diff --git a/doorlockd-new/config.cfg b/doorlockd-new/config.cfg
index b3cadec..8fa22bd 100644
--- a/doorlockd-new/config.cfg
+++ b/doorlockd-new/config.cfg
@@ -3,6 +3,10 @@ SIMULATE = True
 RUN_HOOKS = False
 SECRET_KEY = 'foobar'
+LDAP_CA = './ssl/BKCA.crt'
+LDAP_URI = 'ldaps://ldap1.binary.kitchen'
+LDAP_BINDDN = 'cn=%s,ou=people,dc=binary-kitchen,dc=de'
+
 BOOTSTRAP_SERVE_LOCAL = True
 SERIAL_PORT = '/dev/ttyS0'
diff --git a/doorlockd-new/doorlockd.py b/doorlockd-new/doorlockd.py
index 102c49f..617e592 100755
--- a/doorlockd-new/doorlockd.py
+++ b/doorlockd-new/doorlockd.py
@@ -17,6 +17,7 @@ FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
 """
+import ldap
 import logging
 import sys
@@ -62,6 +63,14 @@ serial_port = webapp.config.get('SERIAL_PORT')
 simulate = webapp.config.get('SIMULATE')
 run_hooks = webapp.config.get('RUN_HOOKS')
+ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
+ldap.set_option(ldap.OPT_REFERRALS, 0)
+if 'LDAP_CA' in webapp.config.keys():
+ ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, webapp.config.get('LDAP_CA'))
+
+ldap_uri = webapp.config.get('LDAP_URI')
+ldap_binddn = webapp.config.get('LDAP_BINDDN')
+
 # copied from sudo
 eperm_insults = {
 'Wrong! You cheating scum!',
@@ -243,8 +252,19 @@ class Logic:
 log.info('SIMULATION MODE! ACCEPTING ANYTHING!')
 return LogicResponse.Success
- log.info('Trying to LDAP auth (user, password) as user %s', user)
- return LogicResponse.LDAP
+ log.info(' Trying to LDAP auth (user, password) as user %s', user)
+ ldap_username = ldap_binddn % user
+ try:
+ l = ldap.initialize(ldap_uri)
+ l.simple_bind_s(ldap_username, password)
+ l.unbind_s()
+ except ldap.INVALID_CREDENTIALS:
+ log.info(' Invalid credentials')
+ return LogicResponse.Perm
+ except ldap.LDAPError as e:
+ log.info(' LDAP Error: %s' % e)
+ return LogicResponse.LDAP
+ return LogicResponse.Success
 def try_auth(self, credentials):
 method = credentials[0]
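Review bot: `LDAP_CA = './ssl/BKCA.crt'` is a relative path, so the CA bundle is resolved against whatever working directory the daemon happens to be started from, not against the checkout. Because doorlockd.py sets OPT_X_TLS_DEMAND, a CA file that cannot be found makes every bind fail with an LDAP error — the right failure mode, but one that makes the service unusable after an innocent-looking deployment change. Prefer an absolute path here, or derive it from the config file's own location if the loader exposes one, and add a comment such as `# CA that must sign the LDAPS server certificate; TLS verification is mandatory, a missing file fails closed`.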
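Review bot: In the hunk at line 62, `ldap_uri` and `ldap_binddn` are read with `.get()` and silently become `None` when the keys are absent, which only surfaces at the first login attempt as a TypeError from `ldap_binddn % user` in the hunk at line 243 rather than at startup. Unless LDAP is meant to be optional in simulation mode, read them as `webapp.config['LDAP_URI']` and `webapp.config['LDAP_BINDDN']` so a misconfigured service fails fast; if it is optional, at least log a warning at startup when they are missing. Minor: `if 'LDAP_CA' in webapp.config.keys():` is just `if 'LDAP_CA' in webapp.config:`. The two `set_option` lines deserve a why-comment, e.g. `# global libldap options; must be set before any ldap.initialize(). DEMAND rejects unverifiable server certs`.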
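Review bot: An empty password reaches `l.simple_bind_s(ldap_username, password)` unchecked; on directories that permit unauthenticated binds (a DN with an empty credential) that call succeeds, and the method then returns `LogicResponse.Success` without any credential having been verified, so guard it with `if not password: return LogicResponse.Perm` before the bind. The submitted username is also substituted raw into the DN via `ldap_binddn % user`; use `ldap_username = ldap_binddn % ldap.dn.escape_dn_chars(user)` so that DN-special characters in the name cannot change which entry is bound as. Smaller points: `l.unbind_s()` is skipped whenever the bind raises, leaving the connection to the garbage collector, `log.info(' LDAP Error: %s' % e)` should pass `e` lazily as `log.info(' LDAP Error: %s', e)` like the line above it, and the single-letter name `l` is easily misread as `1`. The enclosing method's signature lies above this hunk.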