Commit f7e51be5 authored by Daniele Venzano's avatar Daniele Venzano

Fix broken LDAP implementation

parent 06bcfad4
......@@ -20,6 +20,8 @@ import logging
import ldap
import zoe_api.auth.base
import zoe_api.exceptions
from zoe_lib.config import get_conf
log = logging.getLogger(__name__)
......@@ -30,17 +32,18 @@ class LDAPAuthenticator(zoe_api.auth.base.BaseAuthenticator):
def __init__(self):
self.connection = ldap.initialize(get_conf().ldap_server_uri)
self.base_dn = get_conf().ldap_base_dn
self.bind_user = get_conf().ldap_bind_user
self.bind_password = get_conf().ldap_bind_password
def auth(self, username, password):
"""Authenticate the user or raise an exception."""
search_filter = "uid=" + username
uid = None
role = 'guest'
bind_user = 'uid=' + username + "," + self.base_dn
try:
self.connection.bind_s(self.bind_user, self.bind_password)
self.connection.bind_s(bind_user, password)
result = self.connection.search_s(self.base_dn, ldap.SCOPE_SUBTREE, search_filter)
if len(result) == 0:
raise zoe_api.exceptions.ZoeAuthException('Unknown user or wrong password.')
user_dict = result[0][1]
uid = username
gid_numbers = [int(x) for x in user_dict['gidNumber']]
......@@ -53,8 +56,12 @@ class LDAPAuthenticator(zoe_api.auth.base.BaseAuthenticator):
else:
log.warning('User {} has an unknown group ID ({}), using guest role'.format(username, result[0][1]['gidNumber']))
role = 'guest'
except ldap.LDAPError:
log.exception("LDAP exception")
except ldap.LDAPError as ex:
if ex.args[0]['desc'] == 'Invalid credentials':
raise zoe_api.exceptions.ZoeAuthException('Unknown user or wrong password.')
else:
log.exception("LDAP exception")
zoe_api.exceptions.ZoeAuthException('LDAP error.')
finally:
self.connection.unbind_s()
return uid, role
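Review bot: In the new `else` branch, `zoe_api.exceptions.ZoeAuthException('LDAP error.')` is constructed but never raised, so any LDAP failure other than bad credentials is only logged and the method falls through to `return uid, role`, handing the caller `(None, 'guest')` as if authentication had completed; it needs a `raise` in front of it. The `ex.args[0]['desc']` test on the line above also assumes every `ldap.LDAPError` carries a dict with a `desc` key, which I believe does not hold for all python-ldap exceptions, so it should be guarded as in the excerpt below. In the previous hunk, `search_filter = "uid=" + username` and `bind_user = 'uid=' + username + "," + self.base_dn` insert the caller-supplied name without escaping (`ldap.filter.escape_filter_chars` and `ldap.dn.escape_dn_chars` exist for this), and `bind_s(bind_user, password)` with an empty password is an unauthenticated bind that many directories accept, so an empty password should be rejected before binding. The connection is created once in `__init__` yet closed by `unbind_s()` in `finally` on every call, which I expect makes the second `auth()` on the same instance fail; worth confirming against python-ldap's unbind semantics. The middle of `auth` (the role assignment) lies between the two hunks and is not visible here.
```python
        except ldap.LDAPError as ex:
            # python-ldap usually puts a dict in args[0]; do not rely on it blindly
            info = ex.args[0] if ex.args and isinstance(ex.args[0], dict) else {}
            if info.get('desc') == 'Invalid credentials':
                raise zoe_api.exceptions.ZoeAuthException('Unknown user or wrong password.')
            log.exception("LDAP exception")
            raise zoe_api.exceptions.ZoeAuthException('LDAP error.')
        # … unchanged: finally/unbind_s and the return …
```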
......@@ -74,8 +74,6 @@ def load_configuration(test_conf=None):
argparser.add_argument('--ldap-server-uri', help='LDAP server to use for authentication', default='ldap://localhost')
argparser.add_argument('--ldap-base-dn', help='LDAP base DN for users', default='ou=something,dc=any,dc=local')
argparser.add_argument('--ldap-bind-user', help='LDAP user to bind as for user lookup', default='cn=guest,dc=bigfoot,dc=eurecom,dc=fr')
argparser.add_argument('--ldap-bind-password', help='LDAP user password', default='notsosecret')
argparser.add_argument('--ldap-admin-gid', type=int, help='LDAP group ID for admins', default=5000)
argparser.add_argument('--ldap-user-gid', type=int, help='LDAP group ID for users', default=5001)
argparser.add_argument('--ldap-guest-gid', type=int, help='LDAP group ID for guests', default=5002)