124 {'type' : 'csv', |
124 {'type' : 'csv', |
125 'default': ('top', 'posixAccount'), |
125 'default': ('top', 'posixAccount'), |
126 'help': 'classes of user', |
126 'help': 'classes of user', |
127 'group': 'ldap-source', 'level': 1, |
127 'group': 'ldap-source', 'level': 1, |
128 }), |
128 }), |
|
129 ('user-filter', |
|
130 {'type': 'string', |
|
131 'default': '', |
|
132 'help': 'additional filters to be set in the ldap query to find valid users', |
|
133 'group': 'ldap-source', 'level': 2, |
|
134 }), |
129 ('user-login-attr', |
135 ('user-login-attr', |
130 {'type' : 'string', |
136 {'type' : 'string', |
131 'default': 'uid', |
137 'default': 'uid', |
132 'help': 'attribute used as login on authentication', |
138 'help': 'attribute used as login on authentication', |
133 'group': 'ldap-source', 'level': 1, |
139 'group': 'ldap-source', 'level': 1, |
176 self.user_base_scope = globals()[source_config['user-scope']] |
182 self.user_base_scope = globals()[source_config['user-scope']] |
177 self.user_classes = splitstrip(source_config['user-classes']) |
183 self.user_classes = splitstrip(source_config['user-classes']) |
178 self.user_login_attr = source_config['user-login-attr'] |
184 self.user_login_attr = source_config['user-login-attr'] |
179 self.user_default_groups = splitstrip(source_config['user-default-group']) |
185 self.user_default_groups = splitstrip(source_config['user-default-group']) |
180 self.user_attrs = dict(v.split(':', 1) for v in splitstrip(source_config['user-attrs-map'])) |
186 self.user_attrs = dict(v.split(':', 1) for v in splitstrip(source_config['user-attrs-map'])) |
|
187 self.user_filter = source_config['user-filter'] |
181 self.user_rev_attrs = {'eid': 'dn'} |
188 self.user_rev_attrs = {'eid': 'dn'} |
182 for ldapattr, cwattr in self.user_attrs.items(): |
189 for ldapattr, cwattr in self.user_attrs.items(): |
183 self.user_rev_attrs[cwattr] = ldapattr |
190 self.user_rev_attrs[cwattr] = ldapattr |
184 self.base_filters = [filter_format('(%s=%s)', ('objectClass', o)) |
191 self.base_filters = self._make_base_filters() |
185 for o in self.user_classes] |
|
186 self._conn = None |
192 self._conn = None |
187 self._cache = {} |
193 self._cache = {} |
188 # ttlm is in minutes! |
194 # ttlm is in minutes! |
189 self._cache_ttl = time_validator(None, None, |
195 self._cache_ttl = time_validator(None, None, |
190 source_config.get('cache-life-time', 2*60*60)) |
196 source_config.get('cache-life-time', 2*60*60)) |
192 self._query_cache = TimedCache(self._cache_ttl) |
198 self._query_cache = TimedCache(self._cache_ttl) |
193 # interval is in seconds ! |
199 # interval is in seconds ! |
194 self._interval = time_validator(None, None, |
200 self._interval = time_validator(None, None, |
195 source_config.get('synchronization-interval', |
201 source_config.get('synchronization-interval', |
196 24*60*60)) |
202 24*60*60)) |
|
203 |
|
204 def _make_base_filters(self): |
|
205 return [filter_format('(%s=%s)', ('objectClass', o)) |
|
206 for o in self.user_classes] + [self.user_filter] |
197 |
207 |
198 def reset_caches(self): |
208 def reset_caches(self): |
199 """method called during test to reset potential source caches""" |
209 """method called during test to reset potential source caches""" |
200 self._cache = {} |
210 self._cache = {} |
201 self._query_cache = TimedCache(self._cache_ttl) |
211 self._query_cache = TimedCache(self._cache_ttl) |
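Review bot: `_make_base_filters` appends `self.user_filter` unconditionally and verbatim, so the default `''` adds an empty element to `base_filters`, and any configured value is concatenated unescaped into the `(&%s)` string that the login search builds from these filters. A value that is not one complete, parenthesised LDAP filter would make that query malformed or change which entries it matches, and this is on the authentication path. I would append it only when set, `if self.user_filter: filters.append(self.user_filter)`, and reject at load time a value that does not start with `(` and end with `)`. The new method also needs a one-line docstring saying that the user filter is operator-supplied configuration and is deliberately not passed through `filter_format`, and the `user-filter` help text should say that a full filter expression is expected. `__init__` begins outside this hunk, so I cannot see whether other readers of `base_filters` tolerate an empty element.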
282 # On Windows + ADAM this would have succeeded (!!!) |
292 # On Windows + ADAM this would have succeeded (!!!) |
283 # You get Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'. |
293 # You get Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'. |
284 # we really really don't want that |
294 # we really really don't want that |
285 raise AuthenticationError() |
295 raise AuthenticationError() |
286 searchfilter = [filter_format('(%s=%s)', (self.user_login_attr, login))] |
296 searchfilter = [filter_format('(%s=%s)', (self.user_login_attr, login))] |
287 searchfilter.extend([filter_format('(%s=%s)', ('objectClass', o)) |
297 searchfilter.extend(self._make_base_filters()) |
288 for o in self.user_classes]) |
|
289 searchstr = '(&%s)' % ''.join(searchfilter) |
298 searchstr = '(&%s)' % ''.join(searchfilter) |
290 # first search the user |
299 # first search the user |
291 try: |
300 try: |
292 user = self._search(session, self.user_base_dn, |
301 user = self._search(session, self.user_base_dn, |
293 self.user_base_scope, searchstr)[0] |
302 self.user_base_scope, searchstr)[0] |