mirror of
https://github.com/kakwa/ldapcherry
synced 2024-11-25 18:54:29 +01:00
Merge branch 'master' of https://github.com/kakwa/ldapcherry
This commit is contained in:
commit
fcf2002388
@ -67,8 +67,8 @@ roles.file = '/etc/ldapcherry/roles.yml'
|
|||||||
[backends]
|
[backends]
|
||||||
|
|
||||||
ldap.module = 'ldapcherry.backend.backendLdap'
|
ldap.module = 'ldapcherry.backend.backendLdap'
|
||||||
ldap.groupdn = 'ou=group,dc=example,dc=com'
|
ldap.groupdn = 'ou=groups,dc=example,dc=com'
|
||||||
ldap.userdn = 'ou=group,dc=example,dc=com'
|
ldap.userdn = 'ou=people,dc=example,dc=com'
|
||||||
ldap.binddn = 'cn=ldapcherry,dc=example,dc=com'
|
ldap.binddn = 'cn=ldapcherry,dc=example,dc=com'
|
||||||
ldap.password = 'password'
|
ldap.password = 'password'
|
||||||
ldap.uri = 'ldaps://ldap.ldapcherry.org'
|
ldap.uri = 'ldaps://ldap.ldapcherry.org'
|
||||||
@ -76,7 +76,10 @@ ldap.ca = '/etc/dnscherry/TEST-cacert.pem'
|
|||||||
ldap.starttls = 'on'
|
ldap.starttls = 'on'
|
||||||
ldap.checkcert = 'off'
|
ldap.checkcert = 'off'
|
||||||
ldap.user_filter_tmpl = '(uid=%(username)s)'
|
ldap.user_filter_tmpl = '(uid=%(username)s)'
|
||||||
ldap.group_filter_tmpl = '(member=%(userdn)s)'
|
ldap.group_filter_tmpl = '(member=%(username)s)'
|
||||||
|
ldap.search_filter_tmpl = '(|(uid=%(searchstring)s*)(sn=%(searchstring)s*))'
|
||||||
|
ldap.objectclasses = 'top, person, organizationalPerson, user'
|
||||||
|
ldap.dn_user_attr = 'uid'
|
||||||
ldap.timeout = 1
|
ldap.timeout = 1
|
||||||
|
|
||||||
|
|
||||||
|
@ -76,6 +76,21 @@ class LdapCherry(object):
|
|||||||
else:
|
else:
|
||||||
raise MissingParameter(section, key)
|
raise MissingParameter(section, key)
|
||||||
|
|
||||||
|
|
||||||
|
def _get_groups(self, username):
|
||||||
|
ret = {}
|
||||||
|
for b in self.backends:
|
||||||
|
ret[b] = self.backends[b].get_groups(username)
|
||||||
|
return ret
|
||||||
|
|
||||||
|
def _get_roles(self, username):
|
||||||
|
groups = self._get_groups(username)
|
||||||
|
return self.roles.get_roles(groups)
|
||||||
|
|
||||||
|
def _is_admin(self, username):
|
||||||
|
roles = self._get_roles(username)
|
||||||
|
return self.roles.is_admin(roles['roles'])
|
||||||
|
|
||||||
def _check_backends(self):
|
def _check_backends(self):
|
||||||
backends = self.backends_params.keys()
|
backends = self.backends_params.keys()
|
||||||
for b in self.roles.get_backends():
|
for b in self.roles.get_backends():
|
||||||
@ -114,6 +129,27 @@ class LdapCherry(object):
|
|||||||
except:
|
except:
|
||||||
raise BackendModuleInitFail(module)
|
raise BackendModuleInitFail(module)
|
||||||
|
|
||||||
|
|
||||||
|
def _init_auth(self, config):
|
||||||
|
self.auth_mode = self._get_param('auth', 'auth.mode', config)
|
||||||
|
if self.auth_mode in ['and', 'or', 'none']:
|
||||||
|
pass
|
||||||
|
elif self.auth_mode == 'custom':
|
||||||
|
# load custom auth module
|
||||||
|
auth_module = self._get_param('auth', 'auth.module', config)
|
||||||
|
auth = __import__(auth_module, globals(), locals(), ['Auth'], -1)
|
||||||
|
self.auth = auth.Auth(config['auth'], cherrypy.log)
|
||||||
|
else:
|
||||||
|
raise WrongParamValue('auth.mode', 'auth', ['and', 'or', 'none', 'custom'])
|
||||||
|
|
||||||
|
self.roles_file = self._get_param('roles', 'roles.file', config)
|
||||||
|
cherrypy.log.error(
|
||||||
|
msg = "loading roles file <%(file)s>" % { 'file': self.roles_file },
|
||||||
|
severity = logging.DEBUG
|
||||||
|
)
|
||||||
|
self.roles = Roles(self.roles_file)
|
||||||
|
|
||||||
|
|
||||||
def _set_access_log(self, config, level):
|
def _set_access_log(self, config, level):
|
||||||
access_handler = self._get_param('global', 'log.access_handler', config, 'syslog')
|
access_handler = self._get_param('global', 'log.access_handler', config, 'syslog')
|
||||||
|
|
||||||
@ -201,6 +237,27 @@ class LdapCherry(object):
|
|||||||
else:
|
else:
|
||||||
return logging.INFO
|
return logging.INFO
|
||||||
|
|
||||||
|
def _auth(self, user, password):
|
||||||
|
if self.auth_mode == 'none':
|
||||||
|
return {'connected': True, 'isadmin': True}
|
||||||
|
elif self.auth_mode == 'and':
|
||||||
|
ret1 = True
|
||||||
|
for b in self.backends:
|
||||||
|
ret1 = self.backends[b].auth(user, password) and ret1
|
||||||
|
elif self.auth_mode == 'or':
|
||||||
|
ret1 = False
|
||||||
|
for b in self.backends:
|
||||||
|
ret1 = self.backends[b].auth(user, password) or ret1
|
||||||
|
elif self.auth_mode == 'custom':
|
||||||
|
ret1 = self.auth.auth(user, password)
|
||||||
|
else:
|
||||||
|
raise Exception()
|
||||||
|
if not ret1:
|
||||||
|
return {'connected': False, 'isadmin': False}
|
||||||
|
else:
|
||||||
|
isadmin = self._is_admin(user)
|
||||||
|
return {'connected': True, 'isadmin': isadmin}
|
||||||
|
|
||||||
def reload(self, config = None):
|
def reload(self, config = None):
|
||||||
""" load/reload the configuration
|
""" load/reload the configuration
|
||||||
"""
|
"""
|
||||||
@ -229,18 +286,14 @@ class LdapCherry(object):
|
|||||||
self.temp_login = self.temp_lookup.get_template('login.tmpl')
|
self.temp_login = self.temp_lookup.get_template('login.tmpl')
|
||||||
|
|
||||||
|
|
||||||
self.roles_file = self._get_param('roles', 'roles.file', config)
|
self._init_auth(config)
|
||||||
cherrypy.log.error(
|
|
||||||
msg = "loading roles file <%(file)s>" % { 'file': self.roles_file },
|
|
||||||
severity = logging.DEBUG
|
|
||||||
)
|
|
||||||
self.roles = Roles(self.roles_file)
|
|
||||||
|
|
||||||
self.attributes_file = self._get_param('attributes', 'attributes.file', config)
|
self.attributes_file = self._get_param('attributes', 'attributes.file', config)
|
||||||
cherrypy.log.error(
|
cherrypy.log.error(
|
||||||
msg = "loading attributes file <%(file)s>" % { 'file': self.attributes_file },
|
msg = "loading attributes file <%(file)s>" % { 'file': self.attributes_file },
|
||||||
severity = logging.DEBUG
|
severity = logging.DEBUG
|
||||||
)
|
)
|
||||||
|
|
||||||
self.attributes = Attributes(self.attributes_file)
|
self.attributes = Attributes(self.attributes_file)
|
||||||
|
|
||||||
cherrypy.log.error(
|
cherrypy.log.error(
|
||||||
@ -308,6 +361,21 @@ class LdapCherry(object):
|
|||||||
message = 'Example warning'
|
message = 'Example warning'
|
||||||
return render_error(alert, message)
|
return render_error(alert, message)
|
||||||
|
|
||||||
|
def _check_auth(self, must_admin):
|
||||||
|
if not 'connected' in cherrypy.session or not cherrypy.session['connected']:
|
||||||
|
raise cherrypy.HTTPRedirect("/signin")
|
||||||
|
if cherrypy.session['connected'] and \
|
||||||
|
not cherrypy.session['isadmin']:
|
||||||
|
if must_admin:
|
||||||
|
raise cherrypy.HTTPError("403 Forbidden", "You are not allowed to access this resource.")
|
||||||
|
else:
|
||||||
|
return
|
||||||
|
if cherrypy.session['connected'] and \
|
||||||
|
cherrypy.session['isadmin']:
|
||||||
|
return
|
||||||
|
else:
|
||||||
|
raise cherrypy.HTTPRedirect("/signin")
|
||||||
|
|
||||||
@cherrypy.expose
|
@cherrypy.expose
|
||||||
def signin(self):
|
def signin(self):
|
||||||
"""simple signin page
|
"""simple signin page
|
||||||
@ -318,7 +386,11 @@ class LdapCherry(object):
|
|||||||
def login(self, login, password):
|
def login(self, login, password):
|
||||||
"""login page
|
"""login page
|
||||||
"""
|
"""
|
||||||
if self.auth.check_credentials(login, password):
|
auth = self._auth(login, password)
|
||||||
|
cherrypy.session['isadmin'] = auth['isadmin']
|
||||||
|
cherrypy.session['connected'] = auth['connected']
|
||||||
|
|
||||||
|
if auth['connected']:
|
||||||
message = "login success for user '%(user)s'" % {
|
message = "login success for user '%(user)s'" % {
|
||||||
'user': login
|
'user': login
|
||||||
}
|
}
|
||||||
@ -342,44 +414,54 @@ class LdapCherry(object):
|
|||||||
def logout(self):
|
def logout(self):
|
||||||
""" logout page
|
""" logout page
|
||||||
"""
|
"""
|
||||||
user = self.auth.end_session()
|
sess = cherrypy.session
|
||||||
|
username = sess.get(SESSION_KEY, None)
|
||||||
|
sess[SESSION_KEY] = None
|
||||||
|
if username:
|
||||||
|
cherrypy.request.login = None
|
||||||
|
|
||||||
message = "user '%(user)s' logout" % {
|
message = "user '%(user)s' logout" % {
|
||||||
'user': user
|
'user': username
|
||||||
}
|
}
|
||||||
cherrypy.log.error(
|
cherrypy.log.error(
|
||||||
msg = message,
|
msg = message,
|
||||||
severity = logging.INFO
|
severity = logging.INFO
|
||||||
)
|
)
|
||||||
|
|
||||||
raise cherrypy.HTTPRedirect("/signin")
|
raise cherrypy.HTTPRedirect("/signin")
|
||||||
|
|
||||||
