def __init__(self, props=None):
connector = LDAPConnector(props=props)
communicator = LDAPCommunicator(connector)
communicator.baseDN = 'dc=my-domain,dc=com'
communicator.bind()
res = communicator.search('(objectclass=*)', ldap.SCOPE_BASE,
'cn=subschema', attrlist=['*','+'])
if len(res) != 1:
raise ValueError, 'subschema not found'
self.subschema = ldap.schema.SubSchema(ldap.cidict.cidict(res[0][1]))
def subschema(self):
if hasattr(self, '_subschema'):
return self._subschema
connector = LDAPConnector(props=self._props)
communicator = LDAPCommunicator(connector)
communicator.bind()
res = communicator.search('(objectclass=*)', ldap.SCOPE_BASE,
'cn=subschema', attrlist=['*', '+'])
if len(res) != 1:
raise ValueError('subschema not found')
self._subschema = ldap.schema.SubSchema(ldap.cidict.cidict(res[0][1]))
return self._subschema
def subschema(self):
if hasattr(self, '_subschema'):
return self._subschema
connector = LDAPConnector(props=self._props)
communicator = LDAPCommunicator(connector)
communicator.bind()
res = communicator.search('(objectclass=*)',
ldap.SCOPE_BASE,
'cn=subschema',
attrlist=['*', '+'])
if len(res) != 1:
raise ValueError('subschema not found')
self._subschema = ldap.schema.SubSchema(ldap.cidict.cidict(res[0][1]))
return self._subschema
def getLdapCommunicator(base):
"""
:param base: soit "users" soit "groups"
:type base: str
:returns: un communicateur de node.ext.ldap qui permet de réaliser
des requêtes au serveur LDAP
"""
props = getLdapProps()
conn = LDAPConnector(props=props)
comm = LDAPCommunicator(conn)
if base in ['u', 'U', 'users']:
comm.baseDN = getSettingValue('users_base')
else:
comm.baseDN = getSettingValue('groups_base')
comm.bind()
return comm
def test_base(self):
# NullCachManager registration
provideAdapter(NullCacheManager)
# Test main script, could be used by command line with
# 'python base.py server port'::
old_argv = sys.argv
sys.argv = ['base.py', '127.0.0.1', '12345']
self.assertEqual(main(), 'success')
sys.argv[-1] = '12346'
self.assertEqual(main().args[0], {
'info': 'Transport endpoint is not connected',
'errno': 107,
'desc': "Can't contact LDAP server"
})
sys.argv = []
self.assertEqual(main(), 'usage: python base.py [server] [port]')
sys.argv = old_argv
# Test node.ext.ldap base objects. Test LDAP connectivity
self.assertEqual(testLDAPConnectivity('127.0.0.1', 12345), 'success')
self.assertEqual(testLDAPConnectivity('127.0.0.1', 12346).args[0], {
'info': 'Transport endpoint is not connected',
'errno': 107,
'desc': u"Can't contact LDAP server"}
)
# LDAP credentials
host = "127.0.0.1"
port = 12345
binddn = "cn=Manager,dc=my-domain,dc=com"
bindpw = "secret"
props = LDAPProps(
server=host,
port=port,
user=binddn,
password=bindpw
)
# Create connector.
connector = LDAPConnector(props=props)
# Create communicator.
communicator = LDAPCommunicator(connector)
# Bind to directory.
communicator.bind()
# Search fails if baseDN is not set and not given to search function
self.assertEqual(communicator.baseDN, '')
err = self.expect_error(
ValueError,
communicator.search,
'(objectClass=*)',
SUBTREE
)
self.assertEqual(str(err), 'baseDN unset.')
