--- a/.hgtags Fri Feb 28 17:11:01 2020 +0100
+++ b/.hgtags Thu Mar 05 10:15:38 2020 +0100
@@ -647,3 +647,7 @@
172f683a84f6dbc069298bba811f590afb5e5a43 3.26.14
e77900f19390fdf38515afdd212d21ac2592693d 3.27.0
e77900f19390fdf38515afdd212d21ac2592693d debian/3.27.0-1
+917601bb5b1ba13eb92296f5bd82eaa89e99bdad 3.27.1
+917601bb5b1ba13eb92296f5bd82eaa89e99bdad debian/3.27.1-1
+e731c31eaed06ac0a781db4d9a36d8b3732a4852 3.27.2
+e731c31eaed06ac0a781db4d9a36d8b3732a4852 debian/3.27.2-1
--- a/cubicweb/server/sources/ldapfeed.py Fri Feb 28 17:11:01 2020 +0100
+++ b/cubicweb/server/sources/ldapfeed.py Thu Mar 05 10:15:38 2020 +0100
@@ -17,10 +17,6 @@
# with CubicWeb. If not, see <http://www.gnu.org/licenses/>.
"""cubicweb ldap feed source"""
-from __future__ import division # XXX why?
-
-from datetime import datetime
-
import ldap3
from logilab.common.configuration import merge_options
@@ -32,12 +28,11 @@
from cubicweb import _
# search scopes
-BASE = ldap3.SEARCH_SCOPE_BASE_OBJECT
-ONELEVEL = ldap3.SEARCH_SCOPE_SINGLE_LEVEL
-SUBTREE = ldap3.SEARCH_SCOPE_WHOLE_SUBTREE
-LDAP_SCOPES = {'BASE': BASE,
- 'ONELEVEL': ONELEVEL,
- 'SUBTREE': SUBTREE}
+LDAP_SCOPES = {
+ 'BASE': ldap3.BASE,
+ 'ONELEVEL': ldap3.LEVEL,
+ 'SUBTREE': ldap3.SUBTREE,
+}
# map ldap protocol to their standard port
PROTO_PORT = {'ldap': 389,
@@ -117,6 +112,13 @@
'help': 'additional filters to be set in the ldap query to find valid users',
'group': 'ldap-source', 'level': 2,
}),
+ ('start-tls',
+ {'type': 'choice',
+ 'choices': ('true', 'false'),
+ 'default': 'false',
+ 'help': 'Start tls on connection (before bind)',
+ 'group': 'ldap-source', 'level': 1,
+ }),
('user-login-attr',
{'type': 'string',
'default': 'uid',
@@ -196,8 +198,9 @@
self._authenticate = getattr(self, '_auth_%s' % self.authmode)
self.cnx_dn = typedconfig['data-cnx-dn']
self.cnx_pwd = typedconfig['data-cnx-password']
+ self.start_tls = typedconfig['start-tls'] == "true"
self.user_base_dn = str(typedconfig['user-base-dn'])
- self.user_base_scope = globals()[typedconfig['user-scope']]
+ self.user_base_scope = LDAP_SCOPES[typedconfig['user-scope']]
self.user_login_attr = typedconfig['user-login-attr']
self.user_default_groups = typedconfig['user-default-group']
self.user_attrs = {'dn': 'eid', 'modifyTimestamp': 'modification_date'}
@@ -254,7 +257,7 @@
# check password by establishing a (unused) connection
try:
self._connect(user, password)
- except ldap3.LDAPException as ex:
+ except ldap3.core.exceptions.LDAPException as ex:
# Something went wrong, most likely bad credentials
self.info('while trying to authenticate %s: %s', user, ex)
raise AuthenticationError()
@@ -270,18 +273,29 @@
def _connect(self, user=None, userpwd=None):
protocol, host, port = self.connection_info()
+ kwargs = {}
+ if user:
+ kwargs['user'] = user['dn']
+ elif self.cnx_dn:
+ kwargs['user'] = self.cnx_dn
+ if self.cnx_pwd:
+ kwargs['password'] = self.cnx_pwd
self.info('connecting %s://%s:%s as %s', protocol, host, port,
- user and user['dn'] or 'anonymous')
+ kwargs.get('user', 'anonymous'))
server = ldap3.Server(host, port=int(port))
conn = ldap3.Connection(
- server, user=user and user['dn'],
- client_strategy=ldap3.STRATEGY_SYNC_RESTARTABLE,
- auto_referrals=False)
+ server, client_strategy=ldap3.RESTARTABLE, auto_referrals=False,
+ raise_exceptions=True,
+ **kwargs)
+ if self.start_tls:
+ conn.start_tls()
