from ipsilon.info.common import InfoProviderBase
from ipsilon.info.common import InfoProviderInstaller
-from ipsilon.info.common import InfoMapping
from ipsilon.util.plugin import PluginObject
+from ipsilon.util.policy import Policy
from ipsilon.util import config as pconfig
import ldap
+import subprocess
# TODO: fetch mapping from configuration
-ldap_mapping = {
- 'cn': 'fullname',
- 'commonname': 'fullname',
- 'sn': 'surname',
- 'mail': 'email',
- 'destinationindicator': 'country',
- 'postalcode': 'postcode',
- 'st': 'state',
- 'statetorprovincename': 'state',
- 'streetaddress': 'street',
- 'telephonenumber': 'phone',
-}
+ldap_mapping = [
+ ['cn', 'fullname'],
+ ['commonname', 'fullname'],
+ ['sn', 'surname'],
+ ['mail', 'email'],
+ ['destinationindicator', 'country'],
+ ['postalcode', 'postcode'],
+ ['st', 'state'],
+ ['statetorprovincename', 'state'],
+ ['streetaddress', 'street'],
+ ['telephonenumber', 'phone'],
+]
class InfoProvider(InfoProviderBase):
def __init__(self, *pargs):
super(InfoProvider, self).__init__(*pargs)
- self.mapper = InfoMapping()
- self.mapper.set_mapping(ldap_mapping)
+ self.mapper = Policy(ldap_mapping)
self.name = 'ldap'
self.description = """
Info plugin that uses LDAP to retrieve user data. """
pconfig.String(
'bind password',
'Password to use for bind operation'),
+ pconfig.String(
+ 'base dn',
+ 'The base dn to look for users and groups',
+ 'dc=example,dc=com'),
)
@property
def user_dn_tmpl(self):
return self.get_config_value('user dn template')
+ @property
+ def base_dn(self):
+ return self.get_config_value('base dn')
+
def _ldap_bind(self):
tls = self.tls.lower()
raise Exception('No unique user object could be found!')
data = dict()
for name, value in result[0][1].iteritems():
- if type(value) is list and len(value) == 1:
+ if isinstance(value, list) and len(value) == 1:
value = value[0]
data[name] = value
return data
- def _get_user_groups(self, conn, dn, ldapattrs):
+ def _get_user_groups(self, conn, base, username):
# TODO: fixme to support RFC2307bis schemas
- if 'memberuid' in ldapattrs:
- return ldapattrs['memberuid']
- else:
+ results = conn.search_s(base, ldap.SCOPE_SUBTREE,
+ filterstr='memberuid=%s' % username)
+ if results is None or results == []:
+ self.debug('No groups for %s' % username)
return []
+ groups = []
+ for r in results:
+ if 'cn' in r[1]:
+ groups.append(r[1]['cn'][0])
+ return groups
- def get_user_data_from_conn(self, conn, dn):
+ def get_user_data_from_conn(self, conn, dn, base, username):
reply = dict()
try:
ldapattrs = self._get_user_data(conn, dn)
- userattrs, extras = self.mapper.map_attrs(ldapattrs)
- groups = self._get_user_groups(conn, dn, ldapattrs)
- reply['userdata'] = userattrs
- reply['groups'] = groups
- reply['extras'] = {'ldap': extras}
+ self.debug(ldapattrs)
+ userattrs, extras = self.mapper.map_attributes(ldapattrs)
+ groups = self._get_user_groups(conn, base, username)
+ reply = userattrs
+ reply['_groups'] = groups
+ reply['_extras'] = {'ldap': extras}
except Exception, e: # pylint: disable=broad-except
self.error(e)
try:
conn = self._ldap_bind()
dn = self.user_dn_tmpl % {'username': user}
- return self.get_user_data_from_conn(conn, dn)
+ base = self.base_dn
+ return self.get_user_data_from_conn(conn, dn, base, user)
except Exception, e: # pylint: disable=broad-except
self.error(e)
return {}
help='LDAP Bind Password')
group.add_argument('--info-ldap-user-dn-template', action='store',
help='LDAP User DN Template')
+ group.add_argument('--info-ldap-base-dn', action='store',
+ help='LDAP Base DN')
def configure(self, opts):
if opts['info_ldap'] != 'yes':
config['server url'] = opts['info_ldap_server_url']
elif 'ldap_server_url' in opts:
config['server url'] = opts['ldap_server_url']
- config = {'bind dn': opts['info_ldap_bind_dn']}
- config = {'bind password': opts['info_ldap_bind_pwd']}
- config = {'user dn template': opts['info_ldap_user_dn_template']}
if 'info_ldap_bind_dn' in opts:
config['bind dn'] = opts['info_ldap_bind_dn']
if 'info_ldap_bind_pwd' in opts:
config['user dn template'] = opts['info_ldap_user_dn_template']
elif 'ldap_bind_dn_template' in opts:
config['user dn template'] = opts['ldap_bind_dn_template']
- config['tls'] = 'Demand'
+ if 'info_ldap_tls_level' in opts and opts['info_ldap_tls_level']:
+ config['tls'] = opts['info_ldap_tls_level']
+ elif 'ldap_tls_level' in opts and opts['ldap_tls_level']:
+ config['tls'] = opts['ldap_tls_level']
+ else:
+ config['tls'] = 'Demand'
+ if 'info_ldap_base_dn' in opts and opts['info_ldap_base_dn']:
+ config['base dn'] = opts['info_ldap_base_dn']
+ elif 'ldap_base_dn' in opts and opts['ldap_base_dn']:
+ config['base dn'] = opts['ldap_base_dn']
po.save_plugin_config(config)
- # Update global config to add login plugin
+ # Update global config to add info plugin
po.is_enabled = True
po.save_enabled_state()
+
+ # For selinux enabled platforms permit httpd to connect to ldap,
+ # ignore if it fails
+ try:
+ subprocess.call(['/usr/sbin/setsebool', '-P',
+ 'httpd_can_connect_ldap=on'])
+ except Exception: # pylint: disable=broad-except
+ pass