# Set base dn and check if previously imported entries are present.
communicator.baseDN = 'dc=my-domain,dc=com'
res = communicator.search('(objectClass=*)', SUBTREE)
self.assertEqual(len(res), 7)
# Test search pagination
res, cookie = communicator.search(
'(objectClass=*)',
SUBTREE,
page_size=4,
cookie=''
)
self.assertEqual(len(res), 4)
res, cookie = communicator.search(
'(objectClass=*)',
SUBTREE,
page_size=4,
cookie=cookie
)
self.assertEqual(len(res), 3)
self.assertEqual(cookie, b'')
# Pagination search fails if cookie but no page size given
res, cookie = communicator.search(
'(objectClass=*)',
SUBTREE,
page_size=4,
cookie=''
)
err = self.expect_error(
ValueError,
communicator.search,
'(objectClass=*)',
SUBTREE,
cookie=cookie
)
self.assertEqual(str(err), 'cookie passed without page_size')
# Test inserting entries.
entry = {
'cn': b'foo',
'sn': b'bar',
'objectclass': (b'person', b'top'),
}
dn = 'cn=foo,ou=customer1,ou=customers,dc=my-domain,dc=com'
communicator.add(dn, entry)
# Now there's one more entry in the directory.
res = communicator.search('(objectClass=*)', SUBTREE)
self.assertEqual(len(res), 8)
# Query added entry directly.
res = communicator.search('(cn=foo)', SUBTREE)
self.assertEqual(res, [(
'cn=foo,ou=customer1,ou=customers,dc=my-domain,dc=com',
{'objectClass': [b'person', b'top'], 'cn': [b'foo'], 'sn': [b'bar']}
)])
# Modify this entry and check the result.
communicator.modify(res[0][0], [(MOD_REPLACE, 'sn', b'baz')])
res = communicator.search('(cn=foo)', SUBTREE)
self.assertEqual(res, [(
'cn=foo,ou=customer1,ou=customers,dc=my-domain,dc=com',
{'objectClass': [b'person', b'top'], 'cn': [b'foo'], 'sn': [b'baz']}
)])
# Finally delete this entry and check the result.
communicator.delete(res[0][0])
self.assertEqual(communicator.search('(cn=foo)', SUBTREE), [])
# Unbind from server.
communicator.unbind()
# Connector using cache.
connector = LDAPConnector(props)
communicator = LDAPCommunicator(connector)
communicator.bind()
# Add entry
entry = {
'cn': b'foo',
'sn': b'bar',
'objectclass': (b'person', b'top'),
}
dn = 'cn=foo,ou=customer1,ou=customers,dc=my-domain,dc=com'
communicator.add(dn, entry)
communicator.baseDN = 'dc=my-domain,dc=com'
# Search cached entry. Does not get cached here since no real cache
# provider is registered. Thus the nullcacheProviderFactory is used.
# But cache API is used anyways::
res = communicator.search('(cn=foo)', SUBTREE)
self.assertEqual(res, [(
'cn=foo,ou=customer1,ou=customers,dc=my-domain,dc=com',
{'objectClass': [b'person', b'top'], 'cn': [b'foo'], 'sn': [b'bar']}
)])
# Delete entry
communicator.delete(res[0][0])
res = communicator.search('(cn=foo)', SUBTREE, force_reload=True)
self.assertEqual(res, [])
communicator.unbind()
def test_base(self):
# NullCachManager registration
provideAdapter(NullCacheManager)
# Test main script, could be used by command line with
# 'python base.py server port'::
old_argv = sys.argv
sys.argv = ['base.py', '127.0.0.1', '12345']
self.assertEqual(main(), 'success')
sys.argv[-1] = '12346'
self.assertEqual(main().args[0], {
'info': 'Transport endpoint is not connected',
'errno': 107,
'desc': "Can't contact LDAP server"
})
sys.argv = []
self.assertEqual(main(), 'usage: python base.py [server] [port]')
sys.argv = old_argv
# Test node.ext.ldap base objects. Test LDAP connectivity
self.assertEqual(testLDAPConnectivity('127.0.0.1', 12345), 'success')
self.assertEqual(testLDAPConnectivity('127.0.0.1', 12346).args[0], {
'info': 'Transport endpoint is not connected',
'errno': 107,
'desc': u"Can't contact LDAP server"}
)
# LDAP credentials
host = "127.0.0.1"
port = 12345
binddn = "cn=Manager,dc=my-domain,dc=com"
bindpw = "secret"
props = LDAPProps(
server=host,
port=port,
user=binddn,
password=bindpw
)
# Create connector.
connector = LDAPConnector(props=props)
# Create communicator.
communicator = LDAPCommunicator(connector)
# Bind to directory.
communicator.bind()
# Search fails if baseDN is not set and not given to search function
self.assertEqual(communicator.baseDN, '')
err = self.expect_error(
ValueError,
communicator.search,
'(objectClass=*)',
SUBTREE
)
self.assertEqual(str(err), 'baseDN unset.')
