1
0
mirror of https://github.com/binary-kitchen/doorlockd synced 2024-10-31 22:47:05 +01:00

doorlockd.py: Add LDAP authentication support

Shamelessly copied from moep's DSS tool.

Signed-off-by: Ralf Ramsauer <ralf@binary-kitchen.de>
Cc: Markus Hauschild <moepman@binary-kitchen.de>
This commit is contained in:
Ralf Ramsauer 2018-03-22 23:32:34 +00:00
parent d82272f53a
commit f72f731b59
2 changed files with 26 additions and 2 deletions

View File

@ -3,6 +3,10 @@ SIMULATE = True
RUN_HOOKS = False RUN_HOOKS = False
SECRET_KEY = 'foobar' SECRET_KEY = 'foobar'
LDAP_CA = './ssl/BKCA.crt'
LDAP_URI = 'ldaps://ldap1.binary.kitchen'
LDAP_BINDDN = 'cn=%s,ou=people,dc=binary-kitchen,dc=de'
BOOTSTRAP_SERVE_LOCAL = True BOOTSTRAP_SERVE_LOCAL = True
SERIAL_PORT = '/dev/ttyS0' SERIAL_PORT = '/dev/ttyS0'

View File

@ -17,6 +17,7 @@ FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details. details.
""" """
import ldap
import logging import logging
import sys import sys
@ -62,6 +63,14 @@ serial_port = webapp.config.get('SERIAL_PORT')
simulate = webapp.config.get('SIMULATE') simulate = webapp.config.get('SIMULATE')
run_hooks = webapp.config.get('RUN_HOOKS') run_hooks = webapp.config.get('RUN_HOOKS')
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
ldap.set_option(ldap.OPT_REFERRALS, 0)
if 'LDAP_CA' in webapp.config.keys():
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, webapp.config.get('LDAP_CA'))
ldap_uri = webapp.config.get('LDAP_URI')
ldap_binddn = webapp.config.get('LDAP_BINDDN')
# copied from sudo # copied from sudo
eperm_insults = { eperm_insults = {
'Wrong! You cheating scum!', 'Wrong! You cheating scum!',
@ -243,8 +252,19 @@ class Logic:
log.info('SIMULATION MODE! ACCEPTING ANYTHING!') log.info('SIMULATION MODE! ACCEPTING ANYTHING!')
return LogicResponse.Success return LogicResponse.Success
log.info('Trying to LDAP auth (user, password) as user %s', user) log.info(' Trying to LDAP auth (user, password) as user %s', user)
ldap_username = ldap_binddn % user
try:
l = ldap.initialize(ldap_uri)
l.simple_bind_s(ldap_username, password)
l.unbind_s()
except ldap.INVALID_CREDENTIALS:
log.info(' Invalid credentials')
return LogicResponse.Perm
except ldap.LDAPError as e:
log.info(' LDAP Error: %s' % e)
return LogicResponse.LDAP return LogicResponse.LDAP
return LogicResponse.Success
def try_auth(self, credentials): def try_auth(self, credentials):
method = credentials[0] method = credentials[0]