Implement change registration
[cascardo/ipsilon.git] / ipsilon / login / authldap.py
old mode 100755 (executable)
new mode 100644 (file)
index f51f375..ce096f4
@@ -1,14 +1,13 @@
-#!/usr/bin/python
-#
-# Copyright (C) 2014  Ipsilon Contributors, see COPYING for license
+# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING
 
 
-from ipsilon.login.common import LoginFormBase, LoginManagerBase
-from ipsilon.login.common import FACILITY
+from ipsilon.login.common import LoginFormBase, LoginManagerBase, \
+    LoginManagerInstaller
 from ipsilon.util.plugin import PluginObject
 from ipsilon.util.log import Log
 from ipsilon.util import config as pconfig
 from ipsilon.info.infoldap import InfoProvider as LDAPInfo
 import ldap
 from ipsilon.util.plugin import PluginObject
 from ipsilon.util.log import Log
 from ipsilon.util import config as pconfig
 from ipsilon.info.infoldap import InfoProvider as LDAPInfo
 import ldap
+import subprocess
 
 
 class LDAP(LoginFormBase, Log):
 
 
 class LDAP(LoginFormBase, Log):
@@ -50,9 +49,11 @@ class LDAP(LoginFormBase, Log):
             self.lm.info = None
 
             if not self.ldap_info:
             self.lm.info = None
 
             if not self.ldap_info:
-                self.ldap_info = LDAPInfo()
+                self.ldap_info = LDAPInfo(self._site)
 
 
-            return self.ldap_info.get_user_data_from_conn(conn, dn)
+            base = self.lm.base_dn
+            return self.ldap_info.get_user_data_from_conn(conn, dn, base,
+                                                          username)
 
         return None
 
 
         return None
 
@@ -65,15 +66,7 @@ class LDAP(LoginFormBase, Log):
 
         if username and password:
             try:
 
         if username and password:
             try:
-                userdata = self._authenticate(username, password)
-                if userdata:
-                    userattrs = dict()
-                    for d, v in userdata.get('userdata', {}).items():
-                        userattrs[d] = v
-                    if 'groups' in userdata:
-                        userattrs['groups'] = userdata['groups']
-                    if 'extras' in userdata:
-                        userattrs['extras'] = userdata['extras']
+                userattrs = self._authenticate(username, password)
                 authed = True
             except Exception, e:  # pylint: disable=broad-except
                 errmsg = "Authentication failed"
                 authed = True
             except Exception, e:  # pylint: disable=broad-except
                 errmsg = "Authentication failed"
@@ -92,7 +85,7 @@ class LDAP(LoginFormBase, Log):
             error_password=not password,
             error_username=not username
         )
             error_password=not password,
             error_username=not username
         )
-        # pylint: disable=star-args
+        self.lm.set_auth_error()
         return self._template('login/form.html', **context)
 
 
         return self._template('login/form.html', **context)
 
 
@@ -118,6 +111,10 @@ authentication. """
                 'bind dn template',
                 'Template to turn username into DN.',
                 'uid=%(username)s,ou=People,dc=example,dc=com'),
                 'bind dn template',
                 'Template to turn username into DN.',
                 'uid=%(username)s,ou=People,dc=example,dc=com'),
+            pconfig.String(
+                'base dn',
+                'The base dn to look for users and groups',
+                'dc=example,dc=com'),
             pconfig.Condition(
                 'get user info',
                 'Get user info via ldap using user credentials',
             pconfig.Condition(
                 'get user info',
                 'Get user info via ldap using user credentials',
@@ -163,57 +160,71 @@ authentication. """
 
     @property
     def get_user_info(self):
 
     @property
     def get_user_info(self):
-        return (self.get_config_value('get user info').lower() == 'yes')
+        return self.get_config_value('get user info')
 
     @property
     def bind_dn_tmpl(self):
         return self.get_config_value('bind dn template')
 
 
     @property
     def bind_dn_tmpl(self):
         return self.get_config_value('bind dn template')
 
+    @property
+    def base_dn(self):
+        return self.get_config_value('base dn')
+
     def get_tree(self, site):
         self.page = LDAP(site, self, 'login/ldap')
         return self.page
 
 
     def get_tree(self, site):
         self.page = LDAP(site, self, 'login/ldap')
         return self.page
 
 
-class Installer(object):
+class Installer(LoginManagerInstaller):
 
 
-    def __init__(self):
+    def __init__(self, *pargs):
+        super(Installer, self).__init__()
         self.name = 'ldap'
         self.name = 'ldap'
-        self.ptype = 'login'
+        self.pargs = pargs
 
     def install_args(self, group):
         group.add_argument('--ldap', choices=['yes', 'no'], default='no',
 
     def install_args(self, group):
         group.add_argument('--ldap', choices=['yes', 'no'], default='no',
-                           help='Configure PAM authentication')
+                           help='Configure LDAP authentication')
         group.add_argument('--ldap-server-url', action='store',
                            help='LDAP Server Url')
         group.add_argument('--ldap-bind-dn-template', action='store',
                            help='LDAP Bind DN Template')
         group.add_argument('--ldap-server-url', action='store',
                            help='LDAP Server Url')
         group.add_argument('--ldap-bind-dn-template', action='store',
                            help='LDAP Bind DN Template')
+        group.add_argument('--ldap-tls-level', action='store', default=None,
+                           help='LDAP TLS level')
+        group.add_argument('--ldap-base-dn', action='store',
+                           help='LDAP Base DN')
 
 
-    def configure(self, opts):
+    def configure(self, opts, changes):
         if opts['ldap'] != 'yes':
             return
 
         # Add configuration data to database
         if opts['ldap'] != 'yes':
             return
 
         # Add configuration data to database
-        po = PluginObject()
+        po = PluginObject(*self.pargs)
         po.name = 'ldap'
         po.wipe_data()
         po.name = 'ldap'
         po.wipe_data()
+        po.wipe_config_values()
 
 
-        po.wipe_config_values(FACILITY)
         config = dict()
         if 'ldap_server_url' in opts:
             config['server url'] = opts['ldap_server_url']
         if 'ldap_bind_dn_template' in opts:
             config['bind dn template'] = opts['ldap_bind_dn_template']
         config = dict()
         if 'ldap_server_url' in opts:
             config['server url'] = opts['ldap_server_url']
         if 'ldap_bind_dn_template' in opts:
             config['bind dn template'] = opts['ldap_bind_dn_template']
-        config['tls'] = 'Demand'
-        po.save_plugin_config(FACILITY, config)
+        if 'ldap_tls_level' in opts and opts['ldap_tls_level'] is not None:
+            config['tls'] = opts['ldap_tls_level']
+        else:
+            config['tls'] = 'Demand'
+        if 'ldap_base_dn' in opts and opts['ldap_base_dn'] is not None:
+            config['base dn'] = opts['ldap_base_dn']
+        po.save_plugin_config(config)
 
         # Update global config to add login plugin
 
         # Update global config to add login plugin
-        po = PluginObject()
-        po.name = 'global'
-        globalconf = po.get_plugin_config(FACILITY)
-        if 'order' in globalconf:
-            order = globalconf['order'].split(',')
-        else:
-            order = []
-        order.append('ldap')
-        globalconf['order'] = ','.join(order)
-        po.save_plugin_config(FACILITY, globalconf)
+        po.is_enabled = True
+        po.save_enabled_state()
+
+        # For selinux enabled platforms permit httpd to connect to ldap,
+        # ignore if it fails
+        try:
+            subprocess.call(['/usr/sbin/setsebool', '-P',
+                             'httpd_can_connect_ldap=on'])
+        except Exception:  # pylint: disable=broad-except
+            pass
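Review bot: `--ldap-tls-level` is added with no `choices=`, so whatever string the operator passes is persisted verbatim into `config['tls']` in configure(); only the `None` case falls back to 'Demand', a typo is not caught at install time, and how the login plugin reacts to an unrecognized value is outside this hunk. Constraining the argument to the values the plugin's 'tls' option accepts, e.g. `group.add_argument('--ldap-tls-level', action='store', default=None, choices=[...], help='LDAP TLS level')` with the list taken from that option's definition, makes a weakened or mistyped transport setting fail loudly at install time instead of silently. In the setsebool block, `subprocess.call` only raises when the binary cannot be executed; a non-zero exit status is returned and then discarded, so a failed policy change leaves httpd unable to reach the LDAP server with nothing in the install output to explain the later authentication failures. Keeping the result, `rc = subprocess.call([...])`, and reporting `rc != 0` through the installer's logging preserves the best-effort intent while making the failure visible.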