def encrypt_password(self, password): """ Encrypts the password before storing it in LDAP. :param password: The password to encrypt. """ return ldap_md5_crypt.encrypt(password)
def test_remove_leftovers_before_adding_secondary_password(self): leftover = ldap_md5_crypt.encrypt('leftover_password') self.ldapobject.directory[get_ldap_user('alice')[0]]['userPassword'].append(leftover) self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice', directory=self.ldapobject.directory)]) alice = User.objects.create(username='******', password='******') request = set_request(uri='/', user=alice) set_secondary_password(request, 'ldaptest') self.assertNotIn(leftover, get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword'])
def test_dont_remove_primary_password_while_cleaning_leftovers(self): leftover = ldap_md5_crypt.encrypt('leftover_password') self.ldapobject.directory[get_ldap_user('alice')[0]]['userPassword'].append(leftover) self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice', directory=self.ldapobject.directory)]) alice = User.objects.create(username='******', password='******') request = set_request(uri='/', user=alice) set_secondary_password(request, 'ldaptest') self.assertTrue(ldap_md5_crypt.verify('ldaptest',get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword'][0]))
def test_remove_leftovers_before_adding_secondary_password(self): leftover = ldap_md5_crypt.encrypt('leftover_password') self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(leftover) request = set_request(uri='/', user=vars.USER_ALICE) set_secondary_password(request, 'ldaptest') self.assertNotIn(leftover, ldap_users( 'alice', directory=self.ldapobj.directory)[1]['userPassword'])
def test_secondary_password_is_removed_in_logout(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(secondary_password)) self.ldapobj.directory[ldap_users("alice")[0]]["userPassword"].append(secondary_password_crypt) request = set_request(uri="/login", post=vars.LOGIN_ALICE, user=vars.USER_ALICE) request.session["secondary_password"] = cipher.encrypt(secondary_password) logout(request) self.assertEqual(len(ldap_users("alice", directory=self.ldapobj.directory)[1]["userPassword"]), 1)
def add_mailbox(self, name, dom, passwd, fullname, quota=False): dbase = apis.databases(self.app).get_interface('MariaDB') conn = apis.databases(self.app).get_dbconn('MariaDB') pwhash = ldap_md5_crypt.encrypt(passwd).split('{CRYPT}')[1] dbase.execute('vmail', 'INSERT INTO `mailbox` VALUES (\"'+name+'@'+dom+'\", '+\ '\"'+pwhash+'\", \"'+fullname+'\", \"'+name+'@'+dom+'/\", '+\ (quota if quota else '0')+', \"'+name+'\", \"'+dom+'\", '+\ 'NOW(), 1)', conn, False)
def test_dont_remove_primary_password_while_removing_secondary_password(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(secondary_password)) self.ldapobject.directory[get_ldap_user('alice')[0]]['userPassword'].append(secondary_password_crypt) self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice', directory=self.ldapobject.directory)]) alice = User.objects.create(username='******', password='******') request = set_request(uri='/', user=alice) request.session['secondary_password'] = cipher.encrypt(secondary_password) remove_secondary_password(request) self.assertTrue(ldap_md5_crypt.verify('ldaptest',get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword'][0]))
def test_dont_remove_primary_password_while_cleaning_leftovers(self): leftover = ldap_md5_crypt.encrypt('leftover_password') self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(leftover) request = set_request(uri='/', user=vars.USER_ALICE) set_secondary_password(request, 'ldaptest') self.assertTrue(ldap_md5_crypt.verify( 'ldaptest', ldap_users( 'alice', directory=self.ldapobj.directory)[1]['userPassword'][0]))
def test_get_bound_ldapuser_from_request(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode( secondary_password)) self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(secondary_password_crypt) request = set_request('/', user=vars.USER_ALICE) request.session['secondary_password'] = cipher.encrypt( secondary_password) with get_bound_ldapuser(request) as user: self.assertEqual(user.username, vars.USER_ALICE.username)
