def authenticate(self, environ, identity): "Authenticate identity" try: if check_failed_logins(environ): raise TypeError login = identity['login'] username, domain = login.split('@') ldapsettings = self.dbsession.query(self.ldapsettingsmodel, self.authsettingsmodel.address, self.authsettingsmodel.port, self.authsettingsmodel.split_address, self.domainmodel.name)\ .join(self.authsettingsmodel)\ .join(self.domainmodel)\ .filter(self.authsettingsmodel.enabled == True)\ .filter(self.domainmodel.status == True)\ .filter(or_(self.domainmodel.name == domain, func._(and_(\ self.domainmodel.id == self.alias.domain_id, self.alias.name == domain, self.alias.status == True) ) )).all() (settings, address, port, split_address, domain_name) = ldapsettings[0] ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 5) ldap_uri = make_ldap_uri(address, port) ldap_connection = make_ldap_connection(ldap_uri) kwargs = dict(naming_attribute=settings.nameattribute, returned_id=self.returned_id, bind_dn=settings.binddn, bind_pass=settings.bindpw, start_tls=settings.usetls) if domain != domain_name: # override alias domain domain = domain_name if settings.usesearch: ldap_module = 'LDAPSearchAuthenticatorPlugin' # build_search_filters(kwargs, settings.search_scope, # settings.searchfilter, domain, # login, username) kwargs['search_scope'] = settings.search_scope if settings.searchfilter != '': params = [] domaindn = ','.join(['dc=' + part for part in domain.split('.')]) mapping = { '%n':login, '%u':username, '%d':domain, '%D': domaindn } searchfilter = escape_filter_chars(settings.searchfilter) for key in ['%n', '%u', '%d', '%D']: for _ in xrange(searchfilter.count(key)): searchfilter = searchfilter.replace(key, '%s', 1) params.append(mapping[key]) searchfilter = filter_format(searchfilter, params) kwargs['filterstr'] = searchfilter else: ldap_module = 'LDAPAuthenticatorPlugin' if split_address: identity['login'] = username else: # use main domain name not alias reset above identity['login'] = "******" % (username, domain) auth = resolveDotted('repoze.who.plugins.ldap:%s' % ldap_module) ldap_auth = auth(ldap_connection, settings.basedn, **kwargs) userid = ldap_auth.authenticate(environ, identity) fulladdr = "%s@%s" % (username, domain) return userid if userid is None or '@' in userid else fulladdr except (KeyError, TypeError, ValueError, AttributeError, NoResultFound, IndexError, ldap.LDAPError): return None
def authenticate(self, environ, identity): """authenticator""" try: if check_failed_logins(environ): return None login = identity['login'].decode('utf-8') password = identity['password'].decode('utf-8') username = login domain = None is_alias = False if '@' not in login: return None username, domain = login.split('@') try: dma = self.dbsession.query(self.dommodel.name)\ .join(self.dam)\ .filter(self.dam.name == domain).one() domain = dma.name is_alias = True except NoResultFound: pass radiussettings = self.dbsession.query(self.rsm, self.asm.address, self.asm.port, self.asm.split_address, self.asm.user_map_template)\ .join(self.asm)\ .join(self.dommodel)\ .filter(self.asm.enabled == True)\ .filter(self.dommodel.status == True)\ .filter(self.dommodel.name == domain)\ .one() settings, address, port, split_address, template = radiussettings if not port: port = 1812 radclient = Client(server=address, authport=port, secret=settings.secret.encode('utf-8'), dict=Dictionary(StringIO(DICTIONARY))) if settings.timeout: radclient.timeout = settings.timeout if split_address: login = username if is_alias: identity['login'] = "******" % (username, domain) if not split_address: login = "******" % (username, domain) if (template and (USER_TEMPLATE_MAP_RE.search(template) or DOM_TEMPLATE_MAP_RE.search(template))): # domain has user template login = USER_TEMPLATE_MAP_RE.sub(username, template) login = DOM_TEMPLATE_MAP_RE.sub(domain, login) request = radclient.CreateAuthPacket(code=packet.AccessRequest, User_Name=login) request["User-Password"] = request.PwCrypt(password) reply = radclient.SendPacket(request) if reply.code == packet.AccessAccept: identity['login'] = identity['login'].lower() return identity['login'] except (KeyError, IndexError, NoResultFound, Timeout): return None return None
