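def verify_bind_dn_pw(dn, password, uri=settings.ldap_uri, close_connection=True):
    """Verify that *password* matches the ``userPassword`` stored for *dn*.

    The check binds with the administrative credentials from ``settings``,
    reads the entry's ``userPassword`` attribute and compares the hash
    locally with ``iredutils.verify_password_hash``; it does not bind as the
    user being verified.

    Args:
        dn: DN of the entry to check (surrounding whitespace is stripped).
        password: Plain-text password (surrounding whitespace is stripped).
        uri: LDAP URI.  The default is evaluated once at import time.  An
            ``ldaps://`` URI is rewritten to ``ldap://`` and STARTTLS is
            negotiated on the plain port instead.
        close_connection: When True the connection is unbound before
            returning.  When False the bound connection is handed back on
            success and the caller owns it (and must unbind it).

    Returns:
        ``(True,)`` on success with *close_connection* set, ``(True, conn)``
        on success otherwise, or ``(False, reason)`` where *reason* is
        ``'INVALID_CREDENTIALS'`` (entry missing or hash mismatch) or the
        description of the LDAP exception that occurred.  Missing entry and
        wrong password deliberately share one reason string.
    """
    dn = web.safestr(dn.strip())
    password = password.strip()

    starttls = False
    if uri.startswith('ldaps://'):
        starttls = True
        # Use ldap:// + STARTTLS (port 389) instead of ldaps:// (port 636).
        uri = uri.replace('ldaps://', 'ldap://')

        # NOTE(review): this disables server certificate verification for the
        # whole ``ldap`` module (it is set on the module, not on ``conn``), so
        # STARTTLS here only protects against passive eavesdropping, not an
        # impersonated server.  Kept for compatibility; the strict setting is
        # ``ldap.OPT_X_TLS_DEMAND`` together with a trusted CA bundle
        # (``ldap.OPT_X_TLS_CACERTFILE``).
        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)

    # Every path that does not hand ``conn`` to the caller must release it;
    # the ``finally`` below does that so failed lookups do not leak sockets.
    release_conn = True
    try:
        # STARTTLS failures are reported like any other LDAP error instead of
        # propagating out of the function.
        if starttls:
            conn.start_tls_s()

        # Bind as the administrative account, not as the user.
        conn.bind_s(settings.ldap_bind_dn, settings.ldap_bind_password)
        qr = conn.search_s(dn, ldap.SCOPE_BASE, '(objectClass=*)', ['userPassword'])
        if not qr:
            return (False, 'INVALID_CREDENTIALS')

        entries = qr[0][1]
        # An entry without userPassword compares against '' and fails below.
        qr_password = entries.get('userPassword', [''])[0]
        if not iredutils.verify_password_hash(qr_password, password):
            return (False, 'INVALID_CREDENTIALS')

        if close_connection:
            conn.unbind_s()
            release_conn = False
            return (True, )

        # Caller takes ownership of the bound connection.
        release_conn = False
        return (True, conn)
    except Exception as e:
        return (False, ldaputils.getExceptionDesc(e))
    finally:
        if release_conn:
            try:
                conn.unbind_s()
            except ldap.LDAPError:
                # Best-effort cleanup; the result tuple is already decided.
                pass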
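def verify_bind_dn_pw(dn, password, uri=settings.ldap_uri, close_connection=True):
    """Verify that *password* matches the ``userPassword`` stored for *dn*.

    The check binds with the administrative credentials from ``settings``,
    reads the entry's ``userPassword`` attribute and compares the hash
    locally with ``iredutils.verify_password_hash``; it does not bind as the
    user being verified.

    Args:
        dn: DN of the entry to check (surrounding whitespace is stripped).
        password: Plain-text password (surrounding whitespace is stripped).
        uri: LDAP URI.  The default is evaluated once at import time.  An
            ``ldaps://`` URI is rewritten to ``ldap://`` and STARTTLS is
            negotiated on the plain port instead.
        close_connection: When True the connection is unbound before
            returning.  When False the bound connection is handed back on
            success and the caller owns it (and must unbind it).

    Returns:
        ``(True,)`` on success with *close_connection* set, ``(True, conn)``
        on success otherwise, or ``(False, reason)`` where *reason* is
        ``'INVALID_CREDENTIALS'`` (entry missing or hash mismatch) or the
        description of the LDAP exception that occurred.  Missing entry and
        wrong password deliberately share one reason string.
    """
    dn = web.safestr(dn.strip())
    password = password.strip()

    starttls = uri.startswith('ldaps://')
    if starttls:
        # Use ldap:// + STARTTLS (port 389) instead of ldaps:// (port 636).
        uri = uri.replace('ldaps://', 'ldap://')

        # NOTE(review): this disables server certificate verification for the
        # whole ``ldap`` module (it is set on the module, not on ``conn``), so
        # STARTTLS here only protects against passive eavesdropping, not an
        # impersonated server.  Kept for compatibility; the strict setting is
        # ``ldap.OPT_X_TLS_DEMAND`` together with a trusted CA bundle
        # (``ldap.OPT_X_TLS_CACERTFILE``).
        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)

    # Every path that does not hand ``conn`` to the caller must release it;
    # the ``finally`` below does that so failed lookups do not leak sockets.
    release_conn = True
    try:
        # STARTTLS failures are reported like any other LDAP error instead of
        # propagating out of the function.
        if starttls:
            conn.start_tls_s()

        # Bind as the administrative account, not as the user.
        conn.bind_s(settings.ldap_bind_dn, settings.ldap_bind_password)
        qr = conn.search_s(dn, ldap.SCOPE_BASE, '(objectClass=*)', ['userPassword'])
        if not qr:
            return (False, 'INVALID_CREDENTIALS')

        entries = qr[0][1]
        # An entry without userPassword compares against '' and fails below.
        qr_password = entries.get('userPassword', [''])[0]
        if not iredutils.verify_password_hash(qr_password, password):
            return (False, 'INVALID_CREDENTIALS')

        if close_connection:
            conn.unbind_s()
            release_conn = False
            return (True, )

        # Caller takes ownership of the bound connection.
        release_conn = False
        return (True, conn)
    except Exception as e:
        return (False, ldaputils.getExceptionDesc(e))
    finally:
        if release_conn:
            try:
                conn.unbind_s()
            except ldap.LDAPError:
                # Best-effort cleanup; the result tuple is already decided.
                pass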
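def auth(self, username, password, accountType='admin', verifyPassword=False):
    """Authenticate *username* against the SQL ``admin``/``mailbox`` tables.

    Args:
        username: E-mail address of the account; must pass
            ``iredutils.is_email``.
        password: Plain-text password, compared against the stored hash with
            ``iredutils.verify_password_hash``.
        accountType: ``'admin'`` checks the ``admin`` table first and falls
            back to ``mailbox`` rows with ``isadmin=1``; ``'user'`` checks
            only ``mailbox``.  Anything else is rejected.
        verifyPassword: When True only the credentials are checked and no
            login state is written to ``session``.

    Returns:
        ``(True,)`` on success, otherwise ``(False, reason)`` with *reason*
        one of ``'INVALID_USERNAME'``, ``'EMPTY_PASSWORD'``,
        ``'INVALID_ACCOUNT_TYPE'`` or ``'INVALID_CREDENTIALS'``.  Unknown
        accounts and wrong passwords share ``'INVALID_CREDENTIALS'`` so the
        response does not reveal which accounts exist.

    Side effects:
        ``session['isMailUser']`` is reset to False on entry and set to True
        when an admin login resolves to a ``mailbox`` row -- note this happens
        before the password is verified.  On a successful login with
        *verifyPassword* False, ``session['username']``, ``session['logged']``,
        ``session['lang']`` and, for global admins,
        ``session['domainGlobalAdmin']`` are set.
    """
    if not iredutils.is_email(username):
        return (False, 'INVALID_USERNAME')

    if len(password) == 0:
        return (False, 'EMPTY_PASSWORD')

    session['isMailUser'] = False

    if accountType == 'admin':
        # Separate admin accounts first.
        result = self.conn.select(
            'admin',
            vars={'username': username},
            where="username=$username AND active=1",
            limit=1,
        )

        # Then mail users flagged as domain admins.
        if not result:
            # Don't specify what= to stay compatible with old iRedMail schemas.
            result = self.conn.select(
                'mailbox',
                vars={'username': username},
                where="username=$username AND active=1 AND isadmin=1",
                limit=1,
            )
            if result:
                session['isMailUser'] = True
    elif accountType == 'user':
        result = self.conn.select(
            'mailbox',
            vars={'username': username},
            where="username=$username AND active=1",
            limit=1,
        )
    else:
        return (False, 'INVALID_ACCOUNT_TYPE')

    if len(result) != 1:
        # Account not found.  Do NOT say 'account does not exist' -- that
        # would let an attacker enumerate valid accounts.
        return (False, 'INVALID_CREDENTIALS')

    record = result[0]
    password_sql = str(record.password)

    if not iredutils.verify_password_hash(password_sql, password):
        return (False, 'INVALID_CREDENTIALS')

    if verifyPassword is not True:
        session['username'] = username
        session['logged'] = True

        # Preferred language.
        session['lang'] = web.safestr(record.get('language', 'en_US'))

        # Global admin flag.  This lookup is best-effort: any failure leaves
        # session['domainGlobalAdmin'] unset, i.e. the login proceeds without
        # the elevated privilege (fails closed).
        try:
            if session.get('isMailUser'):
                if record.get('isglobaladmin', 0) == 1:
                    session['domainGlobalAdmin'] = True
            else:
                result = self.conn.select(
                    'domain_admins',
                    vars={'username': username, 'domain': 'ALL'},
                    what='domain',
                    where='username=$username AND domain=$domain',
                    limit=1,
                )
                if len(result) == 1:
                    session['domainGlobalAdmin'] = True
        except Exception:
            # Narrowed from a bare except so SystemExit/KeyboardInterrupt
            # are no longer swallowed; the best-effort semantics are kept.
            pass

    return (True, )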
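def auth(self, username, password, accountType='admin', verifyPassword=False):
    """Authenticate *username* against the SQL ``admin``/``mailbox`` tables.

    Args:
        username: E-mail address of the account; must pass
            ``iredutils.is_email``.
        password: Plain-text password, compared against the stored hash with
            ``iredutils.verify_password_hash``.
        accountType: ``'admin'`` checks the ``admin`` table first and falls
            back to ``mailbox`` rows with ``isadmin=1``; ``'user'`` checks
            only ``mailbox``.  Anything else is rejected.
        verifyPassword: When True only the credentials are checked and no
            login state is written to ``session``.

    Returns:
        ``(True,)`` on success, otherwise ``(False, reason)`` with *reason*
        one of ``'INVALID_USERNAME'``, ``'EMPTY_PASSWORD'``,
        ``'INVALID_ACCOUNT_TYPE'`` or ``'INVALID_CREDENTIALS'``.  Unknown
        accounts and wrong passwords share ``'INVALID_CREDENTIALS'`` so the
        response does not reveal which accounts exist.

    Side effects:
        ``session['isMailUser']`` is reset to False on entry and set to True
        when an admin login resolves to a ``mailbox`` row -- note this happens
        before the password is verified.  On a successful login with
        *verifyPassword* False, ``session['username']``, ``session['logged']``,
        ``session['lang']`` and, for global admins,
        ``session['domainGlobalAdmin']`` are set.
    """
    if not iredutils.is_email(username):
        return (False, 'INVALID_USERNAME')

    if len(password) == 0:
        return (False, 'EMPTY_PASSWORD')

    session['isMailUser'] = False

    if accountType == 'admin':
        # Separate admin accounts first.
        result = self.conn.select(
            'admin',
            vars={'username': username},
            where="username=$username AND active=1",
            limit=1,
        )

        # Then mail users flagged as domain admins.
        if not result:
            # Don't specify what= to stay compatible with old iRedMail schemas.
            result = self.conn.select(
                'mailbox',
                vars={'username': username},
                where="username=$username AND active=1 AND isadmin=1",
                limit=1,
            )
            if result:
                session['isMailUser'] = True
    elif accountType == 'user':
        result = self.conn.select(
            'mailbox',
            vars={'username': username},
            where="username=$username AND active=1",
            limit=1,
        )
    else:
        return (False, 'INVALID_ACCOUNT_TYPE')

    if len(result) != 1:
        # Account not found.  Do NOT say 'account does not exist' -- that
        # would let an attacker enumerate valid accounts.
        return (False, 'INVALID_CREDENTIALS')

    record = result[0]
    password_sql = str(record.password)

    if not iredutils.verify_password_hash(password_sql, password):
        return (False, 'INVALID_CREDENTIALS')

    if verifyPassword is not True:
        session['username'] = username
        session['logged'] = True

        # Preferred language.
        session['lang'] = web.safestr(record.get('language', 'en_US'))

        # Global admin flag.  This lookup is best-effort: any failure leaves
        # session['domainGlobalAdmin'] unset, i.e. the login proceeds without
        # the elevated privilege (fails closed).
        try:
            if session.get('isMailUser'):
                if record.get('isglobaladmin', 0) == 1:
                    session['domainGlobalAdmin'] = True
            else:
                result = self.conn.select(
                    'domain_admins',
                    vars={'username': username, 'domain': 'ALL'},
                    what='domain',
                    where='username=$username AND domain=$domain',
                    limit=1,
                )
                if len(result) == 1:
                    session['domainGlobalAdmin'] = True
        except Exception:
            # Narrowed from a bare except so SystemExit/KeyboardInterrupt
            # are no longer swallowed; the best-effort semantics are kept.
            pass

    return (True,)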