From c0a5c5f0cec1dabee49dd9a8c5897ed1437bde31 Mon Sep 17 00:00:00 2001 From: David Dahl Date: Tue, 24 Oct 2006 19:20:08 +0000 Subject: updated to 2 step process (svc acct binds first) for LDAP auth git-svn-id: https://svn.mcs.anl.gov/repos/bcfg/trunk/bcfg2@2455 ce84e21b-d406-0410-9b95-82705330c041 --- src/lib/Server/Hostbase/ldapauth.py | 104 +++++++++++++++++++++++++++++++----- 1 file changed, 91 insertions(+), 13 deletions(-) (limited to 'src/lib/Server/Hostbase') diff --git a/src/lib/Server/Hostbase/ldapauth.py b/src/lib/Server/Hostbase/ldapauth.py index 3d6ccb96e..904e2919e 100644 --- a/src/lib/Server/Hostbase/ldapauth.py +++ b/src/lib/Server/Hostbase/ldapauth.py @@ -1,10 +1,11 @@ -import os -import ldap - """Checks with LDAP (ActiveDirectory) to see if the current user is an LDAP(AD) user, and returns a subset of the user's profile that is needed by Argonne/CIS to to set user level privleges in Django""" +__revision__ = '$Revision$' + +import os +import ldap class LDAPAUTHError(Exception): """LDAPAUTHError is raised when somehting goes boom.""" @@ -13,7 +14,7 @@ class LDAPAUTHError(Exception): class ldapauth(object): group_test = False check_member_of = os.environ['LDAP_CHECK_MBR_OF_GRP'] - samAcctName = None + securitylevel = 0 distinguishedName = None sAMAccountName = None telephoneNumber = None @@ -24,33 +25,43 @@ class ldapauth(object): extensionAttribute1 = None #badgenumber badge_no = None - def __init__(self,login,passwd=None): + def __init__(self,login,passwd): """get username (if using ldap as auth the apache env var REMOTE_USER should be used) from username get user profile from AD/LDAP """ - p = self.user_profile(login,passwd) - if p[0] == 'success': - #parse results - parsed = self.parse_results(p[2]) - self.group_test = self.member_of() - + #p = self.user_profile(login,passwd) + d = self.user_dn(login) #success, distname + print d[1] + if d[0] == 'success': + pass + p = self.user_bind(d[1],passwd) + if p[0] == 'success': + #parse results + parsed = self.parse_results(p[2]) + print self.department + self.group_test = self.member_of() + securitylevel = self.security_level() + print "ACCESS LEVEL: " + str(securitylevel) + else: + raise LDAPAUTHError(p[2]) else: raise LDAPAUTHError(p[2]) def user_profile(self,login,passwd=None): + """NOT USED RIGHT NOW""" ldap_login = "CN=%s" % login svc_acct = os.environ['LDAP_SVC_ACCT_NAME'] svc_pass = os.environ['LDAP_SVC_ACCT_PASS'] #svc_acct = 'CN=%s,DC=anl,DC=gov' % login #svc_pass = passwd - svc_search_pth = os.environ['LDAP_SVC_SEARCH_PTH'] + search_pth = os.environ['LDAP_SEARCH_PTH'] try: conn = ldap.initialize(os.environ['LDAP_URI']) conn.bind(svc_acct,svc_pass,ldap.AUTH_SIMPLE) - result_id = conn.search(svc_search_pth, + result_id = conn.search(search_pth, ldap.SCOPE_SUBTREE, ldap_login,None) result_type,result_data = conn.result(result_id,0) @@ -58,6 +69,43 @@ class ldapauth(object): except ldap.LDAPError,e: #connection failed return ('error','LDAP connect failed',e,) + + def user_bind(self,distinguishedName,passwd): + """Binds to LDAP Server""" + search_pth = os.environ['LDAP_SEARCH_PTH'] + try: + conn = ldap.initialize(os.environ['LDAP_URI']) + conn.bind(distinguishedName,passwd,ldap.AUTH_SIMPLE) + cn = distinguishedName.split(",") + result_id = conn.search(search_pth, + ldap.SCOPE_SUBTREE, + cn[0],None) + result_type,result_data = conn.result(result_id,0) + return ('success','User profile found',result_data,) + except ldap.LDAPError,e: + #connection failed + return ('error','LDAP connect failed',e,) + + def user_dn(self,cn): + """Uses Service Account to get distinguishedName""" + ldap_login = "CN=%s" % cn + svc_acct = os.environ['LDAP_SVC_ACCT_NAME'] + svc_pass = os.environ['LDAP_SVC_ACCT_PASS'] + search_pth = os.environ['LDAP_SEARCH_PTH'] + + try: + conn = ldap.initialize(os.environ['LDAP_URI']) + conn.bind(svc_acct,svc_pass,ldap.AUTH_SIMPLE) + result_id = conn.search(search_pth, + ldap.SCOPE_SUBTREE, + ldap_login,None) + result_type,result_data = conn.result(result_id,0) + raw_obj = result_data[0][1] + distinguishedName = raw_obj['distinguishedName'] + return ('success',distinguishedName[0],) + except ldap.LDAPError,e: + #connection failed + return ('error','LDAP connect failed',e,) def parse_results(self,user_obj): """Clean up the huge ugly object handed to us in the LDAP query""" @@ -85,3 +133,33 @@ class ldapauth(object): return True else: return False + + def security_level(self): + level = self.securitylevel + + user = os.environ['LDAP_GROUP_USER'] + m = [g for g in self.memberOf if g == user] + if len(m) == 1: + if level < 1: + level = 1 + + cspr = os.environ['LDAP_GROUP_SECURITY_LOW'] + m = [g for g in self.memberOf if g == cspr] + if len(m) == 1: + if level < 2: + level = 2 + + cspo = os.environ['LDAP_GROUP_SECURITY_HIGH'] + m = [g for g in self.memberOf if g == cspo] + if len(m) == 1: + if level < 3: + level = 3 + + admin = os.environ['LDAP_GROUP_ADMIN'] + m = [g for g in self.memberOf if g == admin] + if len(m) == 1: + if level < 4: + level = 4 + + return level + -- cgit v1.2.3-1-g7c22