@cherrypy.expose
|
@cherrypy.expose
|
||||||
def index(self, **params):
|
def index(self, **params):
|
||||||
"""main page rendering
|
"""main page rendering
|
||||||
"""
|
"""
|
||||||
|
self._check_auth(must_admin=False)
|
||||||
pass
|
pass
|
||||||
|
|
||||||
@cherrypy.expose
|
@cherrypy.expose
|
||||||
def searchuser(self):
|
def searchuser(self):
|
||||||
""" search user page """
|
""" search user page """
|
||||||
|
self._check_auth(must_admin=True)
|
||||||
pass
|
pass
|
||||||
|
|
||||||
@cherrypy.expose
|
@cherrypy.expose
|
||||||
def adduser(self):
|
def adduser(self):
|
||||||
""" add user page """
|
""" add user page """
|
||||||
|
self._check_auth(must_admin=True)
|
||||||
pass
|
pass
|
||||||
|
|
||||||
@cherrypy.expose
|
@cherrypy.expose
|
||||||
def removeuser(self):
|
def removeuser(self):
|
||||||
""" remove user page """
|
""" remove user page """
|
||||||
|
self._check_auth(must_admin=True)
|
||||||
pass
|
pass
|
||||||
|
|
||||||
@cherrypy.expose
|
@cherrypy.expose
|
||||||
def modifyuser(self):
|
def modifyuser(self):
|
||||||
""" modify user page """
|
""" modify user page """
|
||||||
|
self._check_auth(must_admin=True)
|
||||||
pass
|
pass
|
||||||
|
|
||||||
@cherrypy.expose
|
@cherrypy.expose
|
||||||
def modifyself(self):
|
def modifyself(self):
|
||||||
""" self modify user page """
|
""" self modify user page """
|
||||||
|
self._check_auth(must_admin=False)
|
||||||
pass
|
pass
|
||||||
|
@ -7,8 +7,16 @@
|
|||||||
|
|
||||||
import cherrypy
|
import cherrypy
|
||||||
import ldap
|
import ldap
|
||||||
|
import ldap.modlist as modlist
|
||||||
import logging
|
import logging
|
||||||
import ldapcherry.backend
|
import ldapcherry.backend
|
||||||
|
import re
|
||||||
|
|
||||||
|
class DelUserDontExists(Exception):
|
||||||
|
def __init__(self, user):
|
||||||
|
self.user = user
|
||||||
|
self.log = "cannot remove user, user <%(user)s> does not exist" % { 'user' : user}
|
||||||
|
|
||||||
|
|
||||||
class Backend(ldapcherry.backend.Backend):
|
class Backend(ldapcherry.backend.Backend):
|
||||||
|
|
||||||
@ -26,17 +34,26 @@ class Backend(ldapcherry.backend.Backend):
|
|||||||
self.userdn = self.get_param('userdn')
|
self.userdn = self.get_param('userdn')
|
||||||
self.groupdn = self.get_param('groupdn')
|
self.groupdn = self.get_param('groupdn')
|
||||||
self.user_filter_tmpl = self.get_param('user_filter_tmpl')
|
self.user_filter_tmpl = self.get_param('user_filter_tmpl')
|
||||||
|
self.group_filter_tmpl = self.get_param('group_filter_tmpl')
|
||||||
|
self.search_filter_tmpl = self.get_param('search_filter_tmpl')
|
||||||
|
self.dn_user_attr = self.get_param('dn_user_attr')
|
||||||
|
self.objectclasses = []
|
||||||
|
for o in re.split('\W+', self.get_param('objectclasses')):
|
||||||
|
self.objectclasses.append(self._str(o))
|
||||||
|
|
||||||
self.attrlist = []
|
self.attrlist = []
|
||||||
for a in attrslist:
|
for a in attrslist:
|
||||||
|
self.attrlist.append(self._str(a))
|
||||||
|
|
||||||
|
def _str(self, s):
|
||||||
try:
|
try:
|
||||||
self.attrlist.append(str(a))
|
return str(s)
|
||||||
except UnicodeEncodeError:
|
except UnicodeEncodeError:
|
||||||
tmp = unicode(a).encode('unicode_escape')
|
return unicode(s).encode('unicode_escape')
|
||||||
self.attrlist.append(tmp)
|
|
||||||
|
|
||||||
def auth(self, username, password):
|
def auth(self, username, password):
|
||||||
|
|
||||||
binddn = self.get_user(username, False)
|
binddn = self._get_user(username, False)
|
||||||
if not binddn is None:
|
if not binddn is None:
|
||||||
ldap_client = self._connect()
|
ldap_client = self._connect()
|
||||||
try:
|
try:
|
||||||
@ -58,48 +75,147 @@ class Backend(ldapcherry.backend.Backend):
|
|||||||
def rm_from_group(self, username):
|
def rm_from_group(self, username):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
def add_user(self, username):
|
def get_groups(self, username):
|
||||||
pass
|
userdn = self._get_user(username, False)
|
||||||
|
|
||||||
|
searchfilter = self.group_filter_tmpl % {
|
||||||
|
'userdn': userdn,
|
||||||
|
'username': username
|
||||||
|
}
|
||||||
|
|
||||||
|
groups = self._search(searchfilter, None, self.groupdn)
|
||||||
|
ret = []
|
||||||
|
for entry in groups:
|
||||||
|
ret.append(entry[0])
|
||||||
|
