X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=blobdiff_plain;f=ipsilon%2Flogin%2Fauthldap.py;h=ce096f4b12bde15c792f2c30c18a82e76ae3fe9c;hp=895841046852292edf715b23f106ba257827daf2;hb=485baf6ee7a315d1af1086fe5b5da8cff6c4ba37;hpb=771b8fd095f3bcb922f761d297c62f1a56a997d5 diff --git a/ipsilon/login/authldap.py b/ipsilon/login/authldap.py index 8958410..ce096f4 100644 --- a/ipsilon/login/authldap.py +++ b/ipsilon/login/authldap.py @@ -1,11 +1,13 @@ -# Copyright (C) 2014 Ipsilon Contributors, see COPYING for license +# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING -from ipsilon.login.common import LoginFormBase, LoginManagerBase +from ipsilon.login.common import LoginFormBase, LoginManagerBase, \ + LoginManagerInstaller from ipsilon.util.plugin import PluginObject from ipsilon.util.log import Log from ipsilon.util import config as pconfig from ipsilon.info.infoldap import InfoProvider as LDAPInfo import ldap +import subprocess class LDAP(LoginFormBase, Log): @@ -49,7 +51,9 @@ class LDAP(LoginFormBase, Log): if not self.ldap_info: self.ldap_info = LDAPInfo(self._site) - return self.ldap_info.get_user_data_from_conn(conn, dn) + base = self.lm.base_dn + return self.ldap_info.get_user_data_from_conn(conn, dn, base, + username) return None @@ -81,7 +85,7 @@ class LDAP(LoginFormBase, Log): error_password=not password, error_username=not username ) - # pylint: disable=star-args + self.lm.set_auth_error() return self._template('login/form.html', **context) @@ -107,6 +111,10 @@ authentication. """ 'bind dn template', 'Template to turn username into DN.', 'uid=%(username)s,ou=People,dc=example,dc=com'), + pconfig.String( + 'base dn', + 'The base dn to look for users and groups', + 'dc=example,dc=com'), pconfig.Condition( 'get user info', 'Get user info via ldap using user credentials', @@ -158,16 +166,20 @@ authentication. """ def bind_dn_tmpl(self): return self.get_config_value('bind dn template') + @property + def base_dn(self): + return self.get_config_value('base dn') + def get_tree(self, site): self.page = LDAP(site, self, 'login/ldap') return self.page -class Installer(object): +class Installer(LoginManagerInstaller): def __init__(self, *pargs): + super(Installer, self).__init__() self.name = 'ldap' - self.ptype = 'login' self.pargs = pargs def install_args(self, group): @@ -177,8 +189,12 @@ class Installer(object): help='LDAP Server Url') group.add_argument('--ldap-bind-dn-template', action='store', help='LDAP Bind DN Template') + group.add_argument('--ldap-tls-level', action='store', default=None, + help='LDAP TLS level') + group.add_argument('--ldap-base-dn', action='store', + help='LDAP Base DN') - def configure(self, opts): + def configure(self, opts, changes): if opts['ldap'] != 'yes': return @@ -193,9 +209,22 @@ class Installer(object): config['server url'] = opts['ldap_server_url'] if 'ldap_bind_dn_template' in opts: config['bind dn template'] = opts['ldap_bind_dn_template'] - config['tls'] = 'Demand' + if 'ldap_tls_level' in opts and opts['ldap_tls_level'] is not None: + config['tls'] = opts['ldap_tls_level'] + else: + config['tls'] = 'Demand' + if 'ldap_base_dn' in opts and opts['ldap_base_dn'] is not None: + config['base dn'] = opts['ldap_base_dn'] po.save_plugin_config(config) # Update global config to add login plugin po.is_enabled = True po.save_enabled_state() + + # For selinux enabled platforms permit httpd to connect to ldap, + # ignore if it fails + try: + subprocess.call(['/usr/sbin/setsebool', '-P', + 'httpd_can_connect_ldap=on']) + except Exception: # pylint: disable=broad-except + pass