cubicweb: server/ldaputils.py@7a861620f64f (annotated)

8188 1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	1	# copyright 2003-2012 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	2	# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	3	#
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	4	# This file is part of CubicWeb.
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	5	#
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	6	# CubicWeb is free software: you can redistribute it and/or modify it under the
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	7	# terms of the GNU Lesser General Public License as published by the Free
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	8	# Software Foundation, either version 2.1 of the License, or (at your option)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	9	# any later version.
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	10	#
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	11	# CubicWeb is distributed in the hope that it will be useful, but WITHOUT
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	12	# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	13	# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	14	# details.
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	15	#
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	16	# You should have received a copy of the GNU Lesser General Public License along
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	17	# with CubicWeb. If not, see <http://www.gnu.org/licenses/>.
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	18	"""cubicweb utilities for ldap sources
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	19
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	20	Part of the code is coming form Zope's LDAPUserFolder
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	21
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	22	Copyright (c) 2004 Jens Vagelpohl.
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	23	All Rights Reserved.
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	24
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	25	This software is subject to the provisions of the Zope Public License,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	26	Version 2.1 (ZPL). A copy of the ZPL should accompany this distribution.
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	27	THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	28	WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	29	WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	30	FOR A PARTICULAR PURPOSE.
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	31	"""
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	32
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	33	from __future__ import division # XXX why?
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	34
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	35	import ldap
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	36	from ldap.ldapobject import ReconnectLDAPObject
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	37	from ldap.filter import filter_format
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	38	from ldapurl import LDAPUrl
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	39
8387 b59af20a868d [ldap] we may actually get back password from ldap Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8384 diff changeset	40	from cubicweb import ValidationError, AuthenticationError, Binary
8188 1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	41	from cubicweb.server.sources import ConnectionWrapper
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	42
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	43	_ = unicode
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	44
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	45	# search scopes
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	46	BASE = ldap.SCOPE_BASE
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	47	ONELEVEL = ldap.SCOPE_ONELEVEL
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	48	SUBTREE = ldap.SCOPE_SUBTREE
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	49
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	50	# map ldap protocol to their standard port
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	51	PROTO_PORT = {'ldap': 389,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	52	'ldaps': 636,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	53	'ldapi': None,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	54	}
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	55
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	56
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	57	class LDAPSourceMixIn(object):
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	58	"""a mix-in for LDAP based source"""
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	59	options = (
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	60	('auth-mode',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	61	{'type' : 'choice',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	62	'default': 'simple',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	63	'choices': ('simple', 'cram_md5', 'digest_md5', 'gssapi'),
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	64	'help': 'authentication mode used to authenticate user to the ldap.',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	65	'group': 'ldap-source', 'level': 3,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	66	}),
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	67	('auth-realm',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	68	{'type' : 'string',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	69	'default': None,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	70	'help': 'realm to use when using gssapi/kerberos authentication.',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	71	'group': 'ldap-source', 'level': 3,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	72	}),
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	73
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	74	('data-cnx-dn',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	75	{'type' : 'string',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	76	'default': '',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	77	'help': 'user dn to use to open data connection to the ldap (eg used \
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	78	to respond to rql queries). Leave empty for anonymous bind',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	79	'group': 'ldap-source', 'level': 1,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	80	}),
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	81	('data-cnx-password',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	82	{'type' : 'string',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	83	'default': '',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	84	'help': 'password to use to open data connection to the ldap (eg used to respond to rql queries). Leave empty for anonymous bind.',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	85	'group': 'ldap-source', 'level': 1,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	86	}),
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	87
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	88	('user-base-dn',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	89	{'type' : 'string',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	90	'default': 'ou=People,dc=logilab,dc=fr',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	91	'help': 'base DN to lookup for users',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	92	'group': 'ldap-source', 'level': 1,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	93	}),
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	94	('user-scope',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	95	{'type' : 'choice',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	96	'default': 'ONELEVEL',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	97	'choices': ('BASE', 'ONELEVEL', 'SUBTREE'),
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	98	'help': 'user search scope (valid values: "BASE", "ONELEVEL", "SUBTREE")',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	99	'group': 'ldap-source', 'level': 1,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	100	}),
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	101	('user-classes',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	102	{'type' : 'csv',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	103	'default': ('top', 'posixAccount'),
