16 # You should have received a copy of the GNU Lesser General Public License along |
16 # You should have received a copy of the GNU Lesser General Public License along |
17 # with CubicWeb. If not, see <http://www.gnu.org/licenses/>. |
17 # with CubicWeb. If not, see <http://www.gnu.org/licenses/>. |
18 """cubicweb ldap user source |
18 """cubicweb ldap user source |
19 |
19 |
20 this source is for now limited to a read-only CWUser source |
20 this source is for now limited to a read-only CWUser source |
21 |
|
22 |
|
23 |
21 |
24 Part of the code is coming form Zope's LDAPUserFolder |
22 Part of the code is coming form Zope's LDAPUserFolder |
25 |
23 |
26 Copyright (c) 2004 Jens Vagelpohl. |
24 Copyright (c) 2004 Jens Vagelpohl. |
27 All Rights Reserved. |
25 All Rights Reserved. |
276 |
274 |
277 two queries are needed since passwords are stored crypted, so we have |
275 two queries are needed since passwords are stored crypted, so we have |
278 to fetch the salt first |
276 to fetch the salt first |
279 """ |
277 """ |
280 self.info('ldap authenticate %s', login) |
278 self.info('ldap authenticate %s', login) |
281 if password is None: |
279 if not password: |
|
280 # On Windows + ADAM this would have succeeded (!!!) |
|
281 # You get Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'. |
|
282 # we really really don't want that |
282 raise AuthenticationError() |
283 raise AuthenticationError() |
283 searchfilter = [filter_format('(%s=%s)', (self.user_login_attr, login))] |
284 searchfilter = [filter_format('(%s=%s)', (self.user_login_attr, login))] |
284 searchfilter.extend([filter_format('(%s=%s)', ('objectClass', o)) |
285 searchfilter.extend([filter_format('(%s=%s)', ('objectClass', o)) |
285 for o in self.user_classes]) |
286 for o in self.user_classes]) |
286 searchstr = '(&%s)' % ''.join(searchfilter) |
287 searchstr = '(&%s)' % ''.join(searchfilter) |
291 except IndexError: |
292 except IndexError: |
292 # no such user |
293 # no such user |
293 raise AuthenticationError() |
294 raise AuthenticationError() |
294 # check password by establishing a (unused) connection |
295 # check password by establishing a (unused) connection |
295 try: |
296 try: |
296 if password: |
297 self._connect(user, password) |
297 self._connect(user, password) |
298 except ldap.LDAPError, ex: |
298 else: |
299 # Something went wrong, most likely bad credentials |
299 # On Windows + ADAM this would have succeeded (!!!) |
|
300 # You get Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'. |
|
301 # we really really don't want that |
|
302 raise Exception('No password provided') |
|
303 except Exception, ex: |
|
304 self.info('while trying to authenticate %s: %s', user, ex) |
300 self.info('while trying to authenticate %s: %s', user, ex) |
305 # Something went wrong, most likely bad credentials |
301 raise AuthenticationError() |
|
302 except Exception: |
|
303 self.error('while trying to authenticate %s', user, exc_info=True) |
306 raise AuthenticationError() |
304 raise AuthenticationError() |
307 return self.extid2eid(user['dn'], 'CWUser', session) |
305 return self.extid2eid(user['dn'], 'CWUser', session) |
308 |
306 |
309 def ldap_name(self, var): |
307 def ldap_name(self, var): |
310 if var.stinfo['relations']: |
308 if var.stinfo['relations']: |