ldapcherry/ldapcherry/backend/backendLdap.py

# -*- coding: utf-8 -*-
# vim:set expandtab tabstop=4 shiftwidth=4:
#
# The MIT License (MIT)
# LdapCherry
# Copyright (c) 2014 Carpentier Pierre-Francois

import cherrypy
import ldap
import logging
import ldapcherry.backend

class Backend(ldapcherry.backend.Backend):

    def __init__(self, config, logger, name, attrslist):
        self.config = config
        self._logger = logger
        self.backend_name = name
        self.binddn = self.get_param('binddn')
        self.bindpassword = self.get_param('password')
        self.ca = self.get_param('ca', False)
        self.checkcert = self.get_param('checkcert', 'on')
        self.starttls = self.get_param('starttls', 'off')
        self.uri = self.get_param('uri')
        self.userdn = self.get_param('userdn')
        self.groupdn = self.get_param('groupdn')
        self.user_filter_tmpl = self.get_param('user_filter_tmpl')
        self.attrlist = attrslist

    def auth(self, username, password):

        binddn = self.get_user(username)
        if binddn:
            ldap_client = self._connect()
            try:
                ldap_client.simple_bind_s(binddn, password)
            except ldap.INVALID_CREDENTIALS:
                ldap_client.unbind_s()
                return False
            ldap_client.unbind_s()
            return True
        else:
            return False

    def add_to_group(self):
        pass

    def set_attrs(self, attrs):
        pass

    def rm_from_group(self):
        pass

    def add_user(self, username):
        pass

    def del_user(self, username):
        pass

    def get_user(self, username, attrs=None):
        ldap_client = self._connect()
        try:
            ldap_client.simple_bind_s(self.binddn, self.bindpassword)
        except ldap.INVALID_CREDENTIALS as e:
            self._logger(
                    logging.ERROR,
                    "Configuration error, wrong credentials, unable to connect to ldap with '" + self.binddn + "'",
                )
            #raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")
            raise e
        except ldap.SERVER_DOWN as e:
            self._logger(
                    logging.ERROR,
                    "Unable to contact ldap server '" + self.uri + "', check 'auth.ldap.uri' and ssl/tls configuration",
                )
            raise e 

        user_filter = self.user_filter_tmpl % {
            'username': username
        }

        r = ldap_client.search_s(self.userdn,
                ldap.SCOPE_SUBTREE,
                user_filter,
                attrlist=attrs
            )
        if len(r) == 0:
            ldap_client.unbind_s()
            return False

        ldap_client.unbind_s()
        dn_entry = r[0][0]
        return dn_entry

    def _connect(self):
        ldap_client = ldap.initialize(self.uri)
        ldap_client.set_option(ldap.OPT_REFERRALS, 0)
        if self.starttls == 'on':
            ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)
        else:
            ldap.set_option(ldap.OPT_X_TLS_DEMAND, False)
        if self.ca and self.checkcert == 'on':
            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca)
        #else:
        #    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '')
        if self.checkcert == 'off':
            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
        else:
            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_DEMAND)
        if self.starttls == 'on': 
            try:
                ldap_client.start_tls_s()
            except ldap.OPERATIONS_ERROR as e:
                self._logger(
                    logging.ERROR,
                    "cannot use starttls with ldaps:// uri (uri: " + self.uri + ")",
                )
                raise e
                #raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")
        return ldap_client
adding skeleton for most files 2015-04-15 21:13:14 +02:00			`# -- coding: utf-8 --`
			`# vim:set expandtab tabstop=4 shiftwidth=4:`
			`#`
			`# The MIT License (MIT)`
			`# LdapCherry`
			`# Copyright (c) 2014 Carpentier Pierre-Francois`

begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`import cherrypy`
			`import ldap`
			`import logging`
implementing loading backends * fix conf file * add exceptions * fix modules skeletons 2015-05-20 14:21:43 +02:00			`import ldapcherry.backend`

adding skeleton for most files 2015-04-15 21:13:14 +02:00			`class Backend(ldapcherry.backend.Backend):`

