kallithea Changeset - 949c843bb535

Changeset - 949c843bb535

Parent rev.

Child rev.

[Not reviewed]

default

0 2 0

Mads Kiilerich - 9 years ago 2016-11-15 22:53:41
madski@unity3d.com

auth: refactor ldap parameter handling - make it clear that port is optional

2 files changed with 32 insertions and 40 deletions:

docs/setup.rst

kallithea/lib/auth_modules/auth_ldap.py

0 comments (0 inline, 0 general)

docs/setup.rst

➞

Show inline comments

@@ @@ -140,116 +140,119 @@ or in the admin panel you can check the @@
 .. _ldap-setup:
 Setting up LDAP support
 -----------------------
 Kallithea supports LDAP authentication. In order
 to use LDAP, you have to install the python-ldap_ package. This package is
 available via PyPI, so you can install it by running::
     pip install python-ldap
 .. note:: ``python-ldap`` requires some libraries to be installed on
           your system, so before installing it check that you have at
           least the ``openldap`` and ``sasl`` libraries.
 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
 and then *Save*, to enable the LDAP plugin and configure its settings.
 Here's a typical LDAP setup::
  Connection settings
  Enable LDAP          = checked
  Host                 = host.example.com
  Port                 = 389
  Account              = <account>
  Password             = <password>
  Connection Security  = LDAPS connection
  Certificate Checks   = DEMAND
  Search settings
  Base DN              = CN=users,DC=host,DC=example,DC=org
  LDAP Filter          = (&(objectClass=user)(!(objectClass=computer)))
  LDAP Search Scope    = SUBTREE
  Attribute mappings
  Login Attribute      = uid
  First Name Attribute = firstName
  Last Name Attribute  = lastName
  Email Attribute      = mail
 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
  Search settings
  Base DN              = DC=host,DC=example,DC=org
  LDAP Filter          = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
  LDAP Search Scope    = SUBTREE
 .. _enable_ldap:
 Enable LDAP : required
     Whether to use LDAP for authenticating users.
 .. _ldap_host:
 Host : required
     LDAP server hostname or IP address. Can be also a comma separated
     list of servers to support LDAP fail-over.
 .. _Port:
 Port : required
 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
 Port : optional
     Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.
     Defaults to 636 for LDAPS.
 .. _ldap_account:
 Account : optional
     Only required if the LDAP server does not allow anonymous browsing of
     records.  This should be a special account for record browsing.  This
     will require `LDAP Password`_ below.
 .. _LDAP Password:
 Password : optional
     Only required if the LDAP server does not allow anonymous browsing of
     records.
 .. _Enable LDAPS:
 Connection Security : required
     Defines the connection to LDAP server
     No encryption
         Plain non encrypted connection
     PLAIN
         Plain unencrypted LDAP connection.
         This will by default use `Port`_ 389.
     LDAPS connection
         Enable LDAPS connections. It will likely require `Port`_ to be set to
         a different value (standard LDAPS port is 636). When LDAPS is enabled
         then `Certificate Checks`_ is required.
     LDAPS
         Use secure LDAPS connections according to `Certificate
         Checks`_ configuration.
         This will by default use `Port`_ 636.
     START_TLS on LDAP connection
         START TLS connection
     START_TLS
         Use START TLS according to `Certificate Checks`_ configuration on an
         apparently "plain" LDAP connection.
         This will by default use `Port`_ 389.
 .. _Certificate Checks:
 Certificate Checks : optional
     How SSL certificates verification is handled -- this is only useful when
     `Enable LDAPS`_ is enabled.  Only DEMAND or HARD offer full SSL security
     with mandatory certificate validation, while the other options are
     susceptible to man-in-the-middle attacks.
     NEVER
         A serve certificate will never be requested or checked.
     ALLOW
         A server certificate is requested.  Failure to provide a
         certificate or providing a bad certificate will not terminate the
         session.
     TRY
         A server certificate is requested.  Failure to provide a
         certificate does not halt the session; providing a bad certificate
         halts the session.
     DEMAND
         A server certificate is requested and must be provided and

