ldapcherry/ldapcherry/backend/backendLdap.py

# -*- coding: utf-8 -*-
# vim:set expandtab tabstop=4 shiftwidth=4:
#
# The MIT License (MIT)
# LdapCherry
# Copyright (c) 2014 Carpentier Pierre-Francois

import cherrypy
import ldap
import logging
import ldapcherry.backend

class Backend(ldapcherry.backend.Backend):

    def __init__(self, config, logger, name, attrslist):
        self.config = config
        self._logger = logger
        self.backend_name = name
        self.binddn = self.get_param('binddn')
        self.bindpassword = self.get_param('password')
        self.ca = self.get_param('ca', False)
        self.checkcert = self.get_param('checkcert', 'on')
        self.starttls = self.get_param('starttls', 'off')
        self.uri = self.get_param('uri')
        self.timeout = self.get_param('timeout', 1)
        self.userdn = self.get_param('userdn')
        self.groupdn = self.get_param('groupdn')
        self.user_filter_tmpl = self.get_param('user_filter_tmpl')
        self.group_filter_tmpl = self.get_param('group_filter_tmpl')
        self.search_filter_tmpl = self.get_param('search_filter_tmpl')
        self.objectclasses = self.get_param('objectclasses')
        self.attrlist = []
        for a in attrslist:
            try:
                self.attrlist.append(str(a))
            except UnicodeEncodeError:
                tmp = unicode(a).encode('unicode_escape')
                self.attrlist.append(tmp)

    def auth(self, username, password):

        binddn = self.get_user(username, False)
        if not binddn is None:
            ldap_client = self._connect()
            try:
                ldap_client.simple_bind_s(binddn, password)
            except ldap.INVALID_CREDENTIALS:
                ldap_client.unbind_s()
                return False
            ldap_client.unbind_s()
            return True
        else:
            return False

    def add_to_group(self):
        pass

    def set_attrs(self, attrs):
        pass

    def rm_from_group(self,username):
        pass

    def add_user(self, username):
        pass

    def del_user(self, username):
        pass

    def _bind(self):
        ldap_client = self._connect()
        try:
            ldap_client.simple_bind_s(self.binddn, self.bindpassword)
        except ldap.INVALID_CREDENTIALS as e:
            self._logger(
                    logging.ERROR,
                    "Configuration error, wrong credentials, unable to connect to ldap with '" + self.binddn + "'",
                )
            ldap_client.unbind_s()
            raise e
        except ldap.SERVER_DOWN as e:
            self._logger(
                    logging.ERROR,
                    "Unable to contact ldap server '" + self.uri + "', check 'auth.ldap.uri' and ssl/tls configuration",
                )
            ldap_client.unbind_s()
            raise e 
        return ldap_client


    def _search(self, searchfilter, attrs):
        ldap_client = self._bind()
        try:
            r = ldap_client.search_s(self.userdn,
                    ldap.SCOPE_SUBTREE,
                    searchfilter,
                    attrlist=attrs
            )
        except ldap.FILTER_ERROR as e:
            self._logger(
                    logging.ERROR,
                    "Bad search filter, check '" + self.backend_name + ".*_filter_tmpl' params",
                )
            ldap_client.unbind_s()
            raise e

        ldap_client.unbind_s()
        return r


    def search(self, searchstring):

        searchfilter = self.search_filter_tmpl % {
            'searchstring': searchstring
        }

        return self._search(searchfilter, None)

    def get_user(self, username, attrs=True):
        if attrs:
            a = self.attrlist
        else:
            a = None

        user_filter = self.user_filter_tmpl % {
            'username': username
        }

        r = self._search(user_filter, a)

        if len(r) == 0:
            return None

        if attrs:
            dn_entry = r[0]
        else:
            dn_entry = r[0][0]
        return dn_entry

    def _connect(self):
        ldap_client = ldap.initialize(self.uri)
        ldap_client.set_option(ldap.OPT_REFERRALS, 0)
        ldap_client.set_option(ldap.OPT_TIMEOUT, self.timeout)
        if self.starttls == 'on':
            ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)
        else:
            ldap.set_option(ldap.OPT_X_TLS_DEMAND, False)
        if self.ca and self.checkcert == 'on':
            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca)
        #else:
        #    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '')
        if self.checkcert == 'off':
            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
        else:
            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_DEMAND)
        if self.starttls == 'on': 
            try:
                ldap_client.start_tls_s()
            except ldap.OPERATIONS_ERROR as e:
                self._logger(
                    logging.ERROR,
                    "cannot use starttls with ldaps:// uri (uri: " + self.uri + ")",
                )
                raise e
                #raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")
        return ldap_client
adding skeleton for most files 2015-04-15 21:13:14 +02:00			`# -- coding: utf-8 --`
			`# vim:set expandtab tabstop=4 shiftwidth=4:`
			`#`
			`# The MIT License (MIT)`
			`# LdapCherry`
			`# Copyright (c) 2014 Carpentier Pierre-Francois`

begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`import cherrypy`
			`import ldap`
			`import logging`
implementing loading backends * fix conf file * add exceptions * fix modules skeletons 2015-05-20 14:21:43 +02:00			`import ldapcherry.backend`

adding skeleton for most files 2015-04-15 21:13:14 +02:00			`class Backend(ldapcherry.backend.Backend):`

add passing attributes list to backend 2015-05-22 10:27:46 +02:00			`def __init__(self, config, logger, name, attrslist):`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`self.config = config`
fix backend name (collision with libraries name) 2015-05-21 08:52:06 +02:00			`self._logger = logger`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`self.backend_name = name`
multiple changes * change parameters name for Backend Ldap * fix default value handling in backends get_param * correct exception in backends get_param * fix syntaxe error * add backend name in test_BackendLdap.py 2015-05-21 21:40:13 +02:00			`self.binddn = self.get_param('binddn')`
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`self.bindpassword = self.get_param('password')`
multiple changes * change parameters name for Backend Ldap * fix default value handling in backends get_param * correct exception in backends get_param * fix syntaxe error * add backend name in test_BackendLdap.py 2015-05-21 21:40:13 +02:00			`self.ca = self.get_param('ca', False)`
			`self.checkcert = self.get_param('checkcert', 'on')`
			`self.starttls = self.get_param('starttls', 'off')`
			`self.uri = self.get_param('uri')`
multiple changes * implemeting recover user attributes * adding a unit test for unavailable ldap * adding a parameter timeout to set the ldap timeout connexion 2015-05-22 20:05:24 +02:00			`self.timeout = self.get_param('timeout', 1)`
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`self.userdn = self.get_param('userdn')`
			`self.groupdn = self.get_param('groupdn')`
multiple changes * change parameters name for Backend Ldap * fix default value handling in backends get_param * correct exception in backends get_param * fix syntaxe error * add backend name in test_BackendLdap.py 2015-05-21 21:40:13 +02:00			`self.user_filter_tmpl = self.get_param('user_filter_tmpl')`
adding search template 2015-05-25 18:52:14 +02:00			`self.group_filter_tmpl = self.get_param('group_filter_tmpl')`
			`self.search_filter_tmpl = self.get_param('search_filter_tmpl')`
adding objectclasses options 2015-05-25 22:53:34 +02:00			`self.objectclasses = self.get_param('objectclasses')`
multiple changes * implemeting recover user attributes * adding a unit test for unavailable ldap * adding a parameter timeout to set the ldap timeout connexion 2015-05-22 20:05:24 +02:00			`self.attrlist = []`
			`for a in attrslist:`
			`try:`
			`self.attrlist.append(str(a))`
			`except UnicodeEncodeError:`
			`tmp = unicode(a).encode('unicode_escape')`
			`self.attrlist.append(tmp)`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00
			`def auth(self, username, password):`

multiple changes * implemeting recover user attributes * adding a unit test for unavailable ldap * adding a parameter timeout to set the ldap timeout connexion 2015-05-22 20:05:24 +02:00			`binddn = self.get_user(username, False)`
more logical return for get_user 2015-05-24 15:11:49 +02:00			`if not binddn is None:`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`ldap_client = self._connect()`
			`try:`
			`ldap_client.simple_bind_s(binddn, password)`
			`except ldap.INVALID_CREDENTIALS:`
			`ldap_client.unbind_s()`
			`return False`
			`ldap_client.unbind_s()`
			`return True`
			`else:`
			`return False`

			`def add_to_group(self):`
			`pass`

			`def set_attrs(self, attrs):`
			`pass`

fix method arguments 2015-05-24 15:20:17 +02:00			`def rm_from_group(self,username):`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`pass`

			`def add_user(self, username):`
adding skeleton for most files 2015-04-15 21:13:14 +02:00			`pass`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00
			`def del_user(self, username):`
			`pass`

