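def verify_bind_dn_pw(dn,
                      password,
                      uri=settings.ldap_uri,
                      close_connection=True):
    """Check that ``password`` matches the ``userPassword`` stored under ``dn``.

    The check binds with the configured admin credentials
    (``settings.ldap_bind_dn`` / ``settings.ldap_bind_password``), reads the
    entry's ``userPassword`` attribute and compares it locally with
    ``iredutils.verify_password_hash``.  The user's own password is never used
    as a bind password against the server.

    :param dn: DN of the entry to verify; surrounding whitespace is stripped.
    :param password: clear-text password; surrounding whitespace is stripped,
        so a password that relies on leading/trailing spaces cannot be
        verified here.
    :param uri: LDAP URI.  An ``ldaps://`` URI is rewritten to ``ldap://`` and
        the connection is upgraded with STARTTLS instead.
    :param close_connection: when True (default) the connection is always
        unbound before returning; when False a successful check returns the
        still-bound connection and the caller owns it.
    :returns: ``(True,)`` on success with ``close_connection=True``;
        ``(True, conn)`` on success with ``close_connection=False``;
        ``(False, 'INVALID_CREDENTIALS')`` when no entry is returned or the
        password does not match; ``(False, <description>)`` for any LDAP or
        TLS error (formatted by ``ldaputils.getExceptionDesc``).  Errors are
        returned, not raised.
    """
    dn = web.safestr(dn.strip())
    password = password.strip()

    # An ldaps:// URI is turned into ldap:// (plain port 389) plus an explicit
    # STARTTLS upgrade instead of implicit TLS on port 636.
    starttls = False
    if uri.startswith('ldaps://'):
        starttls = True
        uri = uri.replace('ldaps://', 'ldap://')

        # NOTE(security): this disables server-certificate verification, and
        # it does so process-wide (ldap.set_option is global, not
        # per-connection).  The TLS session below therefore encrypts but does
        # not authenticate the server, so the admin bind credentials sent by
        # bind_s() are exposed to anyone able to interpose on the path to the
        # LDAP server.  Behaviour is kept as-is for compatibility; the fix is
        # to configure the CA (ldap.OPT_X_TLS_CACERTFILE) and use
        # ldap.OPT_X_TLS_DEMAND here.
        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

    conn = ldap.initialize(uri)

    # Set LDAP protocol version: LDAP v3.
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)

    # Only a successful check with close_connection=False hands the bound
    # connection to the caller; every other path unbinds it in ``finally`` so
    # that failed or errored attempts do not leak sockets.
    keep_open = False
    try:
        if starttls:
            conn.start_tls_s()

        # Bind as the admin (vmailadmin) account, then read the target entry's
        # stored password hash.
        conn.bind_s(settings.ldap_bind_dn, settings.ldap_bind_password)
        qr = conn.search_s(dn,
                           ldap.SCOPE_BASE,
                           '(objectClass=*)',
                           ['userPassword'])
        if not qr:
            # Same code as a wrong password so the caller cannot tell
            # "no such entry" from "bad password".
            # NOTE(review): a non-existent DN typically makes search_s raise
            # ldap.NO_SUCH_OBJECT instead of returning an empty result, which
            # lands in the except branch below with a different description;
            # confirm callers do not expose that description to end users.
            return (False, 'INVALID_CREDENTIALS')

        entries = qr[0][1]
        qr_password = entries.get('userPassword', [''])[0]
        if not iredutils.verify_password_hash(qr_password, password):
            return (False, 'INVALID_CREDENTIALS')

        if close_connection:
            return (True, )

        # Caller takes ownership of the bound connection.
        keep_open = True
        return (True, conn)
    except Exception as e:
        # Any LDAP/TLS failure (including a failed STARTTLS handshake) is
        # reported as a description rather than raised.
        return (False, ldaputils.getExceptionDesc(e))
    finally:
        if not keep_open:
            try:
                conn.unbind_s()
            except Exception:
                # Best-effort cleanup; the result to return is already decided.
                pass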
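def verify_bind_dn_pw(dn,
                      password,
                      uri=settings.ldap_uri,
                      close_connection=True):
    """Check that ``password`` matches the ``userPassword`` stored under ``dn``.

    The check binds with the configured admin credentials
    (``settings.ldap_bind_dn`` / ``settings.ldap_bind_password``), reads the
    entry's ``userPassword`` attribute and compares it locally with
    ``iredutils.verify_password_hash``.  The user's own password is never used
    as a bind password against the server.

    :param dn: DN of the entry to verify; surrounding whitespace is stripped.
    :param password: clear-text password; surrounding whitespace is stripped,
        so a password that relies on leading/trailing spaces cannot be
        verified here.
    :param uri: LDAP URI.  An ``ldaps://`` URI is rewritten to ``ldap://`` and
        the connection is upgraded with STARTTLS instead.
    :param close_connection: when True (default) the connection is always
        unbound before returning; when False a successful check returns the
        still-bound connection and the caller owns it.
    :returns: ``(True,)`` on success with ``close_connection=True``;
        ``(True, conn)`` on success with ``close_connection=False``;
        ``(False, 'INVALID_CREDENTIALS')`` when no entry is returned or the
        password does not match; ``(False, <description>)`` for any LDAP or
        TLS error (formatted by ``ldaputils.getExceptionDesc``).  Errors are
        returned, not raised.
    """
    dn = web.safestr(dn.strip())
    password = password.strip()

    # An ldaps:// URI is turned into ldap:// (plain port 389) plus an explicit
    # STARTTLS upgrade instead of implicit TLS on port 636.
    starttls = False
    if uri.startswith('ldaps://'):
        starttls = True
        uri = uri.replace('ldaps://', 'ldap://')

        # NOTE(security): this disables server-certificate verification, and
        # it does so process-wide (ldap.set_option is global, not
        # per-connection).  The TLS session below therefore encrypts but does
        # not authenticate the server, so the admin bind credentials sent by
        # bind_s() are exposed to anyone able to interpose on the path to the
        # LDAP server.  Behaviour is kept as-is for compatibility; the fix is
        # to configure the CA (ldap.OPT_X_TLS_CACERTFILE) and use
        # ldap.OPT_X_TLS_DEMAND here.
        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

    conn = ldap.initialize(uri)

    # Set LDAP protocol version: LDAP v3.
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)

    # Only a successful check with close_connection=False hands the bound
    # connection to the caller; every other path unbinds it in ``finally`` so
    # that failed or errored attempts do not leak sockets.
    keep_open = False
    try:
        if starttls:
            conn.start_tls_s()

        # Bind as the admin (vmailadmin) account, then read the target entry's
        # stored password hash.
        conn.bind_s(settings.ldap_bind_dn, settings.ldap_bind_password)
        qr = conn.search_s(dn,
                           ldap.SCOPE_BASE,
                           '(objectClass=*)',
                           ['userPassword'])
        if not qr:
            # Same code as a wrong password so the caller cannot tell
            # "no such entry" from "bad password".
            # NOTE(review): a non-existent DN typically makes search_s raise
            # ldap.NO_SUCH_OBJECT instead of returning an empty result, which
            # lands in the except branch below with a different description;
            # confirm callers do not expose that description to end users.
            return (False, 'INVALID_CREDENTIALS')

        entries = qr[0][1]
        qr_password = entries.get('userPassword', [''])[0]
        if not iredutils.verify_password_hash(qr_password, password):
            return (False, 'INVALID_CREDENTIALS')

        if close_connection:
            return (True, )

        # Caller takes ownership of the bound connection.
        keep_open = True
        return (True, conn)
    except Exception as e:
        # Any LDAP/TLS failure (including a failed STARTTLS handshake) is
        # reported as a description rather than raised.
        return (False, ldaputils.getExceptionDesc(e))
    finally:
        if not keep_open:
            try:
                conn.unbind_s()
            except Exception:
                # Best-effort cleanup; the result to return is already decided.
                pass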
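    def auth(
        self,
        username,
        password,
        accountType='admin',
        verifyPassword=False,
    ):
        """Authenticate ``username``/``password`` against the SQL backend.

        Lookup order for ``accountType='admin'``: the ``admin`` table first,
        then ``mailbox`` rows with ``isadmin=1`` (in which case
        ``session['isMailUser']`` is set to True).  ``accountType='user'``
        looks only at ``mailbox``.  Every query passes ``username`` through
        web.py ``vars``; it is never interpolated into the SQL text.

        Unless ``verifyPassword`` is True, a successful check also logs the
        account in: ``session['username']``, ``session['logged']`` and
        ``session['lang']`` are set, and ``session['domainGlobalAdmin']`` is
        set to True when the account is a global admin (``isglobaladmin=1``
        on the mailbox row, or a ``domain_admins`` row for domain ``ALL``).

        :param username: must pass ``iredutils.is_email``.
        :param password: clear-text password; must be non-empty.
        :param accountType: ``'admin'`` or ``'user'``.
        :param verifyPassword: when True only the credentials are checked
            and no login state is written to ``session``.
        :returns: ``(True,)`` on success, otherwise ``(False, code)`` with
            ``code`` one of ``'INVALID_USERNAME'``, ``'EMPTY_PASSWORD'``,
            ``'INVALID_ACCOUNT_TYPE'`` or ``'INVALID_CREDENTIALS'``.
        """
        if not iredutils.is_email(username):
            return (False, 'INVALID_USERNAME')

        if len(password) == 0:
            return (False, 'EMPTY_PASSWORD')

        session['isMailUser'] = False
        # Query account from SQL database.
        if accountType == 'admin':
            # separate admin accounts
            result = self.conn.select(
                'admin',
                vars={
                    'username': username,
                },
                where="username=$username AND active=1",
                limit=1,
            )

            # mail users as domain admin
            if not result:
                # Don't specify what= to work with old versions of iRedMail
                result = self.conn.select(
                    'mailbox',
                    vars={
                        'username': username,
                    },
                    where="username=$username AND active=1 AND isadmin=1",
                    limit=1,
                )
                if result:
                    session['isMailUser'] = True
        elif accountType == 'user':
            result = self.conn.select(
                'mailbox',
                vars={
                    'username': username,
                },
                where="username=$username AND active=1",
                limit=1,
            )
        else:
            return (False, 'INVALID_ACCOUNT_TYPE')

        if len(result) != 1:
            # Account not found.
            # Do NOT return msg like 'Account does not ***EXIST***', crackers
            # can use it to verify valid accounts.
            # NOTE(security): the response code is the same as for a wrong
            # password, but the hash check below is skipped on this path, so
            # the response time differs; if that matters, verify the password
            # against a dummy hash here as well.
            return (False, 'INVALID_CREDENTIALS')

        # It's a valid account.
        record = result[0]
        password_sql = str(record.password)

        # Verify password against the stored hash.
        if not iredutils.verify_password_hash(password_sql, password):
            return (False, 'INVALID_CREDENTIALS')

        if verifyPassword is not True:
            # NOTE(review): the session id is not regenerated here; confirm
            # that the session store does so on login (session fixation).
            session['username'] = username
            session['logged'] = True
            # Set preferred language.
            session['lang'] = web.safestr(record.get('language', 'en_US'))

            # Set session['domainGlobalAdmin'].  This is best-effort: a
            # failure here leaves the user logged in without global-admin
            # rights rather than failing the login.
            try:
                if session.get('isMailUser'):
                    if record.get('isglobaladmin', 0) == 1:
                        session['domainGlobalAdmin'] = True
                else:
                    result = self.conn.select(
                        'domain_admins',
                        vars={
                            'username': username,
                            'domain': 'ALL',
                        },
                        what='domain',
                        where='username=$username AND domain=$domain',
                        limit=1,
                    )
                    if len(result) == 1:
                        session['domainGlobalAdmin'] = True
            except Exception:
                # Narrowed from a bare ``except`` so KeyboardInterrupt /
                # SystemExit are no longer swallowed; the best-effort
                # semantics are unchanged.
                pass

        return (True, )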
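    def auth(self, username, password, accountType='admin', verifyPassword=False,):
        """Authenticate ``username``/``password`` against the SQL backend.

        Lookup order for ``accountType='admin'``: the ``admin`` table first,
        then ``mailbox`` rows with ``isadmin=1`` (in which case
        ``session['isMailUser']`` is set to True).  ``accountType='user'``
        looks only at ``mailbox``.  Every query passes ``username`` through
        web.py ``vars``; it is never interpolated into the SQL text.

        Unless ``verifyPassword`` is True, a successful check also logs the
        account in: ``session['username']``, ``session['logged']`` and
        ``session['lang']`` are set, and ``session['domainGlobalAdmin']`` is
        set to True when the account is a global admin (``isglobaladmin=1``
        on the mailbox row, or a ``domain_admins`` row for domain ``ALL``).

        :param username: must pass ``iredutils.is_email``.
        :param password: clear-text password; must be non-empty.
        :param accountType: ``'admin'`` or ``'user'``.
        :param verifyPassword: when True only the credentials are checked
            and no login state is written to ``session``.
        :returns: ``(True,)`` on success, otherwise ``(False, code)`` with
            ``code`` one of ``'INVALID_USERNAME'``, ``'EMPTY_PASSWORD'``,
            ``'INVALID_ACCOUNT_TYPE'`` or ``'INVALID_CREDENTIALS'``.
        """
        if not iredutils.is_email(username):
            return (False, 'INVALID_USERNAME')

        if len(password) == 0:
            return (False, 'EMPTY_PASSWORD')

        session['isMailUser'] = False
        # Query account from SQL database.
        if accountType == 'admin':
            # separate admin accounts
            result = self.conn.select(
                'admin',
                vars={'username': username, },
                where="username=$username AND active=1",
                limit=1,
            )

            # mail users as domain admin
            if not result:
                # Don't specify what= to work with old versions of iRedMail
                result = self.conn.select(
                    'mailbox',
                    vars={'username': username, },
                    where="username=$username AND active=1 AND isadmin=1",
                    limit=1,
                )
                if result:
                    session['isMailUser'] = True
        elif accountType == 'user':
            result = self.conn.select(
                'mailbox',
                vars={'username': username, },
                where="username=$username AND active=1",
                limit=1,
            )
        else:
            return (False, 'INVALID_ACCOUNT_TYPE')

        if len(result) != 1:
            # Account not found.
            # Do NOT return msg like 'Account does not ***EXIST***', crackers
            # can use it to verify valid accounts.
            # NOTE(security): the response code is the same as for a wrong
            # password, but the hash check below is skipped on this path, so
            # the response time differs; if that matters, verify the password
            # against a dummy hash here as well.
            return (False, 'INVALID_CREDENTIALS')

        # It's a valid account.
        record = result[0]
        password_sql = str(record.password)

        # Verify password against the stored hash.
        if not iredutils.verify_password_hash(password_sql, password):
            return (False, 'INVALID_CREDENTIALS')

        if verifyPassword is not True:
            # NOTE(review): the session id is not regenerated here; confirm
            # that the session store does so on login (session fixation).
            session['username'] = username
            session['logged'] = True
            # Set preferred language.
            session['lang'] = web.safestr(record.get('language', 'en_US'))

            # Set session['domainGlobalAdmin'].  This is best-effort: a
            # failure here leaves the user logged in without global-admin
            # rights rather than failing the login.
            try:
                if session.get('isMailUser'):
                    if record.get('isglobaladmin', 0) == 1:
                        session['domainGlobalAdmin'] = True
                else:
                    result = self.conn.select(
                        'domain_admins',
                        vars={'username': username, 'domain': 'ALL', },
                        what='domain',
                        where='username=$username AND domain=$domain',
                        limit=1,
                    )
                    if len(result) == 1:
                        session['domainGlobalAdmin'] = True
            except Exception:
                # Narrowed from a bare ``except`` so KeyboardInterrupt /
                # SystemExit are no longer swallowed; the best-effort
                # semantics are unchanged.
                pass

        return (True,)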