return ret
|
||||||
|
|
||||||
|
def add_user(self, attrs):
|
||||||
|
ldap_client = self._bind()
|
||||||
|
attrs_str = {}
|
||||||
|
for a in attrs:
|
||||||
|
attrs_str[self._str(a)] = self._str(attrs[a])
|
||||||
|
attrs_str['objectClass'] = self.objectclasses
|
||||||
|
dn = self.dn_user_attr + '=' + attrs[self.dn_user_attr] + ',' + self.userdn
|
||||||
|
ldif = modlist.addModlist(attrs_str)
|
||||||
|
try:
|
||||||
|
ldap_client.add_s(dn,ldif)
|
||||||
|
except ldap.OBJECT_CLASS_VIOLATION as e:
|
||||||
|
info = e[0]['info']
|
||||||
|
desc = e[0]['desc']
|
||||||
|
self._logger(
|
||||||
|
severity = logging.ERROR,
|
||||||
|
msg = "Configuration error, " + desc + ", " + info,
|
||||||
|
)
|
||||||
|
raise e
|
||||||
|
except ldap.INSUFFICIENT_ACCESS as e:
|
||||||
|
info = e[0]['info']
|
||||||
|
desc = e[0]['desc']
|
||||||
|
self._logger(
|
||||||
|
severity = logging.ERROR,
|
||||||
|
msg = "Access error, " + desc + ", " + info,
|
||||||
|
)
|
||||||
|
raise e
|
||||||
|
except ldap.ALREADY_EXISTS as e:
|
||||||
|
desc = e[0]['desc']
|
||||||
|
self._logger(
|
||||||
|
severity = logging.ERROR,
|
||||||
|
msg = "adding user failed, " + desc,
|
||||||
|
)
|
||||||
|
raise e
|
||||||
|
|
||||||
def del_user(self, username):
|
def del_user(self, username):
|
||||||
pass
|
ldap_client = self._bind()
|
||||||
|
dn = self._get_user(username, False)
|
||||||
def get_user(self, username, attrs=True):
|
if not dn is None:
|
||||||
if attrs:
|
ldap_client.delete_s(dn)
|
||||||
a = self.attrlist
|
|
||||||
else:
|
else:
|
||||||
a = None
|
raise DelUserDontExists(username)
|
||||||
|
|
||||||
|
def _bind(self):
|
||||||
ldap_client = self._connect()
|
ldap_client = self._connect()
|
||||||
try:
|
try:
|
||||||
ldap_client.simple_bind_s(self.binddn, self.bindpassword)
|
ldap_client.simple_bind_s(self.binddn, self.bindpassword)
|
||||||
except ldap.INVALID_CREDENTIALS as e:
|
except ldap.INVALID_CREDENTIALS as e:
|
||||||
self._logger(
|
self._logger(
|
||||||
logging.ERROR,
|
severity = logging.ERROR,
|
||||||
"Configuration error, wrong credentials, unable to connect to ldap with '" + self.binddn + "'",
|
msg = "Configuration error, wrong credentials, unable to connect to ldap with '" + self.binddn + "'",
|
||||||
)
|
)
|
||||||
#raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")
|
ldap_client.unbind_s()
|
||||||
raise e
|
raise e
|
||||||
except ldap.SERVER_DOWN as e:
|
except ldap.SERVER_DOWN as e:
|
||||||
self._logger(
|
self._logger(
|
||||||
logging.ERROR,
|
severity = logging.ERROR,
|
||||||
"Unable to contact ldap server '" + self.uri + "', check 'auth.ldap.uri' and ssl/tls configuration",
|
msg = "Unable to contact ldap server '" + self.uri + "', check 'auth.ldap.uri' and ssl/tls configuration",
|
||||||
)
|
)
|
||||||
|
ldap_client.unbind_s()
|
||||||
raise e
|
raise e
|
||||||
|
return ldap_client
|
||||||
|
|
||||||
|
|
||||||
|
def _search(self, searchfilter, attrs, basedn):
|
||||||
|
ldap_client = self._bind()
|
||||||
|
try:
|
||||||
|
r = ldap_client.search_s(basedn,
|
||||||
|
ldap.SCOPE_SUBTREE,
|
||||||
|
searchfilter,
|
||||||
|
attrlist=attrs
|
||||||
|
)
|
||||||
|
except ldap.FILTER_ERROR as e:
|
||||||
|
self._logger(
|
||||||
|
severity = logging.ERROR,
|
||||||
|
msg = "Bad search filter, check '" + self.backend_name + ".*_filter_tmpl' params",
|
||||||
|
)
|
||||||
|
ldap_client.unbind_s()
|
||||||
|
raise e
|
||||||
|
except ldap.NO_SUCH_OBJECT as e:
|
||||||
|
self._logger(
|
||||||
|
severity = logging.ERROR,
|
||||||
|
msg = "Search DN '" + basedn \
|
||||||
|
+ "' doesn't exist, check '" \
|
||||||
|
+ self.backend_name + ".userdn' or '" \
|
||||||
|
+ self.backend_name + ".groupdn'",
|
||||||
|
)
|
||||||
|
ldap_client.unbind_s()
|
||||||
|
raise e
|
||||||
|
|
||||||
|
ldap_client.unbind_s()
|
||||||
|
return r
|
||||||
|
|
||||||
|
|
||||||
|
def search(self, searchstring):
|
||||||
|
|
||||||
|
searchfilter = self.search_filter_tmpl % {
|
||||||
|
'searchstring': searchstring
|
||||||
|
}
|
||||||
|
|
||||||
|
return self._search(searchfilter, None, self.userdn)
|
||||||
|
|
||||||
|
def get_user(self, username):
|
||||||
|
ret = {}
|
||||||
|
attrs_tmp = self._get_user(username)[1]
|
||||||
|
for attr in attrs_tmp:
|
||||||
|
value_tmp = attrs_tmp[attr]
