Changeset - 40db9e086773
Parent rev.
Child rev.
[Not reviewed]
beta
0 1 0
Shawn K. O'Shea - 14 years ago 2011-11-07 22:06:24
shawn@eth0.net
Reject LDAP authentication requests with blank password. Per RFC4513 these should be treated as anonymous binds. See the Security Considerations (Section 6.3.1) for more details on this issue.
1 file changed with 3 insertions and 0 deletions:
rhodecode/lib/auth_ldap.py
3
0 comments (0 inline, 0 general)
rhodecode/lib/auth_ldap.py
Show inline comments
 
@@ -66,48 +66,51 @@ class AuthLdap(object):
 

			




	
	
	
		
 
        self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type,

			




	
	
	
		
 
                                           self.LDAP_SERVER_ADDRESS,

			




	
	
	
		
 
                                           self.LDAP_SERVER_PORT)

			




	
	
	
		
 

			




	
	
	
		
 
        self.BASE_DN = base_dn

			




	
	
	
		
 
        self.LDAP_FILTER = ldap_filter

			




	
	
	
		
 
        self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope)

			




	
	
	
		
 
        self.attr_login = attr_login

			




	
	
	
		
 

			




	
	
	
		
 
    def authenticate_ldap(self, username, password):

			




	
	
	
		
 
        """Authenticate a user via LDAP and return his/her LDAP properties.

			




	
	
	
		
 

			




	
	
	
		
 
        Raises AuthenticationError if the credentials are rejected, or

			




	
	
	
		
 
        EnvironmentError if the LDAP server can't be reached.

			




	
	
	
		
 

			




	
	
	
		
 
        :param username: username

			




	
	
	
		
 
        :param password: password

			




	
	
	
		
 
        """

			




	
	
	
		
 

			




	
	
	
		
 
        from rhodecode.lib.helpers import chop_at

			




	
	
	
		
 

			




	
	
	
		
 
        uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS)

			




	
	
	
		
 

			




	
	
	
		
 
        if not password:

			




	
	
	
		
 
            log.debug("Attempt to authenticate LDAP user with blank password rejected.")

			




	
	
	
		
 
            raise LdapPasswordError()

			




	
	
	
		
 
        if "," in username:

			




	
	
	
		
 
            raise LdapUsernameError("invalid character in username: ,")

			




	
	
	
		
 
        try:

			




	
	
	
		
 
            if hasattr(ldap,'OPT_X_TLS_CACERTDIR'):

			




	
	
	
		
 
                ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, 

			




	
	
	
		
 
                                '/etc/openldap/cacerts')

			




	
	
	
		
 
            ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)

			




	
	
	
		
 
            ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)

			




	
	
	
		
 
            ldap.set_option(ldap.OPT_TIMEOUT, 20)

			




	
	
	
		
 
            ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)

			




	
	
	
		
 
            ldap.set_option(ldap.OPT_TIMELIMIT, 15)

			




	
	
	
		
 
            if self.TLS_KIND != 'PLAIN':

			




	
	
	
		
 
                ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)

			




	
	
	
		
 
            server = ldap.initialize(self.LDAP_SERVER)

			




	
	
	
		
 
            if self.ldap_version == 2:

			




	
	
	
		
 
                server.protocol = ldap.VERSION2

			




	
	
	
		
 
            else:

			




	
	
	
		
 
                server.protocol = ldap.VERSION3

			




	
	
	
		
 

			




	
	
	
		
 
            if self.TLS_KIND == 'START_TLS':

			




	
	
	
		
 
                server.start_tls_s()

			




	
	
	
		
 

			




	
	
	
		
 
            if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:

			




	
	
	
		
 
                server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.