-# Copyright (C) 2014 Ipsilon Contributors, see COPYING for license
+# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING
from ipsilon.login.common import LoginFormBase, LoginManagerBase, \
LoginManagerInstaller
from ipsilon.util import config as pconfig
from ipsilon.info.infoldap import InfoProvider as LDAPInfo
import ldap
+import subprocess
class LDAP(LoginFormBase, Log):
if not self.ldap_info:
self.ldap_info = LDAPInfo(self._site)
- return self.ldap_info.get_user_data_from_conn(conn, dn)
+ base = self.lm.base_dn
+ return self.ldap_info.get_user_data_from_conn(conn, dn, base,
+ username)
return None
username = kwargs.get("login_name")
password = kwargs.get("login_password")
userattrs = None
- authed = False
+ authok = False
errmsg = None
if username and password:
try:
userattrs = self._authenticate(username, password)
- authed = True
- except Exception, e: # pylint: disable=broad-except
+ authok = True
+ except ldap.INVALID_CREDENTIALS as e:
errmsg = "Authentication failed"
+ self.error(errmsg)
+ except ldap.LDAPError as e:
+ errmsg = 'Internal system error'
+ if isinstance(e, ldap.TIMEOUT):
+ self.error('LDAP request timed out')
+ else:
+ desc = e.args[0]['desc'].strip()
+ info = e.args[0].get('info', '').strip()
+ self.error("%s: %s %s" % (e.__class__.__name__,
+ desc, info))
+ except Exception as e: # pylint: disable=broad-except
+ errmsg = 'Internal system error'
self.error("Exception raised: [%s]" % repr(e))
else:
- errmsg = "Username or password is missing"
- self.error(errmsg)
+ self.error("Username or password is missing")
- if authed:
+ if authok:
return self.lm.auth_successful(self.trans, username, 'password',
userdata=userattrs)
error_password=not password,
error_username=not username
)
- # pylint: disable=star-args
+ self.lm.set_auth_error()
return self._template('login/form.html', **context)
'bind dn template',
'Template to turn username into DN.',
'uid=%(username)s,ou=People,dc=example,dc=com'),
+ pconfig.String(
+ 'base dn',
+ 'The base dn to look for users and groups',
+ 'dc=example,dc=com'),
pconfig.Condition(
'get user info',
'Get user info via ldap using user credentials',
def bind_dn_tmpl(self):
return self.get_config_value('bind dn template')
+ @property
+ def base_dn(self):
+ return self.get_config_value('base dn')
+
def get_tree(self, site):
self.page = LDAP(site, self, 'login/ldap')
return self.page
help='LDAP Server Url')
group.add_argument('--ldap-bind-dn-template', action='store',
help='LDAP Bind DN Template')
+ group.add_argument('--ldap-tls-level', action='store', default=None,
+ help='LDAP TLS level')
+ group.add_argument('--ldap-base-dn', action='store',
+ help='LDAP Base DN')
- def configure(self, opts):
+ def configure(self, opts, changes):
if opts['ldap'] != 'yes':
return
config['server url'] = opts['ldap_server_url']
if 'ldap_bind_dn_template' in opts:
config['bind dn template'] = opts['ldap_bind_dn_template']
- config['tls'] = 'Demand'
+ if 'ldap_tls_level' in opts and opts['ldap_tls_level'] is not None:
+ config['tls'] = opts['ldap_tls_level']
+ else:
+ config['tls'] = 'Demand'
+ if 'ldap_base_dn' in opts and opts['ldap_base_dn'] is not None:
+ config['base dn'] = opts['ldap_base_dn']
po.save_plugin_config(config)
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
+
+ # For selinux enabled platforms permit httpd to connect to ldap,
+ # ignore if it fails
+ try:
+ subprocess.call(['/usr/sbin/setsebool', '-P',
+ 'httpd_can_connect_ldap=on'])
+ except Exception: # pylint: disable=broad-except
+ pass