Kezdőlap Felfedezés Súgó
Bejelentkezés
mirrors
/
Radicale
tükrözi: https://github.com/Kozea/Radicale
1
0
Másolás 0
Fájlok Problémák 0 Wiki
Fa: f725ee780f
Branch-ok Tag-ek
Radicale
/
radicale
/
auth
/
ldap.py

ldap.py 8.0 KB
Előzmények Nyers

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189 
  1. # This file is part of Radicale - CalDAV and CardDAV server
    2. 

  2. # Copyright 2022 Peter Varkoly
    3. 

  3. #
    4. 

  4. # This library is free software: you can redistribute it and/or modify
    5. 

  5. # it under the terms of the GNU General Public License as published by
    6. 

  6. # the Free Software Foundation, either version 3 of the License, or
    7. 

  7. # (at your option) any later version.
    8. 

  8. #
    9. 

  9. # This library is distributed in the hope that it will be useful,
    10. 

  10. # but WITHOUT ANY WARRANTY; without even the implied warranty of
    11. 

  11. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    12. 

  12. # GNU General Public License for more details.
    13. 

  13. #
    14. 

  14. # You should have received a copy of the GNU General Public License
    15. 

  15. # along with Radicale.  If not, see <http://www.gnu.org/licenses/>.
    16. 

  16. """
    17. 

  17. Authentication backend that checks credentials with a ldap server.
    18. 

  18. Following parameters are needed in the configuration:
    19. 

  19.    ldap_uri         The ldap url to the server like ldap://localhost
    20. 

  20.    ldap_base        The baseDN of the ldap server
    21. 

  21.    ldap_reader_dn   The DN of a ldap user with read access to get the user accounts
    22. 

  22.    ldap_secret      The password of the ldap_reader_dn
    23. 

  23.    ldap_secret_file The path of the file containing the password of the ldap_reader_dn
    24. 

  24.    ldap_filter      The search filter to find the user to authenticate by the username
    25. 

  25.    ldap_load_groups If the groups of the authenticated users need to be loaded
    26. 

  26. Following parameters controls SSL connections:
    27. 

  27.    ldap_use_ssl   If the connection
    28. 

  28.    ldap_ssl_verify_mode The certificate verification mode. NONE, OPTIONAL, default is REQUIRED
    29. 

  29.    ldap_ssl_ca_file
    30. 

  30. 

  31. """
    32. 

  32. import ssl
    33. 

  33. 

  34. from radicale import auth, config
    35. 

  35. from radicale.log import logger
    36. 

  36. 

  37. 

  38. class Auth(auth.BaseAuth):
    39. 

  39.     _ldap_uri: str
    40. 

  40.     _ldap_base: str
    41. 

  41.     _ldap_reader_dn: str
    42. 

  42.     _ldap_secret: str
    43. 

  43.     _ldap_filter: str
    44. 

  44.     _ldap_load_groups: bool
    45. 

  45.     _ldap_version: int = 3
    46. 

  46.     _ldap_use_ssl: bool = False
    47. 

  47.     _ldap_ssl_verify_mode: int = ssl.CERT_REQUIRED
    48. 

  48.     _ldap_ssl_ca_file: str = ""
    49. 

  49. 

  50.     def __init__(self, configuration: config.Configuration) -> None:
    51. 

  51.         super().__init__(configuration)
    52. 

  52.         try:
    53. 

  53.             import ldap3
    54. 

  54.             self.ldap3 = ldap3
    55. 

  55.         except ImportError:
    56. 

  56.             try:
    57. 

  57.                 import ldap
    58. 

  58.                 self._ldap_version = 2
    59. 

  59.                 self.ldap = ldap
    60. 

  60.             except ImportError as e:
    61. 

  61.                 raise RuntimeError("LDAP authentication requires the ldap3 module") from e
    62. 

  62.         self._ldap_uri = configuration.get("auth", "ldap_uri")
    63. 

  63.         self._ldap_base = configuration.get("auth", "ldap_base")
    64. 

