def check_group(self, obj, group): """Check if user is in AD group""" found = False try: assert self.ldap_connection res2 = self.ldap_connection.search_ext_s(obj, ldap.SCOPE_BASE, "(objectClass=*)", self.ad_search_fields) if not res2: return False assert len(res2) >= 1, "Result should contain at least one element: %s\n" % res2 result = res2[0][1] if result.has_key('primaryGroupID'): pri_grp_rid = result['primaryGroupID'][0] domain_sid = self.ldap_connection.search_s(self.ad_search_dn, ldap.SCOPE_BASE)[0][1]['objectSid'][0] domain_sid_s = self.sid2str(domain_sid) obj_sid = domain_sid_s + '-' + pri_grp_rid pri_grp_cn = self.ldap_connection.search_s(self.ad_search_dn, ldap.SCOPE_SUBTREE, "objectSid=%s" % obj_sid, ['cn']) if self.check_group (pri_grp_cn[0][0], group): return True if result.has_key('sAMAccountName'): if result['sAMAccountName'][0] == group: return True if result.has_key('memberOf'): for group2 in result['memberOf']: if self.check_group (group2, group): return True except Exception, exp: logger.debug("AD auth backend error by fetching" " ldap data: %s (%s)\n" % (str(exp), get_exc_str()))
def __del__(self): "Disconnect" try: self.disconnect() except Exception, exp: logger.error("AD auth backend error when " "disconnecting: %s (%s)\n" % (str(exp), get_exc_str())) return False
def _connect(self, password): """connect to ad helper""" if not password: return False try: if ADUser.ldap_connection is None: logger.info("AD auth backend ldap connecting") ADUser.ldap_connection = ldap.initialize(self.get_ldap_url()) assert self.ldap_connection == ADUser.ldap_connection self.ldap_connection.simple_bind_s(self.user_bind_name, password) self.is_bound = True except Exception, exp: if str(exp.message).find("connection invalid") >= 0: logger.warning("AD reset connection - it " "looks like invalid: %s (%s)" % (str(exp), get_exc_str())) ADUser.ldap_connection = None else: logger.error("AD auth backend ldap - " "probably bad credentials: %s (%s)" % (str(exp), get_exc_str())) return False
def get_data(self): """Get the user data from AD""" try: res = self.ldap_connection.search_ext_s(settings.AD_SEARCH_DN, ldap.SCOPE_SUBTREE, "sAMAccountName=%s" % self.uname, self.AD_SEARCH_FIELDS) if not res: logger.error("b) AD auth ldap backend error by " "searching %s. No result.\n" % settings.AD_SEARCH_DN) return False assert len(res) >= 1, "c) Result should contain at least one element: %s\n" % res result = res[0][1] except Exception, exp: logger.error("a) Auth failed for (%s)\n" % self.uname ) logger.error("a) AD auth backend error by fetching" " ldap data: %s (%s)\n" % (str(exp), get_exc_str())) return False
def check_group(self, obj, group): """Check if user is in AD group""" found = False try: assert self.ldap_connection res2 = self.ldap_connection.search_ext_s(obj, ldap.SCOPE_BASE, "(objectClass=*)", self.AD_SEARCH_FIELDS) if not res2: return False assert len(res2) >= 1, "Result should contain at least one element: %s\n" % res2 result = res2[0][1] if result.has_key('sAMAccountName'): if result['sAMAccountName'][0] == group: return True for group2 in result['memberOf']: if self.check_group (group2, group): return True except Exception, exp: logger.debug("AD auth backend error by fetching" " ldap data: %s (%s)\n" % (str(exp), get_exc_str()))
self.email_addresses.append(mail1.split(':')[1]) logger.error("Adding Address: %s\n", mail1) basedn = res[0][0] if self.check_group(basedn, self.ad_admin_group): self.is_superuser = True elif self.check_group(basedn, self.ad_user_group): self.is_superuser = False else: logger.error("User %s not in group", self.username) return False self.has_data = True except Exception, exp: logger.error("AD auth backend error by reading" " fetched data: %s (%s)\n" % (str(exp), get_exc_str())) return False return True def __del__(self): "Disconnect" try: self.disconnect() except Exception, exp: logger.error("AD auth backend error when " "disconnecting: %s (%s)\n" % (str(exp), get_exc_str())) return False def __str__(self): "String representation"