add passing attributes list to backend 2015-05-22 10:27:46 +02:00			`def __init__(self, config, logger, name, attrslist):`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`self.config = config`
fix backend name (collision with libraries name) 2015-05-21 08:52:06 +02:00			`self._logger = logger`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`self.backend_name = name`
multiple changes * change parameters name for Backend Ldap * fix default value handling in backends get_param * correct exception in backends get_param * fix syntaxe error * add backend name in test_BackendLdap.py 2015-05-21 21:40:13 +02:00			`self.binddn = self.get_param('binddn')`
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`self.bindpassword = self.get_param('password')`
multiple changes * change parameters name for Backend Ldap * fix default value handling in backends get_param * correct exception in backends get_param * fix syntaxe error * add backend name in test_BackendLdap.py 2015-05-21 21:40:13 +02:00			`self.ca = self.get_param('ca', False)`
			`self.checkcert = self.get_param('checkcert', 'on')`
			`self.starttls = self.get_param('starttls', 'off')`
			`self.uri = self.get_param('uri')`
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`self.userdn = self.get_param('userdn')`
			`self.groupdn = self.get_param('groupdn')`
multiple changes * change parameters name for Backend Ldap * fix default value handling in backends get_param * correct exception in backends get_param * fix syntaxe error * add backend name in test_BackendLdap.py 2015-05-21 21:40:13 +02:00			`self.user_filter_tmpl = self.get_param('user_filter_tmpl')`
add passing attributes list to backend 2015-05-22 10:27:46 +02:00			`self.attrlist = attrslist`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00
			`def auth(self, username, password):`

fix wrong call to method 2015-05-22 01:32:35 +02:00			`binddn = self.get_user(username)`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`if binddn:`
			`ldap_client = self._connect()`
			`try:`
			`ldap_client.simple_bind_s(binddn, password)`
			`except ldap.INVALID_CREDENTIALS:`
			`ldap_client.unbind_s()`
			`return False`
			`ldap_client.unbind_s()`
			`return True`
			`else:`
			`return False`

			`def add_to_group(self):`
			`pass`

			`def set_attrs(self, attrs):`
			`pass`

			`def rm_from_group(self):`
			`pass`

			`def add_user(self, username):`
adding skeleton for most files 2015-04-15 21:13:14 +02:00			`pass`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00
			`def del_user(self, username):`
			`pass`

adding the possibility to get a list of attributes in get_user 2015-05-22 09:51:46 +02:00			`def get_user(self, username, attrs=None):`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`ldap_client = self._connect()`
			`try:`
			`ldap_client.simple_bind_s(self.binddn, self.bindpassword)`
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`except ldap.INVALID_CREDENTIALS as e:`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`self._logger(`
			`logging.ERROR,`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`"Configuration error, wrong credentials, unable to connect to ldap with '" + self.binddn + "'",`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`)`
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`#raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")`
			`raise e`
			`except ldap.SERVER_DOWN as e:`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`self._logger(`
			`logging.ERROR,`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`"Unable to contact ldap server '" + self.uri + "', check 'auth.ldap.uri' and ssl/tls configuration",`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`)`
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`raise e`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`user_filter = self.user_filter_tmpl % {`
			`'username': username`
			`}`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00
			`r = ldap_client.search_s(self.userdn,`
			`ldap.SCOPE_SUBTREE,`
adding the possibility to get a list of attributes in get_user 2015-05-22 09:51:46 +02:00			`user_filter,`
			`attrlist=attrs`
			`)`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`if len(r) == 0:`
			`ldap_client.unbind_s()`
			`return False`

adding close connexion and exception handling 2015-05-22 01:48:27 +02:00			`ldap_client.unbind_s()`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`dn_entry = r[0][0]`
			`return dn_entry`

			`def _connect(self):`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`ldap_client = ldap.initialize(self.uri)`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`ldap_client.set_option(ldap.OPT_REFERRALS, 0)`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`if self.starttls == 'on':`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)`
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`else:`
			`ldap.set_option(ldap.OPT_X_TLS_DEMAND, False)`
			`if self.ca and self.checkcert == 'on':`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca)`
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`#else:`
			`# ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '')`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`if self.checkcert == 'off':`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)`
			`else:`
			`ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_DEMAND)`
multiple changes * change parameters name for Backend Ldap * fix default value handling in backends get_param * correct exception in backends get_param * fix syntaxe error * add backend name in test_BackendLdap.py 2015-05-21 21:40:13 +02:00			`if self.starttls == 'on':`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`try:`
			`ldap_client.start_tls_s()`
adding close connexion and exception handling 2015-05-22 01:48:27 +02:00			`except ldap.OPERATIONS_ERROR as e:`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`self._logger(`
			`logging.ERROR,`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`"cannot use starttls with ldaps:// uri (uri: " + self.uri + ")",`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`)`
adding close connexion and exception handling 2015-05-22 01:48:27 +02:00			`raise e`
			`#raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`return ldap_client`