pykolab/auth/ldap/__init__.py
Show First 20 Lines • Show All 1,499 Lines • ▼ Show 20 Lines | def _bind(self, bind_dn=None, bind_pw=None): | ||||
_l("Invalid DN, username and/or password for '%s'.") % ( | _l("Invalid DN, username and/or password for '%s'.") % ( | ||||
bind_dn | bind_dn | ||||
) | ) | ||||
) | ) | ||||
return False | return False | ||||
except ldap.INVALID_CREDENTIALS: | except ldap.INVALID_CREDENTIALS: | ||||
if self._bind_sso(bind_dn, bind_pw): | |||||
return True | |||||
log.error( | log.error( | ||||
_l("Invalid DN, username and/or password for '%s'.") % ( | _l("Invalid DN, username and/or password for '%s'.") % ( | ||||
bind_dn | bind_dn | ||||
) | ) | ||||
) | ) | ||||
return False | return False | ||||
else: | else: | ||||
log.debug(_l("bind() called but already bound"), level=8) | log.debug(_l("bind() called but already bound"), level=8) | ||||
return True | return True | ||||
def _bind_sso(self, bind_dn=None, bind_pw=None): | |||||
sso_uri = self.config_get('ldap','sso_uri') | |||||
if sso_uri is None: | |||||
return False | |||||
sso_bind_dn = self.config_get('ldap','sso_bind_dn') | |||||
sso_bind_pw = self.config_get('ldap','sso_bind_pw') | |||||
sso_base_dn = self.config_get('ldap','sso_base_dn') | |||||
sso_kolab_uid_attr = self.config_get('ldap','sso_kolab_uid_attr') | |||||
sso_ext_uid_attr = self.config_get('ldap','sso_ext_uid_attr') | |||||
sso_sync_password = self.config_get('ldap','sso_sync_password') | |||||
if sso_bind_dn is None: | |||||
log.error("sso_bind_dn in kolab.conf is missing") | |||||
return False | |||||
if sso_bind_pw is None: | |||||
log.error("sso_bind_pw in kolab.conf is missing") | |||||
return False | |||||
if sso_base_dn is None: | |||||
log.error("sso_base_dn in kolab.conf is missing") | |||||
return False | |||||
if sso_kolab_uid_attr is None: | |||||
log.error("sso_kolab_uid_attr in kolab.conf is missing") | |||||
return False | |||||
if sso_ext_uid_attr is None: | |||||
log.error("sso_ext_uid_attr in kolab.conf is missing") | |||||
return False | |||||
if sso_sync_password is None: | |||||
log.error("sso_sync_password in kolab.conf is missing") | |||||
return False | |||||
timeout = float(self.config_get('ldap', 'timeout', default=10)) | |||||
base_dn = auth_cache.get_entry(self.domain) | |||||
self._bind() | |||||
try: | |||||
# find kolab uid attr of current user on local ldap server | |||||
_search = self.ldap.search_st( | |||||
bind_dn, | |||||
ldap.SCOPE_SUBTREE, | |||||
filterstr=None, | |||||
attrlist=[sso_kolab_uid_attr], | |||||
timeout=timeout | |||||
) | |||||
except Exception, errmsg: | |||||
log.error(errmsg) | |||||
uid = _search[0][1][sso_kolab_uid_attr][0] | |||||
log.warning("Cannot authenticate against local password. Using SSO LDAP Server: %r" % (sso_uri)) | |||||
try: | |||||
sso_conn = ldap.ldapobject.ReconnectLDAPObject( sso_uri ) | |||||
sso_conn.simple_bind_s( sso_bind_dn, sso_bind_pw ) | |||||
except Exception, errmsg: | |||||
log.error("Could not bind SSO LDAP Server %r: %r" % (sso_uri,errmsg)) | |||||
return False | |||||
try: | |||||
# find dn of corresponding user on external ldap server | |||||
_search = sso_conn.search_st( | |||||
sso_base_dn, | |||||
ldap.SCOPE_SUBTREE, | |||||
sso_ext_uid_attr+"="+uid, | |||||
['dn'], | |||||
attrsonly=True, | |||||
timeout=timeout | |||||
) | |||||
sso_ldap_user_dn = _search[0][0] | |||||
log.info("External DN: %r" % (sso_ldap_user_dn)) | |||||
sso_conn.simple_bind_s( sso_ldap_user_dn, bind_pw ) | |||||
retval = True | |||||
if sso_sync_password == 'True': | |||||
try: | |||||
log.info("Writing password to local LDAP entry: %r" % (bind_dn)) | |||||
self._bind_priv() | |||||
self.ldap_priv.passwd_s(bind_dn, '', bind_pw) | |||||
except Exception, errmsg: | |||||
log.error(("Password coult not be written: %r") % (errmsg)) | |||||
pass | |||||
else: | |||||
log.warning("Password will not be synced to local LDAP entry: %r" % (bind_dn)) | |||||
except Exception, errmsg: | |||||
log.error(("External authentication failed: %r") % (errmsg)) | |||||
return False | |||||
return retval | |||||
def _bind_priv(self): | def _bind_priv(self): | ||||
if self.ldap_priv is None: | if self.ldap_priv is None: | ||||
self.connect(True) | self.connect(True) | ||||
bind_dn = self.config_get('bind_dn') | bind_dn = self.config_get('bind_dn') | ||||
bind_pw = self.config_get('bind_pw') | bind_pw = self.config_get('bind_pw') | ||||
try: | try: | ||||
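Review bot: The external bind at line 86 forwards `bind_pw` unchecked, and `_bind_sso` is reached from `_bind` with `bind_pw=None` as its default, so an empty or missing password becomes an unauthenticated simple bind on the SSO server and, where that server permits such binds, `_bind_sso` returns True for any known uid; add `if not bind_pw: return False` before the first search. The `except` at line 64 only logs and falls through, so a failed local search leaves `_search` unbound and line 66 raises inside `_bind`'s own exception handler; it should `return False`, and both lookups should verify exactly one entry came back (`if len(_search) != 1: return False`) before indexing `[0]`. The filter on line 79 is built by string concatenation from a directory attribute value; use `"(%s=%s)" % (sso_ext_uid_attr, ldap.filter.escape_filter_chars(uid))` so filter metacharacters in the uid cannot widen the match. `_bind` begins before this hunk and `_bind_priv` continues past it.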