  64.         self._ldap_reader_dn = configuration.get("auth", "ldap_reader_dn")
    65. 

  65.         self._ldap_load_groups = configuration.get("auth", "ldap_load_groups")
    66. 

  66.         self._ldap_secret = configuration.get("auth", "ldap_secret")
    67. 

  67.         self._ldap_filter = configuration.get("auth", "ldap_filter")
    68. 

  68.         ldap_secret_file_path = configuration.get("auth", "ldap_secret_file")
    69. 

  69.         if ldap_secret_file_path:
    70. 

  70.             with open(ldap_secret_file_path, 'r') as file:
    71. 

  71.                 self._ldap_secret = file.read().rstrip('\n')
    72. 

  72.         if self._ldap_version == 3:
    73. 

  73.             self._ldap_use_ssl = configuration.get("auth", "ldap_use_ssl")
    74. 

  74.             if self._ldap_use_ssl:
    75. 

  75.                 self._ldap_ssl_ca_file = configuration.get("auth", "ldap_ssl_ca_file")
    76. 

  76.                 tmp = configuration.get("auth", "ldap_ssl_verify_mode")
    77. 

  77.                 if tmp == "NONE":
    78. 

  78.                     self._ldap_ssl_verify_mode = ssl.CERT_NONE
    79. 

  79.                 elif tmp == "OPTIONAL":
    80. 

  80.                     self._ldap_ssl_verify_mode = ssl.CERT_OPTIONAL
    81. 

  81. 

  82.     def _login2(self, login: str, password: str) -> str:
    83. 

  83.         try:
    84. 

  84.             """Bind as reader dn"""
    85. 

  85.             logger.debug(f"_login2 {self._ldap_uri}, {self._ldap_reader_dn}")
    86. 

  86.             conn = self.ldap.initialize(self._ldap_uri)
    87. 

  87.             conn.protocol_version = 3
    88. 

  88.             conn.set_option(self.ldap.OPT_REFERRALS, 0)
    89. 

  89.             conn.simple_bind_s(self._ldap_reader_dn, self._ldap_secret)
    90. 

  90.             """Search for the dn of user to authenticate"""
    91. 

  91.             res = conn.search_s(self._ldap_base, self.ldap.SCOPE_SUBTREE, filterstr=self._ldap_filter.format(login), attrlist=['memberOf'])
    92. 

  92.             if len(res) == 0:
    93. 

  93.                 """User could not be find"""
    94. 

  94.                 return ""
    95. 

  95.             user_dn = res[0][0]
    96. 

  96.             logger.debug("LDAP Auth user: %s", user_dn)
    97. 

  97.             """Close ldap connection"""
    98. 

  98.             conn.unbind()
    99. 

  99.         except Exception as e:
    100. 

  100.             raise RuntimeError(f"Invalid ldap configuration:{e}")
    101. 

  101. 

  102.         try:
    103. 

  103.             """Bind as user to authenticate"""
    104. 

  104.             conn = self.ldap.initialize(self._ldap_uri)
    105. 

  105.             conn.protocol_version = 3
    106. 

  106.             conn.set_option(self.ldap.OPT_REFERRALS, 0)
    107. 

  107.             conn.simple_bind_s(user_dn, password)
    108. 

  108.             tmp: list[str] = []
    109. 

  109.             if self._ldap_load_groups:
    110. 

  110.                 tmp = []
    111. 

  111.                 for t in res[0][1]['memberOf']:
    112. 

  112.                     tmp.append(t.decode('utf-8').split(',')[0][3:])
    113. 

  113.                 self._ldap_groups = set(tmp)
    114. 

  114.                 logger.debug("LDAP Auth groups of user: %s", ",".join(self._ldap_groups))
    115. 

  115.             conn.unbind()
    116. 

  116.             return login
    117. 

  117.         except self.ldap.INVALID_CREDENTIALS:
    118. 

  118.             return ""
    119. 

  119. 

  120.     def _login3(self, login: str, password: str) -> str:
    121. 

  121.         """Connect the server"""
    122. 

