Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable LDAP module #1204

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Enable LDAP module #1204

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions Dockerfile.nipapd
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,8 @@ MAINTAINER Kristian Larsson <[email protected]>

ENV DEBIAN_FRONTEND=noninteractive

ARG myrootcert

# apt update, upgrade & install packages
RUN apt-get update -qy && apt-get upgrade -qy \
&& apt-get install -qy devscripts \
Expand All @@ -49,9 +51,16 @@ RUN apt-get update -qy && apt-get upgrade -qy \
python-docutils \
python-pip \
python-dev \
libldap2-dev \
libsasl2-dev \
libssl-dev \
ca-certificates \
&& pip --no-input install envtpl \
&& rm -rf /var/lib/apt/lists/*

# install cert
COPY $myrootcert /usr/local/share/ca-certificates
RUN update-ca-certificates

COPY nipap /nipap
WORKDIR /nipap
Expand Down
10 changes: 10 additions & 0 deletions Dockerfile.www
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,8 @@ MAINTAINER Lukas Garberg <[email protected]>

ENV NIPAPD_HOST=nipapd NIPAPD_PORT=1337 WWW_USERNAME=guest WWW_PASSWORD=guest

ARG myrootcert

# apt update, upgrade & install packages
RUN apt-get update -qy && apt-get upgrade -qy \
&& apt-get install -qy apache2 \
Expand All @@ -43,9 +45,17 @@ RUN apt-get update -qy && apt-get upgrade -qy \
python-docutils \
python-pip \
python-dev \
libldap2-dev \
libsasl2-dev \
libssl-dev \
ca-certificates \
&& pip --no-input install envtpl \
&& rm -rf /var/lib/apt/lists/*

# install cert
COPY $myrootcert /usr/local/share/ca-certificates
RUN update-ca-certificates

# Install pynipap, nipap and nipap-www
COPY pynipap /pynipap
COPY nipap /nipap
Expand Down
4 changes: 4 additions & 0 deletions nipap-www/entrypoint.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,10 @@ chmod -R u=rwX /var/cache/nipap-www

# Configure apache
cat << EOF > /etc/apache2/sites-available/000-default.conf

# increase logging for wsgi apps
LogLevel info wsgi:trace5

<VirtualHost *:80>
WSGIScriptAlias / /etc/nipap/www/nipap-www.wsgi
ErrorLog \${APACHE_LOG_DIR}/error.log
Expand Down
9 changes: 6 additions & 3 deletions nipap-www/nipap-www.wsgi
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,13 @@
#
# Set up a wsgi environment for mod_wsgi
#
import os, sys, logging.config

APP_CONFIG="/etc/nipap/nipap-www.ini"

logging.config.fileConfig(APP_CONFIG)

import os, sys
os.environ['PYTHON_EGG_CACHE'] = '/var/cache/nipap-www/eggs'

from paste.deploy import loadapp

application = loadapp('config:/etc/nipap/nipap-www.ini')
application = loadapp('config:%s' % APP_CONFIG)
3 changes: 2 additions & 1 deletion nipap/nipap.conf.dist
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,6 +96,7 @@ db_sslmode = {{DB_SSLMODE}} ; database SSL mode
#
[auth]
default_backend = local ; which backend to use by default
secondary_backend = ldap1 ; define fallback backend in case username doesn't contain @
auth_cache_timeout = 3600 ; seconds cached auth entries are stored

# example backend with SQLite
Expand All @@ -110,7 +111,7 @@ db_path = /etc/nipap/local_auth.db ; path to SQLite database used
#
#basedn = ou=Users,dc=example,dc=com ; base DN
#uri = ldaps://ldap.example.com ; LDAP server URI
#tls = False ; initiate TLS, use ldap://
#tls = False ; initiate TLS, use ldap://
#
# LDAP style
#binddn_fmt = uid={},ou=Users,dc=example,dc=com
Expand Down
29 changes: 20 additions & 9 deletions nipap/nipap/authlib.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -161,17 +161,22 @@ def get_auth(self, username, password, authoritative_source, auth_options=None):
for key in rem:
del(self._auth_cache[key])

self._logger.debug("Received username %s" % str(username))

user_authbackend = username.rsplit('@', 1)

# Find out what auth backend to use.
# If no auth backend was specified in username, use default
# Do not use default backend unless you login as localadmin.
backend = ""
if len(user_authbackend) == 1:
if str(username) == "localadmin":
backend = self._config.get('auth', 'default_backend')
self._logger.debug("Using default auth backend %s" % backend)
else:
backend = user_authbackend[1]

if len(user_authbackend) == 1:
backend = self._config.get('auth', 'secondary_backend')
else:
backend = user_authbackend[1]

self._logger.debug("Using auth backend %s" % backend)

# do we have a cached instance?
auth_str = ( str(username) + str(password) + str(authoritative_source)
+ str(auth_options) )
Expand Down Expand Up @@ -368,13 +373,16 @@ def authenticate(self):
return self._authenticated

try:
self._logger.debug('username %s formatted _ldap_binddn_fmt username %s' % (self.username, self._ldap_binddn_fmt.format(ldap.dn.escape_dn_chars(self.username))))
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

line too long (172 > 79 characters)

self._ldap_conn.simple_bind_s(self._ldap_binddn_fmt.format(ldap.dn.escape_dn_chars(self.username)), self.password)
except ldap.SERVER_DOWN as exc:
raise AuthError('Could not connect to LDAP server')
self._logger.debug('Could not connect to LDAP server: %s' % exc)
raise AuthError('Could not connect to LDAP server: '+str(exc))
except (ldap.INVALID_CREDENTIALS, ldap.INVALID_DN_SYNTAX,
ldap.UNWILLING_TO_PERFORM) as exc:
# Auth failed
self._logger.debug('erroneous password for user %s' % self.username)
self._logger.debug(exc)
self._authenticated = False
return self._authenticated

Expand All @@ -387,11 +395,13 @@ def authenticate(self):
try:
# Create separate connection for search?
if self._ldap_search_conn is not None:
self._ldap_search_conn.simple_bind(self._ldap_search_binddn, self._ldap_search_password)
self._ldap_search_conn.simple_bind_s(self._ldap_search_binddn, self._ldap_search_password)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

line too long (106 > 79 characters)

search_conn = self._ldap_search_conn
else:
search_conn = self._ldap_conn

self._logger.debug('username %s formatted _ldap_search username %s' % (self.username, self._ldap_search.format(ldap.dn.escape_dn_chars(self.username))))
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

line too long (164 > 79 characters)


res = search_conn.search_s(self._ldap_basedn, ldap.SCOPE_SUBTREE, self._ldap_search.format(ldap.dn.escape_dn_chars(self.username)), ['cn','memberOf'])
if res[0][1]['cn'][0] is not None:
self.full_name = res[0][1]['cn'][0].decode('utf-8')
Expand All @@ -417,10 +427,11 @@ def authenticate(self):
raise AuthError(exc)
except KeyError:
raise AuthError('LDAP attribute missing')
except IndexError:
except IndexError as exc:
self.full_name = ''
# authentication fails if either ro_group or rw_group are configured
# and the user is not found.
self._logger.debug(exc)
if self._ldap_rw_group or self._ldap_ro_group:
self._authenticated = False
return self._authenticated
Expand Down