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	104	'help': 'classes of user (with Active Directory, you want to say "user" here)',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	105	'group': 'ldap-source', 'level': 1,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	106	}),
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	107	('user-filter',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	108	{'type': 'string',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	109	'default': '',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	110	'help': 'additional filters to be set in the ldap query to find valid users',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	111	'group': 'ldap-source', 'level': 2,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	112	}),
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	113	('user-login-attr',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	114	{'type' : 'string',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	115	'default': 'uid',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	116	'help': 'attribute used as login on authentication (with Active Directory, you want to use "sAMAccountName" here)',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	117	'group': 'ldap-source', 'level': 1,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	118	}),
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	119	('user-default-group',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	120	{'type' : 'csv',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	121	'default': ('users',),
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	122	'help': 'name of a group in which ldap users will be by default. \
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	123	You can set multiple groups by separating them by a comma.',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	124	'group': 'ldap-source', 'level': 1,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	125	}),
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	126	('user-attrs-map',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	127	{'type' : 'named',
8387 b59af20a868d [ldap] we may actually get back password from ldap Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8384 diff changeset	128	'default': {'uid': 'login', 'gecos': 'email', 'userPassword': 'upassword'},
8188 1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	129	'help': 'map from ldap user attributes to cubicweb attributes (with Active Directory, you want to use sAMAccountName:login,mail:email,givenName:firstname,sn:surname)',
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	130	'group': 'ldap-source', 'level': 1,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	131	}),
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	132
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	133	)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	134
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	135	_conn = None
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	136
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	137	def _entity_update(self, source_entity):
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	138	if self.urls:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	139	if len(self.urls) > 1:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	140	raise ValidationError(source_entity, {'url': _('can only have one url')})
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	141	try:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	142	protocol, hostport = self.urls[0].split('://')
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	143	except ValueError:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	144	raise ValidationError(source_entity, {'url': _('badly formatted url')})
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	145	if protocol not in PROTO_PORT:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	146	raise ValidationError(source_entity, {'url': _('unsupported protocol')})
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	147
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	148	def update_config(self, source_entity, typedconfig):
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	149	"""update configuration from source entity. `typedconfig` is config
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	150	properly typed with defaults set
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	151	"""
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	152	self.authmode = typedconfig['auth-mode']
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	153	self._authenticate = getattr(self, '_auth_%s' % self.authmode)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	154	self.cnx_dn = typedconfig['data-cnx-dn']
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	155	self.cnx_pwd = typedconfig['data-cnx-password']
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	156	self.user_base_dn = str(typedconfig['user-base-dn'])
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	157	self.user_base_scope = globals()[typedconfig['user-scope']]
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	158	self.user_login_attr = typedconfig['user-login-attr']
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	159	self.user_default_groups = typedconfig['user-default-group']
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	160	self.user_attrs = typedconfig['user-attrs-map']
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	161	self.user_rev_attrs = {'eid': 'dn'}
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	162	for ldapattr, cwattr in self.user_attrs.items():
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	163	self.user_rev_attrs[cwattr] = ldapattr
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	164	self.base_filters = [filter_format('(%s=%s)', ('objectClass', o))
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	165	for o in typedconfig['user-classes']]
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	166	if typedconfig['user-filter']:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	167	self.base_filters.append(typedconfig['user-filter'])
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	168	self._conn = None
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	169
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	170	def connection_info(self):
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	171	assert len(self.urls) == 1, self.urls
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	172	protocol, hostport = self.urls[0].split('://')
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	173	if protocol != 'ldapi' and not ':' in hostport:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	174	hostport = '%s:%s' % (hostport, PROTO_PORT[protocol])
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	175	return protocol, hostport
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	176
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	177	def get_connection(self):
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	178	"""open and return a connection to the source"""
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	179	if self._conn is None:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	180	try:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	181	self._connect()
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	182	except Exception:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	183	self.exception('unable to connect to ldap')
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	184	return ConnectionWrapper(self._conn)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	185
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	186	def authenticate(self, session, login, password=None, **kwargs):
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	187	"""return CWUser eid for the given login/password if this account is
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	188	defined in this source, else raise `AuthenticationError`
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	189
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	190	two queries are needed since passwords are stored crypted, so we have
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	191	to fetch the salt first
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	192	"""
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	193	self.info('ldap authenticate %s', login)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	194	if not password:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	195	# On Windows + ADAM this would have succeeded (!!!)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	196	# You get Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'.
