Changeset - 8076de6f78af
default
0 1 0
Mads Kiilerich - 9 years ago 2016-11-15 22:53:41
madski@unity3d.com
auth: prevent LDAP query language injection of usernames

This could cause odd LDAP queries that could fail but couldn't give access
without a valid user query and credentials. It thus had no security
implications.
1 file changed with 4 insertions and 2 deletions:
kallithea/lib/auth_modules/auth_ldap.py
 
@@ -20,48 +20,49 @@ Kallithea authentication plugin for LDAP
 
This file was forked by the Kallithea project in July 2014.
 
Original author and date, and relevant copyright and licensing information is below:
 
:created_on: Created on Nov 17, 2010
 
:author: marcink
 
:copyright: (c) 2013 RhodeCode GmbH, and others.
 
:license: GPLv3, see LICENSE.md for more details.
 
"""
 

	
 

	
 
import logging
 
import traceback
 

	
 
from kallithea.lib import auth_modules
 
from kallithea.lib.compat import hybrid_property
 
from kallithea.lib.utils2 import safe_unicode, safe_str
 
from kallithea.lib.exceptions import (
 
    LdapConnectionError, LdapUsernameError, LdapPasswordError, LdapImportError
 
)
 
from kallithea.model.db import User
 

	
 
log = logging.getLogger(__name__)
 

	
 
try:
 
    import ldap
 
    import ldap.filter
 
except ImportError:
 
    # means that python-ldap is not installed
 
    ldap = None
 

	
 

	
 
class AuthLdap(object):
 

	
 
    def __init__(self, server, base_dn, port=None, bind_dn='', bind_pass='',
 
                 tls_kind='PLAIN', tls_reqcert='DEMAND', cacertdir=None, ldap_version=3,
 
                 ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',
 
                 search_scope='SUBTREE', attr_login='uid'):
 
        if ldap is None:
 
            raise LdapImportError
 

	
 
        self.ldap_version = ldap_version
 

	
 
        self.TLS_KIND = tls_kind
 
        OPT_X_TLS_DEMAND = 2
 
        self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert,
 
                                   OPT_X_TLS_DEMAND)
 
        self.cacertdir = cacertdir
 

	
 
        protocol = 'ldaps' if self.TLS_KIND == 'LDAPS' else 'ldap'
 
        if not port:
 
@@ -103,50 +104,51 @@ class AuthLdap(object):
 
                    ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self.cacertdir)
 
                else:
 
                    log.debug("OPT_X_TLS_CACERTDIR is not available - can't set %s", self.cacertdir)
 
            ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
 
            ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
 
            ldap.set_option(ldap.OPT_TIMEOUT, 20)
 
            ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
 
            ldap.set_option(ldap.OPT_TIMELIMIT, 15)
 
            if self.TLS_KIND != 'PLAIN':
 
                ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
 
            server = ldap.initialize(self.LDAP_SERVER)
 
            if self.ldap_version == 2:
 
                server.protocol = ldap.VERSION2
 
            else:
 
                server.protocol = ldap.VERSION3
 

	
 
            if self.TLS_KIND == 'START_TLS':
 
                server.start_tls_s()
 

	
 
            if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
 
                log.debug('Trying simple_bind with password and given DN: %s',
 
                          self.LDAP_BIND_DN)
 
                server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
 

	
 
            filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login,
 
                                        username)
 
            filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER,
 
                                        ldap.filter.escape_filter_chars(self.attr_login),
 
                                        ldap.filter.escape_filter_chars(username))
 
            log.debug("Authenticating %r filter %s at %s", self.BASE_DN,
 
                      filter_, self.LDAP_SERVER)
 
            lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE,
 
                                           filter_)
 

	
 
            if not lobjects:
 
                raise ldap.NO_SUCH_OBJECT()
 

	
 
            for (dn, _attrs) in lobjects:
 
                if dn is None:
 
                    continue
 

	
 
                try:
 
                    log.debug('Trying simple bind with %s', dn)
 
                    server.simple_bind_s(dn, safe_str(password))
 
                    results = server.search_ext_s(dn, ldap.SCOPE_BASE,
 
                                                  '(objectClass=*)')
 
                    if len(results) == 1:
 
                        dn_, attrs = results[0]
 
                        assert dn_ == dn
 
                        return dn, attrs
 

	
 
                except ldap.INVALID_CREDENTIALS:
 
                    log.debug("LDAP rejected password for user '%s': %s",
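Review bot: `ldap.filter.escape_filter_chars(self.attr_login)` applies assertion-value escaping to an attribute name, which is not a value position in an RFC 4515 filter: a name containing `(`, `)`, `*` or `\` comes out as `\28`-style sequences that the server will most likely reject as a malformed filter, so a bad setting only surfaces as a failed search at login time. Since `attr_login` is administrator configuration rather than user input, it would be clearer to validate it once where `__init__` stores it (not fully visible here), for example against something like `^[A-Za-z0-9][A-Za-z0-9.;-]*$`, and keep the escaping for `username` only. `self.LDAP_FILTER` is still interpolated verbatim, which is sound only while it stays admin-controlled; a comment such as `# LDAP_FILTER and attr_login are trusted configuration; only username is user input` above the format line would record that assumption. The enclosing method starts before this hunk and continues past its last line, so any earlier checks on username or password are not visible here.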