Ticket #5568: 0001-Fix-LDAP-for-Active-Directory.patch

.gitignore

@@ -31 +31 @@
 /mediagoblin.ini
 /node_modules/
 /pip-selfcheck.json
+/mediagoblin/tests/.pytest_cache/
+package-lock.json
 
 # pyconfigure/automake generated files
 /Makefile
@@ -63 +65 @@
 /extlib/leaflet/
 /extlib/tinymce/
 /extlib/video.js/
+
+# Pycharm artifacts
+.idea/

mediagoblin/plugins/ldap/README.rst

@@ -18 +18 @@
 =============
 
 .. Warning::
-   This plugin is not compatible with the other authentication plugins.
+    This plugin is not compatible with the other authentication plugins.
+    All other authentication plugins will need to be disabled in order
+    for this plugin to work.
 
 This plugin allow your GNU Mediagoblin instance to authenticate against an
 LDAP server.
@@ -44 +46 @@
     [[[server1]]]
     LDAP_SERVER_URI = 'ldap://ldap.testathon.net:389'
     LDAP_USER_DN_TEMPLATE = 'cn={username},ou=users,dc=testathon,dc=net'
+    LDAP_SEARCH_BASE = 'ou=users,dc=testathon,dc=net'
     [[[server2]]]
     ...
 
 Make any necessary changes to the above to work with your sever. Make sure
 ``{username}`` is where the username should be in LDAP_USER_DN_TEMPLATE.
-   
+
 If you would like to fetch the users email from the ldap server upon account
 registration, add ``LDAP_SEARCH_BASE = 'ou=users,dc=testathon,dc=net'`` and
 ``EMAIL_SEARCH_FIELD = 'mail'`` under you server configuration in your
 MediaGoblin .ini file.
 