  122.         try:
    123. 

  123.             logger.debug(f"_login3 {self._ldap_uri}, {self._ldap_reader_dn}")
    124. 

  124.             if self._ldap_use_ssl:
    125. 

  125.                 tls = self.ldap3.Tls(validate=self._ldap_ssl_verify_mode)
    126. 

  126.                 if self._ldap_ssl_ca_file != "":
    127. 

  127.                     tls = self.ldap3.Tls(
    128. 

  128.                         validate=self._ldap_ssl_verify_mode,
    129. 

  129.                         ca_certs_file=self._ldap_ssl_ca_file
    130. 

  130.                         )
    131. 

  131.                 server = self.ldap3.Server(self._ldap_uri, use_ssl=True, tls=tls)
    132. 

  132.             else:
    133. 

  133.                 server = self.ldap3.Server(self._ldap_uri)
    134. 

  134.             conn = self.ldap3.Connection(server, self._ldap_reader_dn, password=self._ldap_secret)
    135. 

  135.         except self.ldap3.core.exceptions.LDAPSocketOpenError:
    136. 

  136.             raise RuntimeError("Unable to reach ldap server")
    137. 

  137.         except Exception as e:
    138. 

  138.             logger.debug(f"_login3 error 1 {e}")
    139. 

  139.             pass
    140. 

  140. 

  141.         if not conn.bind():
    142. 

  142.             logger.debug("_login3 can not bind")
    143. 

  143.             raise RuntimeError("Unable to read from ldap server")
    144. 

  144. 

  145.         logger.debug(f"_login3 bind as {self._ldap_reader_dn}")
    146. 

  146.         """Search the user dn"""
    147. 

  147.         conn.search(
    148. 

  148.             search_base=self._ldap_base,
    149. 

  149.             search_filter=self._ldap_filter.format(login),
    150. 

  150.             search_scope=self.ldap3.SUBTREE,
    151. 

  151.             attributes=['memberOf']
    152. 

  152.         )
    153. 

  153.         if len(conn.entries) == 0:
    154. 

  154.             logger.debug(f"_login3 user '{login}' can not be find")
    155. 

  155.             """User could not be find"""
    156. 

  156.             return ""
    157. 

  157. 

  158.         user_entry = conn.response[0]
    159. 

  159.         conn.unbind()
    160. 

  160.         user_dn = user_entry['dn']
    161. 

  161.         logger.debug(f"_login3 found user_dn {user_dn}")
    162. 

  162.         try:
    163. 

  163.             """Try to bind as the user itself"""
    164. 

  164.             conn = self.ldap3.Connection(server, user_dn, password=password)
    165. 

  165.             if not conn.bind():
    166. 

  166.                 logger.debug(f"_login3 user '{login}' can not be find")
    167. 

  167.                 return ""
    168. 

  168.             if self._ldap_load_groups:
    169. 

  169.                 tmp = []
    170. 

  170.                 for g in user_entry['attributes']['memberOf']:
    171. 

  171.                     tmp.append(g.split(',')[0][3:])
    172. 

  172.                 self._ldap_groups = set(tmp)
    173. 

  173.             conn.unbind()
    174. 

  174.             logger.debug(f"_login3 {login} successfully authorized")
    175. 

  175.             return login
    176. 

  176.         except Exception as e:
    177. 

  177.             logger.debug(f"_login3 error 2 {e}")
    178. 

  178.             pass
    179. 

  179.         return ""
    180. 

  180. 

  181.     def login(self, login: str, password: str) -> str:
    182. 

  182.         """Validate credentials.
    183. 

  183.         In first step we make a connection to the ldap server with the ldap_reader_dn credential.
    184. 

  184.         In next step the DN of the user to authenticate will be searched.
    185. 

  185.         In the last step the authentication of the user will be proceeded.
    186. 

  186.         """
    187. 

  187.         if self._ldap_version == 2:
    188. 

  188.             return self._login2(login, password)
    189. 

  189.         return self._login3(login, password)
    190.