|
||||||
|
if len(value_tmp) == 1:
|
||||||
|
ret[attr] = value_tmp[0]
|
||||||
|
else:
|
||||||
|
ret[attr] = value_tmp
|
||||||
|
return ret
|
||||||
|
|
||||||
|
def _get_user(self, username, attrs=True):
|
||||||
|
if attrs:
|
||||||
|
a = self.attrlist
|
||||||
|
else:
|
||||||
|
a = None
|
||||||
|
|
||||||
user_filter = self.user_filter_tmpl % {
|
user_filter = self.user_filter_tmpl % {
|
||||||
'username': username
|
'username': username
|
||||||
}
|
}
|
||||||
|
|
||||||
r = ldap_client.search_s(self.userdn,
|
r = self._search(user_filter, a, self.userdn)
|
||||||
ldap.SCOPE_SUBTREE,
|
|
||||||
user_filter,
|
|
||||||
attrlist=a
|
|
||||||
)
|
|
||||||
if len(r) == 0:
|
if len(r) == 0:
|
||||||
ldap_client.unbind_s()
|
|
||||||
return None
|
return None
|
||||||
|
|
||||||
ldap_client.unbind_s()
|
|
||||||
if attrs:
|
if attrs:
|
||||||
dn_entry = r[0]
|
dn_entry = r[0]
|
||||||
else:
|
else:
|
||||||
@ -127,8 +243,8 @@ class Backend(ldapcherry.backend.Backend):
|
|||||||
ldap_client.start_tls_s()
|
ldap_client.start_tls_s()
|
||||||
except ldap.OPERATIONS_ERROR as e:
|
except ldap.OPERATIONS_ERROR as e:
|
||||||
self._logger(
|
self._logger(
|
||||||
logging.ERROR,
|
severity = logging.ERROR,
|
||||||
"cannot use starttls with ldaps:// uri (uri: " + self.uri + ")",
|
msg = "cannot use starttls with ldaps:// uri (uri: " + self.uri + ")",
|
||||||
)
|
)
|
||||||
raise e
|
raise e
|
||||||
#raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")
|
#raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")
|
||||||
|
@ -5,6 +5,8 @@
|
|||||||
# LdapCherry
|
# LdapCherry
|
||||||
# Copyright (c) 2014 Carpentier Pierre-Francois
|
# Copyright (c) 2014 Carpentier Pierre-Francois
|
||||||
|
|
||||||
|
import string
|
||||||
|
|
||||||
class MissingParameter(Exception):
|
class MissingParameter(Exception):
|
||||||
def __init__(self, section, key):
|
def __init__(self, section, key):
|
||||||
self.section = section
|
self.section = section
|
||||||
@ -69,6 +71,14 @@ class BackendModuleInitFail(Exception):
|
|||||||
self.module = module
|
self.module = module
|
||||||
self.log = "fail to init module <%(module)s>" % {'module': module}
|
self.log = "fail to init module <%(module)s>" % {'module': module}
|
||||||
|
|
||||||
|
class WrongParamValue(Exception):
|
||||||
|
def __init__(self, param, section, possible_values):
|
||||||
|
self.possible_values = possible_values
|
||||||
|
self.section = section
|
||||||
|
self.param = param
|
||||||
|
possible_values_str = string.join(possible_values, ', ')
|
||||||
|
self.log = "wrong value for param <%(param)s> in section <%(section)s>, possible values are [%(values)s]" % {'param': param, 'section': section, 'values': possible_values_str}
|
||||||
|
|
||||||
class WrongAttributeType(Exception):
|
class WrongAttributeType(Exception):
|
||||||
def __init__(self, key, section, ymlfile):
|
def __init__(self, key, section, ymlfile):
|
||||||
self.key = key
|
self.key = key
|
||||||
|
@ -11,11 +11,12 @@ from ldapcherry.backend.backendLdap import Backend
|
|||||||
from ldapcherry import syslog_error
|
from ldapcherry import syslog_error
|
||||||
from ldapcherry.exceptions import *
|
from ldapcherry.exceptions import *
|
||||||
import cherrypy
|
import cherrypy
|
||||||
|
import logging
|
||||||
from ldap import SERVER_DOWN
|
from ldap import SERVER_DOWN
|
||||||
|
|
||||||
cfg = {
|
cfg = {
|
||||||
'module' : 'ldapcherry.backend.ldap',
|
'module' : 'ldapcherry.backend.ldap',
|
||||||
'groupdn' : 'ou=group,dc=example,dc=org',
|
'groupdn' : 'ou=Groups,dc=example,dc=org',
|
||||||
'userdn' : 'ou=People,dc=example,dc=org',
|
'userdn' : 'ou=People,dc=example,dc=org',
|
||||||
'binddn' : 'cn=dnscherry,dc=example,dc=org',
|
'binddn' : 'cn=dnscherry,dc=example,dc=org',
|
||||||
'password' : 'password',
|
'password' : 'password',
|
||||||
@ -25,10 +26,34 @@ cfg = {
|
|||||||
'checkcert' : 'off',
|
'checkcert' : 'off',
|
||||||
'user_filter_tmpl' : '(uid=%(username)s)',
|
'user_filter_tmpl' : '(uid=%(username)s)',
|
||||||
'group_filter_tmpl' : '(member=%(userdn)s)',
|
'group_filter_tmpl' : '(member=%(userdn)s)',
|
||||||
|
'search_filter_tmpl' : '(|(uid=%(searchstring)s*)(sn=%(searchstring)s*))',
|
||||||
|
'objectclasses' : 'top, person, organizationalPerson, simpleSecurityObject, posixAccount',