+If you are using Microsoft's Active Directory for your LDAP provider, you will
+want to specify the following::
+
+    [[mediagoblin.plugins.ldap]]
+    [[[server1]]]
+    LDAP_SERVER_URI = 'ldap://ldap.testathon.net'
+    LDAP_USER_DN_TEMPLATE = '{username}@testathon.net'
+    LDAP_SEARCH_BASE = 'ou=users,dc=testathon,dc=net'
+    LDAP_IS_ACTIVE_DIRECTORY = 'true'
+    UID_SEARCH_FIELD = 'sAMAccountName'
+    [[[server2]]]
+    ...
+
 .. Warning::
    By default, this plugin provides no encryption when communicating with the
    ldap servers. If you would like to use an SSL connection, change
@@ -62 +78 @@
    port for SSL connections is 636. If you would like to use a TLS connection,
    add ``LDAP_START_TLS = 'true'`` under your server configuration in your
    MediaGoblin .ini file.
+
+   If you are able, start with SSL & TLS disabled, until you have things working,
+   then enable the security pieces one at a time to help eliminate issues as you
+   are getting started.
+
+How LDAP Authentication works
+=============================
+
+When the LDAP plugin is enabled and all other authentication plugins are
+disabled, attempting to Register or Login will result in the LDAP login form
+being presented to the end user.
+
+The end user will enter their LDAP credentials. A lookup is made against the
+local users table in the GNU Mediagoblin database. If a user with the specified
+username already exists, then the user will be authenticated against the
+directory.
+
+If a user with the specified username does not already exist in the GNU
+Mediagoblin database, then the LDAP authenitcation will be performed. If the
+user does not have permissions in LDAP to authenticate to GNU Mediagoblin,
+they will be presented with a login error.
+
+If they are allowed to authenticate, and ``EMAIL_SEARCH_FIELD`` is not
+specified, the user will be prompted to enter their email address. Upon
+submission, they will be successfully registered and authenticated.
+
+If they are allowed to authenticate and ``EMAIL_SEARCH_FIELD`` is specified,
+an email address lookup will be performed against the directory. The user will
+be prompted to confirm or change their email address. Upon submission, they
+will be successfully registered and authenticated.
+
+
+LDAP Configuration Options
+==========================
+
+LDAP_SERVER_URI
+---------------
+
+This required option is to specify the DNS name or IP address of the LDAP
+server to which your GNU Mediagoblin instance will attempt to bind. In the
+examples, the ports are specified but they are not required.
+
+For plain LDAP, the default port is 387.
+For LDAPS, the default port is 636.
+
+If your instance is using a non-standard port, the port should be indicated.
+
+LDAP_USER_DN_TEMPLATE
+---------------------
+
+This is the required template to use when LDAP searches for a user. It is
+imperative that the value have ``{username}`` in it somewhere, as the string is
+interpolated with the username at the time of login.
+
+The value of this will vary depending up the LDAP schema in the domain. It is
+possible to use either a full path
+( ``cn={username},ou=users,dc=testathon,dc=net`` ) or a UPN
+( ``{username}@testathon.net`` ). Some Active Directory users have reported
+that the second form of the LDAP_USER_DN_TEMPLATE works better.
+
+LDAP_SEARCH_BASE
+----------------
+
+This is required and represents the root of the domain where GNU Mediagoblin
+will search for users' email addresses. If your users should all exist under
+a certain OU, then it is possible to restrict the scope of the search by
+specifying an OU, as in the example. If users are scattered across all of the
+domain, the it is also possible to specify just the domain itself:
+``LDAP_SEARCH_BASE = 'dc=testathon,dc=net'``
+
+EMAIL_SEARCH_FIELD
+------------------
+
+If this optional field is specified in the LDAP configuration, then GNU
+Mediagoblin will lookup the user's email address in LDAP as soon as the user
+authenticates, and the field named in the configuration will used as the search
+field.
+
+If this field is not specified, the user will be asked to input
+their email address when registering.
+
+The default value is None.
+
+UID_SEARCH_FIELD
+----------------
+
+This optional value is used to specify the name of the field that holds the UID.
+For example, imagine that your username in LDAP is ``media.goblin``. For most
+LDAP the search string will need to be ``uid = media.goblin``. In this case,
+the value of UID_SEARCH_FIELD should be set to ``uid``.
+
+However, Active Directory uses a different field for this, and the value should
+be adjusted to be ``sAMAccountName``.
+
+The default value is ``'uid'``.
+
+LDAP_IS_ACTIVE_DIRECTORY
+---------------------
+
+This optional value is used to specify if you are using Active Directory. If that is the
+case, this value should be set to ``'true'``, otherwise it should be left at
+``'false'``
+
+The default value is ``'false'``.
+
+LDAP_START_TLS
+--------------
+
+This optional value will enable TLS for LDAP communications. If your LDAP
+server has a TLS certificate that your GNU Mediagoblin will trust, then enable
+this by setting the value to ``'true'``.
+
+The default value is ``'false'``.
+
+LDAP_FILTER
+-----------
+This optional value will be used to restrict the LDAP authentication to users
+who match the filter criteria. This string is built using LDAP filtering syntax.
+
+For example, to restrict authentication to members of the MediaGoblinGroup
+container that is located in the Groups OU, a filter such as this could be used:
+
+``LDAP_FILTER = '(&(objectClass=person)(memberOf=cn=MediaGoblinGroup,ou=Groups,dc=testathon,dc=net))'``
+
+Any user who is not a member of the MediaGoblinGroup container will be denied authentication.
+
+The default value of this filter is ``(objectClass=person)``

mediagoblin/plugins/ldap/tools.py

@@ -27 +27 @@
     def __init__(self):
         self.ldap_settings = pluginapi.get_config('mediagoblin.plugins.ldap')
 
+        for k, v in six.iteritems(self.ldap_settings):
+            try:
+                v['LDAP_SERVER_URI']
+            except KeyError:
+                _log.error('LDAP_SERVER_URI was not defined in the config.')
+                # Do something here to raise a fatal error
+
+            try:
+                v['LDAP_START_TLS']
+            except KeyError:
+                _log.info('LDAP_START_TLS is not defined. Assuming false')
+                self.ldap_settings[k]['LDAP_START_TLS'] = 'false'
+
+            try:
+                v['LDAP_USER_DN_TEMPLATE']
+            except KeyError:
+                _log.error('LDAP_USER_DN_TEMPLATE '
+                           'was not defined in the config')
+                # Do something here to raise a fatal error
+
+            try:
+                v['LDAP_IS_ACTIVE_DIRECTORY']
+            except KeyError:
+                _log.info('Active Directory flag was not set. Assuming false')
+                self.ldap_settings[k]['LDAP_IS_ACTIVE_DIRECTORY'] = 'false'
+
+            try:
+                v['LDAP_SEARCH_BASE']
+            except KeyError:
+                _log.error('LDAP_SEARCH_BASE was not defined in the config')
+                # Do something here to raise a fatal error
+
+            try:
+                v['UID_SEARCH_FIELD']
+            except KeyError:
+                _log.info('UID_SEARCH_FIELD was not defined in the config. '
+                          'Assuming ''uid''.')
+                self.ldap_settings[k]['UID_SEARCH_FIELD'] = 'uid'
+
+            try:
+                v['EMAIL_SEARCH_FIELD']
+            except KeyError:
+                _log.info('EMAIL_SEARCH_FIELD was not defined in the config. '
+                          'Assuming mail lookup is not wanted.')
+                self.ldap_settings[k]['EMAIL_SEARCH_FIELD'] = None
+
+            try:
+                v['LDAP_FILTER']
+            except KeyError:
+                _log.info('LDAP_FILTER was not defined in the config. '
+                          'Assuming ''(objectClass=person)''')
+                self.ldap_settings[k]['LDAP_FILTER'] = '(objectClass=person)'
+
+        _log.info(self.ldap_settings)
+
     def _connect(self, server):
         _log.info('Connecting to {0}.'.format(server['LDAP_SERVER_URI']))
         self.conn = ldap.initialize(server['LDAP_SERVER_URI'])
 
-        if server['LDAP_START_TLS'] == 'true':
+        if server['LDAP_START_TLS'].lower() == 'true':
             _log.info('Initiating TLS')
             self.conn.start_tls_s()
 
     def _get_email(self, server, username):
+        if server['EMAIL_SEARCH_FIELD']:
+            try:
+                filter = '{0}={1}'.format(server['UID_SEARCH_FIELD'], username)
+                attrs = [server['EMAIL_SEARCH_FIELD']]
+                results = self.conn.search_s(server['LDAP_SEARCH_BASE'],
+                                            ldap.SCOPE_SUBTREE, filter, attrs)
+
+                email = results[0][1][server['EMAIL_SEARCH_FIELD']][0]
+            except KeyError:
+                email = None
+        else:
+            email = None
+
+        return email
+
+    def _validate_account(self, server, username):
         try:
+            filter = server['LDAP_FILTER']
+            attrs = [server['UID_SEARCH_FIELD']]
+
             results = self.conn.search_s(server['LDAP_SEARCH_BASE'],
-                                        ldap.SCOPE_SUBTREE, 'uid={0}'
-                                        .format(username),
-                                        [server['EMAIL_SEARCH_FIELD']])
+                                         ldap.SCOPE_SUBTREE, filter, attrs)
+
+            valid_account = False
+            for res in results:
+                if res[1][server['UID_SEARCH_FIELD']][0] == username:
+                    valid_account = True
+                    break
 
-            email = results[0][1][server['EMAIL_SEARCH_FIELD']][0]
         except KeyError:
-            email = None
+            valid_account = False
+        except TypeError:
+            valid_account = False
 
-        return email
+        return valid_account
 
     def login(self, username, password):
         for k, v in six.iteritems(self.ldap_settings):
             try:
                 self._connect(v)
                 user_dn = v['LDAP_USER_DN_TEMPLATE'].format(username=username)
+
+                if v['LDAP_IS_ACTIVE_DIRECTORY'].lower() == 'true':
+                    self.conn.protocol_version = ldap.VERSION3
+                    self.conn.set_option(ldap.OPT_REFERRALS, 0)
+
+                _log.info('Attempting to bind to {0} as {1}'.format(
+                    v['LDAP_SERVER_URI'], user_dn))
                 self.conn.simple_bind_s(user_dn, password.encode('utf8'))
-                email = self._get_email(v, username)
+
+                if self._validate_account(v, username):
+                    email = self._get_email(v, username)
+                else:
+                    return False, None
+
                 return username, email
 
+            except ValueError, e:
+                _log.info(e)
             except ldap.LDAPError, e:
                 _log.info(e)