summaryrefslogtreecommitdiffstats
path: root/src/lib/Server/Hostbase/ldapauth.py
blob: 1dc56336817ae16d6af9b3d4af9069113029eeac (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
"""Checks with LDAP (ActiveDirectory) to see if the current user is an LDAP(AD) user,
and returns a subset of the user's profile that is needed by Argonne/CIS to
to set user level privleges in Django"""

__revision__ = '$Revision$'

import os
import ldap

class LDAPAUTHError(Exception):
    """LDAPAUTHError is raised when somehting goes boom."""
    pass

class ldapauth(object):
    group_test = False
    check_member_of = os.environ['LDAP_CHECK_MBR_OF_GRP']
    securitylevel = 0
    distinguishedName = None
    sAMAccountName = None
    telephoneNumber = None
    title = None
    memberOf = None
    department = None #this will be a list
    mail = None
    extensionAttribute1 = None #badgenumber
    badge_no = None

    def __init__(self,login,passwd):
        """get username (if using ldap as auth the
        apache env var REMOTE_USER should be used)
        from username get user profile from AD/LDAP
        """
        #p = self.user_profile(login,passwd)
        d = self.user_dn(login) #success, distname
        print d[1]
        if d[0] == 'success':
            pass
            p = self.user_bind(d[1],passwd)
            if p[0] == 'success':
                #parse results
                parsed = self.parse_results(p[2])
                print self.department
                self.group_test = self.member_of()
                securitylevel = self.security_level()
                print "ACCESS LEVEL: " + str(securitylevel)
            else:
                raise LDAPAUTHError(p[2])
        else:
            raise LDAPAUTHError(p[2])

    def user_profile(self,login,passwd=None):
        """NOT USED RIGHT NOW"""
        ldap_login = "CN=%s" % login
        svc_acct = os.environ['LDAP_SVC_ACCT_NAME']
        svc_pass = os.environ['LDAP_SVC_ACCT_PASS']
        #svc_acct = 'CN=%s,DC=anl,DC=gov' % login
        #svc_pass = passwd

        search_pth = os.environ['LDAP_SEARCH_PTH']
        
        try:
            conn = ldap.initialize(os.environ['LDAP_URI'])
            conn.bind(svc_acct,svc_pass,ldap.AUTH_SIMPLE)
            result_id = conn.search(search_pth,
                                      ldap.SCOPE_SUBTREE,
                                      ldap_login,None)
            result_type,result_data = conn.result(result_id,0)
            return ('success','User profile found',result_data,)
        except ldap.LDAPError,e:
            #connection failed
            return ('error','LDAP connect failed',e,)
    
    def user_bind(self,distinguishedName,passwd):
        """Binds to LDAP Server"""
        search_pth = os.environ['LDAP_SEARCH_PTH']
        try:
            conn = ldap.initialize(os.environ['LDAP_URI'])
            conn.bind(distinguishedName,passwd,ldap.AUTH_SIMPLE)
            cn = distinguishedName.split(",")
            result_id = conn.search(search_pth,
                                      ldap.SCOPE_SUBTREE,
                                      cn[0],None)
            result_type,result_data = conn.result(result_id,0)
            return ('success','User profile found',result_data,)
        except ldap.LDAPError,e:
            #connection failed
            return ('error','LDAP connect failed',e,)

    def user_dn(self,cn):
        """Uses Service Account to get distinguishedName"""
        ldap_login = "CN=%s" % cn
        svc_acct = os.environ['LDAP_SVC_ACCT_NAME']
        svc_pass = os.environ['LDAP_SVC_ACCT_PASS']
        search_pth = os.environ['LDAP_SEARCH_PTH']

        try:
            conn = ldap.initialize(os.environ['LDAP_URI'])
            conn.bind(svc_acct,svc_pass,ldap.AUTH_SIMPLE)
            result_id = conn.search(search_pth,
                                      ldap.SCOPE_SUBTREE,
                                      ldap_login,None)
            result_type,result_data = conn.result(result_id,0)
            raw_obj = result_data[0][1]
            distinguishedName = raw_obj['distinguishedName']
            return ('success',distinguishedName[0],)
        except ldap.LDAPError,e:
            #connection failed
            return ('error','LDAP connect failed',e,)

    def parse_results(self,user_obj):
        """Clean up the huge ugly object handed to us in the LDAP query"""
        #user_obj is a list formatted like this:
        #[('LDAP_DN',{user_dict},),]
        try:
            raw_obj = user_obj[0][1]
            self.memberOf = raw_obj['memberOf']
            self.sAMAccountName = raw_obj['sAMAccountName'][0]
            self.distinguishedName = raw_obj['distinguishedName'][0]
            self.telephoneNumber = raw_obj['telephoneNumber'][0]
            self.title = raw_obj['title'][0]
            self.department = raw_obj['department'][0]
            self.mail = raw_obj['mail'][0]
            self.badge_no = raw_obj['extensionAttribute1'][0]
            self.email = raw_obj['extensionAttribute2'][0]
            display_name = raw_obj['displayName'][0].split(",")
            self.name_f = raw_obj['givenName'][0]
            self.name_l = display_name[0]
            self.is_staff = False
            self.is_superuser = False
            
            return
        except KeyError, e:
            raise LDAPAUTHError("Portions of the LDAP User profile not present")
        
    def member_of(self):
        """See if this user is in our group that is allowed to login"""
        m = [g for g in self.memberOf if g == self.check_member_of]
        #print m
        if len(m) == 1:
            return True
        else:
            return False

    def security_level(self):
        level = self.securitylevel

        user = os.environ['LDAP_GROUP_USER']
        m = [g for g in self.memberOf if g == user]
        if len(m) == 1:
            if level < 1:                       
                level = 1

        cspr = os.environ['LDAP_GROUP_SECURITY_LOW']
        m = [g for g in self.memberOf if g == cspr]
        if len(m) == 1:
            if level < 2:                       
                level = 2

        cspo = os.environ['LDAP_GROUP_SECURITY_HIGH']
        m = [g for g in self.memberOf if g == cspo]
        if len(m) == 1:
            if level < 3:                       
                level = 3

        admin = os.environ['LDAP_GROUP_ADMIN']
        m = [g for g in self.memberOf if g == admin]
        if len(m) == 1:
            if level < 4:                       
                level = 4

        return level