def authenticate(self, environ, identity): """authenticator""" try: if check_failed_logins(environ): return None login = identity['login'] password = identity['password'] username = login domain = None if '@' not in login: return None username, domain = login.split('@') and_clause = and_(self.domainmodel.id == self.aliasmodel.domain_id, self.aliasmodel.name == domain, self.aliasmodel.status == True) smtpsettings = self.dbsession.query(self.authsettingsmodel.port, self.authsettingsmodel.address, self.authsettingsmodel.split_address, self.authsettingsmodel.user_map_template, self.domainmodel.name)\ .join(self.domainmodel)\ .filter(self.authsettingsmodel.protocol == 3)\ .filter(self.authsettingsmodel.enabled == True)\ .filter(self.domainmodel.status == True)\ .filter(or_(self.domainmodel.name == domain, func._(and_clause)))\ .all() port, address, split_address, template, \ domain_name = smtpsettings[0] if split_address: login = username if domain != domain_name: identity['login'] = "******" % (username, domain_name) if not split_address: login = "******" % (username, domain_name) if (template and (USER_TEMPLATE_MAP_RE.search(template) or DOM_TEMPLATE_MAP_RE.search(template))): # domain has user template login = USER_TEMPLATE_MAP_RE.sub(username, template) login = DOM_TEMPLATE_MAP_RE.sub(domain, login) if port == 465: conn = smtplib.SMTP_SSL(address, timeout=5) elif port == 25 or port is None: conn = smtplib.SMTP(address, timeout=5) else: conn = smtplib.SMTP(address, port, timeout=5) conn.ehlo() if conn.has_extn('STARTTLS') and port != 465: conn.starttls() conn.ehlo() conn.login(login, password) return identity['login'] except (KeyError, IndexError, NoResultFound, smtplib.SMTPException, socket.error, SSLError): return None finally: if 'conn' in locals(): try: conn.quit() except smtplib.SMTPServerDisconnected: pass return None
def authenticate(self, environ, identity): """authenticator""" try: if check_failed_logins(environ): return None login = identity['login'] password = identity['password'] username = login domain = None if '@' not in login: return None username, domain = login.split('@') and_clause = and_(self.dommodel.id == self.aliasmodel.domain_id, self.aliasmodel.name == domain, self.aliasmodel.status == True) query = self.dbsession.query(self.authsettingsmodel.port, self.authsettingsmodel.address, self.authsettingsmodel.split_address, self.authsettingsmodel.user_map_template, self.dommodel.name)\ .join(self.dommodel)\ .filter(self.authsettingsmodel.protocol == 2)\ .filter(self.authsettingsmodel.enabled == True)\ .filter(self.dommodel.status == True)\ .filter(or_(self.dommodel.name == domain, func._(and_clause)))\ .all() port, address, split_address, template, domain_name = query[0] if split_address: login = username if domain != domain_name: identity['login'] = "******" % (username, domain_name) if not split_address: login = "******" % (username, domain_name) if (template and (USER_TEMPLATE_MAP_RE.search(template) or DOM_TEMPLATE_MAP_RE.search(template))): # domain has user template login = USER_TEMPLATE_MAP_RE.sub(username, template) login = DOM_TEMPLATE_MAP_RE.sub(domain, login) if port == 993: conn = imaplib.IMAP4_SSL(address) elif port == 143 or port is None: conn = imaplib.IMAP4(address) else: conn = imaplib.IMAP4(address, port) conn.login(login, password) return identity['login'] except (KeyError, IndexError, NoResultFound, imaplib.IMAP4.error, socket.error, SSLError): return None finally: if 'conn' in locals(): conn.logout() return None
def authenticate(self, environ, identity): """authenticator""" try: if check_failed_logins(environ): return None login = identity['login'] password = identity['password'] username = login domain = None if '@' not in login: return None username, domain = login.split('@') and_clause = and_(self.domainmodel.id == self.aliasmodel.domain_id, self.aliasmodel.name == domain, self.aliasmodel.status == True) popsettings = self.dbsession.query(self.authsettingsmodel.port, self.authsettingsmodel.address, self.authsettingsmodel.split_address, self.authsettingsmodel.user_map_template, self.domainmodel.name)\ .join(self.domainmodel)\ .filter(self.authsettingsmodel.protocol == 1)\ .filter(self.authsettingsmodel.enabled == True)\ .filter(self.domainmodel.status == True)\ .filter(or_(self.domainmodel.name == domain, func._(and_clause)))\ .all() port, address, split_address, template, domain_name = popsettings[0] if