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	197	# we really really don't want that
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	198	raise AuthenticationError()
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	199	searchfilter = [filter_format('(%s=%s)', (self.user_login_attr, login))]
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	200	searchfilter.extend(self.base_filters)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	201	searchstr = '(&%s)' % ''.join(searchfilter)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	202	# first search the user
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	203	try:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	204	user = self._search(session, self.user_base_dn,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	205	self.user_base_scope, searchstr)[0]
8329 ac2b17bd7311 [server/ldaputils] do not allow ldap.server_down to crash on us Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 8250 diff changeset	206	except (IndexError, ldap.SERVER_DOWN):
8188 1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	207	# no such user
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	208	raise AuthenticationError()
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	209	# check password by establishing a (unused) connection
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	210	try:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	211	self._connect(user, password)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	212	except ldap.LDAPError, ex:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	213	# Something went wrong, most likely bad credentials
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	214	self.info('while trying to authenticate %s: %s', user, ex)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	215	raise AuthenticationError()
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	216	except Exception:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	217	self.error('while trying to authenticate %s', user, exc_info=True)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	218	raise AuthenticationError()
8384 98782f17dd84 [datafeed] give a dictionary as sourceparams to avoid crash if attempt to import the user is done Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8329 diff changeset	219	eid = self.repo.extid2eid(self, user['dn'], 'CWUser', session, {})
8188 1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	220	if eid < 0:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	221	# user has been moved away from this source
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	222	raise AuthenticationError()
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	223	return eid
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	224
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	225	def object_exists_in_ldap(self, dn):
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	226	cnx = self.get_connection().cnx #session.cnxset.connection(self.uri).cnx
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	227	if cnx is None:
8430 5bee87a14bb1 fix ldap removal handling in ldapfeed (closes #2376625 and #2385133) Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 8387 diff changeset	228	self.warning('Could not establish connexion with LDAP server, assuming dn %s exists', dn)
5bee87a14bb1 fix ldap removal handling in ldapfeed (closes #2376625 and #2385133) Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 8387 diff changeset	229	return True # ldap unreachable, let's not touch it
8188 1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	230	try:
8250 171a9d6bff8f [ldapfeed] fix synchronisation crash: ldap attributes are given while we want cw attributes Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8244 diff changeset	231	cnx.search_s(dn, self.user_base_scope)
8188 1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	232	except ldap.PARTIAL_RESULTS:
8430 5bee87a14bb1 fix ldap removal handling in ldapfeed (closes #2376625 and #2385133) Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 8387 diff changeset	233	self.warning('PARTIAL RESULTS for dn %s', dn)
8188 1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	234	except ldap.NO_SUCH_OBJECT:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	235	return False
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	236	return True
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	237
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	238	def _connect(self, user=None, userpwd=None):
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	239	protocol, hostport = self.connection_info()
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	240	self.info('connecting %s://%s as %s', protocol, hostport,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	241	user and user['dn'] or 'anonymous')
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	242	# don't require server certificate when using ldaps (will
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	243	# enable self signed certs)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	244	ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	245	url = LDAPUrl(urlscheme=protocol, hostport=hostport)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	246	conn = ReconnectLDAPObject(url.initializeUrl())
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	247	# Set the protocol version - version 3 is preferred
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	248	try:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	249	conn.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	250	except ldap.LDAPError: # Invalid protocol version, fall back safely
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	251	conn.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION2)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	252	# Deny auto-chasing of referrals to be safe, we handle them instead
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	253	#try:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	254	# connection.set_option(ldap.OPT_REFERRALS, 0)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	255	#except ldap.LDAPError: # Cannot set referrals, so do nothing
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	256	# pass
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	257	#conn.set_option(ldap.OPT_NETWORK_TIMEOUT, conn_timeout)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	258	#conn.timeout = op_timeout
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	259	# Now bind with the credentials given. Let exceptions propagate out.
