Exemplo n.º 1
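    def ldap_fetch(uid=None, name=None, passwd=BIND_PASSWORD):
        """Look up one directory entry and return its name, uid and mail.

        When both ``name`` and ``passwd`` are set the entry is searched by
        ``name``; otherwise it is searched by ``uid``.  Every connection binds
        with the service account (``BIND_DN`` / ``BIND_PASSWORD``).

        Returns a dict with ``name``, ``id`` and ``mail`` keys, or ``None`` if
        anything goes wrong (the error is printed).

        NOTE(review): ``passwd`` is only compared with ``None`` and is never
        sent to the server, and the bind in the ``uid`` branch uses the literal
        string ``'password'`` with its result ignored.  As written this
        function does not verify a user's password, so callers must not treat
        a non-``None`` result as proof of authentication.
        """
        def _escape_filter(value):
            # RFC 4515 escaping so the value is matched literally and cannot
            # change the shape of the search filter.  The backslash is
            # replaced first so the escapes added afterwards are not escaped
            # again.
            text = ('%s' % (value,)).replace('\\', '\\5c')
            for char, escaped in (('*', '\\2a'), ('(', '\\28'),
                                  (')', '\\29'), ('\x00', '\\00')):
                text = text.replace(char, escaped)
            return text

        try:
            if name is not None and passwd is not None:
                l = simpleldap.Connection(LDAP_SERVER,
                                          port=LDAP_PORT,
                                          dn=BIND_DN,
                                          password=BIND_PASSWORD)
                r = l.search('uid={0}'.format(_escape_filter(name)),
                             base_dn=BASE_DN)
            else:
                conn = simpleldap.Connection(hostname=LDAP_SERVER,
                                             port=LDAP_PORT,
                                             dn=BIND_DN,
                                             password=BIND_PASSWORD)
                # NOTE(review): literal 'password', result discarded -- this
                # call re-binds the connection but checks nothing.
                conn.authenticate(
                    'uid={0},{1}'.format(uid, BASE_DN), 'password')
                r = conn.search('uid={0}'.format(_escape_filter(uid)), BASE_DN)

            return {
                'name': unicode(r[0]['cn'][0]),
                'id': unicode(r[0]['uid'][0]),
                'mail': unicode(r[0]['mail'][0])
            }
        except Exception as e:
            # Best-effort lookup: any failure is reported and mapped to None.
            print(e)
            return None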
Exemplo n.º 2
 def test_initialize_kwargs(self):
     """Trace output is written only when ``trace_level`` is non-zero."""
     from StringIO import StringIO
     trace_buffer = StringIO()

     # trace_level 0: connecting and closing must leave the buffer empty.
     quiet_kwargs = dict(trace_file=trace_buffer, trace_level=0)
     quiet_conn = simpleldap.Connection('ldap.utexas.edu',
                                        initialize_kwargs=quiet_kwargs)
     quiet_conn.close()
     self.assertFalse(trace_buffer.getvalue())

     # trace_level 1: the same steps must now produce trace text.
     traced_kwargs = dict(trace_file=trace_buffer, trace_level=1)
     traced_conn = simpleldap.Connection('ldap.utexas.edu',
                                         initialize_kwargs=traced_kwargs)
     traced_conn.close()
     self.assertTrue(trace_buffer.getvalue())
Exemplo n.º 3
Arquivo: ldap.py Projeto: hysds/tosca
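def ldap_user_verified(username, password):
    """Verify a user against LDAP and an allow-list of groups.

    Binds as ``uid=<username>,<LDAP_BASEDN>`` with the supplied password over
    an SSL connection, confirms that exactly one entry matches the uid, and
    then checks that the user's DN is listed in ``uniqueMember`` of one of the
    groups named in ``LDAP_GROUPS``.

    Returns the user's entry as a ``dict`` on success and ``None`` on any
    failure.
    """

    def _escape_filter(value):
        # RFC 4515 escaping so the value is matched literally and cannot
        # change the shape of the search filter.  The backslash is replaced
        # first so the escapes added afterwards are not escaped again.
        text = ('%s' % (value,)).replace('\\', '\\5c')
        for char, escaped in (('*', '\\2a'), ('(', '\\28'),
                              (')', '\\29'), ('\x00', '\\00')):
            text = text.replace(char, escaped)
        return text

    # An empty password turns a simple bind into an unauthenticated bind,
    # which a directory server may report as success without checking who the
    # DN belongs to.  Refuse it so it can never count as a verified login.
    if not password:
        app.logger.info(
            "Rejected LDAP login for %s: empty password." % username)
        return None

    host = app.config['LDAP_HOST']
    base_dn = app.config['LDAP_BASEDN']
    groups = app.config['LDAP_GROUPS']
    opts = {'OPT_NETWORK_TIMEOUT': 10}

    # NOTE(review): username is also interpolated into the bind DN and the
    # group-membership DN without escaping; validate it against the site's
    # username format or escape it (python-ldap provides
    # ldap.dn.escape_dn_chars).
    try:
        l = simpleldap.Connection(host, dn='uid=%s,%s' % (username, base_dn),
                                  encryption='ssl', password=password, options=opts)
    except Exception as e:
        app.logger.info("Got error trying to verify LDAP user %s:" % username)
        app.logger.info("%s:\n\n%s" % (str(e), traceback.format_exc()))
        return None

    try:
        # validate user
        r = l.search('uid=%s' % _escape_filter(username), base_dn=base_dn)
        if len(r) != 1:
            app.logger.info("Got invalid number of entries for %s: %s" %
                            (username, len(r)))
            app.logger.info("r: %s" % str(r))
            return None

        # validate user is part of a group allowed
        uid = 'uid=%s,%s' % (username, base_dn)
        for group in groups:
            g = l.search('cn=%s' % group, base_dn=base_dn)
            for this_g in g:
                if uid in this_g['uniqueMember']:
                    return dict(r[0])

        app.logger.info(
            "User %s is not part of any approved LDAP groups." % username)
        return None
    finally:
        # The connection was never released before; close it on every path.
        l.close()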
Exemplo n.º 4
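    def authenticate(self):
        """Open a connection to the AD server and bind with the configured account.

        Reads ``adserver``, ``username`` and ``password`` from the ``ad``
        section of ``self.conf``.

        :returns: the bound ``simpleldap.Connection``
        :raises RuntimeError: if the server rejects the credentials
        """
        # NOTE(review): no ``encryption`` argument is passed, so the bind
        # credentials travel over whatever transport simpleldap uses by
        # default -- confirm this is not plain, unencrypted LDAP.
        conn = simpleldap.Connection(self.conf.get('ad', 'adserver'))
        bound = conn.authenticate(dn=self.conf.get('ad', 'username'),
                                  password=self.conf.get('ad', 'password'))
        if not bound:
            # Raising a bare string is itself a TypeError on current Python
            # versions, which hid the real cause.  Raise a proper exception
            # and do not leave the rejected connection open.
            conn.close()
            raise RuntimeError("Auth problem!")

        return conn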
Exemplo n.º 5
 def test_context_manager(self):
     """``Connection`` can be used in a ``with`` block for the first test host."""
     hostname, port, encryption, require_cert = self.hosts[0]
     settings = dict(hostname=hostname,
                     port=port,
                     encryption=encryption,
                     require_cert=require_cert)
     with simpleldap.Connection(**settings) as ldap_conn:
         # Exercise the underlying LDAP object while the block is active.
         ldap_conn.connection.whoami_s()
Exemplo n.º 6
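  def _get_entitlements(self):
    """_get_entitlements() returns the current user's ldap entitlements
    as one comma-separated string.

    The ``eduPersonEntitlement`` attribute is looked up for the account
    that owns this process.

    :returns: comma-separated list of ldap entitlements, or
      ``classad.Value.Undefined`` if the lookup fails for any reason
    :rtype: ``str``
    :rtype: ``classad.Value.Undefined``

    :Example:

    >>> from hmdccondor import HMDCCondor
    >>> HMDCCondor()._get_entitlements()

    """
    # FIXME: Figure out a way to read basedn and uri from openldap
    # configuration, natively.
    _my_username = pwd.getpwuid(os.getuid())[0]

    try:
      # The context manager closes the connection once the search is done.
      with simpleldap.Connection(self.ldap_server, encryption='ssl') as _conn:
        _results = _conn.search(
            "uid={0}".format(_my_username),
            attrs = ['eduPersonEntitlement'],
            base_dn = self.ldap_base_dn)
        return ','.join(_results[-1].values()[-1])
    except Exception:
      # ``except Exception`` instead of a bare ``except`` so that
      # KeyboardInterrupt/SystemExit are not swallowed.  Note that an empty
      # result set also lands here and is logged as a connection problem.
      rcelog('critical', "_get_entitlements(): Unable to contact ldap server {0}".format(self.ldap_server))
      return classad.Value.Undefined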
Exemplo n.º 7
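    def get_users_info(self, usernames):
        """
        Look up the real name and e-mail address of each given username.

        :param usernames: a list of usernames
        :return: a dict containing key/pairs {username: (realname, email)} if the user is available with this auth method,
            {username: None} else
        """
        def _escape_filter(value):
            # RFC 4515 escaping so the value is matched literally and cannot
            # change the shape of the search filter.  The backslash is
            # replaced first so the escapes added afterwards are not escaped
            # again.
            text = ('%s' % (value,)).replace('\\', '\\5c')
            for char, escaped in (('*', '\\2a'), ('(', '\\28'),
                                  (')', '\\29'), ('\x00', '\\00')):
                text = text.replace(char, escaped)
            return text

        retval = {username: None for username in usernames}

        # Connect to the ldap
        try:
            conn = simpleldap.Connection(self._host, port=self._port, encryption=self._encryption,
                                         require_cert=self._require_cert, search_defaults={"base_dn": self._base_dn})
        except Exception:
            # No directory, no information: every user stays mapped to None.
            return retval

        try:
            # Search for users
            for username in usernames:
                if not username.startswith(self._prefix):
                    continue
                try:
                    login = username[len(self._prefix):]
                    # The login is caller-supplied text, so it is escaped
                    # before being placed in the search filter.
                    request = self._request.format(_escape_filter(login))
                    user_data = conn.get(request)
                    email = user_data["mail"][0]
                    realname = user_data["cn"][0]

                    retval[username] = (realname, email)
                except Exception:
                    # Unknown, ambiguous or incomplete entries stay None.
                    pass
        finally:
            # The connection was never released before; close it here.
            conn.close()

        return retval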
Exemplo n.º 8
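    def auth(self, login_data):
        """Authenticate a login/password pair against the LDAP directory.

        :param login_data: mapping with ``"login"`` and ``"password"`` keys
        :return: ``(username, realname, email)`` when the directory accepts
            the password, ``None`` on any failure
        """
        def _escape_filter(value):
            # RFC 4515 escaping so the value is matched literally and cannot
            # change the shape of the search filter.  The backslash is
            # replaced first so the escapes added afterwards are not escaped
            # again.
            text = ('%s' % (value,)).replace('\\', '\\5c')
            for char, escaped in (('*', '\\2a'), ('(', '\\28'),
                                  (')', '\\29'), ('\x00', '\\00')):
                text = text.replace(char, escaped)
            return text

        try:
            # Get configuration
            login = login_data["login"]
            password = login_data["password"]

            # do not send empty password to the LDAP: an empty password makes
            # the bind unauthenticated, which a server may accept.
            if password.rstrip() == "":
                return None

            # Connect to the ldap
            conn = simpleldap.Connection(self._host, port=self._port, encryption=self._encryption,
                                         require_cert=self._require_cert, search_defaults={"base_dn": self._base_dn})
            try:
                # The login comes straight from the login form, so it is
                # escaped before being placed in the search filter.
                request = self._request.format(_escape_filter(login))
                user_data = conn.get(request)
                if not conn.authenticate(user_data.dn, password):
                    return None

                email = user_data["mail"][0]
                username = self._prefix + login
                realname = user_data["cn"][0]
                return (username, realname, email)
            finally:
                # The connection was never released before; close it here.
                conn.close()
        except Exception:
            # Any failure (missing key, no such user, directory error) is a
            # failed login; KeyboardInterrupt/SystemExit are no longer caught.
            return None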
Exemplo n.º 9
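    def authenticate(self, login, password):
        """Check ``login``/``password`` with a simple bind and return the result.

        A new connection is opened and stored on ``self.conn`` on every call.

        :returns: ``True`` if the directory accepted the bind, ``False``
            otherwise (including when either credential is missing)
        """
        self.conn = simpleldap.Connection(LDAPWrapper.CONNECTION_DOMAIN)

        # Missing credentials used to be replaced by the placeholder
        # "Ninguno" and still sent to the server, so an account whose uid or
        # password really was that string would have been matched.  Fail
        # closed instead, without issuing a bind.
        if not login or not password:
            return False

        # NOTE(review): login is concatenated into the DN unescaped, so
        # characters such as ',' change which entry is bound.  Validate it
        # against the site's username format or escape it (python-ldap
        # provides ldap.dn.escape_dn_chars).
        return self.conn.authenticate('uid=' + login + ', ' + self.BASE_DN,
                                      password)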
Exemplo n.º 10
 def test_connection_options(self):
     """An entry in ``options`` is applied to the underlying LDAP object."""
     option_name, expected = 'OPT_TIMELIMIT', 1000
     conn = simpleldap.Connection(
         hostname='ldap.utexas.edu',
         options={option_name: expected},
         # Debug output cannot really be asserted on; it is switched on
         # purely for coverage.
         debug=True)
     actual = conn.connection.get_option(getattr(ldap, option_name))
     self.assertEqual(actual, expected)
Exemplo n.º 11
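  def _get_email(self):
    """get_email() attempts to find users' email in gecos field or mail
    ldap field. If unable to find in either, returns None.

    Address-shaped items in the comma-separated ``gecos`` field are
    preferred; the ``mail`` attribute is the fallback. Several matching
    addresses are joined with ``,``.

    :returns: e-mail address or None
    :rtype: ``str``
    :rtype: ``None``

    :Example:

    >>> from hmdccondor import HMDCCondor
    >>> HMDCCondor()._get_email()

    """
    _my_username = pwd.getpwuid(os.getuid())[0]
    _email_regex = re.compile(
        r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$")

    def _addresses(_candidates):
      # Join every candidate string that the regex accepts in full.
      return ','.join(
          _match
          for _text in _candidates
          for _match in _email_regex.findall(_text))

    try:
      # The context manager closes the connection once the search is done.
      with simpleldap.Connection(self.ldap_server, encryption='ssl') as _conn:
        _emails = _conn.search(
            "uid={0}".format(_my_username),
            attrs = ['gecos', 'mail'],
            base_dn = self.ldap_base_dn)
    except Exception:
      # DEBUG HERE: Unable to contact LDAP server
      rcelog('critical', "_get_email(): Unable to contact ldap server {0}".format(self.ldap_server))
      return None

    # An ``assert`` disappears under ``python -O`` and otherwise crashes the
    # caller; an unexpected number of entries is reported and treated as
    # "no e-mail found" instead.
    if len(_emails) != 1:
      rcelog('critical', "_get_email(): Expected one ldap entry for {0}, found {1}.".format(_my_username, len(_emails)))
      return None

    _entry = _emails[0]

    # A missing gecos attribute now falls through to the mail field rather
    # than raising.
    _gecos = _entry.get('gecos') or ['']
    _email_from_gecos = _addresses(_gecos[0].split(','))

    if len(_email_from_gecos) > 0:
      rcelog('info', "_get_email(): Found email {0} in gecos field.".format(_email_from_gecos))
      return _email_from_gecos

    # Print INFO: Unable to find email

    rcelog('critical', "_get_email(): Unable to find email in gecos field. Using mail field.")

    # The original called ``itertools.chain_from_iterable``, which does not
    # exist, so this fallback always raised AttributeError.
    _email_from_mail = _addresses(_entry.get('mail') or [])

    if len(_email_from_mail) > 0:
      rcelog('info', "_get_email(): Found email in mail field: {0}".format(_email_from_mail))
      return _email_from_mail

    # Print unable to find any email at all
    rcelog('critical', "_get_email(): Unable to find email in either gecos or mail field. Investigate.")
    return None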
Exemplo n.º 12
 def test_connect(self):
     """Every configured host must accept a connection."""
     for entry in self.hosts:
         host, port, method, cert = entry
         try:
             opened = simpleldap.Connection(hostname=host, port=port,
                                            encryption=method,
                                            require_cert=cert)
         except Exception as err:
             # Report which host/port/encryption/cert combination failed.
             details = (host, port, method, cert, err)
             self.fail("Got error connecting to %s %s %s %s: %s" % details)
         else:
             opened.close()
Exemplo n.º 13
    def test_get(self):
        """``get`` returns one item and raises on zero or several matches."""
        groups_dn = 'ou=Groups,dc=ucdavis,dc=edu'
        conn = simpleldap.Connection('ldap.ucdavis.edu')

        found = conn.get('cn=External Anonymous', base_dn=groups_dn)
        self.assertTrue(isinstance(found, conn.result_item_class))
        self.assertEqual(found['cn'], ['External Anonymous'])

        # Each filter is paired with the exception ``get`` must raise for it.
        failing_cases = (
            (simpleldap.ObjectNotFound, 'cn=Does not exist'),
            (simpleldap.MultipleObjectsFound, 'cn=*'),
        )
        for expected_error, ldap_filter in failing_cases:
            self.assertRaises(expected_error, conn.get, ldap_filter,
                              base_dn=groups_dn)
Exemplo n.º 14
 def test_search_params(self):
     """``limit`` and ``attrs`` are honoured by ``search``."""
     groups_dn = 'ou=Groups,dc=ucdavis,dc=edu'
     conn = simpleldap.Connection('ldap.ucdavis.edu')

     # A wildcard search capped at one result must overflow the limit.
     self.assertRaises(ldap.SIZELIMIT_EXCEEDED, conn.search, 'cn=*',
                       base_dn=groups_dn, limit=1)

     query = dict(filter='cn=External Anonymous', base_dn=groups_dn)
     # Should return all attrs.
     full_entry = conn.search(**query)[0]
     self.assertTrue(len(full_entry) > 2)
     # Should return just cn attr.
     cn_only = conn.search(attrs=['cn'], **query)[0]
     self.assertEqual(len(cn_only), 1)
     self.assertTrue('cn' in cn_only)
Exemplo n.º 15
Arquivo: ldap.py Projeto: acumenix/gru
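 def authenticate(self, username, password):
     """Authenticate ``username`` with ``password`` against LDAP.

     The user's entry is located with the configured bind account, then a
     second connection binds as that entry's DN to check the password.

     Returns a ``User`` built from the entry on success, ``None`` otherwise.
     """
     # An empty password turns the second bind into an unauthenticated bind,
     # which a directory may report as success; it must never count as a
     # login, so it is refused before any connection is made.
     if not username or not password:
         return None

     def _escape_filter(value):
         # RFC 4515 escaping so the value is matched literally and cannot
         # change the shape of the search filter.  The backslash is replaced
         # first so the escapes added afterwards are not escaped again.
         text = ('%s' % (value,)).replace('\\', '\\5c')
         for char, escaped in (('*', '\\2a'), ('(', '\\28'),
                               (')', '\\29'), ('\x00', '\\00')):
             text = text.replace(char, escaped)
         return text

     server = settings.get('authentication.config.server')
     port = settings.get('authentication.config.port')
     bind_user = settings.get('authentication.config.bind_user')
     bind_password = settings.get('authentication.config.bind_password')
     query = Template(settings.get('authentication.config.user_query'))
     with simpleldap.Connection(server, port, bind_user,
                                bind_password) as conn:
         try:
             user = conn.get(
                 query.substitute(username=_escape_filter(username)))
         except (simpleldap.ObjectNotFound,
                 simpleldap.MultipleObjectsFound):
             # No entry, or an ambiguous match: neither identifies one user.
             return None
     with simpleldap.Connection(server, port) as conn:
         if conn.authenticate(user.dn, password):
             return User(username=username,
                         name=user.first('cn'),
                         groups=[
                             self._split_ldap_spec(x)['CN']
                             for x in user.get('memberof', [])
                         ])
     return None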
Exemplo n.º 16
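def ldap_fetch(uid=None, name=None, passwd=None):
    """Fetch a user's directory record, optionally checking a password.

    With ``name`` and ``passwd``: the user is looked up with the service
    account and a second connection then binds as the user's own DN with
    ``passwd``; ``None`` is returned if that bind fails.  Otherwise the user
    is looked up by ``uidNumber`` and no password is checked.

    Returns a dict with ``name``, ``uid``, ``id``, ``gid`` and ``mail`` keys,
    or ``None`` when nothing is found or the password is rejected.
    """
    def _escape_filter(value):
        # RFC 4515 escaping so the value is matched literally and cannot
        # change the shape of the search filter.  The backslash is replaced
        # first so the escapes added afterwards are not escaped again.
        text = ('%s' % (value,)).replace('\\', '\\5c')
        for char, escaped in (('*', '\\2a'), ('(', '\\28'),
                              (')', '\\29'), ('\x00', '\\00')):
            text = text.replace(char, escaped)
        return text

    result = None
    if name is not None and passwd is not None:
        # An empty password would make the user bind below an
        # unauthenticated bind, which a server may accept; treat it as a
        # failed login before touching the directory.
        if not passwd:
            return None

        # NOTE(review): require_cert=False switches off certificate checking,
        # so neither SSL session below authenticates the server and both the
        # service password and the user's password are exposed to anyone able
        # to intercept the connection.  Enable verification once the server
        # certificate is trusted by this host.

        # weird hack to auth with WPI CCC
        conn = simpleldap.Connection(config.LDAP_SERVER,
                                     port=config.LDAP_PORT,
                                     require_cert=False,
                                     dn=config.BIND_DN,
                                     password=config.LDAP_PASSWORD,
                                     encryption='ssl')
        user_filter = 'uid={0}'.format(_escape_filter(name))
        res = conn.search(user_filter, base_dn=config.BASE_DN)
        if not res:
            # Unknown user: previously an IndexError escaped from here.
            return None
        dn = config.BIND_DN_FORMAT.format(res[0]['wpieduPersonUUID'][0])
        try:
            # Opening this connection is the password check: it only
            # succeeds if the directory accepts passwd for the user's DN.
            simpleldap.Connection(config.LDAP_SERVER,
                                  port=config.LDAP_PORT,
                                  require_cert=False,
                                  dn=dn,
                                  password=passwd,
                                  encryption='ssl')
            result = conn.search(user_filter, base_dn=config.BASE_DN)
        except Exception:
            return None
    else:
        conn = simpleldap.Connection(config.LDAP_SERVER)
        result = conn.search('uidNumber={0}'.format(_escape_filter(uid)),
                             base_dn=config.BASE_DN)

    if result:
        return {
            'name': result[0]['gecos'][0].split(' ')[0],
            'uid': result[0]['uid'][0],
            'id': unicode(result[0]['uidNumber'][0]),
            'gid': int(result[0]['gidNumber'][0]),
            'mail': result[0]['mail'][0]
        }
    else:
        return None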
Exemplo n.º 17
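    def authenticate(self, username=None, password=None):
        """Authenticate a user by binding to LDAP with their own credentials.

        After a successful bind the user's entry is fetched with the service
        account (``settings.LDAP_DN``) and turned into a user object by
        ``self._user_from_ldap``.

        Returns that user object, or ``None`` when the credentials are
        missing, the bind is rejected, or no entry is found.

        NOTE(review): a rejected bind marks the account inactive through
        ``_set_active(username, False)``, and the plaintext password is handed
        to ``_user_from_ldap`` -- confirm both are intended and that the
        password is not stored.
        """
        # An empty password turns the bind into an unauthenticated bind,
        # which a directory may report as success; it must never count as a
        # login, so it is refused before any connection is made.
        if not username or not password:
            return None

        def _escape_filter(value):
            # RFC 4515 escaping so the value is matched literally and cannot
            # change the shape of the search filter.  The backslash is
            # replaced first so the escapes added afterwards are not escaped
            # again.
            text = ('%s' % (value,)).replace('\\', '\\5c')
            for char, escaped in (('*', '\\2a'), ('(', '\\28'),
                                  (')', '\\29'), ('\x00', '\\00')):
                text = text.replace(char, escaped)
            return text

        # NOTE(review): username is placed in the bind DN unescaped; validate
        # it against the site's username format or escape it (python-ldap
        # provides ldap.dn.escape_dn_chars).
        with simpleldap.Connection(settings.LDAP_HOST) as conn:
            login_valid = conn.authenticate(
                dn="%s,%s" %
                (settings.LDAP_UID.format(user=username), settings.LDAP_BN),
                password=password)
        if login_valid is False:
            self._set_active(username, False)
            return None

        with simpleldap.Connection(settings.LDAP_HOST,
                                   dn=settings.LDAP_DN,
                                   password=settings.LDAP_PASSWORD) as conn:
            try:
                rets = conn.search(
                    "(%s)" %
                    (settings.LDAP_UID.format(user=_escape_filter(username)), ),
                    base_dn=settings.LDAP_BN)
            except simpleldap.ObjectNotFound:
                rets = []
            if not rets:
                # An empty result used to reach ``rets[0]`` and raise
                # IndexError; handle it like a missing entry.
                self._set_active(username, False)
                return None
            self._set_active(username, True)
            ldap_user = rets[0]
        user = self._user_from_ldap(ldap_user, password)
        return user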
Exemplo n.º 18
 def test_search_defaults(self):
     """Search defaults can be set, cleared one by one, and cleared entirely."""
     ldap_conn = simpleldap.Connection('ldap.ucdavis.edu',
                                       search_defaults={'limit': 1})
     ldap_conn.set_search_defaults(base_dn='ou=Groups,dc=ucdavis,dc=edu')
     # With the limit of 1 still in force a wildcard search must overflow.
     self.assertRaises(ldap.SIZELIMIT_EXCEEDED, ldap_conn.search, 'cn=*')

     query = dict(filter='cn=External Anonymous')
     ldap_conn.clear_search_defaults(['limit'])
     # Should return all attrs.
     all_attrs = ldap_conn.search(**query)[0]
     self.assertTrue(len(all_attrs) > 2)

     # Should return just cn attr.
     ldap_conn.set_search_defaults(attrs=['cn'])
     cn_only = ldap_conn.search(**query)[0]
     self.assertEqual(len(cn_only), 1)
     self.assertTrue('cn' in cn_only)

     # Clearing without arguments must leave no defaults behind.
     ldap_conn.clear_search_defaults()
     self.assertEqual(ldap_conn._search_defaults, {})
Exemplo n.º 19
Arquivo: ldap.py Projeto: nvgsg/mozart
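def ldap_user_verified(username, password):
    """Verify user via ldap.

    Binds as ``uid=<username>,<LDAP_BASEDN>`` with the supplied password over
    an SSL connection.  Returns ``None`` when the password is empty or when
    the connection or bind raises.

    NOTE(review): the listing stops after the bind.  As shown, the function
    also returns ``None`` implicitly after a successful bind, ``groups`` is
    read but not used, and the connection is never closed.
    """

    # An empty password turns a simple bind into an unauthenticated bind,
    # which a directory server may report as success without checking who the
    # DN belongs to.  Refuse it so it can never count as a verified login.
    if not password:
        app.logger.info(
            "Rejected LDAP login for %s: empty password." % username)
        return None

    host = app.config['LDAP_HOST']
    base_dn = app.config['LDAP_BASEDN']
    groups = app.config['LDAP_GROUPS']

    # NOTE(review): username is interpolated into the bind DN unescaped;
    # validate it against the site's username format or escape it
    # (python-ldap provides ldap.dn.escape_dn_chars).
    try:
        l = simpleldap.Connection(host,
                                  dn='uid=%s,%s' % (username, base_dn),
                                  encryption='ssl',
                                  password=password)
    except Exception as e:
        app.logger.info("Got error trying to verify LDAP user %s:" % username)
        app.logger.info("%s:\n\n%s" % (str(e), traceback.format_exc()))
        return None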
Exemplo n.º 20
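def auth_function(request, session, root_object_class, storage_controller):
    """Authenticate ``request`` against LDAP and build the root auth object.

    Unless the ``NO_AUTHENTICATION`` environment variable is present, the
    request's username is inserted into ``LDAP_BASE_DN_TEMPLATE`` and bound
    with ``request.token`` as the password on the server named by
    ``LDAP_ADDRESS``.

    Returns a ``root_object_class`` instance populated from the request and
    the session, or ``None`` if the credentials are missing or rejected.
    ``storage_controller`` is not used.
    """
    auth = root_object_class()

    # NOTE(review): the mere presence of NO_AUTHENTICATION, whatever its
    # value, skips every credential check.  Make sure it cannot be set in a
    # production environment.
    if 'NO_AUTHENTICATION' not in os.environ:

        # An empty token turns the bind into an unauthenticated bind, which a
        # directory may report as success; refuse missing credentials before
        # contacting the server.
        if not request.username or not request.token:
            return None

        # NOTE(review): the username is substituted into the DN unescaped;
        # validate it against the site's username format or escape it
        # (python-ldap provides ldap.dn.escape_dn_chars).
        base_dn = os.environ[
            'LDAP_BASE_DN_TEMPLATE'] % request.username  # 'uid=%s,cn=users,cn=accounts,dc=us,dc=alcatel-lucent,dc=com' % request.username

        # The context manager closes the connection once the bind is checked.
        with simpleldap.Connection(
                os.environ['LDAP_ADDRESS']) as ldap_connection:  # 'nuageldap1.us.alcatel-lucent.com'
            if not ldap_connection.authenticate(base_dn, request.token):
                return None

    auth.id = request.username
    auth.api_key = session.uuid
    auth.password = None
    auth.user_name = request.username
    return auth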
Exemplo n.º 21
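    def get_ldap_student(self, obj):
        """Return the LDAP ``uid`` of the student ``obj``.

        The entry is looked up by ``supannetuid`` equal to ``obj.cod_etu``.
        The first uid found is stored on ``self._user_ldap`` and returned
        directly on later calls.

        :returns: the uid as ``str``, or ``None`` if no entry matches

        NOTE(review): the cached value lives on ``self`` and is not keyed by
        ``obj``; if one instance is used for several students, later calls
        return the first student's uid -- confirm against the caller.
        """
        cached = getattr(self, '_user_ldap', None)
        if cached:
            return cached

        search = {
            'base_dn': 'dc=univ-paris8,dc=fr',
            'list': 'sn,uid,givenName,supannEtuId'
        }
        # NOTE(review): this binds as the directory admin with a password
        # written into the source (masked in this listing) and passes no
        # ``encryption`` argument.  Move the secret to configuration or a
        # secret store, prefer a read-only account for a lookup like this,
        # and confirm the bind does not travel over plain LDAP.
        with simpleldap.Connection('ldap.etud.univ-paris8.fr',
                                   dn='cn=admin,dc=univ-paris8,dc=fr',
                                   search_defaults=search,
                                   password='******') as conn:
            try:
                results = conn.get('supannetuid={}'.format(obj.cod_etu))
            except simpleldap.ObjectNotFound:
                return None

        self._user_ldap = str(results['uid'][0])
        return self._user_ldap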
Exemplo n.º 22
 def test_success(self):
     """Binding as the anonymous group DN with an empty password succeeds.

     An empty password makes this an unauthenticated bind, so a ``True``
     result here is not proof of identity; application code has to reject
     empty passwords itself before calling ``authenticate``.
     """
     anonymous_dn = 'cn=External Anonymous,ou=Groups,dc=ucdavis,dc=edu'
     conn = simpleldap.Connection('ldap.ucdavis.edu')
     accepted = conn.authenticate(anonymous_dn, '')
     self.assertTrue(accepted)
Exemplo n.º 23
 def test_search(self):
     """A wildcard search returns several items of the connection's item class."""
     conn = simpleldap.Connection('ldap.ucdavis.edu')
     matches = conn.search('cn=*', base_dn='ou=Groups,dc=ucdavis,dc=edu')
     self.assertTrue(len(matches) > 3)
     item_class = conn.result_item_class
     for entry in matches:
         self.assertTrue(isinstance(entry, item_class))
Exemplo n.º 24
 def test_fail_unwilling_to_perform(self):
     """An empty-password bind on this server is expected to yield ``False``."""
     conn = simpleldap.Connection('ldap.utexas.edu')
     accepted = conn.authenticate('cn=Anonymous', '')
     self.assertFalse(accepted)
Exemplo n.º 25
 def create(cls):
     """Build an instance of ``cls`` with an LDAP connection stored on ``conn``."""
     wrapper = cls()
     # NOTE(review): the connection to CONNECTION_DOMAIN is opened and then
     # immediately replaced by one to a hard-coded host, so the first is
     # never used or closed -- confirm which server is intended.
     wrapper.conn = simpleldap.Connection(LDAPWrapper.CONNECTION_DOMAIN)
     wrapper.conn = simpleldap.Connection('ldap.uniandes.edu.co')
     return wrapper
Exemplo n.º 26
 def test_fail_no_such_object(self):
     """Binding as a DN that is expected not to exist yields ``False``."""
     conn = simpleldap.Connection('ldap.ucdavis.edu')
     accepted = conn.authenticate('uid=foobar', 'baz')
     self.assertFalse(accepted)
Exemplo n.º 27
 def test_compare(self):
     """``compare`` is true for the stored ``cn`` value and false for another."""
     conn = simpleldap.Connection('ldap.ucdavis.edu')
     group = conn.get('cn=External Anonymous',
                      base_dn='ou=Groups,dc=ucdavis,dc=edu')
     # Each candidate value is paired with the assertion it must satisfy.
     expectations = (('External Anonymous', self.assertTrue),
                     ('foo', self.assertFalse))
     for candidate, check in expectations:
         check(conn.compare(group.dn, 'cn', candidate))
Exemplo n.º 28
 def test_fail_invalid_credentials(self):
     """A bind with credentials expected to be wrong yields ``False``."""
     conn = simpleldap.Connection('ldap.utexas.edu')
     accepted = conn.authenticate('uid=foobar', 'baz')
     self.assertFalse(accepted)