# Set base dn and check if previously imported entries are present.
communicator.baseDN = 'dc=my-domain,dc=com'
res = communicator.search('(objectClass=*)', SUBTREE)
self.assertEqual(len(res), 7)
# Test search pagination
res, cookie = communicator.search(
'(objectClass=*)',
SUBTREE,
page_size=4,
cookie=''
)
self.assertEqual(len(res), 4)
res, cookie = communicator.search(
'(objectClass=*)',
SUBTREE,
page_size=4,
cookie=cookie
)
self.assertEqual(len(res), 3)
self.assertEqual(cookie, b'')
# Pagination search fails if cookie but no page size given
res, cookie = communicator.search(
'(objectClass=*)',
SUBTREE,
page_size=4,
cookie=''
)
err = self.expect_error(
ValueError,
communicator.search,
'(objectClass=*)',
SUBTREE,
cookie=cookie
)
self.assertEqual(str(err), 'cookie passed without page_size')
# Test inserting entries.
entry = {
'cn': b'foo',
'sn': b'bar',
'objectclass': (b'person', b'top'),
}
dn = 'cn=foo,ou=customer1,ou=customers,dc=my-domain,dc=com'
communicator.add(dn, entry)
# Now there's one more entry in the directory.
res = communicator.search('(objectClass=*)', SUBTREE)
self.assertEqual(len(res), 8)
# Query added entry directly.
res = communicator.search('(cn=foo)', SUBTREE)
self.assertEqual(res, [(
'cn=foo,ou=customer1,ou=customers,dc=my-domain,dc=com',
{'objectClass': [b'person', b'top'], 'cn': [b'foo'], 'sn': [b'bar']}
)])
# Modify this entry and check the result.
communicator.modify(res[0][0], [(MOD_REPLACE, 'sn', b'baz')])
res = communicator.search('(cn=foo)', SUBTREE)
self.assertEqual(res, [(
'cn=foo,ou=customer1,ou=customers,dc=my-domain,dc=com',
{'objectClass': [b'person', b'top'], 'cn': [b'foo'], 'sn': [b'baz']}
)])
# Finally delete this entry and check the result.
communicator.delete(res[0][0])
self.assertEqual(communicator.search('(cn=foo)', SUBTREE), [])
# Unbind from server.
communicator.unbind()
# Connector using cache.
connector = LDAPConnector(props)
communicator = LDAPCommunicator(connector)
communicator.bind()
# Add entry
entry = {
'cn': b'foo',
'sn': b'bar',
'objectclass': (b'person', b'top'),
}
dn = 'cn=foo,ou=customer1,ou=customers,dc=my-domain,dc=com'
communicator.add(dn, entry)
communicator.baseDN = 'dc=my-domain,dc=com'
# Search cached entry. Does not get cached here since no real cache
# provider is registered. Thus the nullcacheProviderFactory is used.
# But cache API is used anyways::
res = communicator.search('(cn=foo)', SUBTREE)
self.assertEqual(res, [(
'cn=foo,ou=customer1,ou=customers,dc=my-domain,dc=com',
{'objectClass': [b'person', b'top'], 'cn': [b'foo'], 'sn': [b'bar']}
)])
# Delete entry
communicator.delete(res[0][0])
res = communicator.search('(cn=foo)', SUBTREE, force_reload=True)
self.assertEqual(res, [])
communicator.unbind()
class LDAPSession(object):
"""LDAP Session binds always.
all strings must be utf8 encoded!
"""
def __init__(self, props):
self._props = props
connector = LDAPConnector(props=props)
self._communicator = LDAPCommunicator(connector)
def checkServerProperties(self):
"""Test if connection can be established.
"""
res = testLDAPConnectivity(props=self._props)
if res == 'success':
return (True, 'OK')
else:
return (False, res)
@property
def baseDN(self):
baseDN = self._communicator.baseDN
return baseDN
@baseDN.setter
def baseDN(self, baseDN):
"""baseDN must be utf8-encoded.