kallithea/lib/auth_modules/auth_ldap.py

➞

Show inline comments

@@ @@ -27,102 +27,91 @@ Original author and date, and relevant c @@
 import logging
 import traceback
 from kallithea.lib import auth_modules
 from kallithea.lib.compat import hybrid_property
 from kallithea.lib.utils2 import safe_unicode, safe_str
 from kallithea.lib.exceptions import (
     LdapConnectionError, LdapUsernameError, LdapPasswordError, LdapImportError
+)
 from kallithea.model.db import User
 log = logging.getLogger(__name__)
 try:
     import ldap
 except ImportError:
     # means that python-ldap is not installed
     ldap = None
 class AuthLdap(object):
-    def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
+    def __init__(self, server, base_dn, port=None, bind_dn='', bind_pass='',
                  tls_kind='PLAIN', tls_reqcert='DEMAND', cacertdir=None, ldap_version=3,
                  ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',
                  search_scope='SUBTREE', attr_login='uid'):
         if ldap is None:
             raise LdapImportError
         self.ldap_version = ldap_version
         ldap_server_type = 'ldap'
         self.TLS_KIND = tls_kind
         if self.TLS_KIND == 'LDAPS':
             port = port or 689
             ldap_server_type = ldap_server_type + 's'
         OPT_X_TLS_DEMAND = 2
         self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert,
                                    OPT_X_TLS_DEMAND)
         self.cacertdir = cacertdir
         # split server into list
         self.LDAP_SERVER_ADDRESS = server.split(',')
         self.LDAP_SERVER_PORT = port
         protocol = 'ldaps' if self.TLS_KIND == 'LDAPS' else 'ldap'
         if not port:
             port = 636 if self.TLS_KIND == 'LDAPS' else 389
         self.LDAP_SERVER = str(', '.join(
             "%s://%s:%s" % (protocol,
                             host.strip(),
                             port)
             for host in server.split(',')))
         # USE FOR READ ONLY BIND TO LDAP SERVER
         self.LDAP_BIND_DN = safe_str(bind_dn)
         self.LDAP_BIND_PASS = safe_str(bind_pass)
         _LDAP_SERVERS = []
         for host in self.LDAP_SERVER_ADDRESS:
             _LDAP_SERVERS.append("%s://%s:%s" % (ldap_server_type,
                                                      host.replace(' ', ''),
                                                      self.LDAP_SERVER_PORT))
         self.LDAP_SERVER = str(', '.join(s for s in _LDAP_SERVERS))
         self.BASE_DN = safe_str(base_dn)
         self.LDAP_FILTER = safe_str(ldap_filter)
         self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope)
         self.attr_login = attr_login
     def authenticate_ldap(self, username, password):
         """
         Authenticate a user via LDAP and return his/her LDAP properties.
         Raises AuthenticationError if the credentials are rejected, or
         EnvironmentError if the LDAP server can't be reached.
         :param username: username
         :param password: password
         """
         from kallithea.lib.helpers import chop_at
         uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS)
         if not password:
             log.debug("Attempt to authenticate LDAP user "
                       "with blank password rejected.")
             raise LdapPasswordError()
         if "," in username:
             raise LdapUsernameError("invalid character in username: ,")
         try:
             if self.cacertdir:
                 if hasattr(ldap, 'OPT_X_TLS_CACERTDIR'):
                     ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self.cacertdir)
                 else:
                     log.debug("OPT_X_TLS_CACERTDIR is not available - can't set %s", self.cacertdir)
             ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
             ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
             ldap.set_option(ldap.OPT_TIMEOUT, 20)
             ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
             ldap.set_option(ldap.OPT_TIMELIMIT, 15)
             if self.TLS_KIND != 'PLAIN':
                 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
             server = ldap.initialize(self.LDAP_SERVER)
             if self.ldap_version == 2:
                 server.protocol = ldap.VERSION2
             else:
                 server.protocol = ldap.VERSION3