|
||||||
|
'dn_user_attr' : 'uid',
|
||||||
}
|
}
|
||||||
|
|
||||||
|
def syslog_error(msg='', context='',
|
||||||
|
severity=logging.INFO, traceback=False):
|
||||||
|
pass
|
||||||
|
|
||||||
cherrypy.log.error = syslog_error
|
cherrypy.log.error = syslog_error
|
||||||
attr = ['shéll', 'cn', 'uid', 'uidNumber', 'gidNumber', 'home', 'userPassword', 'givenName', 'email', 'sn']
|
attr = ['shéll', 'cn', 'uid', 'uidNumber', 'gidNumber', 'home', 'userPassword', 'givenName', 'email', 'sn']
|
||||||
|
|
||||||
|
cherrypy.log.error = syslog_error
|
||||||
|
|
||||||
inv = Backend(cfg, cherrypy.log, 'ldap', attr)
|
inv = Backend(cfg, cherrypy.log, 'ldap', attr)
|
||||||
print inv.get_user('jwatson')
|
print inv.get_user('jwatson')
|
||||||
|
print inv.get_groups('jwatson')
|
||||||
|
print inv.search('smit')
|
||||||
|
user = {
|
||||||
|
'uid': 'test',
|
||||||
|
'sn': 'test',
|
||||||
|
'cn': 'test',
|
||||||
|
'userPassword': 'test',
|
||||||
|
'uidNumber': '42',
|
||||||
|
'gidNumber': '42',
|
||||||
|
'homeDirectory': '/home/test/'
|
||||||
|
}
|
||||||
|
inv.add_user(user)
|
||||||
|
print inv.get_user('test')
|
||||||
|
print inv.get_groups('test')
|
||||||
|
inv.del_user('test')
|
||||||
|
5
setup.py
5
setup.py
@ -73,9 +73,12 @@ def get_list_files(basedir, targetdir):
|
|||||||
return_list.append((os.path.join(targetdir, subpath), files_list))
|
return_list.append((os.path.join(targetdir, subpath), files_list))
|
||||||
return return_list
|
return return_list
|
||||||
|
|
||||||
|
# add static files and templates in the list of thing to deploy
|
||||||
resources_files = get_list_files('resources',
|
resources_files = get_list_files('resources',
|
||||||
os.path.join(datarootdir, 'share', 'ldapcherry'))
|
os.path.join(datarootdir, 'share', 'ldapcherry'))
|
||||||
|
|
||||||
|
# add the configuration files if they don't exist
|
||||||
|
if not os.path.exists(os.path.join(sysconfdir, 'ldapcherry')):
|
||||||
resources_files.append((
|
resources_files.append((
|
||||||
os.path.join(sysconfdir, 'ldapcherry'),
|
os.path.join(sysconfdir, 'ldapcherry'),
|
||||||
[ 'conf/ldapcherry.ini', 'conf/attributes.yml', 'conf/roles.yml']
|
[ 'conf/ldapcherry.ini', 'conf/attributes.yml', 'conf/roles.yml']
|
||||||
@ -87,7 +90,7 @@ setup(
|
|||||||
version = '0.0.1',
|
version = '0.0.1',
|
||||||
author = 'Pierre-Francois Carpentier',
|
author = 'Pierre-Francois Carpentier',
|
||||||
author_email = 'carpentier.pf@gmail.com',
|
author_email = 'carpentier.pf@gmail.com',
|
||||||
packages = ['ldapcherry'],
|
packages = ['ldapcherry', 'ldapcherry.backend'],
|
||||||
data_files = resources_files,
|
data_files = resources_files,
|
||||||
scripts = ['scripts/ldapcherryd'],
|
scripts = ['scripts/ldapcherryd'],
|
||||||
url = 'https://github.com/kakwa/ldapcherry',
|
url = 'https://github.com/kakwa/ldapcherry',
|
||||||
|
@ -67,8 +67,8 @@ roles.file = './tests/cfg/roles.yml'
|
|||||||
[backends]
|
[backends]
|
||||||
|
|
||||||
ldap.module = 'ldapcherry.backend.backendLdap'
|
ldap.module = 'ldapcherry.backend.backendLdap'
|
||||||
ldap.groupdn = 'ou=group,dc=example,dc=com'
|
ldap.groupdn = 'ou=groups,dc=example,dc=com'
|
||||||
ldap.userdn = 'ou=group,dc=example,dc=com'
|
ldap.userdn = 'ou=people,dc=example,dc=com'
|
||||||
ldap.binddn = 'cn=dnscherry,dc=example,dc=org'
|
ldap.binddn = 'cn=dnscherry,dc=example,dc=org'
|
||||||
ldap.password = 'password'
|
ldap.password = 'password'
|
||||||
ldap.uri = 'ldaps://ldap.ldapcherry.org'
|
ldap.uri = 'ldaps://ldap.ldapcherry.org'
|
||||||
@ -77,6 +77,9 @@ ldap.starttls = 'on'
|
|||||||
ldap.checkcert = 'off'
|
ldap.checkcert = 'off'
|
||||||
ldap.user_filter_tmpl = '(uid=%(username)s)'
|
ldap.user_filter_tmpl = '(uid=%(username)s)'
|
||||||
ldap.group_filter_tmpl = '(member=%(userdn)s)'
|
ldap.group_filter_tmpl = '(member=%(userdn)s)'
|
||||||
|
ldap.search_filter_tmpl = '(|(uid=%(searchstring)s*)(sn=%(searchstring)s*))'
|
||||||
|
ldap.objectclasses = 'top, person, organizationalPerson, user'
|
||||||
|
ldap.dn_user_attr = 'uid'
|
||||||
ldap.timeout = 1
|
ldap.timeout = 1
|
||||||
|
|
||||||
ad.module = 'ldapcherry.backend.backendSamba4'
|
ad.module = 'ldapcherry.backend.backendSamba4'
|
||||||
|
@ -8,14 +8,14 @@ import pytest
|
|||||||
