From 17a0c03bf6cdf6afcb941c182d8ca56eb32f6032 Mon Sep 17 00:00:00 2001 From: David Dahl Date: Tue, 17 Oct 2006 19:55:59 +0000 Subject: initial check in of AD/LDAP module to use as a part of alt authbackend git-svn-id: https://svn.mcs.anl.gov/repos/bcfg/trunk/bcfg2@2441 ce84e21b-d406-0410-9b95-82705330c041 --- src/lib/Server/Hostbase/ldapauth.py | 87 +++++++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 src/lib/Server/Hostbase/ldapauth.py (limited to 'src') diff --git a/src/lib/Server/Hostbase/ldapauth.py b/src/lib/Server/Hostbase/ldapauth.py new file mode 100644 index 000000000..3d6ccb96e --- /dev/null +++ b/src/lib/Server/Hostbase/ldapauth.py @@ -0,0 +1,87 @@ +import os +import ldap + +"""Checks with LDAP (ActiveDirectory) to see if the current user is an LDAP(AD) user, +and returns a subset of the user's profile that is needed by Argonne/CIS to +to set user level privleges in Django""" + + +class LDAPAUTHError(Exception): + """LDAPAUTHError is raised when somehting goes boom.""" + pass + +class ldapauth(object): + group_test = False + check_member_of = os.environ['LDAP_CHECK_MBR_OF_GRP'] + samAcctName = None + distinguishedName = None + sAMAccountName = None + telephoneNumber = None + title = None + memberOf = None + department = None #this will be a list + mail = None + extensionAttribute1 = None #badgenumber + badge_no = None + + def __init__(self,login,passwd=None): + """get username (if using ldap as auth the + apache env var REMOTE_USER should be used) + from username get user profile from AD/LDAP + """ + p = self.user_profile(login,passwd) + if p[0] == 'success': + #parse results + parsed = self.parse_results(p[2]) + self.group_test = self.member_of() + + else: + raise LDAPAUTHError(p[2]) + + def user_profile(self,login,passwd=None): + ldap_login = "CN=%s" % login + svc_acct = os.environ['LDAP_SVC_ACCT_NAME'] + svc_pass = os.environ['LDAP_SVC_ACCT_PASS'] + #svc_acct = 'CN=%s,DC=anl,DC=gov' % login + #svc_pass = passwd + + svc_search_pth = os.environ['LDAP_SVC_SEARCH_PTH'] + + try: + conn = ldap.initialize(os.environ['LDAP_URI']) + conn.bind(svc_acct,svc_pass,ldap.AUTH_SIMPLE) + result_id = conn.search(svc_search_pth, + ldap.SCOPE_SUBTREE, + ldap_login,None) + result_type,result_data = conn.result(result_id,0) + return ('success','User profile found',result_data,) + except ldap.LDAPError,e: + #connection failed + return ('error','LDAP connect failed',e,) + + def parse_results(self,user_obj): + """Clean up the huge ugly object handed to us in the LDAP query""" + #user_obj is a list formatted like this: + #[('LDAP_DN',{user_dict},),] + try: + raw_obj = user_obj[0][1] + self.memberOf = raw_obj['memberOf'] + self.sAMAccountName = raw_obj['sAMAccountName'] + self.distinguishedName = raw_obj['distinguishedName'] + self.telephoneNumber = raw_obj['telephoneNumber'] + self.title = raw_obj['title'] + self.department = raw_obj['department'] + self.mail = raw_obj['mail'] + self.badge_no = raw_obj['extensionAttribute1'] + return + except KeyError, e: + raise LDAPAUTHError("Portions of the LDAP User profile not present") + + def member_of(self): + """See if this user is in our group that is allowed to login""" + m = [g for g in self.memberOf if g == self.check_member_of] + #print m + if len(m) == 1: + return True + else: + return False -- cgit v1.2.3-1-g7c22