Context Navigation

Back to Ticket #926

Ticket #926: 0001-LDAP-URL-based-on-RFC-2255.patch

File 0001-LDAP-URL-based-on-RFC-2255.patch, 7.4 KB (added by sumpfralle, 10 years ago)

mediagoblin/plugins/ldap/README.rst

From dc6658bae6ec07f1ff71a1d6ed9fdb3425fae043 Mon Sep 17 00:00:00 2001
From: Lars Kruse <devel@sumpfralle.de>
Date: Fri, 25 Jul 2014 22:53:04 +0200
Subject: [PATCH] LDAP URL based on RFC 2255

---
 mediagoblin/plugins/ldap/README.rst |   17 ++++--
 mediagoblin/plugins/ldap/tools.py   |  101 ++++++++++++++++++++++++++++-------
 2 files changed, 97 insertions(+), 21 deletions(-)

diff --git a/mediagoblin/plugins/ldap/README.rst b/mediagoblin/plugins/ldap/README.rst
index ea9a34b..a2072ec 100644

                under the ldap plugin::
 Make any necessary changes to the above to work with your sever. Make sure
 ``{username}`` is where the username should be in LDAP_USER_DN_TEMPLATE.
+Starting with MediaGoblin v0.7 the following syntax is allows even more details::
+    [[mediagoblin.plugins.ldap]]
+    [[[server1]]]
+    LDAP_USER_URL = 'ldap://ldap.testathon.net:389/ou=users,dc=testathon,dc=net?uid?sub?(objectClass=*)'
+    [[[server2]]]
+    ...
+`RFC 2255 <http://www.ietf.org/rfc/rfc2255.txt>` describes the above
+``LDAP_USER_URL`` in more detail.
 If you would like to fetch the users email from the ldap server upon account
 registration, add ``LDAP_SEARCH_BASE = 'ou=users,dc=testathon,dc=net'`` and
+``EMAIL_SEARCH_FIELD = 'mail'`` under you server configuration in your
 MediaGoblin .ini file.
+registration, add ``LDAP_SEARCH_BASE = 'ou=users,dc=testathon,dc=net'``
+(only if you use ``LDAP_SERVER_URI``) and ``EMAIL_SEARCH_FIELD = 'mail'``
+under you server configuration in your MediaGoblin .ini file.
 .. Warning::
    By default, this plugin provides no encryption when communicating with the

mediagoblin/plugins/ldap/tools.py

diff --git a/mediagoblin/plugins/ldap/tools.py b/mediagoblin/plugins/ldap/tools.py
index 1c43679..1ae5655 100644

