cubicweb: comparison cubicweb/server/sources/ldapfeed.py

equal deleted inserted replaced

-:ba528f08ddfa
+:5a9d1e64f505
 #
 # You should have received a copy of the GNU Lesser General Public License along
 # with CubicWeb.  If not, see <http://www.gnu.org/licenses/>.
 """cubicweb ldap feed source"""
-from datetime import datetime
 import ldap3
 from logilab.common.configuration import merge_options
 from cubicweb import ValidationError, AuthenticationError, Binary
 from cubicweb.server.sources import datafeed
 from cubicweb import _
 # search scopes
-LDAP_SCOPES = {'BASE': ldap3.SEARCH_SCOPE_BASE_OBJECT,
+LDAP_SCOPES = {
-'ONELEVEL': ldap3.SEARCH_SCOPE_SINGLE_LEVEL,
+'BASE': ldap3.BASE,
-'SUBTREE': ldap3.SEARCH_SCOPE_WHOLE_SUBTREE}
+'ONELEVEL': ldap3.LEVEL,
+'SUBTREE': ldap3.SUBTREE,
+}
 # map ldap protocol to their standard port
 PROTO_PORT = {'ldap': 389,
 'ldaps': 636,
 'ldapi': None,
 # no such user
 raise AuthenticationError()
 # check password by establishing a (unused) connection
 try:
 self._connect(user, password)
-except ldap3.LDAPException as ex:
+except ldap3.core.exceptions.LDAPException as ex:
 # Something went wrong, most likely bad credentials
 self.info('while trying to authenticate %s: %s', user, ex)
 raise AuthenticationError()
 except Exception:
 self.error('while trying to authenticate %s', user, exc_info=True)
 raise AuthenticationError()
 return rset[0][0]
 def _connect(self, user=None, userpwd=None):
 protocol, host, port = self.connection_info()
+kwargs = {}
+if user:
+kwargs['user'] = user['dn']
+elif self.cnx_dn:
+kwargs['user'] = self.cnx_dn
+if self.cnx_pwd:
+kwargs['password'] = self.cnx_pwd
 self.info('connecting %s://%s:%s as %s', protocol, host, port,
-user and user['dn'] or 'anonymous')
+kwargs.get('user', 'anonymous'))
 server = ldap3.Server(host, port=int(port))
 conn = ldap3.Connection(
-server, user=user and user['dn'],
+server, client_strategy=ldap3.RESTARTABLE, auto_referrals=False,
-client_strategy=ldap3.STRATEGY_SYNC_RESTARTABLE,
+raise_exceptions=True,
-auto_referrals=False)
+**kwargs)
 # Now bind with the credentials given. Let exceptions propagate out.
 if user is None:
-# XXX always use simple bind for data connection
+# anonymous bind
 if not self.cnx_dn:
-conn.bind()
+if not conn.bind():
+raise AuthenticationError(conn.result["message"])
 else:
 self._authenticate(conn, {'dn': self.cnx_dn}, self.cnx_pwd)
 else:
 # user specified, we want to check user/password, no need to return
 # the connection which will be thrown out
 if not self._authenticate(conn, user, userpwd):
 raise AuthenticationError()
 return conn
 def _auth_simple(self, conn, user, userpwd):
-conn.authentication = ldap3.AUTH_SIMPLE
 conn.user = user['dn']
 conn.password = userpwd
 return conn.bind()
 def _auth_digest_md5(self, conn, user, userpwd):
 self.debug('ldap search %s %s %s %s %s', self.uri, base, scope,
 searchstr, list(attrs))
 if self._conn is None:
 self._conn = self._connect()
 ldapcnx = self._conn
-if not ldapcnx.search(base, searchstr, search_scope=scope, attributes=attrs):
+if not ldapcnx.search(base, searchstr, search_scope=scope, attributes=set(attrs) - {'dn'}):
 return []
 result = []
 for rec in ldapcnx.response:
 if rec['type'] != 'searchResEntry':
 continue
 def _process_ldap_item(self, dn, iterator):
 """Turn an ldap received item into a proper dict."""
 itemdict = {'dn': dn}
 for key, value in iterator:
 if self.user_attrs.get(key) == 'upassword':  # XXx better password detection
-value = value[0].encode('utf-8')
+value = value[0]
 # we only support ldap_salted_sha1 for ldap sources, see: server/utils.py
 if not value.startswith(b'{SSHA}'):
 value = utils.crypt_password(value)
 itemdict[key] = Binary(value)
 elif self.user_attrs.get(key) == 'modification_date':
-itemdict[key] = datetime.strptime(value[0], '%Y%m%d%H%M%SZ')
+itemdict[key] = value
 else:
 if len(value) == 1:
 itemdict[key] = value = value[0]
 else:
 itemdict[key] = value

branch	3.27
changeset 12895	5a9d1e64f505
parent 12894	ba528f08ddfa
child 12897	d0ade9350d0e