def test_get_bound_ldapuser_from_request(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt( b64encode(secondary_password)) self.ldapobj.directory[ldap_users('alice')[0]]['userPassword'].append( secondary_password_crypt) request = set_request('/', user=vars.USER_ALICE) request.session['secondary_password'] = cipher.encrypt( secondary_password) with get_bound_ldapuser(request) as user: self.assertEqual(user.username, vars.USER_ALICE.username)
def password_reset(request, uidb64, token): # urlsafe_base64_decode() decodes to bytestring uid = urlsafe_base64_decode(uidb64).decode() user = UserModel._default_manager.get(pk=uid) token_generator = default_token_generator user = LDAPBackend().populate_user(user.username) if not user: return HttpResponse("Kein bekannter Benutzer") context = dict( reason='password_reset', vorname=user.ldap_user.attrs['givenName'][0], nachname=user.ldap_user.attrs['sn'][0], username=user.username, user=user ) if not token_generator.check_token(user, token): messages.add_message(request, messages.INFO, "Passwort-Reset-Link bereits verbraucht") if not request.user: return HttpResponse("Invalid Request. (43)") else: # Establish conn = ldap.initialize(config.AUTH_LDAP_SERVER_URI) conn.simple_bind_s(config.AUTH_LDAP_BIND_DN, config.AUTH_LDAP_BIND_PASSWORD) #note salt generation is automatically handled password = passlib.pwd.genword() password_hash = ldap_md5_crypt.encrypt(password).encode('utf-8') modlist = [(ldap.MOD_REPLACE, 'userPassword', [password_hash] )] logger.info(f"reset/LDAP: changed to {user.ldap_user.dn}") conn.modify_s(user.ldap_user.dn, modlist) context['password'] = password msg_plain = render_to_string('registration/account_info.txt', context) send_mail("[EVH Account] Neues Passwort", msg_plain, config.EMAIL_FROM, [user.email], fail_silently=False) user = authenticate(username=user.username, password=password) login(request, user) messages.add_message(request, messages.SUCCESS, "Passwort erfolgreich zurückgesetzt.") return render(request, 'registration/password_reset_success.html', context)
def test_dont_remove_unknown_hashes_while_cleaning_leftovers(self): leftover = ldap_md5_crypt.encrypt('leftover_password') self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(leftover) leftover2 = 'plain_leftover2' self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(leftover2) request = set_request(uri='/', user=vars.USER_ALICE) set_secondary_password(request, 'ldaptest') self.assertIn(leftover2, ldap_users( 'alice', directory=self.ldapobj.directory)[1]['userPassword'])
def test_remove_secondary_password_from_ldap(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode( secondary_password)) self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(secondary_password_crypt) request = set_request(uri='/', user=vars.USER_ALICE) request.session['secondary_password'] = cipher.encrypt( secondary_password) remove_secondary_password(request) self.assertNotIn(secondary_password_crypt, ldap_users( 'alice', directory=self.ldapobj.directory)[1]['userPassword'])
def test_get_bound_ldapuser_bind_as_is_properly_set_from_request(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt( b64encode(secondary_password)) self.ldapobj.directory[ldap_users('alice')[0]]['userPassword'].append( secondary_password_crypt) request = set_request('/', user=vars.USER_ALICE) request.session['secondary_password'] = cipher.encrypt( secondary_password) with get_bound_ldapuser(request) as user: # noqa db_alias = 'ldap_%s' % request.session.cache_key self.assertEqual(settings.DATABASES[db_alias]['PASSWORD'], b64encode(secondary_password))
def test_get_bound_ldapuser_bind_as_is_properly_set_from_request(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode( secondary_password)) self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(secondary_password_crypt) request = set_request('/', user=vars.USER_ALICE) request.session['secondary_password'] = cipher.encrypt( secondary_password) with get_bound_ldapuser(request) as user: # noqa db_alias = 'ldap_%s' % request.session.cache_key self.assertEqual(settings.DATABASES[db_alias]['PASSWORD'], b64encode(secondary_password))
def test_dont_remove_primary_password_when_removing_secondary_passwd(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode( secondary_password)) self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(secondary_password_crypt) request = set_request(uri='/', user=vars.USER_ALICE) request.session['secondary_password'] = cipher.encrypt( secondary_password) remove_secondary_password(request) self.assertTrue(ldap_md5_crypt.verify('ldaptest', ldap_users( 'alice', directory=self.ldapobj.directory)[1]['userPassword'][0]))
