1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
|
# Copyright (C) 2014 Ipsilon Project Contributors
#
# See the file named COPYING for the project license
from ipsilon.info.common import InfoProviderBase
from ipsilon.info.common import InfoProviderInstaller
from ipsilon.util.plugin import PluginObject
from ipsilon.util.policy import Policy
from ipsilon.util import config as pconfig
import ldap
import subprocess
# TODO: fetch mapping from configuration
ldap_mapping = [
['cn', 'fullname'],
['commonname', 'fullname'],
['sn', 'surname'],
['mail', 'email'],
['destinationindicator', 'country'],
['postalcode', 'postcode'],
['st', 'state'],
['statetorprovincename', 'state'],
['streetaddress', 'street'],
['telephonenumber', 'phone'],
]
class InfoProvider(InfoProviderBase):
def __init__(self, *pargs):
super(InfoProvider, self).__init__(*pargs)
self.mapper = Policy(ldap_mapping)
self.name = 'ldap'
self.description = """
Info plugin that uses LDAP to retrieve user data. """
self.new_config(
self.name,
pconfig.String(
'server url',
'The LDAP server url.',
'ldap://example.com'),
pconfig.Template(
'user dn template',
'Template to turn username into DN.',
'uid=%(username)s,ou=People,dc=example,dc=com'),
pconfig.Pick(
'tls',
'What TLS level show be required',
['Demand', 'Allow', 'Try', 'Never', 'NoTLS'],
'Demand'),
pconfig.String(
'bind dn',
'DN to bind as, if empty uses anonymous bind.',
'uid=ipsilon,ou=People,dc=example,dc=com'),
pconfig.String(
'bind password',
'Password to use for bind operation'),
)
@property
def server_url(self):
return self.get_config_value('server url')
@property
def tls(self):
return self.get_config_value('tls')
@property
def bind_dn(self):
return self.get_config_value('bind dn')
@property
def bind_password(self):
return self.get_config_value('bind password')
@property
def user_dn_tmpl(self):
return self.get_config_value('user dn template')
def _ldap_bind(self):
tls = self.tls.lower()
tls_req_opt = None
if tls == "never":
tls_req_opt = ldap.OPT_X_TLS_NEVER
elif tls == "demand":
tls_req_opt = ldap.OPT_X_TLS_DEMAND
elif tls == "allow":
tls_req_opt = ldap.OPT_X_TLS_ALLOW
elif tls == "try":
tls_req_opt = ldap.OPT_X_TLS_TRY
if tls_req_opt is not None:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, tls_req_opt)
conn = ldap.initialize(self.server_url)
if tls != "notls":
if not self.server_url.startswith("ldaps"):
conn.start_tls_s()
conn.simple_bind_s(self.bind_dn, self.bind_password)
return conn
def _get_user_data(self, conn, dn):
result = conn.search_s(dn, ldap.SCOPE_BASE)
if result is None or result == []:
raise Exception('User object could not be found!')
elif len(result) > 1:
raise Exception('No unique user object could be found!')
data = dict()
for name, value in result[0][1].iteritems():
if type(value) is list and len(value) == 1:
value = value[0]
data[name] = value
return data
def _get_user_groups(self, conn, dn, ldapattrs):
# TODO: fixme to support RFC2307bis schemas
if 'memberuid' in ldapattrs:
return ldapattrs['memberuid']
else:
return []
def get_user_data_from_conn(self, conn, dn):
reply = dict()
try:
ldapattrs = self._get_user_data(conn, dn)
userattrs, extras = self.mapper.map_attributes(ldapattrs)
groups = self._get_user_groups(conn, dn, ldapattrs)
reply = userattrs
reply['_groups'] = groups
reply['_extras'] = {'ldap': extras}
except Exception, e: # pylint: disable=broad-except
self.error(e)
return reply
def get_user_attrs(self, user):
try:
conn = self._ldap_bind()
dn = self.user_dn_tmpl % {'username': user}
return self.get_user_data_from_conn(conn, dn)
except Exception, e: # pylint: disable=broad-except
self.error(e)
return {}
class Installer(InfoProviderInstaller):
def __init__(self, *pargs):
super(Installer, self).__init__()
self.name = 'ldap'
self.pargs = pargs
def install_args(self, group):
group.add_argument('--info-ldap', choices=['yes', 'no'], default='no',
help='Use LDAP to populate user attrs')
group.add_argument('--info-ldap-server-url', action='store',
help='LDAP Server Url')
group.add_argument('--info-ldap-bind-dn', action='store',
help='LDAP Bind DN')
group.add_argument('--info-ldap-bind-pwd', action='store',
help='LDAP Bind Password')
group.add_argument('--info-ldap-user-dn-template', action='store',
help='LDAP User DN Template')
def configure(self, opts):
if opts['info_ldap'] != 'yes':
return
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'ldap'
po.wipe_data()
po.wipe_config_values()
config = dict()
if 'info_ldap_server_url' in opts:
config['server url'] = opts['info_ldap_server_url']
elif 'ldap_server_url' in opts:
config['server url'] = opts['ldap_server_url']
config = {'bind dn': opts['info_ldap_bind_dn']}
config = {'bind password': opts['info_ldap_bind_pwd']}
config = {'user dn template': opts['info_ldap_user_dn_template']}
if 'info_ldap_bind_dn' in opts:
config['bind dn'] = opts['info_ldap_bind_dn']
if 'info_ldap_bind_pwd' in opts:
config['bind password'] = opts['info_ldap_bind_pwd']
if 'info_ldap_user_dn_template' in opts:
config['user dn template'] = opts['info_ldap_user_dn_template']
elif 'ldap_bind_dn_template' in opts:
config['user dn template'] = opts['ldap_bind_dn_template']
config['tls'] = 'Demand'
po.save_plugin_config(config)
# Update global config to add info plugin
po.is_enabled = True
po.save_enabled_state()
# For selinux enabled platforms permit httpd to connect to ldap,
# ignore if it fails
try:
subprocess.call(['/usr/sbin/setsebool', '-P',
'httpd_can_connect_ldap=on'])
except Exception: # pylint: disable=broad-except
pass
|
