* Add optional group limit
This commit is contained in:
parent
d9a2149825
commit
4936446940
@ -40,7 +40,7 @@ case "$1" in
fi
fi
SSDOPTS="--quiet --oknodo --background --no-close --make-pidfile --pidfile $PIDFILE --chuid $USER:$GROUP --exec $DAEMON"
SSDOPTS="--quiet --oknodo --background --no-close --make-pidfile --pidfile $PIDFILE --chuid $USER:$GROUP --exec $DAEMON"
DAEMON_ARGS="$URL $BASE $BIND_DN $BIND_PASS $COOKIE $FILTER $REALM"
DAEMON_ARGS="$URL $BASE $GROUP_BASE $BIND_DN $BIND_PASS $COOKIE $FILTER $GROUP_FILTER $GROUP_LIMIT $REALM"
if start-stop-daemon --start $SSDOPTS -- $DAEMON_ARGS > $LOG 2>&1
if start-stop-daemon --start $SSDOPTS -- $DAEMON_ARGS > $LOG 2>&1
then
then
@ -151,7 +151,10 @@ class LDAPAuthHandler(AuthHandler):
'starttls': ('X-Ldap-Starttls', 'false'),
'starttls': ('X-Ldap-Starttls', 'false'),
'disable_referrals': ('X-Ldap-DisableReferrals', 'false'),
'disable_referrals': ('X-Ldap-DisableReferrals', 'false'),
'basedn': ('X-Ldap-BaseDN', None),
'basedn': ('X-Ldap-BaseDN', None),
'groupbasedn': ('X-Ldap-GroupBaseDN', None),
'grouplimit': ('X-Ldap-GroupLimit', None),
'template': ('X-Ldap-Template', '(cn=%(username)s)'),
'template': ('X-Ldap-Template', '(cn=%(username)s)'),
'grouptemplate': ('X-Ldap-GroupTemplate', '(cn=%(groupname)s)'),
'binddn': ('X-Ldap-BindDN', ''),
'binddn': ('X-Ldap-BindDN', ''),
'bindpasswd': ('X-Ldap-BindPass', ''),
'bindpasswd': ('X-Ldap-BindPass', ''),
'cookiename': ('X-CookieName', '')
'cookiename': ('X-CookieName', '')
@ -223,6 +226,9 @@ class LDAPAuthHandler(AuthHandler):
'"%s" with filter "%s"') %
'"%s" with filter "%s"') %
(ctx['url'], ctx['basedn'], searchfilter))
(ctx['url'], ctx['basedn'], searchfilter))
self.log_message(('groupBaseDn is "%s", groupLimit is "%s"') %
(ctx['groupbasedn'], ctx['grouplimit']))
ctx['action'] = 'running search query'
ctx['action'] = 'running search query'
results = ldap_obj.search_s(ctx['basedn'], ldap.SCOPE_SUBTREE,
results = ldap_obj.search_s(ctx['basedn'], ldap.SCOPE_SUBTREE,
searchfilter, ['objectclass'], 1)
searchfilter, ['objectclass'], 1)
@ -253,6 +259,21 @@ class LDAPAuthHandler(AuthHandler):
self.log_message('Auth OK for user "%s"' % (ctx['user']))
self.log_message('Auth OK for user "%s"' % (ctx['user']))
if ctx['grouplimit'] and ctx['groupbasedn']:
groupsearchfilter = ctx['grouptemplate'] % { 'groupname': ctx['grouplimit'] }
groupResults = ldap_obj.search_s(ctx['groupbasedn'], ldap.SCOPE_SUBTREE,
groupsearchfilter, ["memberUid"])
if len(groupResults) > 0:
for dn, entry in groupResults:
if ctx['user'] in entry.get('memberUid'):
self.log_message(('found user "%s" in group "%s"') %
(ctx['user'], ctx['grouplimit']))
else:
self.log_message(('user "%s" NOT in group "%s"') %
(ctx['user'], ctx['grouplimit']))
self.auth_failed(ctx)
return
# Successfully authenticated user
# Successfully authenticated user
self.send_response(200)
self.send_response(200)
self.end_headers()
self.end_headers()
@ -295,6 +316,10 @@ if __name__ == '__main__':
help=("Sets ldap.OPT_REFERRALS to zero (Default: false)"))
help=("Sets ldap.OPT_REFERRALS to zero (Default: false)"))
group.add_argument('-b', metavar="baseDn", dest="basedn", default='',
group.add_argument('-b', metavar="baseDn", dest="basedn", default='',
help="LDAP base dn (Default: unset)")
help="LDAP base dn (Default: unset)")
group.add_argument('-g', metavar="groupBaseDn", dest="groupbasedn", default='',
help="LDAP group base dn (Default: unset)")
group.add_argument('-G', metavar="groupLimit", dest="grouplimit", default='',
help="Limit to users in group (Default: unset)")
group.add_argument('-D', metavar="bindDn", dest="binddn", default='',
group.add_argument('-D', metavar="bindDn", dest="binddn", default='',
help="LDAP bind DN (Default: anonymous)")
help="LDAP bind DN (Default: anonymous)")
group.add_argument('-w', metavar="passwd", dest="bindpw", default='',
group.add_argument('-w', metavar="passwd", dest="bindpw", default='',
@ -302,6 +327,9 @@ if __name__ == '__main__':
group.add_argument('-f', '--filter', metavar='filter',
group.add_argument('-f', '--filter', metavar='filter',
default='(cn=%(username)s)',
default='(cn=%(username)s)',
help="LDAP filter (Default: cn=%%(username)s)")
help="LDAP filter (Default: cn=%%(username)s)")
group.add_argument('-x', '--groupfilter', metavar='groupfilter',
default='(cn=%(groupname)s)',
help="LDAP group filter (Default: cn=%%(groupname)s)")
# http options:
# http options:
group = parser.add_argument_group(title="HTTP options")
group = parser.add_argument_group(title="HTTP options")
group.add_argument('-R', '--realm', metavar='"Restricted Area"',
group.add_argument('-R', '--realm', metavar='"Restricted Area"',
@ -318,7 +346,10 @@ if __name__ == '__main__':
'starttls': ('X-Ldap-Starttls', args.starttls),
'starttls': ('X-Ldap-Starttls', args.starttls),
'disable_referrals': ('X-Ldap-DisableReferrals', args.disable_referrals),
'disable_referrals': ('X-Ldap-DisableReferrals', args.disable_referrals),
'basedn': ('X-Ldap-BaseDN', args.basedn),
'basedn': ('X-Ldap-BaseDN', args.basedn),
'groupbasedn': ('X-Ldap-GroupBaseDN', args.groupbasedn),
'grouplimit': ('X-Ldap-GroupLimit', args.grouplimit),
'template': ('X-Ldap-Template', args.filter),
'template': ('X-Ldap-Template', args.filter),
'grouptemplate': ('X-Ldap-GroupTemplate', args.groupfilter),
'binddn': ('X-Ldap-BindDN', args.binddn),
'binddn': ('X-Ldap-BindDN', args.binddn),
'bindpasswd': ('X-Ldap-BindPass', args.bindpw),
'bindpasswd': ('X-Ldap-BindPass', args.bindpw),
'cookiename': ('X-CookieName', args.cookie)
'cookiename': ('X-CookieName', args.cookie)
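Review bot: The new group check in the `@ -253,6 +259,21 @@` hunk fails open: when the group search returns no entries, `if len(groupResults) > 0:` is false and control falls through to `self.send_response(200)`, so a misspelled or deleted group grants access to every authenticated user instead of denying it. Inside the loop, `entry.get('memberUid')` returns None for a group entry without that attribute and the `in` test raises TypeError, and the loop denies on the first entry that lacks the user even when a later matching entry would contain it. I would replace the loop with a single membership test across all entries and deny on anything other than a confirmed match, as below; the log messages are kept as written. `ctx['grouplimit']` is also interpolated into the filter unescaped, so if `X-Ldap-GroupLimit` can ever be influenced by a client rather than only set in nginx configuration, it should pass through `ldap.filter.escape_filter_chars` the same way the username ought to. The enclosing handler method starts and ends outside the hunk, and if this runs on Python 3 with python-ldap 3.x the attribute values are bytes, in which case a str `ctx['user']` would never match — worth confirming.
```python
if ctx['grouplimit'] and ctx['groupbasedn']:
    groupsearchfilter = ctx['grouptemplate'] % { 'groupname': ctx['grouplimit'] }
    groupResults = ldap_obj.search_s(ctx['groupbasedn'], ldap.SCOPE_SUBTREE,
                                     groupsearchfilter, ["memberUid"])
    # Fail closed: no matching group, or a group without memberUid, denies access.
    is_member = any(ctx['user'] in entry.get('memberUid', [])
                    for dn, entry in groupResults)
    if not is_member:
        self.log_message(('user "%s" NOT in group "%s"') %
                         (ctx['user'], ctx['grouplimit']))
        self.auth_failed(ctx)
        return
    self.log_message(('found user "%s" in group "%s"') %
                     (ctx['user'], ctx['grouplimit']))
# … unchanged: send_response(200) / end_headers() …
```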
@ -4,10 +4,13 @@
#
#
#URL="--url ldap://example.com:389"
#URL="--url ldap://example.com:389"
#BASE="-b dc=nodomain"
#BASE="-b dc=nodomain"
#GROUP_BASE="-b dc=nodomain"
#BIND_DN="-D cn=admin,dc=nodomain"
#BIND_DN="-D cn=admin,dc=nodomain"
#BIND_PASS="-w secret"
#BIND_PASS="-w secret"
#COOKIE="-c nginxauth"
#COOKIE="-c nginxauth"
#FILTER="-f (cn=%(username)s)"
#FILTER="-f (cn=%(username)s)"
#GROUP_FILTER="-x (cn=%(groupname)s)"
#GROUP_LIMIT=""
#REALM="-R 'Restricted Area'"
#REALM="-R 'Restricted Area'"
# these are used with init scripts only
# these are used with init scripts only
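Review bot: The new example `#GROUP_BASE="-b dc=nodomain"` uses the user base-DN flag, while the option this commit adds for the group base is `-g` (`dest="groupbasedn"` in the argparse hunk); an operator who uncomments it as written passes a second `-b`, leaves groupbasedn unset, and the handler silently skips the group check because it only runs when both grouplimit and groupbasedn are set. It should read `#GROUP_BASE="-g dc=nodomain"`. `#GROUP_LIMIT=""` likewise omits the flag the daemon expects, unlike every other entry in this file, so a form such as `#GROUP_LIMIT="-G admins"` (example group name) would show how the value is meant to be written. Since both variables are expanded unquoted into the DAEMON_ARGS and ExecStart lines of the init script and unit file, this example file is the only place the operator learns the flags, which makes getting them right here matter.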
@ -8,7 +8,7 @@ User=nginx-ldap-auth
Group=nginx-ldap-auth
Group=nginx-ldap-auth
WorkingDirectory=/var/run
WorkingDirectory=/var/run
EnvironmentFile=/etc/default/nginx-ldap-auth
EnvironmentFile=/etc/default/nginx-ldap-auth
ExecStart=/usr/bin/nginx-ldap-auth-daemon $URL $BASE $BIND_DN $BIND_PASS $COOKIE $FILTER $REALM
ExecStart=/usr/bin/nginx-ldap-auth-daemon $URL $BASE $GROUP_BASE $BIND_DN $BIND_PASS $COOKIE $FILTER $GROUP_FILTER $GROUP_LIMIT $REALM
KillMode=process
KillMode=process
KillSignal=SIGINT
KillSignal=SIGINT
Restart=on-failure
Restart=on-failure