def test_get_bound_ldapuser_context_manager_cleans_up_settings(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt( b64encode(secondary_password)) self.ldapobj.directory[ldap_users('alice')[0]]['userPassword'].append( secondary_password_crypt) request = set_request('/', user=vars.USER_ALICE) request.session['secondary_password'] = cipher.encrypt( secondary_password) with get_bound_ldapuser(request) as user: # noqa pass db_alias = 'ldap_%s' % request.session.cache_key self.assertNotIn('USER', settings.DATABASES.get(db_alias, {})) self.assertNotIn('PASSWORD', settings.DATABASES.get(db_alias, {}))
def edit(self, name, dom, quota, passwd): dbase = apis.databases(self.app).get_interface('MariaDB') conn = apis.databases(self.app).get_dbconn('MariaDB') if passwd: pwhash = ldap_md5_crypt.encrypt(passwd).split('{CRYPT}')[1] if passwd and quota: dbase.execute('vmail', 'UPDATE mailbox SET quota = %s, password = \"%s\" WHERE local_part = \"%s\" AND domain = \"%s\"'%(quota,pwhash,name,dom), conn, False) elif passwd: dbase.execute('vmail', 'UPDATE mailbox SET password = \"%s\" WHERE local_part = \"%s\" AND domain = \"%s\"'%(pwhash,name,dom), conn, False) elif quota: dbase.execute('vmail', 'UPDATE mailbox SET quota = %s WHERE local_part = \"%s\" AND domain = \"%s\"'%(quota,name,dom), conn, False)
def test_get_bound_ldapuser_context_manager_cleans_up_settings(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode( secondary_password)) self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(secondary_password_crypt) request = set_request('/', user=vars.USER_ALICE) request.session['secondary_password'] = cipher.encrypt( secondary_password) with get_bound_ldapuser(request) as user: # noqa pass db_alias = 'ldap_%s' % request.session.cache_key self.assertNotIn('USER', settings.DATABASES.get(db_alias, {})) self.assertNotIn('PASSWORD', settings.DATABASES.get(db_alias, {}))
def edit(self, name, dom, quota, passwd): dbase = apis.databases(self.app).get_interface('SQLite3') if passwd: pwhash = ldap_md5_crypt.encrypt(passwd).split('{CRYPT}')[1] if passwd and quota: dbase.execute('vmail', 'UPDATE mailbox SET quota = %s, password = "******" WHERE local_part = "%s" AND domain = "%s"' \ %(quota,pwhash,name,dom)) elif passwd: dbase.execute('vmail', 'UPDATE mailbox SET password = "******" WHERE local_part = "%s\" AND domain = "%s"' \ %(pwhash,name,dom)) elif quota: dbase.execute('vmail', 'UPDATE mailbox SET quota = %s WHERE local_part = "%s" AND domain = "%s"' \ %(quota,name,dom))
def test_secondary_password_is_removed_in_logout(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt( b64encode(secondary_password)) self.ldapobj.directory[ldap_users('alice')[0]]['userPassword'].append( secondary_password_crypt) request = set_request(uri='/login', post=vars.LOGIN_ALICE, user=vars.USER_ALICE) request.session['secondary_password'] = cipher.encrypt( secondary_password) logout(request) self.assertEqual( len( ldap_users( 'alice', directory=self.ldapobj.directory)[1]['userPassword']), 1)
def activate(request, token): """ The page that users get to activate their accounts It is in the form /activate/$TOKEN """ try: try: queued = Queue.objects.get(encrypted_id=token) except (Queue.DoesNotExist, OverflowError, TypeError, ValueError): raise OkupyError('Invalid URL') except Exception as error: logger.critical(error, extra=log_extra_data(request)) logger_mail.exception(error) raise OkupyError("Can't contact the database") # get max uidNumber try: uidnumber = LDAPUser.objects.latest('uid').uid + 1 except LDAPUser.DoesNotExist: uidnumber = 1 except Exception as error: logger.critical(error, extra=log_extra_data(request)) logger_mail.exception(error) raise OkupyError("Can't contact LDAP server") # add account to ldap new_user = LDAPUser( object_class=settings.AUTH_LDAP_USER_OBJECTCLASS, last_name=queued.last_name, full_name='%s %s' % (queued.first_name, queued.last_name), password=[ldap_md5_crypt.encrypt(queued.password)], first_name=queued.first_name, email=[queued.email], username=queued.username, uid=uidnumber, gid=100, gecos='%s %s' % (queued.first_name, queued.last_name), home_directory='/home/%s' % queued.username, ACL=['user.group'], ) new_user.save() # remove queued account from DB queued.delete() messages.success( request, "Your account has been activated successfully") except OkupyError as error: messages.error(request, str(error)) return redirect(login)
