@@ -78,49 +78,53 @@ class AuthLdap(object):
uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS)
if "," in username:
raise LdapUsernameError("invalid character in username: ,")
try:
ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/etc/openldap/cacerts')
ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
ldap.set_option(ldap.OPT_TIMEOUT, 20)
ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
ldap.set_option(ldap.OPT_TIMELIMIT, 15)
if self.LDAP_USE_LDAPS:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
server = ldap.initialize(self.LDAP_SERVER)
if self.ldap_version == 2:
server.protocol = ldap.VERSION2
else:
server.protocol = ldap.VERSION3
if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
filt = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login, username)
log.debug("Authenticating %r filt %s at %s", self.BASE_DN, filt, self.LDAP_SERVER)
lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE, filt)
log.debug("Authenticating %r filt %s at %s", self.BASE_DN,
filt, self.LDAP_SERVER)
lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE,
filt)
if not lobjects:
raise ldap.NO_SUCH_OBJECT()
for (dn, attrs) in lobjects:
server.simple_bind_s(dn, password)
break
except ldap.INVALID_CREDENTIALS, e:
log.debug("LDAP rejected password for user '%s' (%s): %s", uid, username, dn)
log.debug("LDAP rejected password for user '%s' (%s): %s",
uid, username, dn)
log.debug("No matching LDAP objecs for authentication of '%s' (%s)", uid, username)
log.debug("No matching LDAP objects for authentication "
"of '%s' (%s)", uid, username)
raise LdapPasswordError()
except ldap.NO_SUCH_OBJECT, e:
log.debug("LDAP says no such user '%s' (%s)", uid, username)
raise LdapUsernameError()
except ldap.SERVER_DOWN, e:
raise LdapConnectionError("LDAP can't access authentication server")
return (dn, attrs)
Status change: