def __call__(self):
    """Build the LDAP-backed ``Ugm`` from the settings tree under the root.

    Server connectivity and a valid users container are mandatory: if
    either is missing an error is logged and ``None`` is returned, i.e. no
    authentication implementation is produced at all. Groups and roles
    containers are optional -- a missing one only logs a warning and the
    corresponding config is passed as ``None``.

    NOTE(review): the caller is not visible here; confirm that a ``None``
    result fails closed (no LDAP authentication) rather than silently
    continuing with a half-configured plugin.
    """
    settings = get_root()['settings']

    server = settings['ldap_server']
    if not server.ldap_connectivity:
        # Unreachable server or a failed bind -- nothing more can be done.
        logger.error(
            'Could not initialize authentication implementation. '
            'LDAP Server is not available or invalid credentials.')
        return
    props = server.ldap_props

    users = settings['ldap_users']
    if not users.container_exists:
        logger.error('Could not initialize authentication implementation. '
                     'Configured users container invalid.')
        return
    ucfg = users.ldap_ucfg

    def optional(section, attr, warning):
        # Optional section: warn and yield None instead of aborting.
        sect = settings[section]
        if not sect.container_exists:
            logger.warning(warning)
            return None
        return getattr(sect, attr)

    gcfg = optional('ldap_groups', 'ldap_gcfg',
                    u"Configured groups container invalid.")
    rcfg = optional('ldap_roles', 'ldap_rcfg',
                    u"Configured roles container invalid.")

    return Ugm(name='ldap_ugm', props=props, ucfg=ucfg, gcfg=gcfg, rcfg=rcfg)
def connection_test(self):
    """Probe the LDAP backend with this plugin's configuration (legacy form).

    Adapts the plugin to its props/users/groups configs, builds a throw-away
    ``Ugm`` and pulls one user key to force a real server round-trip. Only
    ``ldap.SERVER_DOWN`` is turned into a ``(False, message)`` result; any
    other ``LDAPError`` (wrong credentials, bad base DN, ...) propagates to
    the caller, and adapter failures are not guarded at all.

    NOTE(review): as visible here the success path has no ``return`` and
    therefore yields ``None`` -- the snippet may be truncated. The
    ``except X, e`` and ``.iterkeys().next()`` forms are Python 2 only.
    """
    props = ILDAPProps(self.plugin)
    users = ILDAPUsersConfig(self.plugin)
    groups = ILDAPGroupsConfig(self.plugin)
    ugm = Ugm('test', props=props, ucfg=users, gcfg=groups)
    try:
        # Fetching the first key is what actually talks to the server.
        ugm.users.iterkeys().next()
    except ldap.SERVER_DOWN, e:
        return False, _("Server Down")
def _ugm(self):
    """Return this plugin's ``Ugm``, creating and caching it on first use.

    The tree is kept in the plugin cache (``get_plugin_cache``); the
    sentinel ``VALUE_NOT_CACHED`` marks a miss. Roles are not wired up
    (``rcfg=None``), so only users and groups are reachable through it.

    NOTE(review): the cached tree carries ``self._ldap_props`` (server and
    bind settings); confirm the cache is invalidated when the plugin's
    LDAP configuration changes, otherwise stale credentials keep being used.
    """
    cache = get_plugin_cache(self)
    cached = cache.get()
    if cached is VALUE_NOT_CACHED:
        # Cache miss: adapt the plugin to its users/groups configs and
        # build the tree once; later calls reuse it.
        ucfg = ILDAPUsersConfig(self)
        gcfg = ILDAPGroupsConfig(self)
        cached = Ugm(props=self._ldap_props, ucfg=ucfg, gcfg=gcfg, rcfg=None)
        cache.set(cached)
    return cached
def create_ugm():
    """Build the test ``Ugm`` from the ``props``/``ucfg``/``gcfg`` fixtures in ``layer``.

    ``rcfg`` is deliberately ``None``: no roles container is set up in this
    layer yet (see the XXX below), so role operations are presumably not
    exercised through this tree.
    """
    # XXX: later -- roles config still to be added to the layer
    return Ugm(
        name='ugm',
        parent=None,
        props=layer['props'],
        ucfg=layer['ucfg'],
        gcfg=layer['gcfg'],
        rcfg=None,
    )
def test_samba_users(self):
    """Users carrying Samba attributes keep LM/NT hashes in sync on ``passwd()``.

    The fixture's ``uid0`` starts with a clear-text ``userPassword`` plus
    the Samba LM/NT hashes of ``secret0``. After ``passwd()`` the
    ``userPassword`` is stored ``{SSHA}``-hashed and both Samba hashes are
    rewritten to the values for ``newsecret``.
    """
    ucfg = self.layer['ucfg']
    gcfg = self.layer['gcfg']
    props = self.layer['props']
    ugm = Ugm(props=props, ucfg=ucfg, gcfg=gcfg)
    self.assertEqual(ugm.users.search(), [u'uid0', u'uid1', u'uid2'])
    # Initial state as loaded from the fixture: password in the clear.
    self.assertEqual(ugm.users['uid0'].context.attrs['userPassword'], u'secret0')
    # NOTE(review): sambaLMPassword is the legacy LAN Manager hash, which is
    # weak by design. The test only pins that it is kept in sync; whether a
    # deployment should store it at all is a separate hardening decision.
    self.assertEqual(ugm.users['uid0'].context.attrs['sambaLMPassword'],
                     u'FF3750BCC2B22412AAD3B435B51404EE')
    self.assertEqual(ugm.users['uid0'].context.attrs['sambaNTPassword'],
                     u'62CF067F093CD75BBAA5D49E04689ED7')
    ugm.users['uid0'].passwd('secret0', 'newsecret')
    password = ugm.users['uid0'].context.attrs['userPassword']
    # Only the storage scheme prefix is checked, not that the salted hash
    # actually verifies against 'newsecret'.
    self.assertTrue(password.startswith('{SSHA}'))
    self.assertEqual(ugm.users['uid0'].context.attrs['sambaLMPassword'],
                     u'db6574a2642d294b9a0f5d12d8f612d0')
    self.assertEqual(ugm.users['uid0'].context.attrs['sambaNTPassword'],
                     u'58d9f1588236ee9d4ed739e89ffca25b')
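def connection_test(self):
    """Probe the LDAP backend with this plugin's configuration.

    Returns an ``(ok, message)`` tuple so the caller can display the result
    instead of handling exceptions; nothing is meant to escape from here.
    The steps are reported separately:

    1. Adapt the plugin to ``ILDAPProps``, ``ILDAPUsersConfig`` and
       ``ILDAPGroupsConfig``. A failure here is a configuration or
       programming problem rather than an LDAP one and is logged with
       its traceback.
    2. Build a throw-away ``Ugm`` and touch ``ugm.users``; ``SERVER_DOWN``
       and any other ``LDAPError`` become a failure message.
    3. Touch ``ugm.groups`` the same way.

    NOTE(review): the failure messages embed ``str(e)`` of the underlying
    exception, so they are suited to an administrator-facing view only.
    """
    try:
        props = ILDAPProps(self.plugin)
    except Exception as e:
        msg = _("Non-LDAP error while getting ILDAPProps!")
        logger.exception(msg)
        return False, msg + str(e)
    try:
        users = ILDAPUsersConfig(self.plugin)
    except Exception as e:
        msg = _("Non-LDAP error while getting ILDAPUsersConfig!")
        logger.exception(msg)
        return False, msg + str(e)
    try:
        groups = ILDAPGroupsConfig(self.plugin)
    except Exception as e:
        msg = _("Non-LDAP error while getting ILDAPGroupsConfig!")
        logger.exception(msg)
        return False, msg + str(e)
    try:
        ugm = Ugm("test", props=props, ucfg=users, gcfg=groups)
        # The attribute access is what reaches the server (the older
        # variant of this test pulled one key instead); presumably the
        # lookup happens lazily on first access -- verify against Ugm.
        ugm.users
    except ldap.SERVER_DOWN:
        return False, _("Server Down")
    except ldap.LDAPError as e:
        return False, _("LDAP users; ") + str(e)
    except Exception as e:
        logger.exception("Non-LDAP error while connection test!")
        return False, _("Exception in Users; ") + str(e)
    try:
        ugm.groups
    except ldap.LDAPError as e:
        # python-ldap passes a dict (usually carrying 'desc') as the first
        # exception argument. The previous ``e.message["desc"]`` relied on
        # the Python-2-only ``message`` attribute and on it being that
        # dict; when it was not, the KeyError/TypeError escaped this
        # handler and broke the "never raises" contract. Fall back to
        # str(e) so the caller always gets a tuple.
        info = e.args[0] if e.args else None
        desc = info.get("desc", str(e)) if isinstance(info, dict) else str(e)
        return False, _("LDAP Users ok, but groups not; ") + desc
    except Exception as e:
        logger.exception("Non-LDAP error while connection test!")
        return False, _("Exception in Groups; ") + str(e)
    return True, "Connection, users- and groups-access tested successfully."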
def test_roles(self):
    """Role management for users and groups via ``Ugm`` and the principals.

    Sets up an ``ou=roles`` container, exercises add/remove/query through
    both the ``ugm`` API and the principal objects, checks the error
    messages for duplicate/unknown roles, and tears the container down
    again at the end.
    """
    # Role Management. Create container for roles.
    props = layer['props']
    node = LDAPNode('dc=my-domain,dc=com', props)
    node['ou=roles'] = LDAPNode()
    node['ou=roles'].attrs['objectClass'] = ['organizationalUnit']
    # Calling the node writes the pending changes to the server.
    node()
    ucfg = layer['ucfg']
    gcfg = layer['gcfg']
    # Roles are stored as posixGroup entries keyed by cn below ou=roles;
    # strict=False presumably relaxes attribute checking -- see RolesConfig.
    rcfg = RolesConfig(
        baseDN='ou=roles,dc=my-domain,dc=com',
        attrmap=odict((
            ('rdn', 'cn'),
            ('id', 'cn')
        )),
        scope=SUBTREE,
        queryFilter='(objectClass=posixGroup)',
        objectClasses=['posixGroup'],
        defaults={},
        strict=False
    )
    ugm = Ugm(props=props, ucfg=ucfg, gcfg=gcfg, rcfg=rcfg)
    # Users: role assignment through ugm and through the principal agree.
    user = ugm.users['uid1']
    self.assertEqual(ugm.roles(user), [])
    ugm.add_role('viewer', user)
    self.assertEqual(ugm.roles(user), ['viewer'])
    self.assertEqual(user.roles, ['viewer'])
    user = ugm.users['uid2']
    user.add_role('viewer')
    user.add_role('editor')
    self.assertEqual(sorted(user.roles), ['editor', 'viewer'])
    # roles_storage() presumably flushes pending role changes -- confirm.
    ugm.roles_storage()
    ugm.remove_role('viewer', user)
    user.remove_role('editor')
    self.assertEqual(user.roles, [])
    ugm.roles_storage()
    # Groups: same API.
    group = ugm.groups['group1']
    self.assertEqual(ugm.roles(group), [])
    ugm.add_role('viewer', group)
    self.assertEqual(ugm.roles(group), ['viewer'])
    self.assertEqual(group.roles, ['viewer'])
    group = ugm.groups['group0']
    group.add_role('viewer')
    group.add_role('editor')
    # NOTE(review): compared unsorted here but sorted() for the user above;
    # if role order is not guaranteed this assertion is order-dependent.
    self.assertEqual(group.roles, ['viewer', 'editor'])
    ugm.roles_storage()
    err = self.expect_error(
        ValueError,
        group.add_role,
        'editor'
    )
    self.assertEqual(str(err), "Principal already has role 'editor'")
    # 'viewer' stays in storage because group1 still holds it.
    ugm.remove_role('viewer', group)
    self.assertEqual(ugm.roles_storage.keys(), [u'viewer', u'editor'])
    # Removing the last holder of 'editor' drops the role entry itself.
    group.remove_role('editor')
    self.assertEqual(ugm.roles_storage.keys(), [u'viewer'])
    self.assertEqual(ugm.roles_storage.storage.keys(), ['viewer'])
    self.expect_error(KeyError, ugm.roles_storage.__getitem__, 'editor')
    err = self.expect_error(
        ValueError,
        group.remove_role,
        'editor'
    )
    self.assertEqual(str(err), "Role not exists 'editor'")
    err = self.expect_error(
        ValueError,
        group.remove_role,
        'viewer'
    )
    # Expected text is the library's own message, grammar included.
    self.assertEqual(str(err), "Principal does not has role 'viewer'")
    ugm.roles_storage()
    # Teardown: empty and delete the roles container again.
    node = LDAPNode('dc=my-domain,dc=com', props)
    node['ou=roles'].clear()
    node['ou=roles']()
    del node['ou=roles']
    node()
def test_roles(self):
    """Role management for users and groups via ``Ugm`` and the principals.

    Sets up an ``ou=roles`` container, exercises add/remove/query through
    both the ``ugm`` API and the principal objects, checks the error
    messages for duplicate/unknown roles, and tears the container down
    again at the end.
    """
    # Role Management. Create container for roles.
    props = layer['props']
    node = LDAPNode('dc=my-domain,dc=com', props)
    node['ou=roles'] = LDAPNode()
    node['ou=roles'].attrs['objectClass'] = ['organizationalUnit']
    # Calling the node writes the pending changes to the server.
    node()
    ucfg = layer['ucfg']
    gcfg = layer['gcfg']
    # Roles are stored as posixGroup entries keyed by cn below ou=roles;
    # strict=False presumably relaxes attribute checking -- see RolesConfig.
    rcfg = RolesConfig(baseDN='ou=roles,dc=my-domain,dc=com',
                       attrmap=odict((('rdn', 'cn'), ('id', 'cn'))),
                       scope=SUBTREE,
                       queryFilter='(objectClass=posixGroup)',
                       objectClasses=['posixGroup'],
                       defaults={},
                       strict=False)
    ugm = Ugm(props=props, ucfg=ucfg, gcfg=gcfg, rcfg=rcfg)
    # Users: role assignment through ugm and through the principal agree.
    user = ugm.users['uid1']
    self.assertEqual(ugm.roles(user), [])
    ugm.add_role('viewer', user)
    self.assertEqual(ugm.roles(user), ['viewer'])
    self.assertEqual(user.roles, ['viewer'])
    user = ugm.users['uid2']
    user.add_role('viewer')
    user.add_role('editor')
    self.assertEqual(sorted(user.roles), ['editor', 'viewer'])
    # roles_storage() presumably flushes pending role changes -- confirm.
    ugm.roles_storage()
    ugm.remove_role('viewer', user)
    user.remove_role('editor')
    self.assertEqual(user.roles, [])
    ugm.roles_storage()
    # Groups: same API.
    group = ugm.groups['group1']
    self.assertEqual(ugm.roles(group), [])
    ugm.add_role('viewer', group)
    self.assertEqual(ugm.roles(group), ['viewer'])
    self.assertEqual(group.roles, ['viewer'])
    group = ugm.groups['group0']
    group.add_role('viewer')
    group.add_role('editor')
    # NOTE(review): compared unsorted here but sorted() for the user above;
    # if role order is not guaranteed this assertion is order-dependent.
    self.assertEqual(group.roles, ['viewer', 'editor'])
    ugm.roles_storage()
    err = self.expect_error(ValueError, group.add_role, 'editor')
    self.assertEqual(str(err), "Principal already has role 'editor'")
    # 'viewer' stays in storage because group1 still holds it.
    ugm.remove_role('viewer', group)
    self.assertEqual(ugm.roles_storage.keys(), [u'viewer', u'editor'])
    # Removing the last holder of 'editor' drops the role entry itself.
    group.remove_role('editor')
    self.assertEqual(ugm.roles_storage.keys(), [u'viewer'])
    self.assertEqual(ugm.roles_storage.storage.keys(), ['viewer'])
    self.expect_error(KeyError, ugm.roles_storage.__getitem__, 'editor')
    err = self.expect_error(ValueError, group.remove_role, 'editor')
    self.assertEqual(str(err), "Role not exists 'editor'")
    err = self.expect_error(ValueError, group.remove_role, 'viewer')
    # Expected text is the library's own message, grammar included.
    self.assertEqual(str(err), "Principal does not has role 'viewer'")
    ugm.roles_storage()
    # Teardown: empty and delete the roles container again.
    node = LDAPNode('dc=my-domain,dc=com', props)
    node['ou=roles'].clear()
    node['ou=roles']()
    del node['ou=roles']
    node()