Merge pull request #183 from YunoHost/sasl_authentication

Use sasl authentication for LDAP (by root user)
This commit is contained in:
Alexandre Aubin 2019-05-22 17:51:58 +02:00 committed by GitHub
commit b1ef9d670f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 28 additions and 5 deletions


@ -13,7 +13,7 @@ _global:
parameters: parameters:
uri: ldap://localhost:389 uri: ldap://localhost:389
base_dn: dc=yunohost,dc=org base_dn: dc=yunohost,dc=org
user_rdn: cn=admin user_rdn: cn=admin,dc=yunohost,dc=org
ldap-anonymous: ldap-anonymous:
vendor: ldap vendor: ldap
parameters: parameters:
@ -25,7 +25,14 @@ _global:
parameters: parameters:
uri: ldap://localhost:389 uri: ldap://localhost:389
base_dn: dc=yunohost,dc=org base_dn: dc=yunohost,dc=org
user_rdn: cn=admin user_rdn: cn=admin,dc=yunohost,dc=org
as-root:
vendor: ldap
parameters:
# We can get this uri by (urllib.quote_plus('/var/run/slapd/ldapi')
uri: ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi
base_dn: dc=yunohost,dc=org
user_rdn: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
argument_auth: true argument_auth: true
lock: false lock: false
@ -52,6 +59,11 @@ test:
configuration: configuration:
authenticate: authenticate:
- cli - cli
root-auth:
api: GET /test/root-auth
configuration:
authenticate: all
authenticator: as-root
anonymous: anonymous:
api: GET /test/anon api: GET /test/anon
configuration: configuration:


@ -17,3 +17,7 @@ def test_auth_cli():
def test_anonymous(): def test_anonymous():
return {'action': 'anonymous', return {'action': 'anonymous',
'authenticator': 'ldap-anonymous', 'authenticate': 'all'} 'authenticator': 'ldap-anonymous', 'authenticate': 'all'}
def test_root():
return {'action': 'root-auth',
'authenticator': 'as-root', 'authenticate': 'all'}


@ -7,6 +7,7 @@ import random
import string import string
import crypt import crypt
import ldap import ldap
import ldap.sasl
import ldap.modlist as modlist import ldap.modlist as modlist
from moulinette.core import MoulinetteError from moulinette.core import MoulinetteError
@ -40,8 +41,11 @@ class Authenticator(BaseAuthenticator):
self.uri = uri self.uri = uri
self.basedn = base_dn self.basedn = base_dn
if user_rdn: if user_rdn:
self.userdn = '%s,%s' % (user_rdn, base_dn) self.userdn = user_rdn
self.con = None if 'cn=external,cn=auth' in user_rdn:
self.authenticate(None)
else:
self.con = None
else: else:
# Initialize anonymous usage # Initialize anonymous usage
self.userdn = '' self.userdn = ''
@ -77,7 +81,10 @@ class Authenticator(BaseAuthenticator):
try: try:
con = ldap.ldapobject.ReconnectLDAPObject(self.uri, retry_max=10, retry_delay=0.5) con = ldap.ldapobject.ReconnectLDAPObject(self.uri, retry_max=10, retry_delay=0.5)
if self.userdn: if self.userdn:
con.simple_bind_s(self.userdn, password) if 'cn=external,cn=auth' in self.userdn:
con.sasl_non_interactive_bind_s('EXTERNAL')
else:
con.simple_bind_s(self.userdn, password)
else: else:
con.simple_bind_s() con.simple_bind_s()
except ldap.INVALID_CREDENTIALS: except ldap.INVALID_CREDENTIALS:
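Review bot: The branch `if 'cn=external,cn=auth' in self.userdn:` switches to a password-less SASL EXTERNAL bind on a substring match of a configured string, so any `user_rdn` that merely contains that token silently ignores `password`, and the same check is duplicated in `__init__`. Decide once and explicitly: in `__init__` set `self.sasl_external = user_rdn.endswith(',cn=external,cn=auth')`, then use `if self.sasl_external:` here with the comment `# SASL EXTERNAL over ldapi: slapd takes the identity from the peer's uid/gid; password is ignored`. Note also that a failed EXTERNAL bind (socket unreachable, peer not mapped to an authzid) presumably does not raise `ldap.INVALID_CREDENTIALS`, so the handler below may not report it as intended; `authenticate` continues past the end of this hunk.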