def activate(request, token): """ The page that users get to activate their accounts It is in the form /activate/$TOKEN """ try: try: queued = Queue.objects.get(encrypted_id=token) except (Queue.DoesNotExist, OverflowError, TypeError, ValueError): raise OkupyError('Invalid URL') except Exception as error: logger.critical(error, extra=log_extra_data(request)) logger_mail.exception(error) raise OkupyError("Can't contact the database") # get max uidNumber try: uidnumber = LDAPUser.objects.latest('uid').uid + 1 except LDAPUser.DoesNotExist: uidnumber = 1 except Exception as error: logger.critical(error, extra=log_extra_data(request)) logger_mail.exception(error) raise OkupyError("Can't contact LDAP server") # add account to ldap new_user = LDAPUser( object_class=settings.AUTH_LDAP_USER_OBJECTCLASS, last_name=queued.last_name, full_name='%s %s' % (queued.first_name, queued.last_name), password=[ldap_md5_crypt.encrypt(queued.password)], first_name=queued.first_name, email=[queued.email], username=queued.username, uid=uidnumber, gid=100, gecos='%s %s' % (queued.first_name, queued.last_name), home_directory='/home/%s' % queued.username, ACL=['user.group'], ) new_user.save() # remove queued account from DB queued.delete() messages.success(request, "Your account has been activated successfully") except OkupyError as error: messages.error(request, str(error)) return redirect(login)
def password_settings(request): """ Password settings """ with get_bound_ldapuser(request) as user_info: password_settings = None if request.method == "POST": password_settings = PasswordSettingsForm(request.POST) if password_settings.is_valid(): try: new_password = password_settings.cleaned_data[ 'new_password'] new_password_verify = password_settings.cleaned_data[ 'new_password_verify'] old_password = password_settings.cleaned_data[ 'old_password'] if old_password and (new_password == new_password_verify): for hash in list(user_info.password): print hash try: if ldap_md5_crypt.verify(old_password, hash): user_info.password.append( ldap_md5_crypt.encrypt( new_password_verify)) user_info.password.remove(hash) break except ValueError: # ignore unknown hashes pass try: user_info.save() except IntegrityError: pass except ldap.TYPE_OR_VALUE_EXISTS: pass except Exception as error: logger.critical(error, extra=log_extra_data(request)) logger_mail.exception(error) raise OkupyError("Can't contact LDAP server") else: password_settings = PasswordSettingsForm() return render(request, 'settings-password.html', { 'password_settings': password_settings, 'user_info': user_info, })
def set_secondary_password(request, password): """ Generate a secondary passsword and encrypt it in the session """ with get_bound_ldapuser(request, password) as user: secondary_password = Random.get_random_bytes(48) request.session['secondary_password'] = \ cipher.encrypt(secondary_password) # Clean up possible leftover secondary passwords from the LDAP account if len(user.password) > 1: for hash in list(user.password): try: if not ldap_md5_crypt.verify(password, hash): user.password.remove(hash) except ValueError: # don't remove unknown hashes pass # Add a new generated encrypted password to LDAP user.password.append( ldap_md5_crypt.encrypt(b64encode(secondary_password))) user.save()
def edit(self, name, dom, quota, passwd): dbase = apis.databases(self.app).get_interface('MariaDB') conn = apis.databases(self.app).get_dbconn('MariaDB') if passwd: pwhash = ldap_md5_crypt.encrypt(passwd).split('{CRYPT}')[1] if passwd and quota: dbase.execute( 'vmail', 'UPDATE mailbox SET quota = %s, password = \"%s\" WHERE local_part = \"%s\" AND domain = \"%s\"' % (quota, pwhash, name, dom), conn, False) elif passwd: dbase.execute( 'vmail', 'UPDATE mailbox SET password = \"%s\" WHERE local_part = \"%s\" AND domain = \"%s\"' % (pwhash, name, dom), conn, False) elif quota: dbase.execute( 'vmail', 'UPDATE mailbox SET quota = %s WHERE local_part = \"%s\" AND domain = \"%s\"' % (quota, name, dom), conn, False)