split_address: login = username if domain != domain_name: identity['login'] = "******" % (username, domain_name) if not split_address: login = "******" % (username, domain_name) if (template and (USER_TEMPLATE_MAP_RE.search(template) or DOM_TEMPLATE_MAP_RE.search(template))): # domain has user template login = USER_TEMPLATE_MAP_RE.sub(username, template) login = DOM_TEMPLATE_MAP_RE.sub(domain, login) if port == 995: conn = poplib.POP3_SSL(address) elif port == 110 or port is None: conn = poplib.POP3(address) else: conn = poplib.POP3(address, port) if APOP_RE.match(conn.getwelcome()): conn.apop(login, password) else: conn.user(login) conn.pass_(password) return identity['login'] except (KeyError, IndexError, NoResultFound, poplib.error_proto, socket.error, SSLError): return None finally: if 'conn' in locals(): conn.quit() return None
def authenticate(self, environ, identity): """authenticator""" try: if check_failed_logins(environ): return None login = identity['login'].encode('utf-8') password = identity['password'].encode('utf-8') username = login domain = None is_alias = False if '@' not in login: return None username, domain = login.split('@') try: dma = self.dbsession.query(self.dommodel.name)\ .join(self.dam)\ .filter(self.dam.name == domain).one() domain = dma.name is_alias = True except NoResultFound: pass smtpsettings = self.dbsession.query(self.asm.port, self.asm.address, self.asm.split_address, self.asm.user_map_template)\ .join(self.dommodel)\ .filter(self.asm.protocol == 3)\ .filter(self.asm.enabled == True)\ .filter(self.dommodel.status == True)\ .filter(self.dommodel.name == domain).one() port, address, split_address, template = smtpsettings if split_address: login = username if is_alias: identity['login'] = u"%s@%s" % (username, domain) if not split_address: login = u"%s@%s" % (username, domain) if (template and (USER_TEMPLATE_MAP_RE.search(template) or DOM_TEMPLATE_MAP_RE.search(template))): # domain has user template login = USER_TEMPLATE_MAP_RE.sub(username, template) login = DOM_TEMPLATE_MAP_RE.sub(domain, login) if port == 465: conn = smtplib.SMTP_SSL(address, timeout=5) elif port == 25 or port is None: conn = smtplib.SMTP(address, timeout=5) else: conn = smtplib.SMTP(address, port, timeout=5) conn.ehlo() if conn.has_extn('STARTTLS') and port != 465: conn.starttls() conn.ehlo() conn.login(login, password) identity['login'] = identity['login'].lower() return identity['login'] except (KeyError, IndexError, NoResultFound, smtplib.SMTPException, socket.error, SSLError): return None finally: if 'conn' in locals(): try: conn.quit() except smtplib.SMTPServerDisconnected: pass return None
def authenticate(self, environ, identity): """authenticator""" try: if check_failed_logins(environ): return None login = identity['login'] password = identity['password'] username = login is_alias = False domain = None if '@' not in login: return None username, domain = login.split('@') try: dma = self.dbsession.query(self.dommodel.name)\ .join(self.dam)\ .filter(self.dam.name == domain).one() domain = dma.name is_alias = True except NoResultFound: pass popsettings = self.dbsession.query(self.asm.port, self.asm.address, self.asm.split_address, self.asm.user_map_template)\ .join(self.dommodel)\ .filter(self.asm.protocol == 1)\ .filter(self.asm.enabled == True)\ .filter(self.dommodel.status == True)\ .filter(self.dommodel.name == domain)\ .one() port, address, split_address, template = popsettings if split_address: login = username if is_alias: identity['login'] = "******" % (username, domain) if not split_address: login = "******" % (username, domain) if (template and (USER_TEMPLATE_MAP_RE.search(template) or DOM_TEMPLATE_MAP_RE.search(template))): # domain has user template login = USER_TEMPLATE_MAP_RE.sub(username, template) login = DOM_TEMPLATE_MAP_RE.sub(domain, login) if port == 995: conn = poplib.POP3_SSL(address) elif port == 110 or port is None: conn = poplib.POP3(address) else: conn = poplib.POP3(address, port) if APOP_RE.match(conn.getwelcome()): conn.apop(login, password) else: conn.user(login) conn.pass_(password) identity['login'] = identity['login'].lower() return identity['login'] except (KeyError, IndexError, NoResultFound, poplib.error_proto, socket.error, SSLError): return None finally: if 'conn' in locals(): conn.quit() return None