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	260	if user is None:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	261	# no user specified, we want to initialize the 'data' connection,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	262	assert self._conn is None
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	263	self._conn = conn
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	264	# XXX always use simple bind for data connection
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	265	if not self.cnx_dn:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	266	conn.simple_bind_s(self.cnx_dn, self.cnx_pwd)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	267	else:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	268	self._authenticate(conn, {'dn': self.cnx_dn}, self.cnx_pwd)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	269	else:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	270	# user specified, we want to check user/password, no need to return
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	271	# the connection which will be thrown out
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	272	self._authenticate(conn, user, userpwd)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	273	return conn
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	274
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	275	def _auth_simple(self, conn, user, userpwd):
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	276	conn.simple_bind_s(user['dn'], userpwd)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	277
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	278	def _auth_cram_md5(self, conn, user, userpwd):
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	279	from ldap import sasl
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	280	auth_token = sasl.cram_md5(user['dn'], userpwd)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	281	conn.sasl_interactive_bind_s('', auth_token)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	282
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	283	def _auth_digest_md5(self, conn, user, userpwd):
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	284	from ldap import sasl
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	285	auth_token = sasl.digest_md5(user['dn'], userpwd)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	286	conn.sasl_interactive_bind_s('', auth_token)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	287
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	288	def _auth_gssapi(self, conn, user, userpwd):
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	289	# print XXX not proper sasl/gssapi
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	290	import kerberos
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	291	if not kerberos.checkPassword(user[self.user_login_attr], userpwd):
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	292	raise Exception('BAD login / mdp')
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	293	#from ldap import sasl
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	294	#conn.sasl_interactive_bind_s('', sasl.gssapi())
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	295
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	296	def _search(self, session, base, scope,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	297	searchstr='(objectClass=*)', attrs=()):
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	298	"""make an ldap query"""
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	299	self.debug('ldap search %s %s %s %s %s', self.uri, base, scope,
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	300	searchstr, list(attrs))
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	301	# XXX for now, we do not have connections set support for LDAP, so
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	302	# this is always self._conn
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	303	cnx = self.get_connection().cnx #session.cnxset.connection(self.uri).cnx
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	304	if cnx is None:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	305	# cant connect to server
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	306	msg = session._("can't connect to source %s, some data may be missing")
8244 c7d89541e3c5 [web-repo] use transaction data, not session data to inform ui about sources error. Closes #2192577 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8188 diff changeset	307	session.set_shared_data('sources_error', msg % self.uri, txdata=True)
8188 1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	308	return []
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	309	try:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	310	res = cnx.search_s(base, scope, searchstr, attrs)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	311	except ldap.PARTIAL_RESULTS:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	312	res = cnx.result(all=0)[1]
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	313	except ldap.NO_SUCH_OBJECT:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	314	self.info('ldap NO SUCH OBJECT %s %s %s', base, scope, searchstr)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	315	self._process_no_such_object(session, base)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	316	return []
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	317	# except ldap.REFERRAL, e:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	318	# cnx = self.handle_referral(e)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	319	# try:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	320	# res = cnx.search_s(base, scope, searchstr, attrs)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	321	# except ldap.PARTIAL_RESULTS:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	322	# res_type, res = cnx.result(all=0)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	323	result = []
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	324	for rec_dn, rec_dict in res:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	325	# When used against Active Directory, "rec_dict" may not be
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	326	# be a dictionary in some cases (instead, it can be a list)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	327	#
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	328	# An example of a useless "res" entry that can be ignored
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	329	# from AD is
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	330	# (None, ['ldap://ForestDnsZones.PORTAL.LOCAL/DC=ForestDnsZones,DC=PORTAL,DC=LOCAL'])
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	331	# This appears to be some sort of internal referral, but
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	332	# we can't handle it, so we need to skip over it.
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	333	try:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	334	items = rec_dict.iteritems()
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	335	except AttributeError:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	336	continue
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	337	else:
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	338	itemdict = self._process_ldap_item(rec_dn, items)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	339	result.append(itemdict)
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	340	#print '--->', result
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	341	self.debug('ldap built results %s', len(result))
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	342	return result
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	343
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	344	def _process_ldap_item(self, dn, iterator):
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	345	"""Turn an ldap received item into a proper dict."""
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	346	itemdict = {'dn': dn}
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	347	for key, value in iterator:
8387 b59af20a868d [ldap] we may actually get back password from ldap Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8384 diff changeset	348	if self.user_attrs.get(key) == 'upassword': # XXx better password detection
b59af20a868d [ldap] we may actually get back password from ldap Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8384 diff changeset	349	itemdict[key] = Binary(value[0].encode('utf-8'))
b59af20a868d [ldap] we may actually get back password from ldap Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8384 diff changeset	350	else:
b59af20a868d [ldap] we may actually get back password from ldap Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8384 diff changeset	351	for i, val in enumerate(value):
b59af20a868d [ldap] we may actually get back password from ldap Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8384 diff changeset	352	value[i] = unicode(val, 'utf-8', 'replace')
b59af20a868d [ldap] we may actually get back password from ldap Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8384 diff changeset	353	if isinstance(value, list) and len(value) == 1:
b59af20a868d [ldap] we may actually get back password from ldap Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8384 diff changeset	354	itemdict[key] = value = value[0]
8188 1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	355	return itemdict
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	356
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	357	def _process_no_such_object(self, session, dn):
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	358	"""Some search return NO_SUCH_OBJECT error, handle this (usually because
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	359	an object whose dn is no more existent in ldap as been encountered).
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	360
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	361	Do nothing by default, let sub-classes handle that.
1867e252e487 [repository] ldap-feed source. Closes #2086984 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: diff changeset	362	"""

author	Pierre-Yves David <pierre-yves.david@logilab.fr>
	Thu, 14 Jun 2012 15:21:12 +0200
changeset 8444	7a861620f64f
parent 8430	5bee87a14bb1
child 8473	2646a8e99b0d
permissions	-rw-r--r--