"""
self._communicator.baseDN = baseDN
def ensure_connection(self):
"""If LDAP directory is down, bind again and retry given function.
XXX: * Improve retry logic
* Extend LDAPSession object to handle Fallback server(s)
"""
if self._communicator._con is None:
self._communicator.bind()
def search(self,
queryFilter='(objectClass=*)',
scope=BASE,
baseDN=None,
force_reload=False,
attrlist=None,
attrsonly=0,
page_size=None,
cookie=None):
if not queryFilter:
# It makes no sense to really pass these to LDAP, therefore, we
# interpret them as "don't filter" which in LDAP terms is
# '(objectClass=*)'
queryFilter = '(objectClass=*)'
self.ensure_connection()
res = self._communicator.search(queryFilter, scope, baseDN,
force_reload, attrlist, attrsonly,
page_size, cookie)
if page_size:
res, cookie = res
# ActiveDirectory returns entries with dn None, which can be ignored
res = filter(lambda x: x[0] is not None, res)
if page_size:
return res, cookie
return res
def add(self, dn, data):
self.ensure_connection()
self._communicator.add(dn, data)
def authenticate(self, dn, pw):
"""Verify credentials, but don't rebind the session to that user
"""
# Let's bypass connector/communicator until they are sorted out
if self._props.ignore_cert:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
con = ldap.initialize(self._props.uri)
# Turning referrals off since they cause problems with MS Active
# Directory More info: https://www.python-ldap.org/faq.html#usage
con.set_option(ldap.OPT_REFERRALS, 0)
try:
con.simple_bind_s(dn, pw)
except (ldap.INVALID_CREDENTIALS, ldap.UNWILLING_TO_PERFORM):
# The UNWILLING_TO_PERFORM event might be thrown, if you query a
# local user named ``admin``, but the LDAP server is configured to
# deny such queries. Instead of raising an exception, just ignore
# this.
return False
else:
return True
def modify(self, dn, data, replace=False):
"""Modify an existing entry in the directory.
:param dn: Modification DN
:param data: Either list of 3 tuples (look at
``node.ext.ldap.base.LDAPCommunicator.modify`` for details), or a
dictionary representing the entry or parts of the entry.
XXX: dicts not yet
:param replace: If set to True, replace entry at DN entirely with data.
"""
self.ensure_connection()
result = self._communicator.modify(dn, data)
return result
def delete(self, dn):
self._communicator.delete(dn)
def passwd(self, userdn, oldpw, newpw):
self.ensure_connection()
result = self._communicator.passwd(userdn, oldpw, newpw)
return result
def unbind(self):
self._communicator.unbind()
def __init__(self, props):
self._props = props
connector = LDAPConnector(props=props)
self._communicator = LDAPCommunicator(connector)
class LDAPSession(object):
"""LDAP Session binds always.
"""
def __init__(self, props):
self._props = props
connector = LDAPConnector(props=props)
self._communicator = LDAPCommunicator(connector)
def checkServerProperties(self):
"""Test if connection can be established.
"""
res = testLDAPConnectivity(props=self._props)
if res == 'success':
return (True, 'OK')
else:
return (False, res)
@property
def baseDN(self):
baseDN = self._communicator.baseDN
return baseDN
@baseDN.setter
def baseDN(self, baseDN):
self._communicator.baseDN = baseDN
def ensure_connection(self):
"""If LDAP directory is down, bind again and retry given function.
"""
if self._communicator._con is None:
self._communicator.bind()
def search(self, queryFilter='(objectClass=*)', scope=BASE, baseDN=None,
force_reload=False, attrlist=None, attrsonly=0,
page_size=None, cookie=None):
if not queryFilter:
# It makes no sense to really pass these to LDAP, therefore, we
# interpret them as "don't filter" which in LDAP terms is
# '(objectClass=*)'
queryFilter = '(objectClass=*)'
self.ensure_connection()
res = self._communicator.search(
queryFilter,
scope,
baseDN,
force_reload,
attrlist,
attrsonly,
page_size,
cookie
)
if page_size:
res, cookie = res
# ActiveDirectory returns entries with dn None, which can be ignored
res = [x for x in res if x[0] is not None]
if page_size:
return res, cookie
return res
def add(self, dn, data):
self.ensure_connection()
self._communicator.add(dn, data)
def authenticate(self, dn, pw):
"""Verify credentials, but don't rebind the session to that user
"""
# Let's bypass connector/communicator until they are sorted out
if self._props.ignore_cert: # pragma: no cover
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
con = ldap.initialize(
self._props.uri,
bytes_mode=False,
bytes_strictness='silent'
)
# Turning referrals off since they cause problems with MS Active
# Directory More info: https://www.python-ldap.org/faq.html#usage
con.set_option(ldap.OPT_REFERRALS, 0)
try:
con.simple_bind_s(dn, pw)
except (ldap.INVALID_CREDENTIALS, ldap.UNWILLING_TO_PERFORM):
# The UNWILLING_TO_PERFORM event might be thrown, if you query a
# local user named ``admin``, but the LDAP server is configured to
# deny such queries. Instead of raising an exception, just ignore
# this.
return False
else:
return True
def modify(self, dn, data, replace=False):
"""Modify an existing entry in the directory.
:param dn: Modification DN
:param data: Either list of 3 tuples (look at
``node.ext.ldap.base.LDAPCommunicator.modify`` for details), or a
dictionary representing the entry or parts of the entry.
XXX: dicts not yet
:param replace: If set to True, replace entry at DN entirely with data.
"""
self.ensure_connection()
result = self._communicator.modify(dn, data)
return result
def delete(self, dn):
self._communicator.delete(dn)
def passwd(self, userdn, oldpw, newpw):
self.ensure_connection()
result = self._communicator.passwd(userdn, oldpw, newpw)
return result
def unbind(self):
self._communicator.unbind()
def __init__(self, props):
self._props = props
connector = LDAPConnector(props=props)
self._communicator = LDAPCommunicator(connector)
class LDAPSession(object):
def __init__(self, props):
self._props = props
connector = LDAPConnector(props=props)
self._communicator = LDAPCommunicator(connector)
def checkServerProperties(self):
"""Test if connection can be established.
"""
res = testLDAPConnectivity(props=self._props)
if res == 'success':
return (True, 'OK')
else:
return (False, res)
def _get_baseDN(self):
baseDN = self._communicator.baseDN
baseDN = decode(baseDN)
return baseDN
def _set_baseDN(self, baseDN):
if isinstance(baseDN, str):
# make sure its utf8
baseDN = decode(baseDN)
baseDN = encode(baseDN)
self._communicator.baseDN = baseDN
baseDN = property(_get_baseDN, _set_baseDN)
def search(self, queryFilter='(objectClass=*)', scope=BASE, baseDN=None,
force_reload=False, attrlist=None, attrsonly=0, page_size=None, cookie=None):
#if self._props.escape_queries and baseDN is not None:
# baseDN = escape(baseDN)
if queryFilter in ('', u'', None):
# It makes no sense to really pass these to LDAP, therefore, we
# interpret them as "don't filter" which in LDAP terms is
# '(objectClass=*)'
queryFilter='(objectClass=*)'
func = self._communicator.search
# bug in node when using string: https://github.com/bluedynamics/node/issues/5
if isinstance(cookie, str):
cookie = unicode(cookie)
res = self._perform(func, queryFilter, scope, baseDN,
force_reload, attrlist, attrsonly, page_size, cookie)
# ActiveDirectory returns entries with dn None, which can be ignored
if page_size:
res, cookie = res
res = filter(lambda x: x[0] is not None, res)
if page_size:
return res, cookie
else:
return res
def add(self, dn, data):
func = self._communicator.add
return self._perform(func, dn, data)
def authenticate(self, dn, pw):
"""Verify credentials, but don't rebind the session to that user
"""
# Let's bypass connector/communicator until they are sorted out
con = ldap.initialize(self._props.uri)
try:
con.simple_bind_s(dn, pw)
except ldap.INVALID_CREDENTIALS:
return False
else:
return True
def modify(self, dn, data, replace=False):
"""Modify an existing entry in the directory.
dn
Modification DN
#data
# either list of 3 tuples (look at
# node.ext.ldap.base.LDAPCommunicator.modify for details), or
# a dictionary representing the entry or parts of the entry.
# XXX: dicts not yet
replace
if set to True, replace entry at DN entirely with data.
