X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=blobdiff_plain;f=ipsilon%2Flogin%2Fauthldap.py;h=ce096f4b12bde15c792f2c30c18a82e76ae3fe9c;hp=f51f3757b6f7d2081c317857403d1e6971a8abfe;hb=485baf6ee7a315d1af1086fe5b5da8cff6c4ba37;hpb=83da2bf3963db3e4427bced3b4c0681e751e54da diff --git a/ipsilon/login/authldap.py b/ipsilon/login/authldap.py old mode 100755 new mode 100644 index f51f375..ce096f4 --- a/ipsilon/login/authldap.py +++ b/ipsilon/login/authldap.py @@ -1,14 +1,13 @@ -#!/usr/bin/python -# -# Copyright (C) 2014 Ipsilon Contributors, see COPYING for license +# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING -from ipsilon.login.common import LoginFormBase, LoginManagerBase -from ipsilon.login.common import FACILITY +from ipsilon.login.common import LoginFormBase, LoginManagerBase, \ + LoginManagerInstaller from ipsilon.util.plugin import PluginObject from ipsilon.util.log import Log from ipsilon.util import config as pconfig from ipsilon.info.infoldap import InfoProvider as LDAPInfo import ldap +import subprocess class LDAP(LoginFormBase, Log): @@ -50,9 +49,11 @@ class LDAP(LoginFormBase, Log): self.lm.info = None if not self.ldap_info: - self.ldap_info = LDAPInfo() + self.ldap_info = LDAPInfo(self._site) - return self.ldap_info.get_user_data_from_conn(conn, dn) + base = self.lm.base_dn + return self.ldap_info.get_user_data_from_conn(conn, dn, base, + username) return None @@ -65,15 +66,7 @@ class LDAP(LoginFormBase, Log): if username and password: try: - userdata = self._authenticate(username, password) - if userdata: - userattrs = dict() - for d, v in userdata.get('userdata', {}).items(): - userattrs[d] = v - if 'groups' in userdata: - userattrs['groups'] = userdata['groups'] - if 'extras' in userdata: - userattrs['extras'] = userdata['extras'] + userattrs = self._authenticate(username, password) authed = True except Exception, e: # pylint: disable=broad-except errmsg = "Authentication failed" @@ -92,7 +85,7 @@ class LDAP(LoginFormBase, Log): error_password=not password, error_username=not username ) - # pylint: disable=star-args + self.lm.set_auth_error() return self._template('login/form.html', **context) @@ -118,6 +111,10 @@ authentication. """ 'bind dn template', 'Template to turn username into DN.', 'uid=%(username)s,ou=People,dc=example,dc=com'), + pconfig.String( + 'base dn', + 'The base dn to look for users and groups', + 'dc=example,dc=com'), pconfig.Condition( 'get user info', 'Get user info via ldap using user credentials', @@ -163,57 +160,71 @@ authentication. """ @property def get_user_info(self): - return (self.get_config_value('get user info').lower() == 'yes') + return self.get_config_value('get user info') @property def bind_dn_tmpl(self): return self.get_config_value('bind dn template') + @property + def base_dn(self): + return self.get_config_value('base dn') + def get_tree(self, site): self.page = LDAP(site, self, 'login/ldap') return self.page -class Installer(object): +class Installer(LoginManagerInstaller): - def __init__(self): + def __init__(self, *pargs): + super(Installer, self).__init__() self.name = 'ldap' - self.ptype = 'login' + self.pargs = pargs def install_args(self, group): group.add_argument('--ldap', choices=['yes', 'no'], default='no', - help='Configure PAM authentication') + help='Configure LDAP authentication') group.add_argument('--ldap-server-url', action='store', help='LDAP Server Url') group.add_argument('--ldap-bind-dn-template', action='store', help='LDAP Bind DN Template') + group.add_argument('--ldap-tls-level', action='store', default=None, + help='LDAP TLS level') + group.add_argument('--ldap-base-dn', action='store', + help='LDAP Base DN') - def configure(self, opts): + def configure(self, opts, changes): if opts['ldap'] != 'yes': return # Add configuration data to database - po = PluginObject() + po = PluginObject(*self.pargs) po.name = 'ldap' po.wipe_data() + po.wipe_config_values() - po.wipe_config_values(FACILITY) config = dict() if 'ldap_server_url' in opts: config['server url'] = opts['ldap_server_url'] if 'ldap_bind_dn_template' in opts: config['bind dn template'] = opts['ldap_bind_dn_template'] - config['tls'] = 'Demand' - po.save_plugin_config(FACILITY, config) + if 'ldap_tls_level' in opts and opts['ldap_tls_level'] is not None: + config['tls'] = opts['ldap_tls_level'] + else: + config['tls'] = 'Demand' + if 'ldap_base_dn' in opts and opts['ldap_base_dn'] is not None: + config['base dn'] = opts['ldap_base_dn'] + po.save_plugin_config(config) # Update global config to add login plugin - po = PluginObject() - po.name = 'global' - globalconf = po.get_plugin_config(FACILITY) - if 'order' in globalconf: - order = globalconf['order'].split(',') - else: - order = [] - order.append('ldap') - globalconf['order'] = ','.join(order) - po.save_plugin_config(FACILITY, globalconf) + po.is_enabled = True + po.save_enabled_state() + + # For selinux enabled platforms permit httpd to connect to ldap, + # ignore if it fails + try: + subprocess.call(['/usr/sbin/setsebool', '-P', + 'httpd_can_connect_ldap=on']) + except Exception: # pylint: disable=broad-except + pass