import os

import ldap
import ldap.filter
"""Checks with LDAP (ActiveDirectory) to see if the current user is an LDAP(AD) user,
and returns a subset of the user's profile that is needed by Argonne/CIS to
set user level privileges in Django"""
class LDAPAUTHError(Exception):
    """Raised when looking up or validating a user against LDAP/AD fails."""
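class ldapauth(object):
    """Look up a login in AD/LDAP and expose the profile fields Django needs.

    Construction performs the lookup immediately: the service account named
    by the ``LDAP_SVC_ACCT_NAME`` / ``LDAP_SVC_ACCT_PASS`` environment
    variables binds to ``LDAP_URI``, searches ``LDAP_SVC_SEARCH_PTH`` for the
    login's CN, and the selected attributes are copied onto the instance.
    ``group_test`` ends up True only when the user's ``memberOf`` holds the
    group DN given in ``LDAP_CHECK_MBR_OF_GRP``.

    Raises LDAPAUTHError when the directory cannot be reached, the bind or
    search fails, no entry comes back, or the entry lacks an expected
    attribute.
    """
    group_test = False
    # Group DN the user must belong to.  Read at import time: a missing
    # variable fails fast instead of silently denying every login.
    check_member_of = os.environ['LDAP_CHECK_MBR_OF_GRP']
    samAcctName = None  # never assigned here; sAMAccountName below is the one filled in
    distinguishedName = None
    sAMAccountName = None
    telephoneNumber = None
    title = None
    memberOf = None
    department = None  # this will be a list
    mail = None
    extensionAttribute1 = None  # badgenumber
    badge_no = None

    def __init__(self, login, passwd=None):
        """Fetch and parse the AD/LDAP profile for *login*.

        login:  the username to look up (if using ldap as auth the apache
                env var REMOTE_USER should be used).
        passwd: kept for interface compatibility; user_profile() does not
                use it because the lookup binds with the service account.

        Raises LDAPAUTHError if the lookup or the parsing of its result fails.
        """
        status, _message, payload = self.user_profile(login, passwd)
        if status != 'success':
            # payload is the ldap.LDAPError raised during the lookup
            raise LDAPAUTHError(payload)
        # parse_results() populates the instance attributes in place.
        self.parse_results(payload)
        self.group_test = self.member_of()

    def user_profile(self, login, passwd=None):
        """Search the directory for *login* and return the raw result.

        Returns a 3-tuple: ``('success', 'User profile found', entries)``
        where ``entries`` is the python-ldap result list
        ``[(dn, {attr: [values]}), ...]`` from the first result message, or
        ``('error', 'LDAP connect failed', exc)`` carrying the ldap.LDAPError
        raised while connecting, binding or searching.

        *passwd* is unused: the search runs under the service account taken
        from the environment, not under the user's own credentials.
        """
        # login is interpolated into an LDAP search filter, so escape the
        # filter metacharacters first; otherwise a crafted login could widen
        # or alter the search.
        ldap_filter = "(CN=%s)" % ldap.filter.escape_filter_chars(login)
        svc_acct = os.environ['LDAP_SVC_ACCT_NAME']
        svc_pass = os.environ['LDAP_SVC_ACCT_PASS']
        svc_search_pth = os.environ['LDAP_SVC_SEARCH_PTH']
        conn = None
        try:
            # NOTE(review): a simple bind sends svc_pass in the clear unless
            # LDAP_URI is ldaps:// or StartTLS is negotiated first -- confirm
            # the deployed URI.
            conn = ldap.initialize(os.environ['LDAP_URI'])
            # Synchronous bind: a rejected service-account password surfaces
            # here as an LDAPError instead of as an odd search failure later.
            conn.simple_bind_s(svc_acct, svc_pass)
            result_id = conn.search(svc_search_pth,
                                    ldap.SCOPE_SUBTREE,
                                    ldap_filter, None)
            # all=0: read only the first result message.
            _result_type, result_data = conn.result(result_id, 0)
            return ('success', 'User profile found', result_data,)
        except ldap.LDAPError as e:
            # connection, bind or search failed
            return ('error', 'LDAP connect failed', e,)
        finally:
            # Release the connection whether or not the search succeeded.
            if conn is not None:
                try:
                    conn.unbind_s()
                except ldap.LDAPError:
                    pass  # best effort; the result above is what matters

    def parse_results(self, user_obj):
        """Copy the wanted attributes from a python-ldap result onto self.

        user_obj is a list formatted like [('LDAP_DN', {attr: [values]}), ...];
        only the first entry is used.  Values are stored exactly as python-ldap
        returns them, so e.g. ``department`` is a list.

        Raises LDAPAUTHError when the list is empty (no entry matched the
        login) or the entry lacks any of the expected attributes.
        """
        try:
            raw_obj = user_obj[0][1]
            self.memberOf = raw_obj['memberOf']
            self.sAMAccountName = raw_obj['sAMAccountName']
            self.distinguishedName = raw_obj['distinguishedName']
            self.telephoneNumber = raw_obj['telephoneNumber']
            self.title = raw_obj['title']
            self.department = raw_obj['department']
            self.mail = raw_obj['mail']
            self.badge_no = raw_obj['extensionAttribute1']
        except (IndexError, KeyError):
            # IndexError: the search returned no entry for this login;
            # KeyError: the entry is missing one of the attributes above.
            raise LDAPAUTHError("Portions of the LDAP User profile not present")

    def member_of(self):
        """Return True when this user is in the group that is allowed to login.

        Compares each ``memberOf`` value to ``check_member_of`` exactly;
        exactly one match is required, so a duplicated entry (or none)
        yields False.
        """
        matches = sum(1 for group in self.memberOf if group == self.check_member_of)
        return matches == 1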