+
# Now bind with the credentials given. Let exceptions propagate out.
if user is None:
- # XXX always use simple bind for data connection
+ # anonymous bind
if not self.cnx_dn:
- conn.bind()
+ if not conn.bind():
+ raise AuthenticationError(conn.result["message"])
else:
self._authenticate(conn, {'dn': self.cnx_dn}, self.cnx_pwd)
else:
@@ -292,7 +306,6 @@
return conn
def _auth_simple(self, conn, user, userpwd):
- conn.authentication = ldap3.AUTH_SIMPLE
conn.user = user['dn']
conn.password = userpwd
return conn.bind()
@@ -317,7 +330,10 @@
if self._conn is None:
self._conn = self._connect()
ldapcnx = self._conn
- if not ldapcnx.search(base, searchstr, search_scope=scope, attributes=attrs):
+ if self.start_tls:
+ ldapcnx.start_tls()
+ self.info("ldap start_tls started for %s", self.uri)
+ if not ldapcnx.search(base, searchstr, search_scope=scope, attributes=set(attrs) - {'dn'}):
return []
result = []
for rec in ldapcnx.response:
@@ -334,13 +350,13 @@
itemdict = {'dn': dn}
for key, value in iterator:
if self.user_attrs.get(key) == 'upassword': # XXx better password detection
- value = value[0].encode('utf-8')
+ value = value[0]
# we only support ldap_salted_sha1 for ldap sources, see: server/utils.py
if not value.startswith(b'{SSHA}'):
value = utils.crypt_password(value)
itemdict[key] = Binary(value)
elif self.user_attrs.get(key) == 'modification_date':
- itemdict[key] = datetime.strptime(value[0], '%Y%m%d%H%M%SZ')
+ itemdict[key] = value
else:
if len(value) == 1:
itemdict[key] = value = value[0]
--- a/cubicweb/server/test/unittest_ldapsource.py Fri Feb 28 17:11:01 2020 +0100
+++ b/cubicweb/server/test/unittest_ldapsource.py Thu Mar 05 10:15:38 2020 +0100
@@ -143,12 +143,8 @@
@classmethod
def pre_setup_database(cls, cnx, config):
- if sys.version_info[:2] >= (3, 7):
- raise unittest.SkipTest(
- 'ldapfeed is not currently compatible with Python 3.7')
cnx.create_entity('CWSource', name=u'ldap', type=u'ldapfeed', parser=u'ldapfeed',
url=URL, config=CONFIG_LDAPFEED)
-
cnx.commit()
return cls.pull(cnx)
--- a/debian/changelog Fri Feb 28 17:11:01 2020 +0100
+++ b/debian/changelog Thu Mar 05 10:15:38 2020 +0100
@@ -1,3 +1,15 @@
+cubicweb (3.27.2-1) unstable; urgency=medium
+
+ * New upstream release
+
+ -- Philippe Pepiot <philippe.pepiot@logilab.fr> Thu, 05 Mar 2020 09:54:26 +0100
+
+cubicweb (3.27.1-1) unstable; urgency=medium
+
+ * New upstream release
+
+ -- Katia Saurfelt <katia.saurfelt@logilab.fr> Tue, 11 Feb 2020 10:51:08 +0100
+
cubicweb (3.27.0-1) unstable; urgency=medium
* New upstream release
--- a/doc/book/admin/ldap.rst Fri Feb 28 17:11:01 2020 +0100
+++ b/doc/book/admin/ldap.rst Thu Mar 05 10:15:38 2020 +0100
@@ -83,6 +83,8 @@
* `data-cnx-password`, password to use to open data connection to the
ldap (eg used to respond to rql queries)
+* `start-tls`, starting TLS before bind (valid values: "true", "false")
+
If the LDAP server accepts anonymous binds, then it is possible to
leave data-cnx-dn and data-cnx-password empty. This is, however, quite
unlikely in practice. Beware that the LDAP server might hide attributes
--- a/requirements/test-server.txt Fri Feb 28 17:11:01 2020 +0100
+++ b/requirements/test-server.txt Thu Mar 05 10:15:38 2020 +0100
@@ -1,2 +1,2 @@
psycopg2-binary
-ldap3 < 2
+ldap3<3,>2