doorlockd.py: Add LDAP authentication support

Shamelessly copied from moep's DSS tool. Signed-off-by: Ralf Ramsauer <ralf@binary-kitchen.de> Cc: Markus Hauschild <moepman@binary-kitchen.de>
2018-03-22 23:32:34 +00:00 · 2018-03-22 23:32:34 +00:00 · f72f731b59
parent d82272f53a
commit f72f731b59
2 changed files with 26 additions and 2 deletions
--- a/doorlockd-new/config.cfg
+++ b/doorlockd-new/config.cfg
@ -3,6 +3,10 @@ SIMULATE = True
 RUN_HOOKS = False
 SECRET_KEY = 'foobar'

+LDAP_CA = './ssl/BKCA.crt'
+LDAP_URI = 'ldaps://ldap1.binary.kitchen'
+LDAP_BINDDN = 'cn=%s,ou=people,dc=binary-kitchen,dc=de'
+
 BOOTSTRAP_SERVE_LOCAL = True

 SERIAL_PORT = '/dev/ttyS0'
--- a/doorlockd-new/doorlockd.py
+++ b/doorlockd-new/doorlockd.py
@ -17,6 +17,7 @@ FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
 details.
 """

+import ldap
 import logging
 import sys

@ -62,6 +63,14 @@ serial_port = webapp.config.get('SERIAL_PORT')
 simulate = webapp.config.get('SIMULATE')
 run_hooks = webapp.config.get('RUN_HOOKS')

+ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
+ldap.set_option(ldap.OPT_REFERRALS, 0)
+if 'LDAP_CA' in webapp.config.keys():
+    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, webapp.config.get('LDAP_CA'))
+
+ldap_uri = webapp.config.get('LDAP_URI')
+ldap_binddn = webapp.config.get('LDAP_BINDDN')
+
 # copied from sudo
 eperm_insults = {
        'Wrong!  You cheating scum!',
@ -243,8 +252,19 @@ class Logic:
            log.info('SIMULATION MODE! ACCEPTING ANYTHING!')
            return LogicResponse.Success

-        log.info('Trying to LDAP auth (user, password) as user %s', user)
-        return LogicResponse.LDAP
+        log.info('  Trying to LDAP auth (user, password) as user %s', user)
+        ldap_username = ldap_binddn % user
+        try:
+            l = ldap.initialize(ldap_uri)
+            l.simple_bind_s(ldap_username, password)
+            l.unbind_s()
+        except ldap.INVALID_CREDENTIALS:
+            log.info('  Invalid credentials')
+            return LogicResponse.Perm
+        except ldap.LDAPError as e:
+            log.info('  LDAP Error: %s' % e)
+            return LogicResponse.LDAP
+        return LogicResponse.Success

    def try_auth(self, credentials):
        method = credentials[0]