def ldap_fetch(uid=None, name=None, passwd=BIND_PASSWORD):
    """Look up one LDAP entry and return its cn/uid/mail as a dict.

    :param uid: uid searched for on the ``else`` path.
    :param name: uid searched for when both ``name`` and ``passwd`` are set.
    :param passwd: defaults to the *service* bind password, so the first
        branch is taken whenever ``name`` is given, even when the caller
        never supplied a user password.
    :returns: ``{'name', 'id', 'mail'}`` taken from the first search hit,
        or ``None`` when any exception is raised (including an empty
        result, which fails at ``r[0]``).
    """
    # NOTE(review): ``name`` and ``uid`` are interpolated unescaped into a
    # search filter and (below) into a DN. A value carrying LDAP
    # metacharacters (``* ( ) \`` or ``, = +``) changes the query instead
    # of matching a literal uid; escape or reject such values first.
    try:
        if name is not None and passwd is not None:
            # Service-account bind only: ``passwd`` is never sent to the
            # server on this path, so the caller's credential is not
            # verified here.
            l = simpleldap.Connection(LDAP_SERVER, port=LDAP_PORT, dn=BIND_DN, password=BIND_PASSWORD)
            r = l.search('uid={0}'.format(name), base_dn=BASE_DN)
        else:
            conn = simpleldap.Connection(hostname=LDAP_SERVER, port=LDAP_PORT, dn=BIND_DN, password=BIND_PASSWORD)
            # NOTE(review): the bind uses the literal string 'password',
            # not ``passwd``, and ``is_valid`` is never read, so the search
            # below runs whether or not the bind succeeded. If this path is
            # meant to verify a user, check the result and bind with the
            # real password.
            is_valid = conn.authenticate('uid={0},{1}'.format(uid, BASE_DN), 'password')
            r = conn.search('uid={0}'.format(uid), BASE_DN)
        return {
            'name': unicode(r[0]['cn'][0]),
            'id': unicode(r[0]['uid'][0]),
            'mail': unicode(r[0]['mail'][0])
        }
    except Exception as e:
        # Every failure is printed (Python 2 print statement) and swallowed.
        print e
        return None
def test_initialize_kwargs(self):
    """Trace output is produced only when ``trace_level`` is above 0."""
    from StringIO import StringIO
    captured = StringIO()
    for level, expect_output in ((0, False), (1, True)):
        kwargs = {'trace_file': captured, 'trace_level': level}
        connection = simpleldap.Connection('ldap.utexas.edu', initialize_kwargs=kwargs)
        connection.close()
        if expect_output:
            self.assertTrue(captured.getvalue())
        else:
            self.assertFalse(captured.getvalue())
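def ldap_user_verified(username, password):
    """Verify user via ldap.

    Binds as the user's own DN, checks that exactly one entry matches the
    uid, then requires membership (``uniqueMember``) in at least one of the
    configured groups.

    :param username: uid presented at login. It is interpolated into both
        a DN and a search filter, so values containing LDAP metacharacters
        are refused.
    :param password: password to bind with; an empty value is refused.
    :returns: the user's entry as a ``dict`` on success, otherwise ``None``.
    """
    # An empty password must never reach the bind: a DN bound with an
    # empty password can be accepted as an *unauthenticated* bind
    # (RFC 4513), which would "verify" anyone whose uid is known.
    if not username or not password:
        return None
    # Reject rather than escape: with metacharacters the DN/filter built
    # below would no longer describe this user.
    if any(ch in username for ch in '\\*()\x00,+"<>;='):
        return None
    host = app.config['LDAP_HOST']
    base_dn = app.config['LDAP_BASEDN']
    groups = app.config['LDAP_GROUPS']
    opts = {'OPT_NETWORK_TIMEOUT': 10}
    user_dn = 'uid=%s,%s' % (username, base_dn)
    try:
        conn = simpleldap.Connection(host, dn=user_dn, encryption='ssl', password=password, options=opts)
    except Exception as e:
        app.logger.info("Got error trying to verify LDAP user %s:" % username)
        app.logger.info("%s:\n\n%s" % (str(e), traceback.format_exc()))
        return None
    # validate user
    r = conn.search('uid=%s' % username, base_dn=base_dn)
    if len(r) != 1:
        app.logger.info("Got invalid number of entries for %s: %s" % (username, len(r)))
        app.logger.info("r: %s" % str(r))
        return None
    # validate user is part of a group allowed
    for group in groups:
        for group_entry in conn.search('cn=%s' % group, base_dn=base_dn):
            # A group without uniqueMember simply does not match.
            if user_dn in group_entry.get('uniqueMember', []):
                return dict(r[0])
    app.logger.info("User %s is not part of any approved LDAP groups." % username)
    return None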
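def authenticate(self):
    """Bind to the configured AD server with the service credentials from ``self.conf``.

    :returns: the bound ``simpleldap.Connection``.
    :raises RuntimeError: when the bind is rejected.
    """
    conn = simpleldap.Connection(self.conf.get('ad', 'adserver'))
    # NOTE(review): no encryption argument is given, so whether the service
    # password crosses the network in the clear depends on simpleldap's
    # default — confirm before relying on this outside a lab.
    bound = conn.authenticate(dn=self.conf.get('ad', 'username'),
                              password=self.conf.get('ad', 'password'))
    if not bound:
        # The original ``raise "Auth problem!"`` is a string exception,
        # which Python 2.6+ rejects with TypeError; raise a real one.
        raise RuntimeError("Auth problem!")
    return conn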
def test_context_manager(self):
    """A Connection can be used as a context manager and serve a whoami."""
    host, port, method, cert = self.hosts[0]
    connection_kwargs = dict(hostname=host, port=port, encryption=method, require_cert=cert)
    with simpleldap.Connection(**connection_kwargs) as conn:
        conn.connection.whoami_s()
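def _get_entitlements(self):
    """_get_entitlements() returns the current user's ldap entitlements joined with ','.

    :returns: comma-joined ``eduPersonEntitlement`` values of the current
        user's ldap entry, or ``classad.Value.Undefined`` if the ldap
        lookup fails (server unreachable, no entry, attribute missing)
    :rtype: ``str``
    :rtype: ``classad.Value.Undefined``
    :Example:

    >>> from hmdccondor import HMDCCondor
    >>> HMDCCondor()._get_entitlements()
    """
    # FIXME: Figure out a way to read basedn and uri from openldap
    # configuration, natively.
    # NOTE(review): the original docstring said "space-separated" while the
    # code has always joined with ','; the code's behaviour is kept.
    my_username = pwd.getpwuid(os.getuid())[0]
    try:
        entries = simpleldap.Connection(self.ldap_server, encryption='ssl').search(
            "uid={0}".format(my_username),
            attrs=['eduPersonEntitlement'],
            base_dn=self.ldap_base_dn)
        # Only one attribute is requested, so name it instead of reaching
        # for ``values()[-1]`` (undefined order, and a view on Python 3).
        return ','.join(entries[-1]['eduPersonEntitlement'])
    except Exception:
        # DEBUG HERE: Unable to contact LDAP server (or no usable entry).
        # Narrowed from a bare ``except`` so Ctrl-C / SystemExit propagate.
        rcelog('critical', "_get_entitlements(): Unable to contact ldap server {0}".format(self.ldap_server))
        return classad.Value.Undefined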
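def get_users_info(self, usernames):
    """
    :param usernames: a list of usernames
    :return: a dict containing key/pairs {username: (realname, email)} if the user is available with this auth method, {username: None} else
    """
    retval = {username: None for username in usernames}
    # Connect to the ldap
    try:
        conn = simpleldap.Connection(self._host, port=self._port, encryption=self._encryption,
                                     require_cert=self._require_cert,
                                     search_defaults={"base_dn": self._base_dn})
    except Exception:
        # Directory unreachable: every requested user is reported unavailable.
        return retval
    # Search for users
    for username in usernames:
        if not username.startswith(self._prefix):
            continue
        login = username[len(self._prefix):]
        # ``login`` is substituted into the search-filter template; a value
        # carrying filter metacharacters would widen the match, so skip it.
        if any(ch in login for ch in '\\*()\x00'):
            continue
        try:
            user_data = conn.get(self._request.format(login))
            retval[username] = (user_data["cn"][0], user_data["mail"][0])
        except Exception:
            # No entry, missing attribute or ldap error: leave ``None``.
            pass
    return retval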
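def auth(self, login_data):
    """Authenticate a user against the ldap with the submitted credentials.

    :param login_data: mapping with ``"login"`` and ``"password"`` keys
    :return: ``(username, realname, email)`` on success, ``None`` otherwise
        (empty password, refused login, unknown user, or any ldap error)
    """
    try:
        # Get configuration
        login = login_data["login"]
        password = login_data["password"]
        # do not send empty password to the LDAP: a bind with a DN and an
        # empty password may be accepted as an *unauthenticated* bind
        # (RFC 4513) and look like a success.
        if password.rstrip() == "":
            return None
        # ``login`` is substituted into the search filter; refuse filter
        # metacharacters instead of letting them match another entry.
        if any(ch in login for ch in '\\*()\x00'):
            return None
        # Connect to the ldap
        conn = simpleldap.Connection(self._host, port=self._port, encryption=self._encryption,
                                     require_cert=self._require_cert,
                                     search_defaults={"base_dn": self._base_dn})
        user_data = conn.get(self._request.format(login))
        # Bind as the entry found, with the password the user typed.
        if not conn.authenticate(user_data.dn, password):
            return None
        return (self._prefix + login, user_data["cn"][0], user_data["mail"][0])
    except Exception:
        # Missing key, no/multiple entries, ldap error: treat as a failed login.
        return None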
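def authenticate(self, login, password):
    """Bind as ``uid=<login>, <BASE_DN>`` with ``password`` and report the outcome.

    An empty ``login`` or ``password`` is replaced by the placeholder
    ``"Ninguno"`` so an empty password never reaches the server (a DN
    bound with an empty password can be accepted as an unauthenticated
    bind, RFC 4513).

    :returns: ``True`` when the bind is accepted, ``False`` otherwise.
    """
    user = login or "Ninguno"
    password = password or "Ninguno"
    # ``user`` becomes an RDN value; refuse DN/filter metacharacters rather
    # than let them rewrite the DN being bound.
    if any(ch in user for ch in '\\*()\x00,+"<>;='):
        return False
    self.conn = simpleldap.Connection(LDAPWrapper.CONNECTION_DOMAIN)
    is_valid = self.conn.authenticate('uid=' + user + ', ' + self.BASE_DN, password)
    return is_valid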
def test_connection_options(self):
    """An option passed via ``options`` is readable back through the raw connection."""
    option_name = 'OPT_TIMELIMIT'
    option_value = 1000
    # No way to really test debug output, but thrown in for coverage.
    conn = simpleldap.Connection(hostname='ldap.utexas.edu', options={option_name: option_value}, debug=True)
    actual = conn.connection.get_option(getattr(ldap, option_name))
    self.assertEqual(actual, option_value)
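def _get_email(self):
    """get_email() attempts to find users' email in gecos field or mail ldap field.
    If unable to find in either, returns None.

    :returns: e-mail address or None
    :rtype: ``str``
    :rtype: ``None``
    :Example:

    >>> from hmdccondor import HMDCCondor
    >>> HMDCCondor()._get_email()
    """
    my_username = pwd.getpwuid(os.getuid())[0]
    # Raw string: the original "\." was an invalid escape sequence.
    email_regex = re.compile(r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$")
    try:
        entries = simpleldap.Connection(self.ldap_server, encryption='ssl').search(
            "uid={0}".format(my_username),
            attrs=['gecos', 'mail'],
            base_dn=self.ldap_base_dn)
    except Exception:
        # DEBUG HERE: Unable to contact LDAP server
        rcelog('critical', "_get_email(): Unable to contact ldap server {0}".format(self.ldap_server))
        return None
    if len(entries) != 1:
        # Was an ``assert``, which ``python -O`` strips; report and give up.
        rcelog('critical', "_get_email(): Expected one ldap entry for {0}, got {1}.".format(my_username, len(entries)))
        return None
    entry = entries[0]

    def matching_emails(values):
        # All full-line e-mail matches across ``values``, joined with ','.
        return ','.join(itertools.chain.from_iterable(email_regex.findall(v) for v in values))

    # gecos is a comma-separated field list; any field that is an e-mail wins.
    email_from_gecos = matching_emails((entry.get('gecos') or [''])[0].split(','))
    if email_from_gecos:
        rcelog('info', "_get_email(): Found email {0} in gecos field.".format(email_from_gecos))
        return email_from_gecos
    # Print INFO: Unable to find email
    rcelog('critical', "_get_email(): Unable to find email in gecos field. Using mail field.")
    # The original called ``itertools.chain_from_iterable`` (underscore),
    # which does not exist, so this path always raised AttributeError.
    email_from_mail = matching_emails(entry.get('mail', []))
    if email_from_mail:
        rcelog('info', "_get_email(): Found email in mail field: {0}".format(email_from_mail))
        return email_from_mail
    # Print unable to find any email at all
    rcelog('critical', "_get_email(): Unable to find email in either gecos or mail field. Investigate.")
    return None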
def test_connect(self):
    """Every configured host/port/encryption/cert tuple connects and closes cleanly."""
    for host, port, method, cert in self.hosts:
        params = dict(hostname=host, port=port, encryption=method, require_cert=cert)
        try:
            conn = simpleldap.Connection(**params)
        except Exception as e:
            self.fail("Got error connecting to %s %s %s %s: %s" % (host, port, method, cert, e))
        else:
            conn.close()
def test_get(self):
    """``get`` returns a single result item and raises for zero or several matches."""
    groups_dn = 'ou=Groups,dc=ucdavis,dc=edu'
    conn = simpleldap.Connection('ldap.ucdavis.edu')
    entry = conn.get('cn=External Anonymous', base_dn=groups_dn)
    self.assertTrue(isinstance(entry, conn.result_item_class))
    self.assertEqual(entry['cn'], ['External Anonymous'])
    failing_lookups = (
        (simpleldap.ObjectNotFound, 'cn=Does not exist'),
        (simpleldap.MultipleObjectsFound, 'cn=*'),
    )
    for expected_error, filter_text in failing_lookups:
        self.assertRaises(expected_error, conn.get, filter_text, base_dn=groups_dn)
def test_search_params(self):
    """``limit`` is enforced and ``attrs`` narrows the attributes returned."""
    conn = simpleldap.Connection('ldap.ucdavis.edu')
    groups_dn = 'ou=Groups,dc=ucdavis,dc=edu'
    self.assertRaises(ldap.SIZELIMIT_EXCEEDED, conn.search, 'cn=*', base_dn=groups_dn, limit=1)
    kwargs = dict(filter='cn=External Anonymous', base_dn=groups_dn)
    # Should return all attrs.
    full_entry = conn.search(**kwargs)[0]
    self.assertTrue(len(full_entry) > 2)
    # Should return just cn attr.
    cn_only = conn.search(attrs=['cn'], **kwargs)[0]
    self.assertEqual(len(cn_only), 1)
    self.assertTrue('cn' in cn_only)
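def authenticate(self, username, password):
    """Find the user with the service bind, then verify ``password`` by binding as the user's DN.

    :param username: value substituted into ``authentication.config.user_query``
        (a search filter); values with filter metacharacters are refused.
    :param password: password to bind with; an empty value is refused.
    :returns: a ``User`` (cn and the CN of each ``memberof`` entry) on
        success, otherwise ``None``.
    """
    # Refuse an empty password before any bind: a DN bound with an empty
    # password may be accepted as an *unauthenticated* bind (RFC 4513),
    # which would let anyone log in as any known user.
    if not username or not password:
        return None
    # ``username`` lands in a search filter; reject metacharacters instead
    # of letting them match a different entry.
    if any(ch in username for ch in '\\*()\x00'):
        return None
    server = settings.get('authentication.config.server')
    port = settings.get('authentication.config.port')
    bind_user = settings.get('authentication.config.bind_user')
    bind_password = settings.get('authentication.config.bind_password')
    query = Template(settings.get('authentication.config.user_query'))
    with simpleldap.Connection(server, port, bind_user, bind_password) as conn:
        try:
            user = conn.get(query.substitute(username=username))
        except (simpleldap.ObjectNotFound, simpleldap.MultipleObjectsFound):
            # Zero or several matches: neither identifies one user.
            return None
    with simpleldap.Connection(server, port) as conn:
        if not conn.authenticate(user.dn, password):
            return None
    return User(username=username, name=user.first('cn'), groups=[
        self._split_ldap_spec(x)['CN'] for x in user.get('memberof', [])
    ])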
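def ldap_fetch(uid=None, name=None, passwd=None):
    """Fetch a user record from LDAP, either by ``name``+``passwd`` (credential check) or by numeric ``uid``.

    :param uid: uidNumber looked up over a plain connection when ``name``
        and ``passwd`` are not both given.
    :param name: uid to look up; requires ``passwd``, which is checked by
        binding as the entry's DN.
    :param passwd: the user's password; an empty value is refused.
    :returns: dict with ``name``/``uid``/``id``/``gid``/``mail``, or
        ``None`` when nothing matches or the credentials are rejected.
    """
    specials = '\\*()\x00,+"<>;='
    if name is not None and passwd is not None:
        # An empty password must not reach the bind: a DN bound with an
        # empty password can succeed as an *unauthenticated* bind
        # (RFC 4513), which would let anyone log in as any known uid.
        if not passwd:
            return None
        # ``name`` goes into a search filter; refuse metacharacters.
        if any(ch in name for ch in specials):
            return None
        # weird hack to auth with WPI CCC
        conn = simpleldap.Connection(config.LDAP_SERVER, port=config.LDAP_PORT, require_cert=False,
                                     dn=config.BIND_DN, password=config.LDAP_PASSWORD, encryption='ssl')
        res = conn.search('uid={0}'.format(name), base_dn=config.BASE_DN)
        if not res:
            # Unknown uid: previously an uncaught IndexError at ``res[0]``.
            return None
        dn = config.BIND_DN_FORMAT.format(res[0]['wpieduPersonUUID'][0])
        try:
            # Constructing this connection with the user's DN and password
            # is the credential check (presumably it binds on construction,
            # as the original relied on); the object is not used afterwards.
            simpleldap.Connection(config.LDAP_SERVER, port=config.LDAP_PORT, require_cert=False,
                                  dn=dn, password=passwd, encryption='ssl')
            result = conn.search('uid={0}'.format(name), base_dn=config.BASE_DN)
        except Exception:
            return None
    else:
        if any(ch in str(uid) for ch in specials):
            return None
        conn = simpleldap.Connection(config.LDAP_SERVER)
        result = conn.search('uidNumber={0}'.format(uid), base_dn=config.BASE_DN)
    if not result:
        return None
    entry = result[0]
    return {
        'name': entry['gecos'][0].split(' ')[0],
        'uid': entry['uid'][0],
        'id': unicode(entry['uidNumber'][0]),
        'gid': int(entry['gidNumber'][0]),
        'mail': entry['mail'][0]
    }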
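def authenticate(self, username=None, password=None):
    """Bind as the user's DN to check the password, then load the entry with the service bind.

    :param username: formatted into ``settings.LDAP_UID`` for both the bind
        DN and the search filter; values with LDAP metacharacters are refused.
    :param password: password to bind with; ``None``/empty is refused.
    :returns: ``self._user_from_ldap(entry, password)`` on success, else ``None``.
    """
    # Nothing is attempted without a password: a DN bound with an empty
    # password can be accepted as an *unauthenticated* bind (RFC 4513),
    # which would make ``login_valid`` True for any known user.
    if not username or not password:
        return None
    if any(ch in username for ch in '\\*()\x00,+"<>;='):
        return None
    rdn = settings.LDAP_UID.format(user=username)
    with simpleldap.Connection(settings.LDAP_HOST) as conn:
        login_valid = conn.authenticate(dn="%s,%s" % (rdn, settings.LDAP_BN), password=password)
    if not login_valid:
        self._set_active(username, False)
        return None
    with simpleldap.Connection(settings.LDAP_HOST, dn=settings.LDAP_DN, password=settings.LDAP_PASSWORD) as conn:
        try:
            rets = conn.search("(%s)" % (rdn,), base_dn=settings.LDAP_BN)
        except simpleldap.ObjectNotFound:
            rets = []
    # ``search`` returns a list; an empty one used to raise IndexError at
    # ``rets[0]`` because only ObjectNotFound was handled.
    if not rets:
        self._set_active(username, False)
        return None
    self._set_active(username, True)
    return self._user_from_ldap(rets[0], password)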
def test_search_defaults(self):
    """Defaults given at construction and via set/clear_search_defaults apply to searches."""
    conn = simpleldap.Connection('ldap.ucdavis.edu', search_defaults={'limit': 1})
    conn.set_search_defaults(base_dn='ou=Groups,dc=ucdavis,dc=edu')
    self.assertRaises(ldap.SIZELIMIT_EXCEEDED, conn.search, 'cn=*')
    kwargs = dict(filter='cn=External Anonymous')
    conn.clear_search_defaults(['limit'])
    # Should return all attrs.
    full_entry = conn.search(**kwargs)[0]
    self.assertTrue(len(full_entry) > 2)
    # Should return just cn attr.
    conn.set_search_defaults(attrs=['cn'])
    cn_only = conn.search(**kwargs)[0]
    self.assertEqual(len(cn_only), 1)
    self.assertTrue('cn' in cn_only)
    conn.clear_search_defaults()
    self.assertEqual(conn._search_defaults, {})
def ldap_user_verified(username, password):
    """Verify user via ldap.

    Binds to ``LDAP_HOST`` as ``uid=<username>,<LDAP_BASEDN>`` with the
    given password.

    :returns: ``None`` on a bind error. As shown here there is no
        ``return`` after a successful bind either, so the function yields
        ``None`` on every path; this looks like a truncated copy of a
        longer function (``groups`` is read but never used) — confirm
        against the full source.
    """
    host = app.config['LDAP_HOST']
    base_dn = app.config['LDAP_BASEDN']
    groups = app.config['LDAP_GROUPS']
    # NOTE(review): ``username`` is interpolated unescaped into the bind
    # DN, and an empty ``password`` is passed straight to the bind, where
    # a server may accept it as an unauthenticated bind (RFC 4513). Reject
    # empty passwords and DN metacharacters before binding.
    try:
        l = simpleldap.Connection(host, dn='uid=%s,%s' % (username, base_dn), encryption='ssl', password=password)
    except Exception, e:
        # Python 2 ``except X, e`` syntax; the traceback is logged at info.
        app.logger.info("Got error trying to verify LDAP user %s:" % username)
        app.logger.info("%s:\n\n%s" % (str(e), traceback.format_exc()))
        return None
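def auth_function(request, session, root_object_class, storage_controller):
    """Build the auth root object for ``request`` after checking ``request.token`` against LDAP.

    :param request: provides ``username`` (formatted into the DN template)
        and ``token`` (used as the bind password)
    :param session: provides ``uuid``, returned as the api key
    :param root_object_class: class instantiated for the result
    :param storage_controller: not used here
    :returns: the populated root object, or ``None`` when the bind is refused
    """
    auth = root_object_class()
    # NOTE(review): setting NO_AUTHENTICATION in the environment skips the
    # LDAP check entirely; make sure it cannot be set where this runs for real.
    if 'NO_AUTHENTICATION' not in os.environ:
        # A missing token must not reach the bind: a DN bound with an empty
        # password may succeed as an *unauthenticated* bind (RFC 4513).
        if not request.token:
            return None
        # ``username`` is interpolated into a DN template; refuse DN/filter
        # metacharacters instead of letting them alter the DN.
        if any(ch in request.username for ch in '\\*()\x00,+"<>;='):
            return None
        base_dn = os.environ['LDAP_BASE_DN_TEMPLATE'] % request.username  # 'uid=%s,cn=users,cn=accounts,dc=us,dc=alcatel-lucent,dc=com' % request.username
        ldap_connection = simpleldap.Connection(os.environ['LDAP_ADDRESS'])  # 'nuageldap1.us.alcatel-lucent.com'
        if not ldap_connection.authenticate(base_dn, request.token):
            return None
    auth.id = request.username
    auth.api_key = session.uuid
    auth.password = None
    auth.user_name = request.username
    return auth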
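def get_ldap_student(self, obj):
    """Return the ldap ``uid`` of student ``obj`` (looked up by ``supannetuid``), cached on the instance.

    :param obj: object whose ``cod_etu`` is the student's supannEtuId
    :returns: the uid as ``str``, or ``None`` when no entry matches or
        ``cod_etu`` carries filter metacharacters
    """
    cached = getattr(self, '_user_ldap', None)
    if cached:
        return cached
    cod_etu = str(obj.cod_etu)
    # ``cod_etu`` goes straight into a search filter; refuse metacharacters.
    if any(ch in cod_etu for ch in '\\*()\x00'):
        return None
    search = {
        'base_dn': 'dc=univ-paris8,dc=fr',
        'list': 'sn,uid,givenName,supannEtuId'
    }
    # NOTE(review): the admin bind password is a literal in source (it
    # appears redacted here); it belongs in configuration, not in code.
    conn = simpleldap.Connection('ldap.etud.univ-paris8.fr',
                                 dn='cn=admin,dc=univ-paris8,dc=fr',
                                 search_defaults=search,
                                 password='******')
    try:
        results = conn.get('supannetuid={}'.format(cod_etu))
    except simpleldap.ObjectNotFound:
        return None
    self._user_ldap = str(results['uid'][0])
    return self._user_ldap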
def test_success(self):
    """Binding as the public group DN with an empty password is accepted by this server.

    This is the DN-plus-empty-password bind that application code must
    never issue with a user-supplied password: it succeeds without any
    credential being checked.
    """
    conn = simpleldap.Connection('ldap.ucdavis.edu')
    anonymous_group_dn = 'cn=External Anonymous,ou=Groups,dc=ucdavis,dc=edu'
    self.assertTrue(conn.authenticate(anonymous_group_dn, ''))
def test_search(self):
    """A wildcard search returns several result items of the connection's item class."""
    conn = simpleldap.Connection('ldap.ucdavis.edu')
    entries = conn.search('cn=*', base_dn='ou=Groups,dc=ucdavis,dc=edu')
    self.assertTrue(len(entries) > 3)
    item_class = conn.result_item_class
    for entry in entries:
        self.assertTrue(isinstance(entry, item_class))
def test_fail_unwilling_to_perform(self):
    """A bind the server is unwilling to perform reports False rather than raising."""
    conn = simpleldap.Connection('ldap.utexas.edu')
    accepted = conn.authenticate('cn=Anonymous', '')
    self.assertFalse(accepted)
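def create(cls):
    """Alternate constructor: return an instance with an open ``conn`` to the university ldap.

    :returns: the new instance
    """
    me = cls()
    # The original opened a connection to ``LDAPWrapper.CONNECTION_DOMAIN``
    # and immediately overwrote it with this one, leaking the first; only
    # the effective (second) connection is kept.
    # NOTE(review): if both targets are meant to be the same host, use
    # ``LDAPWrapper.CONNECTION_DOMAIN`` here so they cannot drift apart.
    me.conn = simpleldap.Connection('ldap.uniandes.edu.co')
    return me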
def test_fail_no_such_object(self):
    """Binding as a DN that does not exist reports False rather than raising."""
    conn = simpleldap.Connection('ldap.ucdavis.edu')
    accepted = conn.authenticate('uid=foobar', 'baz')
    self.assertFalse(accepted)
def test_compare(self):
    """``compare`` confirms a matching attribute value and rejects a wrong one."""
    conn = simpleldap.Connection('ldap.ucdavis.edu')
    entry = conn.get('cn=External Anonymous', base_dn='ou=Groups,dc=ucdavis,dc=edu')
    for candidate, expected in (('External Anonymous', True), ('foo', False)):
        self.assertEqual(conn.compare(entry.dn, 'cn', candidate), expected)
def test_fail_invalid_credentials(self):
    """Binding with wrong credentials reports False rather than raising."""
    conn = simpleldap.Connection('ldap.utexas.edu')
    accepted = conn.authenticate('uid=foobar', 'baz')
    self.assertFalse(accepted)