factoring binding to the ldap 2015-05-25 22:17:17 +02:00			`def _bind(self):`
implementing search users * adding search * adding unit tests 2015-05-25 19:30:41 +02:00			`ldap_client = self._connect()`
			`try:`
			`ldap_client.simple_bind_s(self.binddn, self.bindpassword)`
			`except ldap.INVALID_CREDENTIALS as e:`
			`self._logger(`
			`logging.ERROR,`
			`"Configuration error, wrong credentials, unable to connect to ldap with '" + self.binddn + "'",`
			`)`
code factoring 2015-05-25 19:52:54 +02:00			`ldap_client.unbind_s()`
implementing search users * adding search * adding unit tests 2015-05-25 19:30:41 +02:00			`raise e`
			`except ldap.SERVER_DOWN as e:`
			`self._logger(`
			`logging.ERROR,`
			`"Unable to contact ldap server '" + self.uri + "', check 'auth.ldap.uri' and ssl/tls configuration",`
			`)`
code factoring 2015-05-25 19:52:54 +02:00			`ldap_client.unbind_s()`
implementing search users * adding search * adding unit tests 2015-05-25 19:30:41 +02:00			`raise e`
factoring binding to the ldap 2015-05-25 22:17:17 +02:00			`return ldap_client`

implementing search users * adding search * adding unit tests 2015-05-25 19:30:41 +02:00
factoring binding to the ldap 2015-05-25 22:17:17 +02:00			`def _search(self, searchfilter, attrs):`
			`ldap_client = self._bind()`
implementing search users * adding search * adding unit tests 2015-05-25 19:30:41 +02:00			`try:`
			`r = ldap_client.search_s(self.userdn,`
			`ldap.SCOPE_SUBTREE,`
code factoring 2015-05-25 19:52:54 +02:00			`searchfilter,`
			`attrlist=attrs`
implementing search users * adding search * adding unit tests 2015-05-25 19:30:41 +02:00			`)`
			`except ldap.FILTER_ERROR as e:`
code factoring 2015-05-25 19:52:54 +02:00			`self._logger(`
			`logging.ERROR,`
			`"Bad search filter, check '" + self.backend_name + ".*_filter_tmpl' params",`
			`)`
			`ldap_client.unbind_s()`
implementing search users * adding search * adding unit tests 2015-05-25 19:30:41 +02:00			`raise e`
code factoring 2015-05-25 19:52:54 +02:00
			`ldap_client.unbind_s()`
implementing search users * adding search * adding unit tests 2015-05-25 19:30:41 +02:00			`return r`
adding skeleton of method search user 2015-05-24 17:32:03 +02:00
code factoring 2015-05-25 19:52:54 +02:00
			`def search(self, searchstring):`

			`searchfilter = self.search_filter_tmpl % {`
			`'searchstring': searchstring`
			`}`

			`return self._search(searchfilter, None)`

multiple changes * implemeting recover user attributes * adding a unit test for unavailable ldap * adding a parameter timeout to set the ldap timeout connexion 2015-05-22 20:05:24 +02:00			`def get_user(self, username, attrs=True):`
			`if attrs:`
			`a = self.attrlist`
			`else:`
			`a = None`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`user_filter = self.user_filter_tmpl % {`
			`'username': username`
			`}`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00
code factoring 2015-05-25 19:52:54 +02:00			`r = self._search(user_filter, a)`

begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`if len(r) == 0:`
more logical return for get_user 2015-05-24 15:11:49 +02:00			`return None`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00
multiple changes * implemeting recover user attributes * adding a unit test for unavailable ldap * adding a parameter timeout to set the ldap timeout connexion 2015-05-22 20:05:24 +02:00			`if attrs:`
			`dn_entry = r[0]`
			`else:`
			`dn_entry = r[0][0]`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`return dn_entry`

			`def _connect(self):`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`ldap_client = ldap.initialize(self.uri)`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`ldap_client.set_option(ldap.OPT_REFERRALS, 0)`
multiple changes * implemeting recover user attributes * adding a unit test for unavailable ldap * adding a parameter timeout to set the ldap timeout connexion 2015-05-22 20:05:24 +02:00			`ldap_client.set_option(ldap.OPT_TIMEOUT, self.timeout)`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`if self.starttls == 'on':`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)`
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`else:`
			`ldap.set_option(ldap.OPT_X_TLS_DEMAND, False)`
			`if self.ca and self.checkcert == 'on':`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca)`
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`#else:`
			`# ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '')`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`if self.checkcert == 'off':`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)`
			`else:`
			`ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_DEMAND)`
multiple changes * change parameters name for Backend Ldap * fix default value handling in backends get_param * correct exception in backends get_param * fix syntaxe error * add backend name in test_BackendLdap.py 2015-05-21 21:40:13 +02:00			`if self.starttls == 'on':`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`try:`
			`ldap_client.start_tls_s()`
adding close connexion and exception handling 2015-05-22 01:48:27 +02:00			`except ldap.OPERATIONS_ERROR as e:`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`self._logger(`
			`logging.ERROR,`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`"cannot use starttls with ldaps:// uri (uri: " + self.uri + ")",`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`)`
adding close connexion and exception handling 2015-05-22 01:48:27 +02:00			`raise e`
			`#raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`return ldap_client`