def authenticate(self, environ, identity): """authenticator""" try: if check_failed_logins(environ): return None login = identity['login'].decode('utf-8') password = identity['password'].decode('utf-8') username = login domain = None if '@' not in login: return None username, domain = login.split('@') and_clause = and_(self.domainmodel.id == self.aliasmodel.domain_id, self.aliasmodel.name == domain, self.aliasmodel.status == True) radiussettings = self.dbsession.query(self.radsettingsmodel, self.authsettingsmodel.address, self.authsettingsmodel.port, self.authsettingsmodel.split_address, self.authsettingsmodel.user_map_template, self.domainmodel.name)\ .join(self.authsettingsmodel)\ .join(self.domainmodel)\ .filter(self.authsettingsmodel.enabled == True)\ .filter(self.domainmodel.status == True)\ .filter(or_(self.domainmodel.name == domain, func._(and_clause)))\ .all() settings, address, port, split_address, template, \ domain_name = radiussettings[0] if not port: port = 1812 radclient = Client(server=address, authport=port, secret=settings.secret.encode('utf-8'), dict=Dictionary(StringIO(DICTIONARY))) if settings.timeout: radclient.timeout = settings.timeout if split_address: login = username if domain != domain_name: identity['login'] = "******" % (username, domain_name) if not split_address: login = "******" % (username, domain_name) if (template and (USER_TEMPLATE_MAP_RE.search(template) or DOM_TEMPLATE_MAP_RE.search(template))): # domain has user template login = USER_TEMPLATE_MAP_RE.sub(username, template) login = DOM_TEMPLATE_MAP_RE.sub(domain, login) request = radclient.CreateAuthPacket(code=packet.AccessRequest, User_Name=login) request["User-Password"] = request.PwCrypt(password) reply = radclient.SendPacket(request) if reply.code == packet.AccessAccept: return identity['login'] except (KeyError, IndexError, NoResultFound, Timeout): return None return None
def authenticate(self, environ, identity): "Authenticate identity" try: if check_failed_logins(environ): raise TypeError login = identity['login'] username, domain = login.split('@') ldapsettings = self.dbsession.query(self.ldapsettingsmodel, self.authsettingsmodel.address, self.authsettingsmodel.port, self.authsettingsmodel.split_address, self.domainmodel.name)\ .join(self.authsettingsmodel)\ .join(self.domainmodel)\ .filter(self.authsettingsmodel.enabled == True)\ .filter(self.domainmodel.status == True)\ .filter(or_(self.domainmodel.name == domain, func._(and_(\ self.domainmodel.id == self.alias.domain_id, self.alias.name == domain, self.alias.status == True) ) )).all() (settings, address, port, split_address, domain_name) = ldapsettings[0] ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 5) ldap_uri = make_ldap_uri(address, port) ldap_connection = make_ldap_connection(ldap_uri) kwargs = dict(naming_attribute=settings.nameattribute, returned_id=self.returned_id, bind_dn=settings.binddn, bind_pass=settings.bindpw, start_tls=settings.usetls) if domain != domain_name: # override alias domain domain = domain_name if settings.usesearch: ldap_module = 'LDAPSearchAuthenticatorPlugin' # build_search_filters(kwargs, settings.search_scope, # settings.searchfilter, domain, # login, username) kwargs['search_scope'] = settings.search_scope if settings.searchfilter != '': params = [] domaindn = ','.join( ['dc=' + part for part in domain.split('.')]) mapping = { '%n': login, '%u': username, '%d': domain, '%D': domaindn } searchfilter = escape_filter_chars(settings.searchfilter) for key in ['%n', '%u', '%d', '%D']: for _ in xrange(searchfilter.count(key)): searchfilter = searchfilter.replace(key, '%s', 1) params.append(mapping[key]) searchfilter = filter_format(searchfilter, params) kwargs['filterstr'] = searchfilter else: ldap_module = 'LDAPAuthenticatorPlugin' if split_address: identity['login'] = username else: # use main domain name not alias reset above identity['login'] = "******" % (username, domain) auth = resolveDotted('repoze.who.plugins.ldap:%s' % ldap_module) ldap_auth = auth(ldap_connection, settings.basedn, **kwargs) userid = ldap_auth.authenticate(environ, identity) fulladdr = "%s@%s" % (username, domain) return userid if userid is None or '@' in userid else fulladdr except (KeyError, TypeError, ValueError, AttributeError, NoResultFound, IndexError, ldap.LDAPError): return None