import sys
|
import sys
|
||||||
from sets import Set
|
from sets import Set
|
||||||
from ldapcherry.backend.backendLdap import Backend
|
from ldapcherry.backend.backendLdap import Backend
|
||||||
from ldapcherry import syslog_error
|
|
||||||
from ldapcherry.exceptions import *
|
from ldapcherry.exceptions import *
|
||||||
import cherrypy
|
import cherrypy
|
||||||
from ldap import SERVER_DOWN
|
import logging
|
||||||
|
import ldap
|
||||||
|
|
||||||
cfg = {
|
cfg = {
|
||||||
'module' : 'ldapcherry.backend.ldap',
|
'module' : 'ldapcherry.backend.ldap',
|
||||||
'groupdn' : 'ou=group,dc=example,dc=org',
|
'groupdn' : 'ou=groups,dc=example,dc=org',
|
||||||
'userdn' : 'ou=People,dc=example,dc=org',
|
'userdn' : 'ou=People,dc=example,dc=org',
|
||||||
'binddn' : 'cn=dnscherry,dc=example,dc=org',
|
'binddn' : 'cn=dnscherry,dc=example,dc=org',
|
||||||
'password' : 'password',
|
'password' : 'password',
|
||||||
@ -25,8 +25,15 @@ cfg = {
|
|||||||
'checkcert' : 'off',
|
'checkcert' : 'off',
|
||||||
'user_filter_tmpl' : '(uid=%(username)s)',
|
'user_filter_tmpl' : '(uid=%(username)s)',
|
||||||
'group_filter_tmpl' : '(member=%(userdn)s)',
|
'group_filter_tmpl' : '(member=%(userdn)s)',
|
||||||
|
'search_filter_tmpl' : '(|(uid=%(searchstring)s*)(sn=%(searchstring)s*))',
|
||||||
|
'objectclasses' : 'top, person, organizationalPerson, simpleSecurityObject, posixAccount',
|
||||||
|
'dn_user_attr' : 'uid',
|
||||||
}
|
}
|
||||||
|
|
||||||
|
def syslog_error(msg='', context='',
|
||||||
|
severity=logging.INFO, traceback=False):
|
||||||
|
pass
|
||||||
|
|
||||||
cherrypy.log.error = syslog_error
|
cherrypy.log.error = syslog_error
|
||||||
attr = ['shéll', 'shell', 'cn', 'uid', 'uidNumber', 'gidNumber', 'home', 'userPassword', 'givenName', 'email', 'sn']
|
attr = ['shéll', 'shell', 'cn', 'uid', 'uidNumber', 'gidNumber', 'home', 'userPassword', 'givenName', 'email', 'sn']
|
||||||
|
|
||||||
@ -59,7 +66,7 @@ class TestError(object):
|
|||||||
ldapc = inv._connect()
|
ldapc = inv._connect()
|
||||||
try:
|
try:
|
||||||
ldapc.simple_bind_s(inv.binddn, inv.bindpassword)
|
ldapc.simple_bind_s(inv.binddn, inv.bindpassword)
|
||||||
except SERVER_DOWN as e:
|
except ldap.SERVER_DOWN as e:
|
||||||
return
|
return
|
||||||
else:
|
else:
|
||||||
raise AssertionError("expected an exception")
|
raise AssertionError("expected an exception")
|
||||||
@ -73,7 +80,7 @@ class TestError(object):
|
|||||||
ldapc = inv._connect()
|
ldapc = inv._connect()
|
||||||
try:
|
try:
|
||||||
ldapc.simple_bind_s(inv.binddn, inv.bindpassword)
|
ldapc.simple_bind_s(inv.binddn, inv.bindpassword)
|
||||||
except SERVER_DOWN as e:
|
except ldap.SERVER_DOWN as e:
|
||||||
assert e[0]['info'] == 'TLS: hostname does not match CN in peer certificate'
|
assert e[0]['info'] == 'TLS: hostname does not match CN in peer certificate'
|
||||||
|
|
||||||
# def testConnectSSLNoCheck(self):
|
# def testConnectSSLNoCheck(self):
|
||||||
@ -111,5 +118,70 @@ class TestError(object):
|
|||||||
def testGetUser(self):
|
def testGetUser(self):
|
||||||
inv = Backend(cfg, cherrypy.log, 'ldap', attr)
|
inv = Backend(cfg, cherrypy.log, 'ldap', attr)
|
||||||
ret = inv.get_user('jwatson')
|
ret = inv.get_user('jwatson')
|
||||||
expected = ('cn=John Watson,ou=People,dc=example,dc=org', {'uid': ['jwatson'], 'cn': ['John Watson'], 'sn': ['watson']})
|
expected = {'uid': 'jwatson', 'cn': 'John Watson', 'sn': 'watson'}
|
||||||
assert ret == expected
|
assert ret == expected
|
||||||
|
|
||||||
|
def testGetUser(self):
|
||||||
|
inv = Backend(cfg, cherrypy.log, 'ldap', attr)
|
||||||
|
ret = inv.get_groups('jwatson')
|
||||||
|
expected = ['cn=itpeople,ou=Groups,dc=example,dc=org']
|
||||||
|
assert ret == expected
|
||||||
|
|
||||||
|
def testSearchUser(self):
|
||||||
|
inv = Backend(cfg, cherrypy.log, 'ldap', attr)
|
||||||
|
ret = inv.search('smith')
|
||||||
|
expected = [('cn=Sheri Smith,ou=People,dc=example,dc=org', {'uid': ['ssmith'], 'objectClass': ['inetOrgPerson'], 'carLicense': ['HERCAR 125'], 'sn': ['smith'], 'mail': ['s.smith@example.com', 'ssmith@example.com', 'sheri.smith@example.com'], 'homePhone': ['555-111-2225'], 'cn': ['Sheri Smith']}), ('cn=John Smith,ou=People,dc=example,dc=org', {'uid': ['jsmith'], 'objectClass': ['inetOrgPerson'], 'carLicense': ['HISCAR 125'], 'sn': ['Smith'], 'mail': ['j.smith@example.com', 'jsmith@example.com', 'jsmith.smith@example.com'], 'homePhone': ['555-111-2225'], 'cn': ['John Smith']})]
