # hugo's search pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode), ]) yield client2.bind(dn, 'secret') self.assertEqual(self.privacyidea.authentication_requests, [('hugo', 'realmSecret', 'secret', True)]) # Perform another search in hugo's context entry2 = LDAPEntry(client2, dn) r = yield entry2.search( '(|(objectClass=*)(objectcLAsS=App-markerOfficial))', scope=pureldap.LDAP_SCOPE_baseObject) self.assertTrue( server.factory.app_cache.get_cached_marker(dn) in ('markerSecret', None)) time.sleep(1) # to clean the reactor
def send_bind_response(self, result, request, reply): """ Given a bind request, authentication result and a reply function, send a successful or a failed bind response. :param result: A tuple ``(success, message/app marker)`` :param request: The corresponding ``LDAPBindRequest`` :param reply: A function that expects a ``LDAPResult`` object :return: nothing """ success, message = result if success: log.info('Sending BindResponse "success"') app_marker = message self.factory.finalize_authentication(request.dn, app_marker, request.auth) reply(pureldap.LDAPBindResponse(ldaperrors.Success.resultCode)) else: log.info('Sending BindResponse "invalid credentials": {message}', message=message) reply(pureldap.LDAPBindResponse(ldaperrors.LDAPInvalidCredentials.resultCode, errorMessage=message))
def test_bind_cache_different_password(self): dn = 'uid=hugo,cn=users,dc=test,dc=local' server, client = self.create_server_and_client([ pureldap.LDAPBindResponse(resultCode=0), # for service account ]) yield client.bind(dn, 'secret') time.sleep(0.5) server2, client2 = self.create_server_and_client([ pureldap.LDAPBindResponse(resultCode=0), # for service account ]) d = client2.bind(dn, 'something-else') yield self.assertFailure(d, ldaperrors.LDAPInvalidCredentials) # two authentication requests to privacyIDEA! self.assertEqual(self.privacyidea.authentication_requests, [('hugo', 'default', 'secret', True), ('hugo', 'default', 'something-else', False)]) time.sleep(2) # to clean the reactor
def test_reusing_connection_fails2(self): # Scenario 2: User Bind, Passthrough Bind server, client = self.create_server_and_client( [pureldap.LDAPBindResponse(resultCode=0)]) yield client.bind('uid=hugo,cn=users,dc=test,dc=local', 'secret') d = client.bind('uid=passthrough,cn=users,dc=test,dc=local', 'some-secret') yield self.assertFailure(d, ldaperrors.LDAPInvalidCredentials)
def test_bind_sasl_no_credentials(self): # result code 14 is saslInprogress, with some server credentials. server = self.createServer([ pureldap.LDAPBindResponse(resultCode=14, serverSaslCreds='test123'), ]) server.dataReceived( pureldap.LDAPMessage(pureldap.LDAPBindRequest(auth=('GSS-SPNEGO', None), sasl=True), id=4).toWire()) reactor.iterate() #TODO self.assertEqual( server.transport.value(), pureldap.LDAPMessage(pureldap.LDAPBindResponse( resultCode=14, serverSaslCreds='test123'), id=4).toWire())
def _cb(entry): """ Called when BIND operation was successful. """ self.boundUser = entry msg = pureldap.LDAPBindResponse( resultCode=ldaperrors.Success.resultCode, matchedDN=entry.dn) return msg