many fixes in unit tests + fix in params + fix in constant

Oh god, python-ldap is crap...
* add better unit test
* correct params name
* correct exception handling
* disable testConnectSSLNoCheck (impossible to test with a certificate
  previously defined)
This commit is contained in:
kakwa 2015-05-22 01:16:53 +02:00
parent 93ed190913
commit 189079cf21
5 changed files with 79 additions and 23 deletions


@ -68,7 +68,7 @@ roles.file = '/etc/ldapcherry/roles.yml'
ldap.module = 'ldapcherry.backend.backendLdap'
ldap.groupdn = 'ou=group,dc=example,dc=com'
ldap.people = 'ou=group,dc=example,dc=com'
ldap.userdn = 'ou=group,dc=example,dc=com'
ldap.binddn = 'cn=ldapcherry,dc=example,dc=com'
ldap.password = 'password'
ldap.uri = 'ldaps://ldap.ldapcherry.org'


@ -17,10 +17,13 @@ class Backend(ldapcherry.backend.Backend):
self._logger = logger
self.backend_name = name
self.binddn = self.get_param('binddn')
self.bindpassword = self.get_param('password')
self.ca = self.get_param('ca', False)
self.checkcert = self.get_param('checkcert', 'on')
self.starttls = self.get_param('starttls', 'off')
self.uri = self.get_param('uri')
self.userdn = self.get_param('userdn')
self.groupdn = self.get_param('groupdn')
self.user_filter_tmpl = self.get_param('user_filter_tmpl')
def auth(self, username, password):
@ -57,22 +60,23 @@ class Backend(ldapcherry.backend.Backend):
ldap_client = self._connect()
try:
ldap_client.simple_bind_s(self.binddn, self.bindpassword)
except ldap.INVALID_CREDENTIALS:
except ldap.INVALID_CREDENTIALS as e:
self._logger(
logging.ERROR,
"Configuration error, wrong credentials, unable to connect to ldap with '" + self.binddn + "'",
)
raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")
except ldap.SERVER_DOWN:
#raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")
raise e
except ldap.SERVER_DOWN as e:
self._logger(
logging.ERROR,
"Unable to contact ldap server '" + self.uri + "', check 'auth.ldap.uri' and ssl/tls configuration",
)
return False
raise e
user_filter = self.user_filter_tmpl % {
'login': username
}
user_filter = self.user_filter_tmpl % {
'username': username
}
r = ldap_client.search_s(self.userdn,
ldap.SCOPE_SUBTREE,
@ -90,13 +94,16 @@ class Backend(ldapcherry.backend.Backend):
ldap_client.set_option(ldap.OPT_REFERRALS, 0)
if self.starttls == 'on':
ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)
if self.ca:
else:
ldap.set_option(ldap.OPT_X_TLS_DEMAND, False)
if self.ca and self.checkcert == 'on':
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca)
#else:
# ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '')
if self.checkcert == 'off':
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
else:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_DEMAND)
if self.starttls == 'on':
try:
ldap_client.start_tls_s()
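Review bot: The two calls `ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)` / `ldap.set_option(ldap.OPT_X_TLS_DEMAND, False)` at the top of this hunk pass `OPT_X_TLS_DEMAND` as the option name, but in python-ldap that constant is one of the values of `OPT_X_TLS_REQUIRE_CERT` (next to `OPT_X_TLS_ALLOW`, which the hunk uses correctly further down), not an option key, so those two lines most likely do not configure certificate checking at all. Since the `checkcert` branch already sets `ldap.OPT_X_TLS_REQUIRE_CERT` to `ldap.OPT_X_TLS_ALLOW` or `ldap.OPT_X_TLS_DEMAND`, the `if self.starttls == 'on': ... else: ...` block around those two calls can simply be removed. Separately, every TLS option in this hunk is set on the `ldap` module (process-wide) whereas `OPT_REFERRALS` is set on `ldap_client`; global TLS options in python-ldap are generally taken by connections created afterwards, so setting them after `ldap_client` already exists, and sharing them between backend instances with different `ca`/`checkcert` values, deserves a check. `_connect` starts before this hunk and continues past its end.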


@ -68,8 +68,8 @@ roles.file = './tests/cfg/roles.yml'
ldap.module = 'ldapcherry.backend.backendLdap'
ldap.groupdn = 'ou=group,dc=example,dc=com'
ldap.people = 'ou=group,dc=example,dc=com'
ldap.binddn = 'cn=ldapcherry,dc=example,dc=com'
ldap.userdn = 'ou=group,dc=example,dc=com'
ldap.binddn = 'cn=dnscherry,dc=example,dc=org'
ldap.password = 'password'
ldap.uri = 'ldaps://ldap.ldapcherry.org'
ldap.ca = '/etc/dnscherry/TEST-cacert.pem'

tests/cfg/wrong_ca.crt Normal file

@ -0,0 +1,27 @@
-----BEGIN CERTIFICATE-----
MIIEpDCCA4ygAwIBAgIJAJPjqWBPSpcrMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYD
VQQGEwJGUjELMAkGA1UECBMCRlIxDjAMBgNVBAcTBVBhcmlzMQ4wDAYDVQQKEwVQ
YXJpczERMA8GA1UECxMIY2hhbmdlbWUxETAPBgNVBAMTCGNoYW5nZW1lMREwDwYD
VQQpEwhjaGFuZ2VtZTEdMBsGCSqGSIb3DQEJARYOa2Frd2FAa2Frd2EuZnIwHhcN
MTIwNzIxMTgwMzExWhcNMjIwNzE5MTgwMzExWjCBkjELMAkGA1UEBhMCRlIxCzAJ
BgNVBAgTAkZSMQ4wDAYDVQQHEwVQYXJpczEOMAwGA1UEChMFUGFyaXMxETAPBgNV
BAsTCGNoYW5nZW1lMREwDwYDVQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMIY2hhbmdl
bWUxHTAbBgkqhkiG9w0BCQEWDmtha3dhQGtha3dhLmZyMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA2JAYpMeudhVLgUOCdnA4a4R+sGv7dNxcrBTK9Eh3
PHbCwBtAfX8J2NXjKiSNlZLw2xc5A7wEks7JxieynBfClL3kruZ2pj9yxT4BH4ro
fY560b887miofiqKjB1dEnpoOfQNxUwUKVdKlOU0U8oteHwEnet8EbJ3Th4bkftz
Bk8PYDOCt2x+SK6mHJz8yOsezsLfsrNdOLlY+dDrgZFmIGekTdo7okGaiPIndr1s
OYcDLlow188oHnUZ8I9uPQW6Tk6gveh65sDc4ThpdrF8dV7UQxOrP+lBTcbrQNf0
dMy2UDuA4TauIA6o6JsxtBbsBRph4vmgGXc1AGfmC2QXqwIDAQABo4H6MIH3MB0G
A1UdDgQWBBTS1NffwUVvC47DSsSh5WCPGXMvxDCBxwYDVR0jBIG/MIG8gBTS1Nff
wUVvC47DSsSh5WCPGXMvxKGBmKSBlTCBkjELMAkGA1UEBhMCRlIxCzAJBgNVBAgT
AkZSMQ4wDAYDVQQHEwVQYXJpczEOMAwGA1UEChMFUGFyaXMxETAPBgNVBAsTCGNo
YW5nZW1lMREwDwYDVQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMIY2hhbmdlbWUxHTAb
BgkqhkiG9w0BCQEWDmtha3dhQGtha3dhLmZyggkAk+OpYE9KlyswDAYDVR0TBAUw
AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEATGrU92RcniJ5QkOPLR/Zy2850jtknHKq
VynTH5+smoRqDm6MJNSXb4Hy437qRFZdIyPcIXLgn+C31z0yfkSxW6MoGvYsWo86
SKjow/OG4XQcHiOr0ydOSqdWL9EXWq+0DwnwWcmaFpuRhN2pK4fZmIcokRBiIbv0
xnuyFvCTpsEOJHaYRQdE71omb47OBFhSA+ytGihmD6FycNqP9mriA0fPw2o/oVSd
WC55yNfi9JqimfH/AN2ApMXD6TQD9JyyNJ2Qciwf7WsU+h3I/qIS15RsG+VUFm5E
D62QGIMu6rRj06GO4e7+0+doiHvV9b8rk37aMOEhWmTw2v6aHJcGHw==
-----END CERTIFICATE-----


@ -11,15 +11,16 @@ from ldapcherry.backend.backendLdap import Backend
from ldapcherry import syslog_error
from ldapcherry.exceptions import *
import cherrypy
from ldap import SERVER_DOWN
cfg = {
'module' : 'ldapcherry.backend.ldap',
'groupdn' : 'ou=group,dc=example,dc=com',
'people' : 'ou=group,dc=example,dc=com',
'binddn' : 'cn=ldapcherry,dc=example,dc=com',
'groupdn' : 'ou=group,dc=example,dc=org',
'userdn' : 'ou=People,dc=example,dc=org',
'binddn' : 'cn=dnscherry,dc=example,dc=org',
'password' : 'password',
'uri' : 'ldaps://ldap.ldapcherry.org',
'ca' : '/etc/dnscherry/TEST-cacert.pem',
'uri' : 'ldap://ldap.ldapcherry.org:390',
'ca' : './tests/test_env/etc/ldapcherry/TEST-cacert.pem',
'starttls' : 'off',
'checkcert' : 'off',
'user_filter_tmpl' : '(uid=%(username)s)',
@ -36,16 +37,37 @@ class TestError(object):
def testConnect(self):
inv = Backend(cfg, cherrypy.log, 'ldap')
inv._connect()
ldap = inv._connect()
ldap.simple_bind_s(inv.binddn, inv.bindpassword)
return True
def testConnectSSL(self):
inv = Backend(cfg, cherrypy.log, 'ldap')
return True
cfg2 = cfg.copy()
cfg2['uri'] = 'ldaps://ldap.ldapcherry.org:637'
cfg2['checkcert'] = 'on'
inv = Backend(cfg2, cherrypy.log, 'ldap')
ldap = inv._connect()
ldap.simple_bind_s(inv.binddn, inv.bindpassword)
def testConnectSSLNoCheck(self):
inv = Backend(cfg, cherrypy.log, 'ldap')
return True
def testConnectSSLWrongCA(self):
cfg2 = cfg.copy()
cfg2['uri'] = 'ldaps://ldap.ldapcherry.org:637'
cfg2['checkcert'] = 'on'
cfg2['ca'] = './cfg/wrong_ca.crt'
inv = Backend(cfg2, cherrypy.log, 'ldap')
ldapc = inv._connect()
try:
ldapc.simple_bind_s(inv.binddn, inv.bindpassword)
except SERVER_DOWN as e:
assert e[0]['info'] == 'TLS: hostname does not match CN in peer certificate'
# def testConnectSSLNoCheck(self):
# cfg2 = cfg.copy()
# cfg2['uri'] = 'ldaps://ldap.ldapcherry.org:637'
# cfg2['checkcert'] = 'off'
# inv = Backend(cfg2, cherrypy.log, 'ldap')
# ldap = inv._connect()
# ldap.simple_bind_s(inv.binddn, inv.bindpassword)
def testAuthSuccess(self):
inv = Backend(cfg, cherrypy.log, 'ldap')
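Review bot: `testConnectSSLWrongCA` passes when `simple_bind_s` succeeds, because its only assertion sits inside the `except SERVER_DOWN as e:` branch; a bind accepted under the wrong CA (certificate verification silently not applied) is exactly what this test exists to catch, yet it would go green. Give the `try` an `else:` that fails explicitly, e.g. `else:` / `raise AssertionError("bind succeeded with wrong CA")`. The CA path `./cfg/wrong_ca.crt` also differs in form from the `./tests/test_env/...` path used for `ca` in `cfg`, so if the suite runs from the repository root the file may not be found and the failure would not carry the asserted `info` string — worth confirming. `testAuthSuccess` starts on the last line of this hunk and its body lies outside it.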