X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=blobdiff_plain;f=ipsilon%2Flogin%2Fauthldap.py;h=ce096f4b12bde15c792f2c30c18a82e76ae3fe9c;hp=46999169b43db611fbc9d01439923ce858e4d775;hb=485baf6ee7a315d1af1086fe5b5da8cff6c4ba37;hpb=05ab5acd2a57c273d06c5aa1176d2e9da6e7c824

diff --git a/ipsilon/login/authldap.py b/ipsilon/login/authldap.py
old mode 100755
new mode 100644
index 4699916..ce096f4
--- a/ipsilon/login/authldap.py
+++ b/ipsilon/login/authldap.py
@@ -1,13 +1,13 @@
-#!/usr/bin/python
-#
-# Copyright (C) 2014  Ipsilon Contributors, see COPYING for license
+# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING
 
-from ipsilon.login.common import LoginFormBase, LoginManagerBase
+from ipsilon.login.common import LoginFormBase, LoginManagerBase, \
+    LoginManagerInstaller
 from ipsilon.util.plugin import PluginObject
 from ipsilon.util.log import Log
 from ipsilon.util import config as pconfig
 from ipsilon.info.infoldap import InfoProvider as LDAPInfo
 import ldap
+import subprocess
 
 
 class LDAP(LoginFormBase, Log):
@@ -51,7 +51,9 @@ class LDAP(LoginFormBase, Log):
             if not self.ldap_info:
                 self.ldap_info = LDAPInfo(self._site)
 
-            return self.ldap_info.get_user_data_from_conn(conn, dn)
+            base = self.lm.base_dn
+            return self.ldap_info.get_user_data_from_conn(conn, dn, base,
+                                                          username)
 
         return None
 
@@ -64,15 +66,7 @@ class LDAP(LoginFormBase, Log):
 
         if username and password:
             try:
-                userdata = self._authenticate(username, password)
-                if userdata:
-                    userattrs = dict()
-                    for d, v in userdata.get('userdata', {}).items():
-                        userattrs[d] = v
-                    if 'groups' in userdata:
-                        userattrs['groups'] = userdata['groups']
-                    if 'extras' in userdata:
-                        userattrs['extras'] = userdata['extras']
+                userattrs = self._authenticate(username, password)
                 authed = True
             except Exception, e:  # pylint: disable=broad-except
                 errmsg = "Authentication failed"
@@ -91,7 +85,7 @@ class LDAP(LoginFormBase, Log):
             error_password=not password,
             error_username=not username
         )
-        # pylint: disable=star-args
+        self.lm.set_auth_error()
         return self._template('login/form.html', **context)
 
 
@@ -117,6 +111,10 @@ authentication. """
                 'bind dn template',
                 'Template to turn username into DN.',
                 'uid=%(username)s,ou=People,dc=example,dc=com'),
+            pconfig.String(
+                'base dn',
+                'The base dn to look for users and groups',
+                'dc=example,dc=com'),
             pconfig.Condition(
                 'get user info',
                 'Get user info via ldap using user credentials',
@@ -168,27 +166,35 @@ authentication. """
     def bind_dn_tmpl(self):
         return self.get_config_value('bind dn template')
 
+    @property
+    def base_dn(self):
+        return self.get_config_value('base dn')
+
     def get_tree(self, site):
         self.page = LDAP(site, self, 'login/ldap')
         return self.page
 
 
-class Installer(object):
+class Installer(LoginManagerInstaller):
 
     def __init__(self, *pargs):
+        super(Installer, self).__init__()
         self.name = 'ldap'
-        self.ptype = 'login'
         self.pargs = pargs
 
     def install_args(self, group):
         group.add_argument('--ldap', choices=['yes', 'no'], default='no',
-                           help='Configure PAM authentication')
+                           help='Configure LDAP authentication')
         group.add_argument('--ldap-server-url', action='store',
                            help='LDAP Server Url')
         group.add_argument('--ldap-bind-dn-template', action='store',
                            help='LDAP Bind DN Template')
+        group.add_argument('--ldap-tls-level', action='store', default=None,
+                           help='LDAP TLS level')
+        group.add_argument('--ldap-base-dn', action='store',
+                           help='LDAP Base DN')
 
-    def configure(self, opts):
+    def configure(self, opts, changes):
         if opts['ldap'] != 'yes':
             return
 
@@ -203,9 +209,22 @@ class Installer(object):
             config['server url'] = opts['ldap_server_url']
         if 'ldap_bind_dn_template' in opts:
             config['bind dn template'] = opts['ldap_bind_dn_template']
-        config['tls'] = 'Demand'
+        if 'ldap_tls_level' in opts and opts['ldap_tls_level'] is not None:
+            config['tls'] = opts['ldap_tls_level']
+        else:
+            config['tls'] = 'Demand'
+        if 'ldap_base_dn' in opts and opts['ldap_base_dn'] is not None:
+            config['base dn'] = opts['ldap_base_dn']
         po.save_plugin_config(config)
 
         # Update global config to add login plugin
         po.is_enabled = True
         po.save_enabled_state()
+
+        # For selinux enabled platforms permit httpd to connect to ldap,
+        # ignore if it fails
+        try:
+            subprocess.call(['/usr/sbin/setsebool', '-P',
+                             'httpd_can_connect_ldap=on'])
+        except Exception:  # pylint: disable=broad-except
+            pass