@@ @@ -139,91 +128,91 @@ class AuthLdap(object): @@
                                         username)
             log.debug("Authenticating %r filter %s at %s", self.BASE_DN,
                       filter_, self.LDAP_SERVER)
             lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE,
                                            filter_)
             if not lobjects:
                 raise ldap.NO_SUCH_OBJECT()
             for (dn, _attrs) in lobjects:
                 if dn is None:
                     continue
                 try:
                     log.debug('Trying simple bind with %s', dn)
                     server.simple_bind_s(dn, safe_str(password))
                     results = server.search_ext_s(dn, ldap.SCOPE_BASE,
                                                   '(objectClass=*)')
                     if len(results) == 1:
                         dn_, attrs = results[0]
                         assert dn_ == dn
                         return dn, attrs
                 except ldap.INVALID_CREDENTIALS:
                     log.debug("LDAP rejected password for user '%s' (%s): %s",
                               uid, username, dn)
                     log.debug("LDAP rejected password for user '%s': %s",
                               username, dn)
                     continue # accept authentication as another ldap user with same username
             log.debug("No matching LDAP objects for authentication "
-                      "of '%s' (%s)", uid, username)
                       "of '%s'", username)
             raise LdapPasswordError()
         except ldap.NO_SUCH_OBJECT:
-            log.debug("LDAP says no such user '%s' (%s)", uid, username)
             log.debug("LDAP says no such user '%s'", username)
             raise LdapUsernameError()
         except ldap.SERVER_DOWN:
             # [0] might be {'info': "TLS error -8179:Peer's Certificate issuer is not recognized.", 'desc': "Can't contact LDAP server"}
             raise LdapConnectionError("LDAP can't connect to authentication server")
 class KallitheaAuthPlugin(auth_modules.KallitheaExternalAuthPlugin):
     def __init__(self):
         self._logger = logging.getLogger(__name__)
         self._tls_kind_values = ["PLAIN", "LDAPS", "START_TLS"]
         self._tls_reqcert_values = ["NEVER", "ALLOW", "TRY", "DEMAND", "HARD"]
         self._search_scopes = ["BASE", "ONELEVEL", "SUBTREE"]
     @hybrid_property
     def name(self):
         return "ldap"
     def settings(self):
         settings = [
+            {
                 "name": "host",
                 "validator": self.validators.UnicodeString(strip=True),
                 "type": "string",
                 "description": "Host of the LDAP Server",
                 "formname": "LDAP Host"
             },
+            {
                 "name": "port",
-                "validator": self.validators.Number(strip=True, not_empty=True),
                 "validator": self.validators.Number(strip=True),
                 "type": "string",
                 "description": "Port that the LDAP server is listening on",
                 "default": 389,
                 "formname": "Port"
                 "description": "Port that the LDAP server is listening on. Defaults to 389 for PLAIN/START_TLS and 636 for LDAPS.",
                 "default": "",
                 "formname": "Custom LDAP Port"
             },
+            {
                 "name": "dn_user",
                 "validator": self.validators.UnicodeString(strip=True),
                 "type": "string",
                 "description": "User to connect to LDAP",
                 "formname": "Account"
             },
+            {
                 "name": "dn_pass",
                 "validator": self.validators.UnicodeString(strip=True),
                 "type": "password",
                 "description": "Password to connect to LDAP",
                 "formname": "Password"
             },
+            {
                 "name": "tls_kind",
                 "validator": self.validators.OneOf(self._tls_kind_values),
                 "type": "select",
                 "values": self._tls_kind_values,
                 "description": "TLS Type",
                 "default": 'PLAIN',
                 "formname": "Connection Security"
             },

0 comments (0 inline, 0 general)