def set_secondary_password(request, password): """ Generate a secondary passsword and encrypt it in the session """ username = request.user.username user = LDAPUser.bind_as(alias='ldap_%s' % username, username=username, password=password).objects.get(username=username) secondary_password = Random.get_random_bytes(48) request.session['secondary_password'] = cipher.encrypt(secondary_password) # Clean up possible leftover secondary passwords from the LDAP account if len(user.password) > 1: for hash in user.password: try: if not ldap_md5_crypt.verify(password, hash): user.password.remove(hash) except ValueError: # don't remove unknown hashes pass # Add a new generated encrypted password to LDAP user.password.append(ldap_md5_crypt.encrypt(b64encode(secondary_password))) user.save()
def create_ldap_user(username, first_name, last_name, email, password): # Python LDAP library doesn't like Unicode, so we convert everything to ascii here. # If you figure out a way to use Unicode, please let me know! username.encode('ascii', 'strict') first_name.encode('ascii', 'strict') last_name.encode('ascii', 'strict') email.encode('ascii', 'strict') password.encode('ascii', 'strict') con = ldap.initialize(settings.LDAP_URL) con.bind(settings.LDAP_ADMIN_CN, settings.LDAP_PASSWORD, ldap.AUTH_SIMPLE) # Figure out largest UID (is there a better way to do this?) users = LdapUser.objects.all() largestUid = 0 for user in users: if user.uid > largestUid: largestUid = user.uid print('Largest UID', largestUid) # Create the new user record: add_record = [ ('objectclass', [b'inetOrgPerson', b'posixAccount', b'top']), ('givenName', [ first_name.encode('ascii') ]), ('uidNumber', [ str(largestUid + 1).encode('ascii') ]), ('gidNumber', [ b'501' ]), ('cn', [ username.encode('ascii') ] ), ('uid', [ username.encode('ascii') ] ), ('sn', [ last_name.encode('ascii') ] ), ('mail', [ email.encode('ascii') ] ), ('userpassword', [ ldap_md5_crypt.encrypt(password).encode('ascii') ]), ('homeDirectory', [ ('/home/' + username).encode('ascii') ]), ('ou', [ b'users' ]) ] usercn = 'cn=' + username + ',' + settings.LDAP_USERS_CN con.add_s(usercn, add_record) con.unbind()
def index(request): if request.method == 'POST': form = NewUserForm(request.POST) if form.is_valid(): username = smart_text(form.cleaned_data['username']) first_name = smart_text(form.cleaned_data['first_name']) last_name = smart_text(form.cleaned_data['last_name']) email = smart_text(form.cleaned_data['email']) password = smart_text(form.cleaned_data['password']) password2 = smart_text(form.cleaned_data['password2']) # Python LDAP library doesn't like Unicode, so we convert everything to ascii here. # If you figure out a way to use Unicode, please let me know! try: username = username.encode('ascii', 'strict') first_name = first_name.encode('ascii', 'strict') last_name = last_name.encode('ascii', 'strict') email = email.encode('ascii', 'strict') password = password.encode('ascii', 'strict') password2 = password2.encode('ascii', 'strict') con = ldap.initialize(settings.LDAP_URL) con.bind(settings.LDAP_ADMIN_CN, settings.LDAP_PASSWORD, ldap.AUTH_SIMPLE) # Figure out largest UID (is there a better way to do this?) base_dn = settings.LDAP_USERS_CN filter = '(objectclass=person)' attrs = [b'uidNumber'] uidList = con.search_s( base_dn, ldap.SCOPE_SUBTREE, filter, attrs ) # print "Uids: " + str( uidList ) largestUid = 0 for user in uidList: uid = int(user[1]['uidNumber'][0]) if uid > largestUid: largestUid = uid # print 'Largest Uid:' + str(largestUid) # Create the new user record: add_record = [ ('objectclass', [b'inetOrgPerson', b'posixAccount', b'top']), ('givenName', [ first_name.encode('ascii','ignore') ]), ('uidNumber', [ str(largestUid + 1)]), ('gidNumber', [b'501']), ('cn', [ username ] ), ('uid', [ username ] ), ('sn', [ last_name ] ), ('mail', [ email ] ), ('userpassword', [ldap_md5_crypt.encrypt(password)]), ('homeDirectory', [ '/home/' + username ]), ('ou', [b'users']) ] try: usercn = 'cn=' + username + ',' + settings.LDAP_USERS_CN print ("User cn is:" + usercn + ", " + str(type(usercn))) con.add_s(usercn, add_record) except ldap.ALREADY_EXISTS: form.add_error('username', "User already exists") con.unbind() if form.is_valid(): return HttpResponseRedirect('thanks') except UnicodeEncodeError: form.add_error(None, 'Non-ascii characters inputted - use only a-z as ldap sucks with Unicode. Use Ä->A and Ö->O') else: form = NewUserForm() return render(request, 'registrationui/index.html', { 'form': form, 'settings': settings } )
def add_mailbox(self, name, dom, passwd, fullname, quota=False): dbase = apis.databases(self.app).get_interface('SQLite3') pwhash = ldap_md5_crypt.encrypt(passwd).split('{CRYPT}')[1] dbase.execute('vmail', 'INSERT INTO mailbox VALUES ("%s@%s", "%s", "%s", "%s@%s", %s, "%s", "%s", datetime(), 1)' \ %(name,dom,pwhash,fullname,name,dom,(quota if quota else '0'),name,dom))
def __create(request, context, vorname, nachname, username, mail): conn = ldap.initialize(config.AUTH_LDAP_SERVER_URI) conn.simple_bind_s(config.AUTH_LDAP_BIND_DN, config.AUTH_LDAP_BIND_PASSWORD) #note salt generation is automatically handled password = passlib.pwd.genword() password_hash = ldap_md5_crypt.encrypt(password) ################################################################ # LDAP Account dn = f"cn={username},{config.AUTH_LDAP_USER_DN}" entry = { 'objectClass': [b'inetOrgPerson'], 'cn': [username.encode()], 'sn': [nachname.encode()], 'givenName': [vorname.encode()], 'mail': [mail.encode()], 'displayName': [f"{vorname} {nachname}".encode()], 'userPassword': [password_hash.encode()], } try: modlist = ldap.modlist.addModlist(entry) conn.add_s(dn, modlist) logger.info(f"create/LDAP: success {dn}") except ldap.ALREADY_EXISTS: messages.add_message(request, messages.ERROR, "Der Account existiert bereits. Du solltest bereits eine Mail mit Zugangsinformationen erhalten haben.") context['success'] = False return except Exception as e: messages.add_message(request, messages.ERROR, f"LDAP Fehler: {e}") logger.error(f"create/LDAP: {e}") context['success'] = False return User = LDAP().search_user(username) ################################################################ # Initial Groups invite = Invite.find_by_mail(mail) groups = [g for g in (invite.groups or "").split(",") if g] for group in groups: if ldap_addgroup(username, group): signals.group_member_add.send(sender=create, group=group, member=User) messages.add_message(request, messages.SUCCESS, "Du wurdest der Gruppe %s hinzugefügt" % group) ################################################################ # Login user user = authenticate(username=username, password=password) login(request, user) user_changed.send(sender=create, username=username) ################################################################ # Mail versenden try: c = dict( reason='create', vorname=vorname, nachname=nachname, username=username, user=user, password=password ) msg_plain = render_to_string('registration/account_info.txt', c) send_mail("[EVH Account] Account angelegt", msg_plain, config.EMAIL_FROM, [mail], fail_silently=False) except Exception as e: messages.add_message(request, messages.ERROR, f"Versenden der Passwort-Mail ist fehlgeschlagen: {e}") logger.error(f"create/SMTP: {e}") conn.delete_s(dn) logger.error(f"create/LDAP: deleted {dn}") context['success'] = False return messages.add_message(request, messages.SUCCESS, "Account wurde erstellt. Du hast eine E-Mail mit dem Passwort erhalten.") context['password'] = password context['success'] = True send_mail("[EVH Account] Nutzer angelegt: " +username, "", config.EMAIL_FROM, [config.EMAIL_FROM], fail_silently=True)
def set_password(secret): return ldap_md5_crypt.encrypt(secret)
print('Password is empty!') sys.exit() ldap_email = input('Enter the email address: ') # Email if not ldap_email: print('Email is empty!') sys.exit() # Checks if email is in a valid format if isValidEmail(ldap_email) == False: print('Not a valid email') sys.exit() # hashing password with md5_crypt # hash will be similar to '{CRYPT}$1$wa6OLvW3$uzcIj2Puf3GcFDf2KztQN0' ldap_userpass_hash = ldap_md5_crypt.encrypt(ldap_userpass) # Display summary on screen print('Username: '******'Password: '******'Email: ' + ldap_email) # Prompt for LDAP admin password. Using getpass.getpass so it doesn't echo ldap_adminpass = getpass.getpass('Enter LDAP admin password: '******'ldap-server.companyname.com', port=389) connection = ldap3.Connection(server, user='******', password=ldap_adminpass) connection.bind()
def convertPassword(password): newpassword = md5.new(password).digest() newpassword = ldap_md5_crypt.encrypt(password) return newpassword