1 files changed, 118 insertions, 0 deletions
diff --git a/cobbler/modules/authn_ldap.py b/cobbler/modules/authn_ldap.py
new file mode 100644
index 0000000..ff31750
--- /dev/null
+++ b/cobbler/modules/authn_ldap.py
@@ -0,0 +1,118 @@
+"""
+Authentication module that uses ldap
+Settings in /etc/cobbler/authn_ldap.conf
+Choice of authentication module is in /etc/cobbler/modules.conf
+
+This software may be freely redistributed under the terms of the GNU
+general public license.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+"""
+
+import distutils.sysconfig
+import sys
+import os
+from utils import _
+import md5
+import traceback
+
+# we'll import this just a bit later
+# to keep it from being a requirement
+# import ldap
+
+plib = distutils.sysconfig.get_python_lib()
+mod_path="%s/cobbler" % plib
+sys.path.insert(0, mod_path)
+
+import cexceptions
+import utils
+import api as cobbler_api
+
+def register():
+    """
+    The mandatory cobbler module registration hook.
+    """
+
+    return "authn"
+
+def authenticate(api_handle,username,password):
+    """
+    Validate an ldap bind, returning True/False
+    """
+ 
+    import ldap
+
+    server    = api_handle.settings().ldap_server
+    basedn    = api_handle.settings().ldap_base_dn
+    port      = api_handle.settings().ldap_port
+    tls       = api_handle.settings().ldap_tls
+    anon_bind = api_handle.settings().ldap_anonymous_bind
+    prefix    = api_handle.settings().ldap_search_prefix
+
+    # form our ldap uri based on connection port
+    if port == '389':
+        uri = 'ldap://' + server
+    elif port == '636':
+        uri = 'ldaps://' + server
+    else:
+        uri = 'ldap://' + "%s:%s" % (server,port)
+
+    # connect to LDAP host
+    dir = ldap.initialize(uri)
+
+    # start_tls if tls is 'on', 'true' or 'yes'
+    # and we're not already using old-SSL
+    tls = str(tls).lower()
+    if port != '636':
+        if tls in [ "on", "true", "yes", "1" ]:
+            try:
+                dir.start_tls_s()
+            except:
+                traceback.print_exc()
+                return False
+
+    # if we're not allowed to search anonymously,
+    # grok the search bind settings and attempt to bind
+    anon_bind = str(anon_bind).lower()
+    if anon_bind not in [ "on", "true", "yes", "1" ]:
+        searchdn = api_handle.settings().ldap_search_bind_dn
+        searchpw = api_handle.settings().ldap_search_passwd
+
+        if searchdn == '' or searchpw == '':
+            raise "Missing search bind settings"
+
+        try:
+            dir.simple_bind_s(searchdn, searchpw)
+        except:
+            traceback.print_exc()
+            return False
+
+    # perform a subtree search in basedn to find the full dn of the user
+    # TODO: what if username is a CN?  maybe it goes into the config file as well?
+    filter = prefix + username
+    result = dir.search_s(basedn, ldap.SCOPE_SUBTREE, filter, [])
+    if result:
+        for dn,entry in result:
+            # username _should_ be unique so we should only have one result
+            # ignore entry; we don't need it
+            pass
+    else:
+        return False
+
+    try:
+        # attempt to bind as the user
+        dir.simple_bind_s(dn,password)
+        dir.unbind()
+        return True
+    except:
+        # traceback.print_exc()
+        return False
+    # catch-all
+    return False
+
+if __name__ == "__main__":
+    api_handle = cobbler_api.BootAPI()
+    print authenticate(api_handle, "guest", "guest")
+