"""
func = self._communicator.modify
return self._perform(func, dn, data)
def delete(self, dn):
func = self._communicator.delete
return self._perform(func, dn)
def passwd(self, userdn, oldpw, newpw):
func = self._communicator.passwd
self._perform(func, userdn, oldpw, newpw)
def unbind(self):
self._communicator.unbind()
def _perform(self, function, *args, **kwargs):
"""Try to perform the given function with the given argument.
If LDAP directory is down, bind again and retry given function.
XXX: * Improve retry logic in LDAPSession
* Extend LDAPSession object to handle Fallback server(s)
"""
args = encode(args)
kwargs = encode(kwargs)
if self._communicator._con is None:
self._communicator.bind()
# XXX: it seems except block is never reached, call of
# self._communicator.bind() above already raises error if
# communication fails. And why server down?
#try:
# return decode(function(*args, **kwargs))
#except ldap.SERVER_DOWN:
# self._communicator.bind()
# return decode(function(*args, **kwargs))
return decode(function(*args, **kwargs))
class LDAPSession(object):
"""LDAP Session binds always.
all strings must be utf8 encoded!
"""
def __init__(self, props):
self._props = props
connector = LDAPConnector(props=props)
self._communicator = LDAPCommunicator(connector)
def checkServerProperties(self):
"""Test if connection can be established.
"""
res = testLDAPConnectivity(props=self._props)
if res == 'success':
return (True, 'OK')
else:
return (False, res)
def _get_baseDN(self):
baseDN = self._communicator.baseDN
return baseDN
def _set_baseDN(self, baseDN):
"""baseDN must be utf8-encoded.
"""
self._communicator.baseDN = baseDN
baseDN = property(_get_baseDN, _set_baseDN)
def ensure_connection(self):
"""If LDAP directory is down, bind again and retry given function.
XXX: * Improve retry logic
* Extend LDAPSession object to handle Fallback server(s)
"""
if self._communicator._con is None:
self._communicator.bind()
def search(self, queryFilter='(objectClass=*)', scope=BASE, baseDN=None,
force_reload=False, attrlist=None, attrsonly=0,
page_size=None, cookie=None):
if not queryFilter:
# It makes no sense to really pass these to LDAP, therefore, we
# interpret them as "don't filter" which in LDAP terms is
# '(objectClass=*)'
queryFilter = '(objectClass=*)'
self.ensure_connection()
res = self._communicator.search(queryFilter, scope, baseDN,
force_reload, attrlist, attrsonly,
page_size, cookie)
if page_size:
res, cookie = res
# ActiveDirectory returns entries with dn None, which can be ignored
res = filter(lambda x: x[0] is not None, res)
if page_size:
return res, cookie
return res
def add(self, dn, data):
self.ensure_connection()
self._communicator.add(dn, data)
def authenticate(self, dn, pw):
"""Verify credentials, but don't rebind the session to that user
"""
# Let's bypass connector/communicator until they are sorted out
if self._props.ignore_cert:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
con = ldap.initialize(self._props.uri)
try:
con.simple_bind_s(dn, pw)
except (ldap.INVALID_CREDENTIALS, ldap.UNWILLING_TO_PERFORM):
# The UNWILLING_TO_PERFORM event might be thrown, if you query a
# local user named ``admin``, but the LDAP server is configured to
# deny such queries. Instead of raising an exception, just ignore
# this.
return False
else:
return True
def modify(self, dn, data, replace=False):
"""Modify an existing entry in the directory.
dn
Modification DN
#data
# either list of 3 tuples (look at
# node.ext.ldap.base.LDAPCommunicator.modify for details), or
# a dictionary representing the entry or parts of the entry.
# XXX: dicts not yet
replace
if set to True, replace entry at DN entirely with data.
"""
self.ensure_connection()
result = self._communicator.modify(dn, data)
return result
def delete(self, dn):
self._communicator.delete(dn)
def passwd(self, userdn, oldpw, newpw):
self.ensure_connection()
result = self._communicator.passwd(userdn, oldpw, newpw)
return result
def unbind(self):
self._communicator.unbind()
