124 {'type' : 'csv', |
124 {'type' : 'csv', |
125 'default': ('top', 'posixAccount'), |
125 'default': ('top', 'posixAccount'), |
126 'help': 'classes of user', |
126 'help': 'classes of user', |
127 'group': 'ldap-source', 'level': 1, |
127 'group': 'ldap-source', 'level': 1, |
128 }), |
128 }), |
|
129 ('user-filter', |
|
130 {'type': 'string', |
|
131 'default': '', |
|
132 'help': 'additional filters to be set in the ldap query to find valid users', |
|
133 'group': 'ldap-source', 'level': 2, |
|
134 }), |
129 ('user-login-attr', |
135 ('user-login-attr', |
130 {'type' : 'string', |
136 {'type' : 'string', |
131 'default': 'uid', |
137 'default': 'uid', |
132 'help': 'attribute used as login on authentication', |
138 'help': 'attribute used as login on authentication', |
133 'group': 'ldap-source', 'level': 1, |
139 'group': 'ldap-source', 'level': 1, |
175 self.user_base_scope = globals()[source_config['user-scope']] |
181 self.user_base_scope = globals()[source_config['user-scope']] |
176 self.user_classes = splitstrip(source_config['user-classes']) |
182 self.user_classes = splitstrip(source_config['user-classes']) |
177 self.user_login_attr = source_config['user-login-attr'] |
183 self.user_login_attr = source_config['user-login-attr'] |
178 self.user_default_groups = splitstrip(source_config['user-default-group']) |
184 self.user_default_groups = splitstrip(source_config['user-default-group']) |
179 self.user_attrs = dict(v.split(':', 1) for v in splitstrip(source_config['user-attrs-map'])) |
185 self.user_attrs = dict(v.split(':', 1) for v in splitstrip(source_config['user-attrs-map'])) |
|
186 self.user_filter = source_config.get('user-filter') |
180 self.user_rev_attrs = {'eid': 'dn'} |
187 self.user_rev_attrs = {'eid': 'dn'} |
181 for ldapattr, cwattr in self.user_attrs.items(): |
188 for ldapattr, cwattr in self.user_attrs.items(): |
182 self.user_rev_attrs[cwattr] = ldapattr |
189 self.user_rev_attrs[cwattr] = ldapattr |
183 self.base_filters = [filter_format('(%s=%s)', ('objectClass', o)) |
190 self.base_filters = self._make_base_filters() |
184 for o in self.user_classes] |
|
185 self._conn = None |
191 self._conn = None |
186 self._cache = {} |
192 self._cache = {} |
187 # ttlm is in minutes! |
193 # ttlm is in minutes! |
188 self._cache_ttl = time_validator(None, None, |
194 self._cache_ttl = time_validator(None, None, |
189 source_config.get('cache-life-time', 2*60*60)) |
195 source_config.get('cache-life-time', 2*60*60)) |
191 self._query_cache = TimedCache(self._cache_ttl) |
197 self._query_cache = TimedCache(self._cache_ttl) |
192 # interval is in seconds ! |
198 # interval is in seconds ! |
193 self._interval = time_validator(None, None, |
199 self._interval = time_validator(None, None, |
194 source_config.get('synchronization-interval', |
200 source_config.get('synchronization-interval', |
195 24*60*60)) |
201 24*60*60)) |
|
202 |
|
203 def _make_base_filters(self): |
|
204 filters = [filter_format('(%s=%s)', ('objectClass', o)) |
|
205 for o in self.user_classes] |
|
206 if self.user_filter: |
|
207 filters += [self.user_filter] |
|
208 return filters |
196 |
209 |
197 def reset_caches(self): |
210 def reset_caches(self): |
198 """method called during test to reset potential source caches""" |
211 """method called during test to reset potential source caches""" |
199 self._cache = {} |
212 self._cache = {} |
200 self._query_cache = TimedCache(self._cache_ttl) |
213 self._query_cache = TimedCache(self._cache_ttl) |
285 # On Windows + ADAM this would have succeeded (!!!) |
298 # On Windows + ADAM this would have succeeded (!!!) |
286 # You get Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'. |
299 # You get Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'. |
287 # we really really don't want that |
300 # we really really don't want that |
288 raise AuthenticationError() |
301 raise AuthenticationError() |
289 searchfilter = [filter_format('(%s=%s)', (self.user_login_attr, login))] |
302 searchfilter = [filter_format('(%s=%s)', (self.user_login_attr, login))] |
290 searchfilter.extend([filter_format('(%s=%s)', ('objectClass', o)) |
303 searchfilter.extend(self._make_base_filters()) |
291 for o in self.user_classes]) |
|
292 searchstr = '(&%s)' % ''.join(searchfilter) |
304 searchstr = '(&%s)' % ''.join(searchfilter) |
293 # first search the user |
305 # first search the user |
294 try: |
306 try: |
295 user = self._search(session, self.user_base_dn, |
307 user = self._search(session, self.user_base_dn, |
296 self.user_base_scope, searchstr)[0] |
308 self.user_base_scope, searchstr)[0] |