
moin  1.9.0~rc2
MoinMoin.auth.ldap_login.LDAPAuth Class Reference


Public Member Functions

def __init__
def login
def request
def logout
def login_hint

Public Attributes

 server_uri
 bind_dn
 bind_pw
 base_dn
 scope
 referrals
 search_filter
 givenname_attribute
 surname_attribute
 aliasname_attribute
 email_attribute
 email_callback
 name_callback
 coding
 timeout
 start_tls
 tls_cacertdir
 tls_cacertfile
 tls_certfile
 tls_keyfile
 tls_require_cert
 bind_once
 autocreate
 name

Static Public Attributes

list login_inputs = ['username', 'password']
 logout_possible = True
string name = 'ldap'

Detailed Description

get authentication data from form, authenticate against LDAP (or Active
    Directory), fetch some user information from LDAP and create a user object
    for that user. The session is kept by moin automatically.

Definition at line 33 of file ldap_login.py.


Constructor & Destructor Documentation

def MoinMoin.auth.ldap_login.LDAPAuth.__init__ (   self,
  server_uri = 'ldap://localhost',
  bind_dn = '',
  bind_pw = '',
  base_dn = '',
  scope = ldap.SCOPE_SUBTREE,
  referrals = 0,
  search_filter = '(uid=%(username)s)',
  givenname_attribute = None,
  surname_attribute = None,
  aliasname_attribute = None,
  email_attribute = None,
  email_callback = None,
  name_callback = None,
  coding = 'utf-8',
  timeout = 10,
  start_tls = 0,
  tls_cacertdir = None,
  tls_cacertfile = None,
  tls_certfile = None,
  tls_keyfile = None,
  tls_require_cert = 0,
  bind_once = False,
  autocreate = False,
  name = 'ldap' 
)

Definition at line 87 of file ldap_login.py.

def __init__(self, server_uri='ldap://localhost', bind_dn='', bind_pw='', base_dn='',
             scope=ldap.SCOPE_SUBTREE, referrals=0, search_filter='(uid=%(username)s)',
             givenname_attribute=None, surname_attribute=None, aliasname_attribute=None,
             email_attribute=None, email_callback=None, name_callback=None,
             coding='utf-8', timeout=10, start_tls=0,
             tls_cacertdir=None, tls_cacertfile=None, tls_certfile=None, tls_keyfile=None,
             tls_require_cert=0, bind_once=False, autocreate=False, name='ldap'):
    """Store the LDAP authenticator configuration.

    Every argument is kept as an instance attribute of the same name; the
    ``login`` method reads them. How ``login`` uses them:

    :param server_uri: URI handed to ``ldap.initialize``
    :param bind_dn: DN template for the initial (service) bind; may contain
        ``%(username)s`` and ``%(password)s``
    :param bind_pw: password template for the initial bind, same placeholders
    :param base_dn: search base for the user lookup
    :param scope: search scope for the user lookup
    :param referrals: value for ``ldap.OPT_REFERRALS``
    :param search_filter: filter template for the user lookup; may contain
        ``%(username)s``
    :param givenname_attribute: LDAP attribute with the given name, or None
    :param surname_attribute: LDAP attribute with the surname, or None
    :param aliasname_attribute: LDAP attribute with the display/alias name, or None
    :param email_attribute: LDAP attribute with the e-mail address, or None
    :param email_callback: callable(entry_dict) returning the e-mail, used
        instead of ``email_attribute`` when given
    :param name_callback: callable(entry_dict) returning the wiki user name,
        overrides the entered username when given
    :param coding: charset used to encode/decode values exchanged with LDAP
    :param timeout: network timeout and search timeout in seconds
    :param start_tls: ask for a TLS upgrade on plain ``ldap:`` URIs
        (also passed as ``ldap.OPT_X_TLS``)
    :param tls_cacertdir, tls_cacertfile, tls_certfile, tls_keyfile: TLS
        material, None leaves the library default untouched
    :param tls_require_cert: value for ``ldap.OPT_X_TLS_REQUIRE_CERT``
        (0 by default - whether that verifies the server certificate is
        decided by python-ldap / OpenLDAP, not by this class)
    :param bind_once: when true, skip the second bind as the found user
        entry - the service bind is then the only password check
    :param autocreate: create/update the wiki user profile on success
    :param name: value stored as ``auth_method`` on the user object
    """
    settings = (
        # where and how to connect
        ('server_uri', server_uri),
        ('bind_dn', bind_dn),
        ('bind_pw', bind_pw),
        ('base_dn', base_dn),
        ('scope', scope),
        ('referrals', referrals),
        ('search_filter', search_filter),
        # which attributes to fetch / how to derive user data
        ('givenname_attribute', givenname_attribute),
        ('surname_attribute', surname_attribute),
        ('aliasname_attribute', aliasname_attribute),
        ('email_attribute', email_attribute),
        ('email_callback', email_callback),
        ('name_callback', name_callback),
        # encoding and timing
        ('coding', coding),
        ('timeout', timeout),
        # transport security
        ('start_tls', start_tls),
        ('tls_cacertdir', tls_cacertdir),
        ('tls_cacertfile', tls_cacertfile),
        ('tls_certfile', tls_certfile),
        ('tls_keyfile', tls_keyfile),
        ('tls_require_cert', tls_require_cert),
        # behaviour switches
        ('bind_once', bind_once),
        ('autocreate', autocreate),
        ('name', name),
    )
    for attr_name, value in settings:
        setattr(self, attr_name, value)


Member Function Documentation

def MoinMoin.auth.ldap_login.LDAPAuth.login (   self,
  request,
  user_obj,
  kw 
)

Reimplemented from MoinMoin.auth.BaseAuth.

Definition at line 117 of file ldap_login.py.

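def login(self, request, user_obj, **kw):
    """Authenticate the submitted form credentials against LDAP.

    Steps: set the module-level python-ldap options, connect to
    ``self.server_uri`` (starting TLS first when ``self.start_tls`` is set
    and the URI is plain ``ldap:``), bind with the configured service
    credentials, search for the entry matching ``self.search_filter``,
    require exactly one hit and - unless ``self.bind_once`` is set - bind
    again as that entry with the entered password. On success a
    ``user.User`` object is built from the entry's attributes.

    :param request: current request; ``request.getText`` translates messages
    :param user_obj: user object from an earlier authenticator, handed back
        unchanged whenever this authenticator does not reach a decision
    :param kw: login form data; ``username`` and ``password`` are used
    :returns: ``ContinueLogin(u)`` with the new user object on success;
        ``CancelLogin(msg)`` when the directory rejects the credentials;
        ``ContinueLogin(user_obj[, msg])`` when no decision is possible:
        missing input, zero or several matches, server down, or any other
        error (logged with traceback)
    """
    username = kw.get('username')
    password = kw.get('password')
    _ = request.getText

    # we require non-empty password as ldap bind does a anon (not password
    # protected) bind if the password is empty and SUCCEEDS!
    if not password:
        return ContinueLogin(user_obj, _('Missing password. Please enter user name and password.'))
    # an empty username can not identify an entry; report it the same way
    # an unmatched search is reported further down
    if not username:
        return ContinueLogin(user_obj, _("Invalid username or password."))

    # Form input is untrusted: escape it before it is interpolated into the
    # DN / filter templates, so special characters in a username can not
    # change the meaning of the bind DN or the search filter (LDAP
    # injection). The password is only ever used as a bind credential and
    # is never placed into a filter. python-ldap is imported at module
    # level already; these are its escaping helpers.
    import ldap.dn
    import ldap.filter
    # you can use %(username)s and %(password)s in bind_dn / bind_pw:
    bind_vars = {
        'username': ldap.dn.escape_dn_chars(username),
        'password': password,
    }
    # you can use %(username)s in search_filter:
    filter_vars = {
        'username': ldap.filter.escape_filter_chars(username),
    }

    u = None
    dn = None
    coding = self.coding
    server = self.server_uri
    try:
        try:
            logging.debug("Setting misc. ldap options...")
            ldap.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3) # ldap v2 is outdated
            ldap.set_option(ldap.OPT_REFERRALS, self.referrals)
            ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, self.timeout)

            if hasattr(ldap, 'TLS_AVAIL') and ldap.TLS_AVAIL:
                # NOTE(review): tls_require_cert defaults to 0 in __init__;
                # whether that verifies the server certificate is decided by
                # python-ldap / OpenLDAP - deployments that rely on TLS should
                # set it explicitly rather than trust the default.
                for option, value in (
                    (ldap.OPT_X_TLS_CACERTDIR, self.tls_cacertdir),
                    (ldap.OPT_X_TLS_CACERTFILE, self.tls_cacertfile),
                    (ldap.OPT_X_TLS_CERTFILE, self.tls_certfile),
                    (ldap.OPT_X_TLS_KEYFILE, self.tls_keyfile),
                    (ldap.OPT_X_TLS_REQUIRE_CERT, self.tls_require_cert),
                    (ldap.OPT_X_TLS, self.start_tls),
                ):
                    # None means "not configured": keep the library default
                    if value is not None:
                        ldap.set_option(option, value)

            logging.debug("Trying to initialize %r." % server)
            l = ldap.initialize(server)
            logging.debug("Connected to LDAP server %r." % server)

            if self.start_tls and server.startswith('ldap:'):
                logging.debug("Trying to start TLS to %r." % server)
                try:
                    l.start_tls_s()
                    logging.debug("Using TLS to %r." % server)
                except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR), err:
                    # a failed TLS upgrade must not silently continue in
                    # plaintext: re-raise so the outer handlers give up on
                    # this server
                    logging.warning("Couldn't establish TLS to %r (err: %s)." % (server, str(err)))
                    raise

            binddn = self.bind_dn % bind_vars
            bindpw = self.bind_pw % bind_vars
            l.simple_bind_s(binddn.encode(coding), bindpw.encode(coding))
            logging.debug("Bound with binddn %r" % binddn)

            filterstr = self.search_filter % filter_vars
            logging.debug("Searching %r" % filterstr)
            # only ask for the attributes that are configured
            attrlist = [value for value in (
                self.email_attribute,
                self.aliasname_attribute,
                self.surname_attribute,
                self.givenname_attribute,
            ) if value is not None]
            lusers = l.search_st(self.base_dn, self.scope, filterstr.encode(coding),
                                 attrlist=attrlist, timeout=self.timeout)
            # we remove entries with dn == None to get the real result list:
            lusers = [(entry_dn, entry) for entry_dn, entry in lusers if entry_dn is not None]
            for entry_dn, entry in lusers:
                logging.debug("dn:%r" % entry_dn)
                for key, val in entry.items():
                    logging.debug("    %r: %r" % (key, val))

            # exactly one entry must match - an ambiguous match is treated
            # like no match, we never pick "the first one"
            result_length = len(lusers)
            if result_length != 1:
                if result_length > 1:
                    logging.warning("Search found more than one (%d) matches for %r." % (result_length, filterstr))
                if result_length == 0:
                    logging.debug("Search found no matches for %r." % (filterstr, ))
                return ContinueLogin(user_obj, _("Invalid username or password."))

            dn, ldap_dict = lusers[0]
            if not self.bind_once:
                # the actual password check: bind as the found entry
                logging.debug("DN found is %r, trying to bind with pw" % dn)
                l.simple_bind_s(dn, password.encode(coding))
                logging.debug("Bound with dn %r (username: %r)" % (dn, username))
            # with bind_once the service bind above is the only password
            # check, so bind_dn/bind_pw must then use the entered credentials

            if self.email_callback is None:
                if self.email_attribute:
                    email = ldap_dict.get(self.email_attribute, [''])[0].decode(coding)
                else:
                    email = None
            else:
                email = self.email_callback(ldap_dict)

            # alias name: configured attribute first, "surname, givenname"
            # (or just surname) as fallback
            aliasname = ''
            try:
                aliasname = ldap_dict[self.aliasname_attribute][0]
            except (KeyError, IndexError):
                pass
            if not aliasname:
                sn = ldap_dict.get(self.surname_attribute, [''])[0]
                gn = ldap_dict.get(self.givenname_attribute, [''])[0]
                if sn and gn:
                    aliasname = "%s, %s" % (sn, gn)
                elif sn:
                    aliasname = sn
            aliasname = aliasname.decode(coding)

            if self.name_callback:
                username = self.name_callback(ldap_dict)

            if email:
                u = user.User(request, auth_username=username, auth_method=self.name, auth_attribs=('name', 'password', 'email', 'mailto_author', ))
                u.email = email
            else:
                u = user.User(request, auth_username=username, auth_method=self.name, auth_attribs=('name', 'password', 'mailto_author', ))
            u.name = username
            u.aliasname = aliasname
            u.remember_me = 0 # 0 enforces cookie_lifetime config param
            logging.debug("creating user object with name %r email %r alias %r" % (username, email, aliasname))

        except ldap.INVALID_CREDENTIALS, err:
            # dn is None when the service bind itself was rejected
            logging.debug("invalid credentials (wrong password?) for dn %r (username: %r)" % (dn, username))
            return CancelLogin(_("Invalid username or password."))

        if u and self.autocreate:
            logging.debug("calling create_or_update to autocreate user %r" % u.name)
            u.create_or_update(True)
        return ContinueLogin(u)

    except ldap.SERVER_DOWN, err:
        # looks like this LDAP server isn't working, so we just try the next
        # authenticator object in cfg.auth list (there could be some second
        # ldap authenticator that queries a backup server or any other auth
        # method).
        logging.error("LDAP server %s failed (%s). "
                      "Trying to authenticate with next auth list entry." % (server, str(err)))
        return ContinueLogin(user_obj, _("LDAP server %(server)s failed.") % {'server': server})

    except Exception:
        # best effort: log and let the next authenticator try. Narrowed
        # from a bare except so KeyboardInterrupt/SystemExit still propagate.
        logging.exception("caught an exception, traceback follows...")
        return ContinueLogin(user_obj)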
00260 
def MoinMoin.auth.BaseAuth.login_hint (   self,
  request 
) [inherited]

Reimplemented in MoinMoin.auth.openidrp.OpenIDAuth, and MoinMoin.auth.MoinAuth.

Definition at line 213 of file __init__.py.

def login_hint(self, request):
    """Return a hint to show on the login form, or None.

    The base implementation has nothing to show; subclasses may override
    it (the reference lists OpenIDAuth and MoinAuth as doing so).

    :param request: the current request (not used here)
    :returns: None
    """
    return None

def MoinMoin.auth.BaseAuth.logout (   self,
  request,
  user_obj,
  kw 
) [inherited]

Reimplemented in MoinMoin.auth.cas.CASAuth, MoinMoin.auth.smb_mount.SMBMount, and MoinMoin.auth.log.AuthLog.

Definition at line 208 of file __init__.py.

def logout(self, request, user_obj, **kw):
    """Invalidate *user_obj* if this authenticator is the one that logged it in.

    A user object is only touched when ``self.name`` is set, the object is
    truthy, and its ``auth_method`` equals ``self.name``; anything else is
    handed back untouched.

    :param request: the current request (not used here)
    :param user_obj: the user object to log out, may be None
    :param kw: extra keyword arguments, ignored
    :returns: ``(user_obj, True)`` - the (possibly invalidated) user object
        and a constant ``True`` whose meaning is defined by the caller in
        MoinMoin.auth
    """
    owned_by_us = self.name and user_obj and user_obj.auth_method == self.name
    if owned_by_us:
        logging.debug("%s: logout - invalidating user %r" % (self.name, user_obj.name))
        user_obj.valid = False
    return user_obj, True
def MoinMoin.auth.BaseAuth.request (   self,
  request,
  user_obj,
  kw 
) [inherited]

Member Data Documentation

Definition at line 98 of file ldap_login.py.

Definition at line 114 of file ldap_login.py.

Definition at line 91 of file ldap_login.py.

Definition at line 89 of file ldap_login.py.

Definition at line 113 of file ldap_login.py.

Definition at line 90 of file ldap_login.py.

Definition at line 103 of file ldap_login.py.

Definition at line 99 of file ldap_login.py.

Definition at line 100 of file ldap_login.py.

Definition at line 96 of file ldap_login.py.

list MoinMoin.auth.ldap_login.LDAPAuth.login_inputs = ['username', 'password'] [static]

Reimplemented from MoinMoin.auth.BaseAuth.

Definition at line 39 of file ldap_login.py.

Reimplemented from MoinMoin.auth.BaseAuth.

Definition at line 40 of file ldap_login.py.

string MoinMoin.auth.ldap_login.LDAPAuth.name = 'ldap' [static]

Reimplemented from MoinMoin.auth.BaseAuth.

Definition at line 41 of file ldap_login.py.

Reimplemented from MoinMoin.auth.BaseAuth.

Definition at line 115 of file ldap_login.py.

Definition at line 101 of file ldap_login.py.

Definition at line 93 of file ldap_login.py.

Definition at line 92 of file ldap_login.py.

Definition at line 94 of file ldap_login.py.

Definition at line 88 of file ldap_login.py.

Definition at line 106 of file ldap_login.py.

Definition at line 97 of file ldap_login.py.

Definition at line 104 of file ldap_login.py.

Definition at line 107 of file ldap_login.py.

Definition at line 108 of file ldap_login.py.

Definition at line 109 of file ldap_login.py.

Definition at line 110 of file ldap_login.py.

Definition at line 111 of file ldap_login.py.

