author | Michael DeHaan <mdehaan@redhat.com> | 2008-03-25 18:06:32 -0400 |
---|---|---|
committer | Michael DeHaan <mdehaan@redhat.com> | 2008-03-25 18:06:32 -0400 |
commit | 25a743c875c6af64e51769f7a78d028dd2594aac (patch) | |
tree | 3c5cd88334c74c5e307761e35b635c30db0199a9 | |
parent | 0ceedaa6657d4b31267a3a7224d3c9db3bd124aa (diff) | |
Preliminary support for authentication against LDAP
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | cobbler/modules/authn_ldap.py | 105 | ||||
-rw-r--r-- | cobbler/modules/authz_configfile.py | 42 | ||||
-rw-r--r-- | cobbler/settings.py | 6 |
4 files changed, 153 insertions, 1 deletions
@@ -7,6 +7,7 @@ Cobbler CHANGELOG
 - applied patch to send hostname from ISC
 - added patch to allow --kopts/--ksmeta items to be cleared with --kopts=delete
 - tftpboot location is now inferred from xinetd config (added for F9 compat)
+- added authn_ldap and stub for authz_configfile
 - ???
 - 0.8.3
 - fix WebUI documentation URL
diff --git a/cobbler/modules/authn_ldap.py b/cobbler/modules/authn_ldap.py
new file mode 100644
index 0000000..e228db3
--- /dev/null
+++ b/cobbler/modules/authn_ldap.py
@@ -0,0 +1,105 @@
+"""
+Authentication module that uses ldap
+Settings in /etc/cobbler/authn_ldap.conf
+Choice of authentication module is in /etc/cobbler/modules.conf
+
+This software may be freely redistributed under the terms of the GNU
+general public license.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+"""
+
+import distutils.sysconfig
+#import ConfigParser
+import sys
+import os
+from rhpl.translate import _, N_, textdomain, utf8
+import md5
+import traceback
+import ldap
+import traceback
+
+plib = distutils.sysconfig.get_python_lib()
+mod_path="%s/cobbler" % plib
+sys.path.insert(0, mod_path)
+
+import cexceptions
+import utils
+import api as cobbler_api
+
+#CONFIG_FILE='/etc/cobbler/auth_ldap.conf'
+
+def register():
+    """
+    The mandatory cobbler module registration hook.
+    """
+
+    return "authn"
+
+def authenticate(api_handle,username,password):
+    """
+    Validate an ldap bind, returning True/False
+    """
+
+    server = api_handle.settings().ldap_server
+    basedn = api_handle.settings().ldap_base_dn
+    port = api_handle.settings().ldap_port
+    tls = api_handle.settings().ldap_tls
+
+    # parse CONFIG_FILE
+    # server,basedn,port,tls = __parse_config()
+
+    # form our ldap uri based on connection port
+    if port == '389':
+        uri = 'ldap://' + server
+    elif port == '636':
+        uri = 'ldaps://' + server
+    else:
+        uri = 'ldap://' + "%s:%s" % (server,port)
+
+    # connect to LDAP host
+    dir = ldap.initialize(uri)
+
+    # start_tls if tls is 'on', 'true' or 'yes'
+    # and we're not already using old-SSL
+    tls = str(tls).lower()
+    if port != '636':
+        if tls in [ "on", "true", "yes", "1" ]:
+            try:
+                dir.start_tls_s()
+            except:
+                traceback.print_exc()
+                return False
+
+    # perform a subtree search in basedn to find the full dn of the user
+    # TODO: what if username is a CN? maybe it goes into the config file as well?
+    filter = "uid=" + username
+    result = dir.search_s(basedn, ldap.SCOPE_SUBTREE, filter, [])
+    if result:
+        for dn,entry in result:
+            # uid should be unique so we should only have one result
+            # ignore entry; we don't need it
+            pass
+    else:
+        print "FAIL 2"
+        return False
+
+    try:
+        # attempt to bind as the user
+        dir.simple_bind_s(dn,password)
+        dir.unbind()
+        print "FAIL 1"
+        return True
+    except:
+        traceback.print_exc()
+        return False
+    # catch-all
+    return False
+
+if __name__ == "__main__":
+    api_handle = cobbler_api.BootAPI()
+    # print authenticate(api_handle, "mdehaan", "test1")
+    print authenticate(api_handle, "mdehaan", "dog8code")
+
diff --git a/cobbler/modules/authz_configfile.py b/cobbler/modules/authz_configfile.py
new file mode 100644
index 0000000..0d41cce
--- /dev/null
+++ b/cobbler/modules/authz_configfile.py
@@ -0,0 +1,42 @@
+"""
+Authorization module that allow users listed in
+the auth_ldap.conf config file
+
+This software may be freely redistributed under the terms of the GNU
+general public license.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+"""
+
+import distutils.sysconfig
+import ConfigParser
+import sys
+import os
+from rhpl.translate import _, N_, textdomain, utf8
+
+plib = distutils.sysconfig.get_python_lib()
+mod_path="%s/cobbler" % plib
+sys.path.insert(0, mod_path)
+
+import cexceptions
+import utils
+
+CONFIG_FILE='/etc/cobbler/auth_ldap.conf'
+
+def register():
+    """
+    The mandatory cobbler module registration hook.
+    """
+    return "authz"
+
+def authorize(api_handle,user,resource,arg1=None,arg2=None):
+    """
+    Validate a user against a resource.
+    """
+
+    # FIXME: implement this, only users in /etc/cobbler/users.conf
+    # will return 1. Later we'll do authz_ownership.py
+
+    return 0
diff --git a/cobbler/settings.py b/cobbler/settings.py
index cdbcabd..495a4b5 100644
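Review bot: `dir.simple_bind_s(dn,password)` in the bind block is not guarded against an empty password, and most directory servers treat a bind with an empty password as an anonymous bind that succeeds, so a known uid with no password would be reported as authenticated; reject an empty password before binding. `filter = "uid=" + username` interpolates the caller-supplied username into the search filter unescaped, so it should be built with `ldap.filter.escape_filter_chars(username)` (which needs `import ldap.filter`) and the search should fail unless exactly one entry comes back, since the current loop just leaves `dn` pointing at the last of several results. `print "FAIL 1"` on the success path and `print "FAIL 2"` are leftover debug output, and the `__main__` block checks in a username/password pair, all of which should be dropped before merging. The settings hunk further down stores `ldap_port` as the integer 389 while this code compares `port` with the strings '389' and '636', so the ldaps:// branch and the skip-StartTLS-on-636 check never match a numeric setting. Rewritten search and bind section:
```python
    # … unchanged: settings lookup, URI construction, start_tls …

    # an empty password is treated as an anonymous bind by most servers,
    # which would make the bind below succeed for any known uid
    if not password:
        return False

    # perform a subtree search in basedn to find the full dn of the user
    # (username is escaped so it cannot alter the filter; needs `import ldap.filter`)
    filter = "(uid=%s)" % ldap.filter.escape_filter_chars(username)
    result = dir.search_s(basedn, ldap.SCOPE_SUBTREE, filter, [])
    # uid should be unique; anything but exactly one entry is a failure
    if len(result) != 1:
        return False
    dn = result[0][0]

    try:
        # attempt to bind as the user
        dir.simple_bind_s(dn, password)
        ok = True
    except ldap.LDAPError:
        traceback.print_exc()
        ok = False
    dir.unbind()
    return ok
```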
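Review bot: The module docstring of authz_configfile.py says it authorizes users listed in auth_ldap.conf and `CONFIG_FILE` points at that path, while the FIXME inside `authorize` says the list will live in /etc/cobbler/users.conf; the two should agree before the stub is filled in. `return 0` denies every request, which is the safe default for a stub, but the docstring should say so, e.g. `"""Validate a user against a resource. Stub: currently denies all requests (returns 0)."""`. `CONFIG_FILE`, `ConfigParser`, `os`, `cexceptions` and `utils` are defined or imported but never used in this file.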
--- a/cobbler/settings.py
+++ b/cobbler/settings.py
@@ -40,7 +40,11 @@ DEFAULTS = {
     "httpd_bin" : "/usr/sbin/httpd",
     "http_port" : "80",
     "isc_set_host_name" : 0,
-    "kerberos_realm" : "example.org",
+    "ldap_server" : "grimlock.devel.redhat.com",
+    "ldap_base_dn" : "DC=devel,DC=redhat,DC=com",
+    "ldap_port" : 389,
+    "ldap_tls" : "on",
+    "kerberos_realm" : "EXAMPLE.COM",
     "kernel_options" : {
         "lang" : " ",
         "text" : None, |
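Review bot: The new defaults for `ldap_server` and `ldap_base_dn` name an internal Red Hat host and DN; a default that resolves to a real host means an installation that enables LDAP authentication without editing settings would send its users' credentials there, so ship placeholder values instead (e.g. `"ldap_server" : "ldap.example.com"` and `"ldap_base_dn" : "DC=example,DC=com"`, both constructed samples). `ldap_port` is added as the integer 389 while the new authn_ldap module compares the port against the strings '389' and '636'; either store it as a string here like `http_port` or compare numerically there. The hunk also changes the existing `kerberos_realm` default from example.org to EXAMPLE.COM, which is unrelated to the LDAP feature and not mentioned in the commit message.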