Esempio n. 1
0
def worker():
    session = search.Connection()
    while True:
        try:
            acceptconnection(session)
        except:
            logging.exception('exception in worker')
Esempio n. 2
0
def worker(nslcd_serversocket):
    session = search.Connection()
    while True:
        try:
            acceptconnection(nslcd_serversocket, session)
        except Exception:
            logging.exception('exception in worker')
Esempio n. 3
0
def authenticate(binddn, password):
    # open a new connection
    conn = search.Connection()
    # bind using the specified credentials
    serverctrls = []
    if cfg.pam_authc_ppolicy:
        serverctrls.append(PasswordPolicyControl())
    res, data, msgid, ctrls = conn.simple_bind_s(binddn, password, serverctrls=serverctrls)
    # go over bind result server controls
    for ctrl in ctrls:
        if ctrl.controlType == PasswordPolicyControl.controlType:
            # found a password policy control
            logging.debug(
                'PasswordPolicyControl found: error=%s (%s), '
                'timeBeforeExpiration=%s, graceAuthNsRemaining=%s',
                'None' if ctrl.error is None else PasswordPolicyError(ctrl.error).prettyPrint(),
                ctrl.error, ctrl.timeBeforeExpiration, ctrl.graceAuthNsRemaining)
            if ctrl.error == 0:  # passwordExpired
                return (
                    conn, constants.NSLCD_PAM_AUTHTOK_EXPIRED,
                    PasswordPolicyError(ctrl.error).prettyPrint())
            elif ctrl.error == 1:  # accountLocked
                return (
                    conn, constants.NSLCD_PAM_ACCT_EXPIRED,
                    PasswordPolicyError(ctrl.error).prettyPrint())
            elif ctrl.error == 2:  # changeAfterReset
                return (
                    conn, constants.NSLCD_PAM_NEW_AUTHTOK_REQD,
                    'Password change is needed after reset')
            elif ctrl.error:
                return (
                    conn, constants.NSLCD_PAM_PERM_DENIED,
                    PasswordPolicyError(ctrl.error).prettyPrint())
            elif ctrl.timeBeforeExpiration is not None:
                return (
                    conn, constants.NSLCD_PAM_NEW_AUTHTOK_REQD,
                    'Password will expire in %d seconds' % ctrl.timeBeforeExpiration)
            elif ctrl.graceAuthNsRemaining is not None:
                return (
                    conn, constants.NSLCD_PAM_NEW_AUTHTOK_REQD,
                    'Password expired, %d grace logins left' % ctrl.graceAuthNsRemaining)
    # perform search for own object (just to do any kind of search)
    results = search.LDAPSearch(
        conn, base=binddn, scope=ldap.SCOPE_BASE,
        filter='(objectClass=*)', attributes=['dn'])
    for entry in results:
        if entry[0] == binddn:
            return conn, constants.NSLCD_PAM_SUCCESS, ''
    # if our DN wasn't found raise an error to signal bind failure
    raise ldap.NO_SUCH_OBJECT()