Use sasl authentication for LDAP (by root user)

2024-09-03 20:06:31 +02:00 · 2018-11-27 13:04:17 +01:00 · 2018-11-27 13:04:17 +01:00 · 35988d9273
commit 35988d9273
parent 9720bd1a7c
3 changed files with 28 additions and 5 deletions
--- a/data/actionsmap/test.yml
+++ b/data/actionsmap/test.yml
@ -13,7 +13,7 @@ _global:
                parameters:
                    uri: ldap://localhost:389
                    base_dn: dc=yunohost,dc=org
-                    user_rdn: cn=admin
+                    user_rdn: cn=admin,dc=yunohost,dc=org
            ldap-anonymous:
                vendor: ldap
                parameters:
@ -25,7 +25,14 @@ _global:
                parameters:
                    uri: ldap://localhost:389
                    base_dn: dc=yunohost,dc=org
-                    user_rdn: cn=admin
+                    user_rdn: cn=admin,dc=yunohost,dc=org
+            as-root:
+                vendor: ldap
+                parameters:
+                    # We can get this uri by (urllib.quote_plus('/var/run/slapd/ldapi')
+                    uri: ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi
+                    base_dn: dc=yunohost,dc=org
+                    user_rdn: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
        argument_auth: true
        lock: false

@ -52,6 +59,11 @@ test:
            configuration:
                authenticate:
                    - cli
+        root-auth:
+            api: GET /test/root-auth
+            configuration:
+                authenticate: all
+                authenticator: as-root
        anonymous:
            api: GET /test/anon
            configuration:
--- a/lib/test/test.py
+++ b/lib/test/test.py
@ -17,3 +17,7 @@ def test_auth_cli():
 def test_anonymous():
    return {'action': 'anonymous',
            'authenticator': 'ldap-anonymous', 'authenticate': 'all'}
+
+def test_root():
+    return {'action': 'root-auth',
+            'authenticator': 'as-root', 'authenticate': 'all'}
--- a/moulinette/authenticators/ldap.py
+++ b/moulinette/authenticators/ldap.py
@ -8,6 +8,7 @@ import random
 import string
 import crypt
 import ldap
+import ldap.sasl
 import ldap.modlist as modlist

 from moulinette import m18n
@ -41,8 +42,11 @@ class Authenticator(BaseAuthenticator):
        self.uri = uri
        self.basedn = base_dn
        if user_rdn:
-            self.userdn = '%s,%s' % (user_rdn, base_dn)
-            self.con = None
+            self.userdn = user_rdn
+            if 'cn=external,cn=auth' in user_rdn:
+                self.authenticate(None)
+            else:
+                self.con = None
        else:
            # Initialize anonymous usage
            self.userdn = ''
@ -78,7 +82,10 @@ class Authenticator(BaseAuthenticator):
        try:
            con = ldap.initialize(self.uri)
            if self.userdn:
-                con.simple_bind_s(self.userdn, password)
+                if 'cn=external,cn=auth' in self.userdn:
+                    con.sasl_non_interactive_bind_s('EXTERNAL')
+                else:
+                    con.simple_bind_s(self.userdn, password)
            else:
                con.simple_bind_s()
        except ldap.INVALID_CREDENTIALS: