server/sources/ldapuser.py
changeset 5863 4495b9bc49df
parent 5856 a02129508378
child 5972 220856aff85e
5858:384d34e76d6d 5863:4495b9bc49df
    16 # You should have received a copy of the GNU Lesser General Public License along
    16 # You should have received a copy of the GNU Lesser General Public License along
    17 # with CubicWeb.  If not, see <http://www.gnu.org/licenses/>.
    17 # with CubicWeb.  If not, see <http://www.gnu.org/licenses/>.
    18 """cubicweb ldap user source
    18 """cubicweb ldap user source
    19 
    19 
    20 this source is for now limited to a read-only CWUser source
    20 this source is for now limited to a read-only CWUser source
    21 
       
    22 
       
    23 
    21 
    24 Part of the code is coming form Zope's LDAPUserFolder
    22 Part of the code is coming form Zope's LDAPUserFolder
    25 
    23 
    26 Copyright (c) 2004 Jens Vagelpohl.
    24 Copyright (c) 2004 Jens Vagelpohl.
    27 All Rights Reserved.
    25 All Rights Reserved.
   276 
   274 
   277         two queries are needed since passwords are stored crypted, so we have
   275         two queries are needed since passwords are stored crypted, so we have
   278         to fetch the salt first
   276         to fetch the salt first
   279         """
   277         """
   280         self.info('ldap authenticate %s', login)
   278         self.info('ldap authenticate %s', login)
   281         if password is None:
   279         if not password:
       
   280             # On Windows + ADAM this would have succeeded (!!!)
       
   281             # You get Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'.
       
   282             # we really really don't want that
   282             raise AuthenticationError()
   283             raise AuthenticationError()
   283         searchfilter = [filter_format('(%s=%s)', (self.user_login_attr, login))]
   284         searchfilter = [filter_format('(%s=%s)', (self.user_login_attr, login))]
   284         searchfilter.extend([filter_format('(%s=%s)', ('objectClass', o))
   285         searchfilter.extend([filter_format('(%s=%s)', ('objectClass', o))
   285                              for o in self.user_classes])
   286                              for o in self.user_classes])
   286         searchstr = '(&%s)' % ''.join(searchfilter)
   287         searchstr = '(&%s)' % ''.join(searchfilter)
   291         except IndexError:
   292         except IndexError:
   292             # no such user
   293             # no such user
   293             raise AuthenticationError()
   294             raise AuthenticationError()
   294         # check password by establishing a (unused) connection
   295         # check password by establishing a (unused) connection
   295         try:
   296         try:
   296             if password:
   297             self._connect(user, password)
   297                 self._connect(user, password)
   298         except ldap.LDAPError, ex:
   298             else:
   299             # Something went wrong, most likely bad credentials
   299                 # On Windows + ADAM this would have succeeded (!!!)
       
   300                 # You get Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'.
       
   301                 # we really really don't want that
       
   302                 raise Exception('No password provided')
       
   303         except Exception, ex:
       
   304             self.info('while trying to authenticate %s: %s', user, ex)
   300             self.info('while trying to authenticate %s: %s', user, ex)
   305             # Something went wrong, most likely bad credentials
   301             raise AuthenticationError()
       
   302         except Exception:
       
   303             self.error('while trying to authenticate %s', user, exc_info=True)
   306             raise AuthenticationError()
   304             raise AuthenticationError()
   307         return self.extid2eid(user['dn'], 'CWUser', session)
   305         return self.extid2eid(user['dn'], 'CWUser', session)
   308 
   306 
   309     def ldap_name(self, var):
   307     def ldap_name(self, var):
   310         if var.stinfo['relations']:
   308         if var.stinfo['relations']:
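Review bot: Both new handlers (`except ldap.LDAPError, ex:` and `except Exception:`) log the whole `user` mapping returned by the directory search rather than just its DN; the docstring above says the entry is fetched together with its crypted password to obtain the salt, so if that attribute is still part of the result the password hash ends up in the log at info level on every failed login. Logging the DN is enough to diagnose the failure: `self.info('while trying to authenticate %s: %s', user['dn'], ex)` and `self.error('while trying to authenticate %s', user['dn'], exc_info=True)`. The `if not password:` guard is the right fix for the anonymous-bind problem and not only on ADAM, since an empty password turns a simple bind into an unauthenticated bind that many directories treat as anonymous, and placing it before the search also spares the lookup. The bound connection `_connect` opens is never released within this hunk, and whether `_connect` caches or unbinds it is not visible here. The enclosing `authenticate` method begins before the hunk, and the lines between the filter construction and `except IndexError:` (where the search presumably runs) are not shown.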