Python LDAPSearch 예제들

예제 #1

파일: pam.py 프로젝트: cqcallaw/nss-pam-ldapd

 def check_authzsearch(self, parameters):
     if not cfg.pam_authz_searches:
         return
     # escape all parameters
     variables = dict(
         (k, escape_filter_chars(v)) for k, v in parameters.items())
     variables.update(
         hostname=escape_filter_chars(socket.gethostname()),
         fqdn=escape_filter_chars(socket.getfqdn()),
         dn=variables['userdn'],
         uid=variables['username'],
     )
     # go over all authz searches
     for x in cfg.pam_authz_searches:
         filter = x.value(variables)
         logging.debug('trying pam_authz_search "%s"', filter)
         srch = search.LDAPSearch(self.conn,
                                  filter=filter,
                                  attributes=('dn', ))
         try:
             dn, values = srch.items().next()
         except StopIteration:
             logging.error('pam_authz_search "%s" found no matches', filter)
             raise
         logging.debug('pam_authz_search found "%s"', dn)

예제 #2

def authenticate(binddn, password):
    # open a new connection
    conn = search.Connection()
    # bind using the specified credentials
    serverctrls = []
    if cfg.pam_authc_ppolicy:
        serverctrls.append(PasswordPolicyControl())
    res, data, msgid, ctrls = conn.simple_bind_s(binddn, password, serverctrls=serverctrls)
    # go over bind result server controls
    for ctrl in ctrls:
        if ctrl.controlType == PasswordPolicyControl.controlType:
            # found a password policy control
            logging.debug(
                'PasswordPolicyControl found: error=%s (%s), '
                'timeBeforeExpiration=%s, graceAuthNsRemaining=%s',
                'None' if ctrl.error is None else PasswordPolicyError(ctrl.error).prettyPrint(),
                ctrl.error, ctrl.timeBeforeExpiration, ctrl.graceAuthNsRemaining)
            if ctrl.error == 0:  # passwordExpired
                return (
                    conn, constants.NSLCD_PAM_AUTHTOK_EXPIRED,
                    PasswordPolicyError(ctrl.error).prettyPrint())
            elif ctrl.error == 1:  # accountLocked
                return (
                    conn, constants.NSLCD_PAM_ACCT_EXPIRED,
                    PasswordPolicyError(ctrl.error).prettyPrint())
            elif ctrl.error == 2:  # changeAfterReset
                return (
                    conn, constants.NSLCD_PAM_NEW_AUTHTOK_REQD,
                    'Password change is needed after reset')
            elif ctrl.error:
                return (
                    conn, constants.NSLCD_PAM_PERM_DENIED,
                    PasswordPolicyError(ctrl.error).prettyPrint())
            elif ctrl.timeBeforeExpiration is not None:
                return (
                    conn, constants.NSLCD_PAM_NEW_AUTHTOK_REQD,
                    'Password will expire in %d seconds' % ctrl.timeBeforeExpiration)
            elif ctrl.graceAuthNsRemaining is not None:
                return (
                    conn, constants.NSLCD_PAM_NEW_AUTHTOK_REQD,
                    'Password expired, %d grace logins left' % ctrl.graceAuthNsRemaining)
    # perform search for own object (just to do any kind of search)
    results = search.LDAPSearch(
        conn, base=binddn, scope=ldap.SCOPE_BASE,
        filter='(objectClass=*)', attributes=['dn'])
    for entry in results:
        if entry[0] == binddn:
            return conn, constants.NSLCD_PAM_SUCCESS, ''
    # if our DN wasn't found raise an error to signal bind failure
    raise ldap.NO_SUCH_OBJECT()