mirror of
https://github.com/binary-kitchen/doorlockd
synced 2024-10-31 22:47:05 +01:00
doorlockd.py: Add LDAP authentication support
Shamelessly copied from moep's DSS tool. Signed-off-by: Ralf Ramsauer <ralf@binary-kitchen.de> Cc: Markus Hauschild <moepman@binary-kitchen.de>
This commit is contained in:
parent
d82272f53a
commit
f72f731b59
@ -3,6 +3,10 @@ SIMULATE = True
|
||||
RUN_HOOKS = False
|
||||
SECRET_KEY = 'foobar'
|
||||
|
||||
LDAP_CA = './ssl/BKCA.crt'
|
||||
LDAP_URI = 'ldaps://ldap1.binary.kitchen'
|
||||
LDAP_BINDDN = 'cn=%s,ou=people,dc=binary-kitchen,dc=de'
|
||||
|
||||
BOOTSTRAP_SERVE_LOCAL = True
|
||||
|
||||
SERIAL_PORT = '/dev/ttyS0'
|
||||
|
@ -17,6 +17,7 @@ FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
details.
|
||||
"""
|
||||
|
||||
import ldap
|
||||
import logging
|
||||
import sys
|
||||
|
||||
@ -62,6 +63,14 @@ serial_port = webapp.config.get('SERIAL_PORT')
|
||||
simulate = webapp.config.get('SIMULATE')
|
||||
run_hooks = webapp.config.get('RUN_HOOKS')
|
||||
|
||||
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
|
||||
ldap.set_option(ldap.OPT_REFERRALS, 0)
|
||||
if 'LDAP_CA' in webapp.config.keys():
|
||||
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, webapp.config.get('LDAP_CA'))
|
||||
|
||||
ldap_uri = webapp.config.get('LDAP_URI')
|
||||
ldap_binddn = webapp.config.get('LDAP_BINDDN')
|
||||
|
||||
# copied from sudo
|
||||
eperm_insults = {
|
||||
'Wrong! You cheating scum!',
|
||||
@ -243,8 +252,19 @@ class Logic:
|
||||
log.info('SIMULATION MODE! ACCEPTING ANYTHING!')
|
||||
return LogicResponse.Success
|
||||
|
||||
log.info('Trying to LDAP auth (user, password) as user %s', user)
|
||||
return LogicResponse.LDAP
|
||||
log.info(' Trying to LDAP auth (user, password) as user %s', user)
|
||||
ldap_username = ldap_binddn % user
|
||||
try:
|
||||
l = ldap.initialize(ldap_uri)
|
||||
l.simple_bind_s(ldap_username, password)
|
||||
l.unbind_s()
|
||||
except ldap.INVALID_CREDENTIALS:
|
||||
log.info(' Invalid credentials')
|
||||
return LogicResponse.Perm
|
||||
except ldap.LDAPError as e:
|
||||
log.info(' LDAP Error: %s' % e)
|
||||
return LogicResponse.LDAP
|
||||
return LogicResponse.Success
|
||||
|
||||
def try_auth(self, credentials):
|
||||
method = credentials[0]
|
||||
|
Loading…
Reference in New Issue
Block a user