|
||||||
|
assert ret == expected
|
||||||
|
|
||||||
|
def testAddUser(self):
|
||||||
|
inv = Backend(cfg, cherrypy.log, 'ldap', attr)
|
||||||
|
user = {
|
||||||
|
'uid': 'test',
|
||||||
|
'sn': 'test',
|
||||||
|
'cn': 'test',
|
||||||
|
'userPassword': 'test',
|
||||||
|
'uidNumber': '42',
|
||||||
|
'gidNumber': '42',
|
||||||
|
'homeDirectory': '/home/test/'
|
||||||
|
}
|
||||||
|
inv.add_user(user)
|
||||||
|
inv.del_user('test')
|
||||||
|
|
||||||
|
def testAddUserDuplicate(self):
|
||||||
|
inv = Backend(cfg, cherrypy.log, 'ldap', attr)
|
||||||
|
user = {
|
||||||
|
'uid': 'test',
|
||||||
|
'sn': 'test',
|
||||||
|
'cn': 'test',
|
||||||
|
'uidNumber': '42',
|
||||||
|
'userPassword': 'test',
|
||||||
|
'gidNumber': '42',
|
||||||
|
'homeDirectory': '/home/test/'
|
||||||
|
}
|
||||||
|
try:
|
||||||
|
inv.add_user(user)
|
||||||
|
inv.add_user(user)
|
||||||
|
except ldap.ALREADY_EXISTS:
|
||||||
|
inv.del_user('test')
|
||||||
|
return
|
||||||
|
else:
|
||||||
|
inv.del_user('test')
|
||||||
|
raise AssertionError("expected an exception")
|
||||||
|
|
||||||
|
def testAddUserMissingMustAttribute(self):
|
||||||
|
inv = Backend(cfg, cherrypy.log, 'ldap', attr)
|
||||||
|
user = {
|
||||||
|
'uid': 'test',
|
||||||
|
'sn': 'test',
|
||||||
|
'cn': 'test',
|
||||||
|
'userPassword': 'test',
|
||||||
|
'gidNumber': '42',
|
||||||
|
'homeDirectory': '/home/test/'
|
||||||
|
}
|
||||||
|
try:
|
||||||
|
inv.add_user(user)
|
||||||
|
except ldap.OBJECT_CLASS_VIOLATION:
|
||||||
|
return
|
||||||
|
else:
|
||||||
|
inv.del_user('test')
|
||||||
|
raise AssertionError("expected an exception")
|
||||||
|
@ -32,7 +32,7 @@ sudo sed -i "s%tools.staticdir.dir.*%tools.staticdir.dir = '`pwd`/resources/stat
|
|||||||
chown -R openldap:openldap /etc/ldap/
|
chown -R openldap:openldap /etc/ldap/
|
||||||
rm /etc/ldap/slapd.d/cn\=config/*mdb*
|
rm /etc/ldap/slapd.d/cn\=config/*mdb*
|
||||||
/etc/init.d/slapd restart
|
/etc/init.d/slapd restart
|
||||||
ldapadd -H ldap://localhost:390 -x -D "cn=admin,dc=example,dc=org" -f /etc/ldap/content.ldif -w password
|
ldapadd -c -H ldap://localhost:390 -x -D "cn=admin,dc=example,dc=org" -f /etc/ldap/content.ldif -w password
|
||||||
sed -i "s/\(127.0.0.1.*\)/\1 ldap.ldapcherry.org ad.ldapcherry.org/" /etc/hosts
|
sed -i "s/\(127.0.0.1.*\)/\1 ldap.ldapcherry.org ad.ldapcherry.org/" /etc/hosts
|
||||||
|
|
||||||
df -h
|
df -h
|
||||||
|
@ -32,6 +32,18 @@ mail: s.smith@example.com
|
|||||||
mail: ssmith@example.com
|
mail: ssmith@example.com
|
||||||
mail: sheri.smith@example.com
|
mail: sheri.smith@example.com
|
||||||
|
|
||||||
|
dn: cn=John Smith,ou=people,dc=example,dc=org
|
||||||
|
objectclass: inetOrgPerson
|
||||||
|
cn: John Smith
|
||||||
|
sn: Smith
|
||||||
|
uid: jsmith
|
||||||
|
userpassword: passwordsmith
|
||||||
|
carlicense: HISCAR 125
|
||||||
|
homephone: 555-111-2225
|
||||||
|
mail: j.smith@example.com
|
||||||
|
mail: jsmith@example.com
|
||||||
|
mail: jsmith.smith@example.com
|
||||||
|
|
||||||
dn: cn=John Watson,ou=people,dc=example,dc=org
|
dn: cn=John Watson,ou=people,dc=example,dc=org
|
||||||
objectclass: inetOrgPerson
|
objectclass: inetOrgPerson
|
||||||
cn: John Watson
|
cn: John Watson
|
||||||
|
@ -7,7 +7,7 @@ olcSuffix: dc=example,dc=org
|
|||||||
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
|
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
|
||||||
s auth by dn="cn=admin,dc=example,dc=org" write by * none
|
s auth by dn="cn=admin,dc=example,dc=org" write by * none
|
||||||
olcAccess: {1}to dn.base="" by * read
|
olcAccess: {1}to dn.base="" by * read
|
||||||
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=org" write by * read
|
olcAccess: {2}to * by self write by dn="cn=dnscherry,dc=example,dc=org" write by * read
|
||||||
olcLastMod: TRUE
|
olcLastMod: TRUE
|
||||||
olcRootDN: cn=admin,dc=example,dc=org
|
olcRootDN: cn=admin,dc=example,dc=org
|
||||||
olcRootPW: {SSHA}Fp+rSxe5eFsj0DGITJts4DwdSDFDZG9P
|
olcRootPW: {SSHA}Fp+rSxe5eFsj0DGITJts4DwdSDFDZG9P
|
||||||
|
Loading…
Reference in New Issue
Block a user