def authenticate(binddn, password):
# open a new connection
conn = search.Connection()
# bind using the specified credentials
serverctrls = []
if cfg.pam_authc_ppolicy:
serverctrls.append(PasswordPolicyControl())
res, data, msgid, ctrls = conn.simple_bind_s(binddn, password, serverctrls=serverctrls)
# go over bind result server controls
for ctrl in ctrls:
if ctrl.controlType == PasswordPolicyControl.controlType:
# found a password policy control
logging.debug(
'PasswordPolicyControl found: error=%s (%s), '
'timeBeforeExpiration=%s, graceAuthNsRemaining=%s',
'None' if ctrl.error is None else PasswordPolicyError(ctrl.error).prettyPrint(),
ctrl.error, ctrl.timeBeforeExpiration, ctrl.graceAuthNsRemaining)
if ctrl.error == 0: # passwordExpired
return (
conn, constants.NSLCD_PAM_AUTHTOK_EXPIRED,
PasswordPolicyError(ctrl.error).prettyPrint())
elif ctrl.error == 1: # accountLocked
return (
conn, constants.NSLCD_PAM_ACCT_EXPIRED,
PasswordPolicyError(ctrl.error).prettyPrint())
elif ctrl.error == 2: # changeAfterReset
return (
conn, constants.NSLCD_PAM_NEW_AUTHTOK_REQD,
'Password change is needed after reset')
elif ctrl.error:
return (
conn, constants.NSLCD_PAM_PERM_DENIED,
PasswordPolicyError(ctrl.error).prettyPrint())
elif ctrl.timeBeforeExpiration is not None:
return (
conn, constants.NSLCD_PAM_NEW_AUTHTOK_REQD,
'Password will expire in %d seconds' % ctrl.timeBeforeExpiration)
elif ctrl.graceAuthNsRemaining is not None:
return (
conn, constants.NSLCD_PAM_NEW_AUTHTOK_REQD,
'Password expired, %d grace logins left' % ctrl.graceAuthNsRemaining)
# perform search for own object (just to do any kind of search)
results = search.LDAPSearch(
conn, base=binddn, scope=ldap.SCOPE_BASE,
filter='(objectClass=*)', attributes=['dn'])
for entry in results:
if entry[0] == binddn:
return conn, constants.NSLCD_PAM_SUCCESS, ''
# if our DN wasn't found raise an error to signal bind failure
raise ldap.NO_SUCH_OBJECT()
# Set debugging level
#ldap.set_option(ldap.OPT_DEBUG_LEVEL,255)
ldapmodule_trace_level = 2
ldapmodule_trace_file = sys.stderr
ldap_conn = ldap.ldapobject.LDAPObject(ldap_url.initializeUrl(),
trace_level=ldapmodule_trace_level,
trace_file=ldapmodule_trace_file)
if ldap_url.cred is None:
print('Password for %s:' % (repr(ldap_url.who)))
ldap_url.cred = getpass.getpass()
try:
msgid = ldap_conn.simple_bind(ldap_url.who,
ldap_url.cred,
serverctrls=[PasswordPolicyControl()])
res_type, res_data, res_msgid, res_ctrls = ldap_conn.result3(msgid)
except ldap.INVALID_CREDENTIALS as e:
print('Simple bind failed:', str(e))
sys.exit(1)
else:
if res_ctrls[0].controlType == PasswordPolicyControl.controlType:
ppolicy_ctrl = res_ctrls[0]
print('PasswordPolicyControl')
print('error', repr(ppolicy_ctrl.error), (ppolicy_ctrl.error != None) *
repr(PasswordPolicyError(ppolicy_ctrl.error)))
print('timeBeforeExpiration', repr(ppolicy_ctrl.timeBeforeExpiration))
print('graceAuthNsRemaining', repr(ppolicy_ctrl.graceAuthNsRemaining))
sys.exit(1)
# Set debugging level
#ldap.set_option(ldap.OPT_DEBUG_LEVEL,255)
ldapmodule_trace_level = 2
ldapmodule_trace_file = sys.stderr
ldap_conn = ldap.ldapobject.LDAPObject(
ldap_url.initializeUrl(),
trace_level=ldapmodule_trace_level,
trace_file=ldapmodule_trace_file
)
if ldap_url.cred is None:
print('Password for %s:' % (repr(ldap_url.who)))
ldap_url.cred = getpass.getpass()
try:
msgid = ldap_conn.simple_bind(ldap_url.who,ldap_url.cred,serverctrls=[PasswordPolicyControl()])
res_type,res_data,res_msgid,res_ctrls = ldap_conn.result3(msgid)
except ldap.INVALID_CREDENTIALS as e:
print('Simple bind failed:',str(e))
sys.exit(1)
else:
if res_ctrls[0].controlType==PasswordPolicyControl.controlType:
ppolicy_ctrl = res_ctrls[0]
print('PasswordPolicyControl')
print('error',repr(ppolicy_ctrl.error),(ppolicy_ctrl.error!=None)*repr(PasswordPolicyError(ppolicy_ctrl.error)))
print('timeBeforeExpiration',repr(ppolicy_ctrl.timeBeforeExpiration))
print('graceAuthNsRemaining',repr(ppolicy_ctrl.graceAuthNsRemaining))