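def __init__(self, ldap_connection, base_dn, attributes=None,
             searchfilter='(objectClass=*)', start_tls=None, bind_dn='',
             bind_pass=''):
    """Set up an LDAP-backed lookup rooted at *base_dn*.

    :param ldap_connection: an LDAP URI or an already built connection
        object; either is passed through ``make_ldap_connection``.
    :param base_dn: the DN searches start from.
    :param attributes: the attributes to fetch -- a comma-separated string,
        any iterable of names, or ``None`` for no restriction.
    :param searchfilter: the LDAP filter applied when searching.
    :param start_tls: when true, upgrade the connection with StartTLS
        before it is used; StartTLS is opt-in and the connection is used
        as given otherwise.
    :param bind_dn: DN used to bind; empty means an anonymous bind.
    :param bind_pass: password for *bind_dn*; it is kept on the instance in
        clear text so later binds can use it.
    :raises ValueError: if *attributes* has an unusable type or the
        StartTLS upgrade fails.
    """
    dict.__init__(self)
    if hasattr(attributes, 'split'):
        # A string such as "uid,cn,mail".  Entries are not stripped, so
        # spaces after the commas end up in the attribute names.
        attributes = attributes.split(',')
    elif hasattr(attributes, '__iter__'):
        attributes = list(attributes)
    elif attributes is not None:
        raise ValueError('The needed LDAP attributes are not valid')
    self.conn = make_ldap_connection(ldap_connection)
    if start_tls:
        try:
            self.conn.start_tls_s()
        except Exception:
            # Narrowed from a bare ``except:`` so KeyboardInterrupt and
            # SystemExit are no longer reported as a failed TLS upgrade.
            raise ValueError('Cannot upgrade the connection')
    self.bind_dn = bind_dn
    self.bind_pass = bind_pass
    self.base_dn = base_dn
    self.attributes = attributes
    self.searchfilter = searchfilter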
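def authenticate(self, environ, identity):
    """Authenticate *identity* against the LDAP server of its domain.

    ``identity['login']`` must have the form ``user@domain``.  The domain
    (or one of its enabled aliases) selects the enabled LDAP settings; a
    connection is built from them and the bind/search itself is delegated
    to the matching ``repoze.who.plugins.ldap`` plugin.

    :param environ: the WSGI environment, consulted for the failed-login
        throttle.
    :param identity: the repoze.who identity dict.  ``identity['login']``
        is rewritten in place to the form the LDAP plugin expects.
    :returns: the user id reported by the LDAP plugin when it already
        contains ``@``, otherwise ``username@canonical-domain``; ``None``
        when the login is throttled, no settings match, the login is
        malformed or the LDAP exchange fails.
    """
    import re  # local import: the module's import block is not in view
    try:
        if check_failed_logins(environ):
            # Throttled: leave through the except clause below so the
            # caller sees the same None as for a bad password.
            raise TypeError
        login = identity['login']
        username, domain = login.split('@')
        # NOTE(review): func._ emits a SQL function literally named "_";
        # kept as in the original -- confirm it is intended by the schema.
        alias_match = func._(and_(self.domainmodel.id == self.alias.domain_id,
                                  self.alias.name == domain,
                                  self.alias.status == True))
        ldapsettings = (
            self.dbsession.query(self.ldapsettingsmodel,
                                 self.authsettingsmodel.address,
                                 self.authsettingsmodel.port,
                                 self.authsettingsmodel.split_address,
                                 self.domainmodel.name)
            .join(self.authsettingsmodel)
            .join(self.domainmodel)
            .filter(self.authsettingsmodel.enabled == True)
            .filter(self.domainmodel.status == True)
            .filter(or_(self.domainmodel.name == domain, alias_match))
            .all())
        # An empty result raises IndexError, which is handled below.
        (settings, address, port, split_address, domain_name) = ldapsettings[0]
        # NOTE: this is a process-wide python-ldap option, not per connection.
        ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 5)
        ldap_uri = make_ldap_uri(address, port)
        ldap_connection = make_ldap_connection(ldap_uri)
        kwargs = dict(naming_attribute=settings.nameattribute,
                      returned_id=self.returned_id,
                      bind_dn=settings.binddn,
                      bind_pass=settings.bindpw,
                      start_tls=settings.usetls)
        if domain != domain_name:
            # The login used an alias; continue with the canonical domain.
            domain = domain_name
        if settings.usesearch:
            ldap_module = 'LDAPSearchAuthenticatorPlugin'
            kwargs['search_scope'] = settings.search_scope
            if settings.searchfilter != '':
                domaindn = ','.join(['dc=' + part
                                     for part in domain.split('.')])
                mapping = {'%n': login,
                           '%u': username,
                           '%d': domain,
                           '%D': domaindn}
                # NOTE(review): the configured template is itself passed
                # through escape_filter_chars here, as in the original;
                # verify the stored templates survive that.
                template = escape_filter_chars(settings.searchfilter)
                placeholder = re.compile(r'%[nudD]')
                # Bind the values in the order their placeholders occur in
                # the template.  Collecting them per placeholder kind
                # instead would pair the wrong value with a slot whenever
                # a template mixes several placeholders.
                params = [mapping[tok] for tok in placeholder.findall(template)]
                # filter_format escapes each user-supplied value, which is
                # what keeps login/username/domain out of the filter syntax.
                kwargs['filterstr'] = filter_format(
                    placeholder.sub('%s', template), params)
        else:
            ldap_module = 'LDAPAuthenticatorPlugin'
        if split_address:
            identity['login'] = username
        else:
            # Use the canonical domain (reset above), not the alias.  The
            # two-argument format needs two %s slots, the same shape as
            # fulladdr below.
            identity['login'] = "%s@%s" % (username, domain)
        auth = resolveDotted('repoze.who.plugins.ldap:%s' % ldap_module)
        ldap_auth = auth(ldap_connection, settings.basedn, **kwargs)
        userid = ldap_auth.authenticate(environ, identity)
        fulladdr = "%s@%s" % (username, domain)
        return userid if userid is None or '@' in userid else fulladdr
    except (KeyError, TypeError, ValueError, AttributeError,
            NoResultFound, IndexError, ldap.LDAPError):
        # Any failure in lookup, input shape or the LDAP exchange is a
        # plain "not authenticated" to repoze.who.
        return None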
def test_connection_is_unicode(self):
    """A unicode LDAP URI yields a SimpleLDAPObject."""
    uri = u'ldap://example.org'
    self.assertIsInstance(make_ldap_connection(uri), SimpleLDAPObject)
def test_connection_is_object(self):
    """An existing connection object is handed back unchanged."""
    existing = fakeldap.FakeLDAPConnection()
    result = make_ldap_connection(existing)
    self.assertEqual(result, existing)
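def authenticate(self, environ, identity):
    """Authenticate *identity* against the LDAP server of its domain.

    ``identity['login']`` must have the form ``user@domain``.  The domain
    (or one of its enabled aliases) selects the enabled LDAP settings; a
    connection is built from them and the bind/search itself is delegated
    to the matching ``repoze.who.plugins.ldap`` plugin.

    :param environ: the WSGI environment, consulted for the failed-login
        throttle.
    :param identity: the repoze.who identity dict.  ``identity['login']``
        is rewritten in place to the form the LDAP plugin expects.
    :returns: the user id reported by the LDAP plugin when it already
        contains ``@``, otherwise ``username@canonical-domain``; ``None``
        when the login is throttled, no settings match, the login is
        malformed or the LDAP exchange fails.
    """
    import re  # local import: the module's import block is not in view
    try:
        if check_failed_logins(environ):
            # Throttled: leave through the except clause below so the
            # caller sees the same None as for a bad password.
            raise TypeError
        login = identity['login']
        username, domain = login.split('@')
        # NOTE(review): func._ emits a SQL function literally named "_";
        # kept as in the original -- confirm it is intended by the schema.
        alias_match = func._(and_(self.domainmodel.id == self.alias.domain_id,
                                  self.alias.name == domain,
                                  self.alias.status == True))
        ldapsettings = (
            self.dbsession.query(self.ldapsettingsmodel,
                                 self.authsettingsmodel.address,
                                 self.authsettingsmodel.port,
                                 self.authsettingsmodel.split_address,
                                 self.domainmodel.name)
            .join(self.authsettingsmodel)
            .join(self.domainmodel)
            .filter(self.authsettingsmodel.enabled == True)
            .filter(self.domainmodel.status == True)
            .filter(or_(self.domainmodel.name == domain, alias_match))
            .all())
        # An empty result raises IndexError, which is handled below.
        (settings, address, port, split_address, domain_name) = ldapsettings[0]
        # NOTE: this is a process-wide python-ldap option, not per connection.
        ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 5)
        ldap_uri = make_ldap_uri(address, port)
        ldap_connection = make_ldap_connection(ldap_uri)
        kwargs = dict(naming_attribute=settings.nameattribute,
                      returned_id=self.returned_id,
                      bind_dn=settings.binddn,
                      bind_pass=settings.bindpw,
                      start_tls=settings.usetls)
        if domain != domain_name:
            # The login used an alias; continue with the canonical domain.
            domain = domain_name
        if settings.usesearch:
            ldap_module = 'LDAPSearchAuthenticatorPlugin'
            kwargs['search_scope'] = settings.search_scope
            if settings.searchfilter != '':
                domaindn = ','.join(['dc=' + part
                                     for part in domain.split('.')])
                mapping = {'%n': login,
                           '%u': username,
                           '%d': domain,
                           '%D': domaindn}
                # NOTE(review): the configured template is itself passed
                # through escape_filter_chars here, as in the original;
                # verify the stored templates survive that.
                template = escape_filter_chars(settings.searchfilter)
                placeholder = re.compile(r'%[nudD]')
                # Bind the values in the order their placeholders occur in
                # the template.  Collecting them per placeholder kind
                # instead would pair the wrong value with a slot whenever
                # a template mixes several placeholders.
                params = [mapping[tok] for tok in placeholder.findall(template)]
                # filter_format escapes each user-supplied value, which is
                # what keeps login/username/domain out of the filter syntax.
                kwargs['filterstr'] = filter_format(
                    placeholder.sub('%s', template), params)
        else:
            ldap_module = 'LDAPAuthenticatorPlugin'
        if split_address:
            identity['login'] = username
        else:
            # Use the canonical domain (reset above), not the alias.  The
            # two-argument format needs two %s slots, the same shape as
            # fulladdr below.
            identity['login'] = "%s@%s" % (username, domain)
        auth = resolveDotted('repoze.who.plugins.ldap:%s' % ldap_module)
        ldap_auth = auth(ldap_connection, settings.basedn, **kwargs)
        userid = ldap_auth.authenticate(environ, identity)
        fulladdr = "%s@%s" % (username, domain)
        return userid if userid is None or '@' in userid else fulladdr
    except (KeyError, TypeError, ValueError, AttributeError,
            NoResultFound, IndexError, ldap.LDAPError):
        # Any failure in lookup, input shape or the LDAP exchange is a
        # plain "not authenticated" to repoze.who.
        return None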