author | Dominik George <nik@naturalnet.de> | 2014-08-04 22:19:04 +0400 |
---|---|---|
committer | Dominik George <nik@naturalnet.de> | 2014-08-04 22:19:04 +0400 |
commit | d3c41f3137ffdf591ed1b26fd54928717b4bdcf7 (patch) | |
tree | dd9b2a96ba86b1f61144c1d588f72db28625d96b | |
parent | 3fd78445ba8e9dff59919d643d79adab37c87ebd (diff) |
Enable discovering of real user DN to break loose from the uid=%s,%s pattern.
-rw-r--r-- | Authenticators/LDAP/LDAPauth.ini | 2 | ||||
-rw-r--r-- | Authenticators/LDAP/LDAPauth.py | 19 |
2 files changed, 17 insertions, 4 deletions
diff --git a/Authenticators/LDAP/LDAPauth.ini b/Authenticators/LDAP/LDAPauth.ini
index 13d065e..efc6cdf 100644
--- a/Authenticators/LDAP/LDAPauth.ini
+++ b/Authenticators/LDAP/LDAPauth.ini
@@ -22,6 +22,8 @@ watchdog = 30
 ; bind_dn =
 ; bind_pass =
 users_dn = ou=Users,dc=example,dc=com
+; Use discover_dn to find the user DN by searching
+discover_dn = false
 username_attr = uid
 number_attr = roomNumber
 display_attr = displayName
diff --git a/Authenticators/LDAP/LDAPauth.py b/Authenticators/LDAP/LDAPauth.py
index f323ac1..c2068dd 100644
--- a/Authenticators/LDAP/LDAPauth.py
+++ b/Authenticators/LDAP/LDAPauth.py
@@ -137,6 +137,7 @@ default = { 'ldap':(('ldap_uri', str, 'ldap://127.0.0.1'),
 ('bind_dn', str, ''),
 ('bind_pass', str, ''),
 ('users_dn', str, 'ou=Users,dc=example,dc=org'),
+ ('discover_dn', x2bool, True),
 ('username_attr', str, 'uid'),
 ('number_attr', str, 'RoomNumber'),
 ('display_attr', str, 'displayName'),
@@ -452,6 +453,15 @@ def do_main_program():
 ldap_conn.unbind()
 warning('Invalid credentials for bind_dn=' + bind_dn)
 return (AUTH_REFUSED, None, None)
+ elif cfg.ldap.discover_dn:
+ # Use anonymous bind to discover the DN
+ try:
+ ldap_conn.bind_s()
+ except ldap.INVALID_CREDENTIALS:
+ ldap_conn.unbind()
+ warning('Failed anomymous bind for discovering DN')
+ return (AUTH_REFUSED, None, None)
+
 else:
 # Prevent anonymous authentication.
 if not pw:
@@ -481,6 +491,7 @@ def do_main_program():
 # Parse the user information.
 uid = int(match[1][cfg.ldap.number_attr][0])
 displayName = match[1][cfg.ldap.display_attr][0]
+ user_dn = match[0]
 debug('User match found, display "' + displayName + '" with UID ' + repr(uid))
 # Optionally check groups.
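Review bot: The new comment above `discover_dn` does not say what enabling it requires: on the Python side of this commit, when `bind_dn` is left commented out the discovery path performs an anonymous bind and then searches for the user, so the directory must permit anonymous search under `users_dn` or no login can succeed. I would extend the comment to `; Use discover_dn to find the user DN by searching (requires bind_dn/bind_pass, or a directory that allows anonymous search of users_dn)`. Operators who have disabled anonymous binds, which is common hardening, will otherwise only find out from failed logins.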
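Review bot: The default on the added line is `True`, while the LDAPauth.ini shipped in the same commit sets `discover_dn = false`; an existing deployment that upgrades without adding the key therefore switches silently from the direct `uid=...` bind to the new anonymous-bind discovery path added later in this commit, which needs anonymous search access it may not have. An opt-in behaviour should default off, matching the sample config: `('discover_dn', x2bool, False),`. The `default` dict continues outside the hunk.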
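Review bot: The `except ldap.INVALID_CREDENTIALS` in the new discover_dn branch is unlikely to catch the failure it is written for: a server configured to refuse anonymous binds normally answers with inappropriateAuthentication or strongerAuthRequired rather than invalidCredentials, so that error would escape this branch instead of producing the warning and `AUTH_REFUSED`. I would widen it to `except (ldap.INVALID_CREDENTIALS, ldap.INAPPROPRIATE_AUTH, ldap.STRONG_AUTH_REQUIRED):` (or `ldap.LDAPError` if failing closed on any bind error is acceptable here) and fix the message: `warning('Failed anonymous bind for discovering DN')`. This elif is reached only when the bind_dn branch above it is not taken, so the user search that follows runs with anonymous privileges; that prerequisite deserves a mention on the `# Use anonymous bind to discover the DN` line. do_main_program() starts and ends outside this hunk.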
@@ -488,21 +499,21 @@ def do_main_program():
 debug('Checking group membership for ' + name)
 #Search for user in group
- res = ldap_conn.search_s(cfg.ldap.group_cn, ldap.SCOPE_SUBTREE, '(%s=%s=%s,%s)' % (cfg.ldap.group_attr, cfg.ldap.username_attr, name, cfg.ldap.users_dn), [cfg.ldap.number_attr, cfg.ldap.display_attr])
+ res = ldap_conn.search_s(cfg.ldap.group_cn, ldap.SCOPE_SUBTREE, user_dn, [cfg.ldap.number_attr, cfg.ldap.display_attr])
 # Check if the user is a member of the group
 if len(res) < 1:
 debug('User ' + name + ' failed with no group membership')
 return (AUTH_REFUSED, None, None)
- # Second bind to test user credentials if using bind_dn.
- if cfg.ldap.bind_dn:
+ # Second bind to test user credentials if using bind_dn or discover_dn.
+ if cfg.ldap.bind_dn or cfg.ldap.discover_dn:
 # Prevent anonymous authentication.
 if not pw:
 warning("No password supplied for user " + name)
 return (AUTH_REFUSED, None, None)
- bind_dn = "%s=%s,%s" % (cfg.ldap.username_attr, name, cfg.ldap.users_dn)
+ bind_dn = user_dn
 bind_pass = pw
 try:
 ldap_conn.bind_s(bind_dn, bind_pass)
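Review bot: The new `search_s` call on the first changed line passes `user_dn` as the filter argument, but a bare DN is not a membership filter: the old code searched for `(group_attr=uid=name,users_dn)`, whereas the new third argument no longer mentions `cfg.ldap.group_attr` at all, so the server either rejects the filter or matches nothing and every login fails the group check. The intent is presumably `res = ldap_conn.search_s(cfg.ldap.group_cn, ldap.SCOPE_SUBTREE, '(%s=%s)' % (cfg.ldap.group_attr, ldap.filter.escape_filter_chars(user_dn)), [cfg.ldap.number_attr, cfg.ldap.display_attr])`, escaping because a DN returned by the directory may legitimately contain filter metacharacters such as parentheses, asterisks or backslashes (python-ldap ships this helper in `ldap.filter`, which may need its own import). Using the discovered DN instead of the raw `name` does remove the previously unescaped user-supplied value from the filter, which is an improvement worth keeping. do_main_program() continues beyond both ends of this hunk.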