-              a
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import ldap
 import logging
+import re
+import urllib2
 from mediagoblin.tools import pluginapi
-…
+               _log = logging.getLogger(__name__)
 class LDAP(object):
     def __init__(self):
         self.ldap_settings = pluginapi.get_config('mediagoblin.plugins.ldap')
+        self.conn = None
     def _connect(self, server):
         _log.info('Connecting to {0}.'.format(server['LDAP_SERVER_URI']))
         self.conn = ldap.initialize(server['LDAP_SERVER_URI'])
+    def _connect(self, server_uri, use_start_tls):
+        _log.info('Connecting to {0}.'.format(server_uri))
+        self.conn = ldap.initialize(server_uri)
         if server['LDAP_START_TLS'] == 'true':
+        if use_start_tls == 'true':
             _log.info('Initiating TLS')
             self.conn.start_tls_s()
     def _get_email(self, server, username):
+    def _get_entry_value(self, user_dn, field_name):
         try:
+            results = self.conn.search_s(server['LDAP_SEARCH_BASE'],
+                                        ldap.SCOPE_SUBTREE, 'uid={0}'
+                                        .format(username),
+                                        [server['EMAIL_SEARCH_FIELD']])
+            email = results[0][1][server['EMAIL_SEARCH_FIELD']][0]
+            results = self.conn.search_s(user_dn, ldap.SCOPE_BASE,
+                                        attrlist=[field_name])
+            return results[0][1][field_name][0]
         except KeyError:
             email = None
+            return None
+        return email
+    def _parse_ldap_url(self, url):
+        url_regex = re.compile(r'^([\w+.-]+://[\w.-]+(?:\d+)?)/(.*)$')
+        match = re.search(url_regex, url)
+        if match:
+            server_uri, query = match.groups()
+            result = {'SERVER_URI': server_uri}
+            tokens = query.split('?')
+            result['BASE_DN'] = ''
+            # 'base' is the default scope
+            result['SCOPE'] = ldap.SCOPE_BASE
+            attribute = ''
+            scope = ''
+            result['FILTERS'] = '(objectClass=*)'
+            try:
+                result['BASE_DN'] = tokens.pop(0)
+                # 'uid' is the default attribute
+                result['ATTRIBUTES'] = tokens.pop(0).split(",") or ['uid']
+                scope = tokens.pop(0)
+                result['FILTERS'] = tokens.pop(0)
+            except IndexError:
+                pass
+            try:
+                result['SCOPE'] = {'': ldap.SCOPE_BASE,
+                                   'base': ldap.SCOPE_BASE,
+                                   'one': ldap.SCOPE_ONELEVEL,
+                                   'sub': ldap.SCOPE_SUBTREE}[scope]
+            except KeyError as err:
+                _log.info(err)
+            return result
+        else:
+            return None
+    def _get_dn(self, username, attribute, base_dn, scope, filters):
+        if filters:
+            if filters.startswith("("):
+                # remove surrounding braces - otherwise the filter string fails
+                filters = filters.lstrip("(").rstrip(")")
+            filters = "(&({0})({1}={2}))".format(filters, attribute, username)
+        else:
+            filters = "{0}={1}".format(attribute, username)
+        try:
+            results = self.conn.search_s(base_dn, scope, filters)
+            return results[0][0]
+        except KeyError:
+            return None
     def login(self, username, password):
         for k, v in self.ldap_settings.iteritems():
+            _log.debug("Server settings: {1}".format(k, v))
+            server_uri = None
             try:
+                self._connect(v)
+                user_dn = v['LDAP_USER_DN_TEMPLATE'].format(username=username)
+                if 'LDAP_USER_URL' in v:
+                    login_settings = self._parse_ldap_url(v['LDAP_USER_URL'])
+                    _log.debug("Parsed LDAP_USER_URL: {0}".format(login_settings))
+                    server_uri = login_settings["SERVER_URI"]
+                    self._connect(server_uri, v.get('LDAP_START_TLS', None))
+                    user_dn = self._get_dn(username,
+                                           login_settings["ATTRIBUTES"][0],
+                                           login_settings["BASE_DN"],
+                                           login_settings["SCOPE"],
+                                           login_settings["FILTERS"])
+                else:
+                    # use LDAP_USER_DN_TEMPLATE and LDAP_SERVER_URI
+                    server_uri = v["LDAP_SERVER_URI"]
+                    self._connect(server_uri, v.get('LDAP_START_TLS', None))
+                    user_dn = v['LDAP_USER_DN_TEMPLATE'].format(username=username)
+                _log.debug("DN of user: {0}".format(user_dn))
                 self.conn.simple_bind_s(user_dn, password.encode('utf8'))
+                email = self._get_email(v, username)
+                if 'EMAIL_SEARCH_FIELD' in v:
+                    email = self._get_entry_value(user_dn, v['EMAIL_SEARCH_FIELD'])
+                else:
+                    email = None
                 return username, email
             except ldap.LDAPError, e:
                 _log.info(e)
             finally:
+                _log.info('Unbinding {0}.'.format(v['LDAP_SERVER_URI']))
+                self.conn.unbind()
+                _log.info('Unbinding {0}.'.format(server_uri))
+                if self.conn:
+                    self.conn.unbind()
         return False, None

Download in other formats:

Original Format

Legacy issue tracker

Context Navigation

Ticket #926: 0001-LDAP-URL-based-on-RFC-2255.patch

mediagoblin/plugins/ldap/README.rst

mediagoblin/plugins/ldap/tools.py

Download in other formats: