annotate MoinMoin/auth/ldap_login.py @ 3125:40c4670c3410

refactored auth package to use own logger
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Wed, 27 Feb 2008 10:05:20 +0100
parents a94959a2aae7
children 1508feb6dbbf
# -*- coding: iso-8859-1 -*-
"""
    MoinMoin - LDAP / Active Directory authentication

    This code only creates a user object, the session has to be established by
    the auth.moin_session auth plugin.

    python-ldap needs to be at least 2.0.0pre06 (available since mid 2002) for
    ldaps support - some older debian installations (woody and older?) require
    libldap2-tls and python2.x-ldap-tls, otherwise you get ldap.SERVER_DOWN:
    "Can't contact LDAP server" - more recent debian installations have tls
    support in libldap2 (see dependency on gnutls) and also in python-ldap.

    TODO: migrate configuration items to constructor parameters,
          allow more configuration (alias name, ...) by using
          callables as parameters

    @copyright: 2006-2008 MoinMoin:ThomasWaldmann,
                2006 Nick Phillips
    @license: GNU GPL, see COPYING for details.
"""
import sys
import ldap

from MoinMoin import log
logging = log.getLogger(__name__)

from MoinMoin import user
from MoinMoin.auth import BaseAuth, CancelLogin, ContinueLogin


class LDAPAuth(BaseAuth):
    """ get authentication data from form, authenticate against LDAP (or Active
        Directory), fetch some user infos from LDAP and create a user object
        for that user. The session is kept by the moin_session auth plugin.
    """

    login_inputs = ['username', 'password']
    logout_possible = True
    name = 'ldap'

    def login(self, request, user_obj, **kw):
        username = kw.get('username')
        password = kw.get('password')
        _ = request.getText

        cfg = request.cfg
        verbose = cfg.ldap_verbose

        # we require non-empty password as ldap bind does a anon (not password
        # protected) bind if the password is empty and SUCCEEDS!
        if not password:
            return ContinueLogin(user_obj, _('Missing password. Please enter user name and password.'))

        try:
            try:
                u = None
                dn = None
                coding = cfg.ldap_coding
                if verbose: logging.info("Setting misc. ldap options...")
                ldap.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3) # ldap v2 is outdated
                ldap.set_option(ldap.OPT_REFERRALS, cfg.ldap_referrals)
                ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, cfg.ldap_timeout)

                starttls = cfg.ldap_start_tls
                if hasattr(ldap, 'TLS_AVAIL') and ldap.TLS_AVAIL:
                    for option, value in (
                        (ldap.OPT_X_TLS_CACERTDIR, cfg.ldap_tls_cacertdir),
                        (ldap.OPT_X_TLS_CACERTFILE, cfg.ldap_tls_cacertfile),
                        (ldap.OPT_X_TLS_CERTFILE, cfg.ldap_tls_certfile),
                        (ldap.OPT_X_TLS_KEYFILE, cfg.ldap_tls_keyfile),
                        (ldap.OPT_X_TLS_REQUIRE_CERT, cfg.ldap_tls_require_cert),
                        (ldap.OPT_X_TLS, starttls),
                        #(ldap.OPT_X_TLS_ALLOW, 1),
                    ):
                        if value:
                            ldap.set_option(option, value)

                server = cfg.ldap_uri
                if verbose: logging.info("Trying to initialize %r." % server)
                l = ldap.initialize(server)
                if verbose: logging.info("Connected to LDAP server %r." % server)

                if starttls and server.startswith('ldap:'):
                    if verbose: logging.info("Trying to start TLS to %r." % server)
                    try:
                        l.start_tls_s()
                        if verbose: logging.info("Using TLS to %r." % server)
                    except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR), err:
                        if verbose: logging.info("Couldn't establish TLS to %r (err: %s)." % (server, str(err)))
                        raise

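Everything the TLS block above applies comes from `cfg.ldap_*` attributes, and two of them decide how much the login is worth: StartTLS is only attempted when `ldap_start_tls` is set and the URI starts with `ldap:` (an `ldaps://` URI is TLS from the first byte), and with `ldap_bindonce` the first bind is the only one, so it authenticates the user only if `ldap_binddn`/`ldap_bindpw` embed `%(username)s`/`%(password)s`. The following is an added example by the editor, not code from MoinMoin: a weak and a hardened `wikiconfig.py` posture built from the attribute names the module reads, plus a checker that reports what each posture implies. The hostname, CA path, class and function names are assumed; the numeric fallback for `OPT_X_TLS_DEMAND` is an assumption used only when python-ldap is not installed.

```python
# Added example (editor's, not MoinMoin code): the ldap_* settings that
# LDAPAuth.login() reads, as a weak and a hardened wikiconfig.py posture,
# plus a checker for what each posture implies. Python 3. The hostname,
# CA path and the class/function names are assumed for the example.
try:
    import ldap                      # python-ldap; optional for running this
    TLS_DEMAND = ldap.OPT_X_TLS_DEMAND
except ImportError:                  # assumption: OpenLDAP's LDAP_OPT_X_TLS_DEMAND value
    TLS_DEMAND = 2


class WeakConfig:
    """Plain ldap:// and no StartTLS: the service password and the user's
    password cross the network in clear and the server is never authenticated.
    ldap_bindonce=True with a fixed service account means the service bind is
    the only bind, so the user's password is never checked (the module only
    rejects it when it is empty)."""
    ldap_uri = 'ldap://ldap.example.org'
    ldap_start_tls = False
    ldap_tls_cacertfile = None
    ldap_tls_cacertdir = None
    ldap_tls_require_cert = None
    ldap_binddn = 'cn=wiki-search,ou=services,dc=example,dc=org'
    ldap_bindpw = 'service-account-secret'
    ldap_bindonce = True


class HardenedConfig:
    """StartTLS on the ldap:// URI with a pinned CA and a mandatory certificate
    check, a low-privilege search account, and a second bind as the user's DN."""
    ldap_uri = 'ldap://ldap.example.org'
    ldap_start_tls = True
    ldap_tls_cacertfile = '/etc/ssl/certs/corp-ldap-ca.pem'   # assumed path
    ldap_tls_cacertdir = None
    ldap_tls_require_cert = TLS_DEMAND
    ldap_binddn = 'cn=wiki-search,ou=services,dc=example,dc=org'
    ldap_bindpw = 'service-account-secret'   # placeholder: keep the real one out of VCS
    ldap_bindonce = False


def tls_findings(cfg):
    """List the transport and bind weaknesses a config object encodes.
    Mirrors the module's test: StartTLS is only attempted when ldap_start_tls
    is set *and* the URI starts with 'ldap:'; ldaps:// is TLS from the start."""
    findings = []
    cleartext = cfg.ldap_uri.startswith('ldap:') and not cfg.ldap_start_tls
    if cleartext:
        findings.append('credentials sent in clear: ldap:// without ldap_start_tls')
    else:
        if cfg.ldap_tls_require_cert != TLS_DEMAND:
            findings.append('server certificate not enforced: ldap_tls_require_cert is not DEMAND')
        if not (cfg.ldap_tls_cacertfile or cfg.ldap_tls_cacertdir):
            findings.append('no trust anchor: set ldap_tls_cacertfile or ldap_tls_cacertdir')
    if cfg.ldap_bindonce and '%(password)s' not in cfg.ldap_bindpw:
        findings.append("ldap_bindonce with a fixed ldap_bindpw: the user's password is never verified")
    return findings
```

`tls_findings(WeakConfig)` reports the cleartext transport and the unverified password; `tls_findings(HardenedConfig)` reports nothing. Note that the module's `if value:` guard means a require-cert setting of `OPT_X_TLS_NEVER` (numeric zero) is never passed to the library, so the library default applies in that case.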
                # you can use %(username)s and %(password)s here to get the stuff entered in the form:
                ldap_binddn = cfg.ldap_binddn % locals()
                ldap_bindpw = cfg.ldap_bindpw % locals()
                l.simple_bind_s(ldap_binddn.encode(coding), ldap_bindpw.encode(coding))
                if verbose: logging.info("Bound with binddn %r" % ldap_binddn)

                # you can use %(username)s here to get the stuff entered in the form:
                filterstr = cfg.ldap_filter % locals()
                if verbose: logging.info("Searching %r" % filterstr)
                attrs = [getattr(cfg, attr) for attr in [
                    'ldap_email_attribute',
                    'ldap_aliasname_attribute',
                    'ldap_surname_attribute',
                    'ldap_givenname_attribute',
                ] if getattr(cfg, attr) is not None]
                lusers = l.search_st(cfg.ldap_base, cfg.ldap_scope, filterstr.encode(coding),
                                     attrlist=attrs, timeout=cfg.ldap_timeout)
                # we remove entries with dn == None to get the real result list:
                lusers = [(dn, ldap_dict) for dn, ldap_dict in lusers if dn is not None]
                if verbose:
                    for dn, ldap_dict in lusers:
                        logging.info("dn:%r" % dn)
                        for key, val in ldap_dict.items():
                            logging.info("    %r: %r" % (key, val))

                result_length = len(lusers)
                if result_length != 1:
                    if result_length > 1:
                        logging.info("Search found more than one (%d) matches for %r." % (result_length, filterstr))
                    if result_length == 0:
                        if verbose: logging.info("Search found no matches for %r." % (filterstr, ))
                    return CancelLogin(_("Invalid username or password."))

                dn, ldap_dict = lusers[0]
                if not cfg.ldap_bindonce:
                    if verbose: logging.info("DN found is %r, trying to bind with pw" % dn)
                    l.simple_bind_s(dn, password.encode(coding))
                    if verbose: logging.info("Bound with dn %r (username: %r)" % (dn, username))

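`cfg.ldap_binddn % locals()` and `cfg.ldap_filter % locals()` substitute the form's username verbatim. Inside a search filter the characters `( ) * \` and NUL are syntax (RFC 4515), and inside a DN `, + " \ < > ;`, a leading `#` and leading or trailing spaces are (RFC 4514), so a username containing them changes what the filter or DN means rather than being matched literally. The `result_length != 1` check further down rejects a wildcard that matches many entries, but it does not restore the literal meaning of the username. The escaping below is an added example by the editor, not part of the module; the function names are assumed, it is Python 3 and standard library only, and the sample usernames are constructed.

```python
# Added example (editor's, not MoinMoin code): escape a form username before it
# is substituted into cfg.ldap_filter / cfg.ldap_binddn with "%" formatting.
# Python 3, standard library only. RFC 4515 (filters), RFC 4514 (DNs).

_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
_DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value):
    """RFC 4515 assertion-value escaping: each syntax character becomes \\XX."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """RFC 4514 attribute-value escaping for use inside one DN component."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:               # a leading '#' would start a hex string
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):  # edge spaces are otherwise trimmed
            out.append('\\ ')
        elif ch == '\0':
            out.append(r'\00')
        else:
            out.append(ch)
    return ''.join(out)


def build_filter(filter_template, username):
    """The module's "template % locals()" step, with the username escaped first.
    filter_template uses %(username)s exactly as cfg.ldap_filter does."""
    return filter_template % {'username': escape_filter_value(username)}


def build_binddn(dn_template, username):
    """Same for a cfg.ldap_binddn template such as 'uid=%(username)s,ou=people,...'."""
    return dn_template % {'username': escape_dn_value(username)}


# Constructed sample input: a username that tries to close the filter early.
HOSTILE_USERNAME = '*)(uid=*'
# build_filter('(uid=%(username)s)', HOSTILE_USERNAME) gives
# r'(uid=\2a\29\28uid=\2a)': one assertion on a literal value, not a wildcard.
```

Apply the escaping once, to the value that goes into `locals()` (or into the dict passed to `%`), and keep the template itself free of user data; the DN and filter rules differ, so a username has to be escaped separately for each place it is used.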
                if cfg.ldap_email_callback is None:
                    if cfg.ldap_email_attribute:
                        email = ldap_dict.get(cfg.ldap_email_attribute, [''])[0].decode(coding)
                    else:
                        email = None
                else:
                    email = cfg.ldap_email_callback(ldap_dict)

                aliasname = ''
                try:
                    aliasname = ldap_dict[cfg.ldap_aliasname_attribute][0]
                except (KeyError, IndexError):
                    pass
                if not aliasname:
                    sn = ldap_dict.get(cfg.ldap_surname_attribute, [''])[0]
                    gn = ldap_dict.get(cfg.ldap_givenname_attribute, [''])[0]
                    if sn and gn:
                        aliasname = "%s, %s" % (sn, gn)
                    elif sn:
                        aliasname = sn
                aliasname = aliasname.decode(coding)

                if email:
                    u = user.User(request, auth_username=username, password="{SHA}NotStored", auth_method=self.name, auth_attribs=('name', 'password', 'email', 'mailto_author', ))
                    u.email = email
                else:
                    u = user.User(request, auth_username=username, password="{SHA}NotStored", auth_method=self.name, auth_attribs=('name', 'password', 'mailto_author', ))
                u.name = username
                u.aliasname = aliasname
                u.remember_me = 0 # 0 enforces cookie_lifetime config param
                if verbose: logging.info("creating userprefs with name %r email %r alias %r" % (username, email, aliasname))

            except ldap.INVALID_CREDENTIALS, err:
                logging.info("invalid credentials (wrong password?) for dn %r (username: %r)" % (dn, username))
                return CancelLogin(_("Invalid username or password."))

            if u:
                u.create_or_update(True)
            return ContinueLogin(u)

        except:
            import traceback
            info = sys.exc_info()
            logging.error("caught an exception, traceback follows...")
            logging.error(''.join(traceback.format_exception(*info)))
            return CancelLogin(None)

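The control flow of `login()` is the classic search-then-bind scheme: refuse an empty password (an LDAP simple bind with a name and an empty password is an anonymous bind and succeeds on servers that allow it, which is exactly what the comment in the module warns about), bind with the search account, search for the user, require exactly one real entry after dropping referral entries whose dn is `None`, bind again as the found DN with the user's password, and map `ldap.INVALID_CREDENTIALS` to a generic failure message. The following is an added example by the editor, not MoinMoin code: the same flow run against an in-memory stand-in for the two python-ldap calls the module uses, so it executes offline and shows each rejection path, including what happens when the empty-password guard is switched off. The directory contents, DNs, passwords and function names are constructed for the example.

```python
# Added example (editor's, not MoinMoin code): the search-then-bind flow of
# LDAPAuth.login(), run against an in-memory stand-in for python-ldap so it
# executes offline. Python 3. All directory contents are constructed sample data.

class INVALID_CREDENTIALS(Exception):
    """Stand-in for ldap.INVALID_CREDENTIALS."""


class FakeDirectory:
    """Mimics the two python-ldap calls the module uses: simple_bind_s and
    search_st. As on servers that permit it, a bind with an empty password is
    treated as an *anonymous* bind and succeeds whatever the DN
    (RFC 4513 sec. 5.1.2, "unauthenticated" bind)."""

    def __init__(self, entries, passwords):
        self.entries = entries          # dn -> {attribute: [values]}
        self.passwords = passwords      # dn -> password
        self.bound_as = None

    def simple_bind_s(self, dn, password):
        if password == '':
            self.bound_as = None        # anonymous: no credential was checked
            return
        if self.passwords.get(dn) != password:
            raise INVALID_CREDENTIALS(dn)
        self.bound_as = dn

    def search_st(self, base, scope, filterstr, attrlist=None, timeout=0):
        # Only the "(attr=value)" shape this example needs; '*' matches anything;
        # scope is ignored. A referral entry with dn None is appended, as
        # python-ldap returns them, to show why the module filters those out.
        attr, _, value = filterstr.strip('()').partition('=')
        hits = []
        for dn, attrs in self.entries.items():
            if dn.endswith(base) and (value == '*' or value in attrs.get(attr, [])):
                hits.append((dn, attrs))
        return hits + [(None, ['ldap://ref.example.org/'])]


DIRECTORY = FakeDirectory(
    entries={
        'uid=alice,ou=people,dc=example,dc=org': {'uid': ['alice'], 'mail': ['alice@example.org']},
        'uid=bob,ou=people,dc=example,dc=org': {'uid': ['bob'], 'mail': ['bob@example.org']},
        'uid=dup,ou=people,dc=example,dc=org': {'uid': ['dup'], 'mail': ['dup@example.org']},
        'uid=dup,ou=legacy,dc=example,dc=org': {'uid': ['dup'], 'mail': ['dup@legacy.example.org']},
    },
    passwords={
        'uid=alice,ou=people,dc=example,dc=org': 'alice-pw',
        'uid=bob,ou=people,dc=example,dc=org': 'bob-pw',
        'cn=wiki-search,ou=services,dc=example,dc=org': 'search-pw',
    },
)

SEARCH_DN = 'cn=wiki-search,ou=services,dc=example,dc=org'
SEARCH_PW = 'search-pw'
BASE_DN = 'dc=example,dc=org'


def ldap_login(directory, username, password, require_password=True):
    """Return (ok, reason, dn). require_password=False runs the flow without
    the module's empty-password guard, to show why that guard exists.
    The username is substituted unescaped here, as the module does; a real
    filter needs RFC 4515 escaping of the value first."""
    if require_password and not password:
        return False, 'missing password', None
    directory.simple_bind_s(SEARCH_DN, SEARCH_PW)                # service-account bind
    results = directory.search_st(BASE_DN, 2, '(uid=%s)' % username)
    results = [(dn, attrs) for dn, attrs in results if dn is not None]  # drop referrals
    if len(results) != 1:                                         # 0 or >1: refuse, same message
        return False, '%d matches' % len(results), None
    dn, _attrs = results[0]
    try:
        directory.simple_bind_s(dn, password)                     # bind as the user's DN
    except INVALID_CREDENTIALS:
        return False, 'invalid credentials', dn
    return True, 'ok', dn
```

With the guard in place `ldap_login(DIRECTORY, 'alice', '')` is refused before any bind; with `require_password=False` the same call "succeeds" although `DIRECTORY.bound_as` is `None`, that is, nobody was authenticated. Two entries sharing `uid=dup` and the wildcard `*` are both refused by the one-result rule, and a wrong password surfaces as `INVALID_CREDENTIALS` on the second bind, which the module reports with the same generic message as the zero-match case so that the response does not reveal whether the account exists.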