summaryrefslogtreecommitdiffstats
path: root/src/lib/Server
diff options
context:
space:
mode:
authorDavid Dahl <dahl@mcs.anl.gov>2006-10-17 19:55:59 +0000
committerDavid Dahl <dahl@mcs.anl.gov>2006-10-17 19:55:59 +0000
commit17a0c03bf6cdf6afcb941c182d8ca56eb32f6032 (patch)
tree339cf7911d850b04608c6af3ec4bd6f7acc8eaf5 /src/lib/Server
parent0dc8322aa194f791e056276d35e783bd0d88ab50 (diff)
downloadbcfg2-17a0c03bf6cdf6afcb941c182d8ca56eb32f6032.tar.gz
bcfg2-17a0c03bf6cdf6afcb941c182d8ca56eb32f6032.tar.bz2
bcfg2-17a0c03bf6cdf6afcb941c182d8ca56eb32f6032.zip
initial check in of AD/LDAP module to use as a part of alt authbackend
git-svn-id: https://svn.mcs.anl.gov/repos/bcfg/trunk/bcfg2@2441 ce84e21b-d406-0410-9b95-82705330c041
Diffstat (limited to 'src/lib/Server')
-rw-r--r--src/lib/Server/Hostbase/ldapauth.py87
1 files changed, 87 insertions, 0 deletions
diff --git a/src/lib/Server/Hostbase/ldapauth.py b/src/lib/Server/Hostbase/ldapauth.py
new file mode 100644
index 000000000..3d6ccb96e
--- /dev/null
+++ b/src/lib/Server/Hostbase/ldapauth.py
@@ -0,0 +1,87 @@
+import os
+import ldap
+
+"""Checks with LDAP (ActiveDirectory) to see if the current user is an LDAP(AD) user,
+and returns a subset of the user's profile that is needed by Argonne/CIS to
+to set user level privleges in Django"""
+
+
+class LDAPAUTHError(Exception):
+ """LDAPAUTHError is raised when somehting goes boom."""
+ pass
+
+class ldapauth(object):
+ group_test = False
+ check_member_of = os.environ['LDAP_CHECK_MBR_OF_GRP']
+ samAcctName = None
+ distinguishedName = None
+ sAMAccountName = None
+ telephoneNumber = None
+ title = None
+ memberOf = None
+ department = None #this will be a list
+ mail = None
+ extensionAttribute1 = None #badgenumber
+ badge_no = None
+
+ def __init__(self,login,passwd=None):
+ """get username (if using ldap as auth the
+ apache env var REMOTE_USER should be used)
+ from username get user profile from AD/LDAP
+ """
+ p = self.user_profile(login,passwd)
+ if p[0] == 'success':
+ #parse results
+ parsed = self.parse_results(p[2])
+ self.group_test = self.member_of()
+
+ else:
+ raise LDAPAUTHError(p[2])
+
+ def user_profile(self,login,passwd=None):
+ ldap_login = "CN=%s" % login
+ svc_acct = os.environ['LDAP_SVC_ACCT_NAME']
+ svc_pass = os.environ['LDAP_SVC_ACCT_PASS']
+ #svc_acct = 'CN=%s,DC=anl,DC=gov' % login
+ #svc_pass = passwd
+
+ svc_search_pth = os.environ['LDAP_SVC_SEARCH_PTH']
+
+ try:
+ conn = ldap.initialize(os.environ['LDAP_URI'])
+ conn.bind(svc_acct,svc_pass,ldap.AUTH_SIMPLE)
+ result_id = conn.search(svc_search_pth,
+ ldap.SCOPE_SUBTREE,
+ ldap_login,None)
+ result_type,result_data = conn.result(result_id,0)
+ return ('success','User profile found',result_data,)
+ except ldap.LDAPError,e:
+ #connection failed
+ return ('error','LDAP connect failed',e,)
+
+ def parse_results(self,user_obj):
+ """Clean up the huge ugly object handed to us in the LDAP query"""
+ #user_obj is a list formatted like this:
+ #[('LDAP_DN',{user_dict},),]
+ try:
+ raw_obj = user_obj[0][1]
+ self.memberOf = raw_obj['memberOf']
+ self.sAMAccountName = raw_obj['sAMAccountName']
+ self.distinguishedName = raw_obj['distinguishedName']
+ self.telephoneNumber = raw_obj['telephoneNumber']
+ self.title = raw_obj['title']
+ self.department = raw_obj['department']
+ self.mail = raw_obj['mail']
+ self.badge_no = raw_obj['extensionAttribute1']
+ return
+ except KeyError, e:
+ raise LDAPAUTHError("Portions of the LDAP User profile not present")
+
+ def member_of(self):
+ """See if this user is in our group that is allowed to login"""
+ m = [g for g in self.memberOf if g == self.check_member_of]
+ #print m
+ if len(m) == 1:
+ return True
+ else:
+ return False