summaryrefslogtreecommitdiffstats
path: root/src/lib/Server/Hostbase
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/Server/Hostbase')
-rw-r--r--src/lib/Server/Hostbase/ldapauth.py104
1 files changed, 91 insertions, 13 deletions
diff --git a/src/lib/Server/Hostbase/ldapauth.py b/src/lib/Server/Hostbase/ldapauth.py
index 3d6ccb96e..904e2919e 100644
--- a/src/lib/Server/Hostbase/ldapauth.py
+++ b/src/lib/Server/Hostbase/ldapauth.py
@@ -1,10 +1,11 @@
-import os
-import ldap
-
"""Checks with LDAP (ActiveDirectory) to see if the current user is an LDAP(AD) user,
and returns a subset of the user's profile that is needed by Argonne/CIS to
to set user level privleges in Django"""
+__revision__ = '$Revision$'
+
+import os
+import ldap
class LDAPAUTHError(Exception):
"""LDAPAUTHError is raised when somehting goes boom."""
@@ -13,7 +14,7 @@ class LDAPAUTHError(Exception):
class ldapauth(object):
group_test = False
check_member_of = os.environ['LDAP_CHECK_MBR_OF_GRP']
- samAcctName = None
+ securitylevel = 0
distinguishedName = None
sAMAccountName = None
telephoneNumber = None
@@ -24,33 +25,43 @@ class ldapauth(object):
extensionAttribute1 = None #badgenumber
badge_no = None
- def __init__(self,login,passwd=None):
+ def __init__(self,login,passwd):
"""get username (if using ldap as auth the
apache env var REMOTE_USER should be used)
from username get user profile from AD/LDAP
"""
- p = self.user_profile(login,passwd)
- if p[0] == 'success':
- #parse results
- parsed = self.parse_results(p[2])
- self.group_test = self.member_of()
-
+ #p = self.user_profile(login,passwd)
+ d = self.user_dn(login) #success, distname
+ print d[1]
+ if d[0] == 'success':
+ pass
+ p = self.user_bind(d[1],passwd)
+ if p[0] == 'success':
+ #parse results
+ parsed = self.parse_results(p[2])
+ print self.department
+ self.group_test = self.member_of()
+ securitylevel = self.security_level()
+ print "ACCESS LEVEL: " + str(securitylevel)
+ else:
+ raise LDAPAUTHError(p[2])
else:
raise LDAPAUTHError(p[2])
def user_profile(self,login,passwd=None):
+ """NOT USED RIGHT NOW"""
ldap_login = "CN=%s" % login
svc_acct = os.environ['LDAP_SVC_ACCT_NAME']
svc_pass = os.environ['LDAP_SVC_ACCT_PASS']
#svc_acct = 'CN=%s,DC=anl,DC=gov' % login
#svc_pass = passwd
- svc_search_pth = os.environ['LDAP_SVC_SEARCH_PTH']
+ search_pth = os.environ['LDAP_SEARCH_PTH']
try:
conn = ldap.initialize(os.environ['LDAP_URI'])
conn.bind(svc_acct,svc_pass,ldap.AUTH_SIMPLE)
- result_id = conn.search(svc_search_pth,
+ result_id = conn.search(search_pth,
ldap.SCOPE_SUBTREE,
ldap_login,None)
result_type,result_data = conn.result(result_id,0)
@@ -58,6 +69,43 @@ class ldapauth(object):
except ldap.LDAPError,e:
#connection failed
return ('error','LDAP connect failed',e,)
+
+ def user_bind(self,distinguishedName,passwd):
+ """Binds to LDAP Server"""
+ search_pth = os.environ['LDAP_SEARCH_PTH']
+ try:
+ conn = ldap.initialize(os.environ['LDAP_URI'])
+ conn.bind(distinguishedName,passwd,ldap.AUTH_SIMPLE)
+ cn = distinguishedName.split(",")
+ result_id = conn.search(search_pth,
+ ldap.SCOPE_SUBTREE,
+ cn[0],None)
+ result_type,result_data = conn.result(result_id,0)
+ return ('success','User profile found',result_data,)
+ except ldap.LDAPError,e:
+ #connection failed
+ return ('error','LDAP connect failed',e,)
+
+ def user_dn(self,cn):
+ """Uses Service Account to get distinguishedName"""
+ ldap_login = "CN=%s" % cn
+ svc_acct = os.environ['LDAP_SVC_ACCT_NAME']
+ svc_pass = os.environ['LDAP_SVC_ACCT_PASS']
+ search_pth = os.environ['LDAP_SEARCH_PTH']
+
+ try:
+ conn = ldap.initialize(os.environ['LDAP_URI'])
+ conn.bind(svc_acct,svc_pass,ldap.AUTH_SIMPLE)
+ result_id = conn.search(search_pth,
+ ldap.SCOPE_SUBTREE,
+ ldap_login,None)
+ result_type,result_data = conn.result(result_id,0)
+ raw_obj = result_data[0][1]
+ distinguishedName = raw_obj['distinguishedName']
+ return ('success',distinguishedName[0],)
+ except ldap.LDAPError,e:
+ #connection failed
+ return ('error','LDAP connect failed',e,)
def parse_results(self,user_obj):
"""Clean up the huge ugly object handed to us in the LDAP query"""
@@ -85,3 +133,33 @@ class ldapauth(object):
return True
else:
return False
+
+ def security_level(self):
+ level = self.securitylevel
+
+ user = os.environ['LDAP_GROUP_USER']
+ m = [g for g in self.memberOf if g == user]
+ if len(m) == 1:
+ if level < 1:
+ level = 1
+
+ cspr = os.environ['LDAP_GROUP_SECURITY_LOW']
+ m = [g for g in self.memberOf if g == cspr]
+ if len(m) == 1:
+ if level < 2:
+ level = 2
+
+ cspo = os.environ['LDAP_GROUP_SECURITY_HIGH']
+ m = [g for g in self.memberOf if g == cspo]
+ if len(m) == 1:
+ if level < 3:
+ level = 3
+
+ admin = os.environ['LDAP_GROUP_ADMIN']
+ m = [g for g in self.memberOf if g == admin]
+ if len(m) == 1:
+ if level < 4:
+ level = 4
+
+ return level
+