Add SSL noverify and group membership
Add an SSL noverify option to allow use of self-signed certificates. Add Group membership query and response to allow authorization in addition to authentication
This commit is contained in:
garethhumphriesmoh
GitHub
parent
3776f634c0
commit
5d6e8e4f93
|
|
@ -149,7 +149,9 @@ class LDAPAuthHandler(AuthHandler):
|
|||
'realm': ('X-Ldap-Realm', 'Restricted'),
|
||||
'url': ('X-Ldap-URL', None),
|
||||
'starttls': ('X-Ldap-Starttls', 'false'),
|
||||
'verifyca': ('X-Ldap-VerifyCa', 'true'),
|
||||
'basedn': ('X-Ldap-BaseDN', None),
|
||||
'groupbasedn': ('X-Ldap-GroupBaseDN', None),
|
||||
'template': ('X-Ldap-Template', '(cn=%(username)s)'),
|
||||
'binddn': ('X-Ldap-BindDN', ''),
|
||||
'bindpasswd': ('X-Ldap-BindPass', ''),
|
||||
|
|
@ -190,6 +192,9 @@ class LDAPAuthHandler(AuthHandler):
|
|||
if not ctx['basedn']:
|
||||
self.log_message('LDAP baseDN is not set!')
|
||||
return
|
||||
|
||||
if not ctx['groupbasedn']:
|
||||
ctx['groupbasedn'] = ctx['basedn']
|
||||
|
||||
ctx['action'] = 'initializing LDAP connection'
|
||||
ldap_obj = ldap.initialize(ctx['url']);
|
||||
|
|
@ -205,6 +210,9 @@ class LDAPAuthHandler(AuthHandler):
|
|||
|
||||
# Establish a STARTTLS connection if required by the
|
||||
# headers.
|
||||
if ctx['verifyca'] != 'true':
|
||||
ldap_obj.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
|
||||
ldap_obj.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
|
||||
if ctx['starttls'] == 'true':
|
||||
ldap_obj.start_tls_s()
|
||||
|
||||
|
|
@ -238,8 +246,20 @@ class LDAPAuthHandler(AuthHandler):
|
|||
|
||||
self.log_message('Auth OK for user "%s"' % (ctx['user']))
|
||||
|
||||
ctx['action'] = 'getting group membership'
|
||||
search_filter='(|(&(objectClass=group)(member=' + ldap_dn + ')))'
|
||||
results = ldap_obj.search_s(ctx['groupbasedn'], ldap.SCOPE_SUBTREE, search_filter, ['cn',])
|
||||
group_names = {}
|
||||
for group in results:
|
||||
group_names[ group[1]['cn'][0] ] = ""
|
||||
groups = sorted(group_names.keys())
|
||||
|
||||
# Successfully authenticated user
|
||||
self.send_response(200)
|
||||
#self.send_header('REMOTE_USER', ctx['user'] )
|
||||
#self.send_header('REMOTE_GROUPS', '|'.join( groups ) )
|
||||
for group in groups:
|
||||
self.send_header('X-Ldap-MemberOf-'+group, "True" )
|
||||
self.end_headers()
|
||||
|
||||
except:
|
||||
|
|
@ -272,11 +292,16 @@ if __name__ == '__main__':
|
|||
group.add_argument('-u', '--url', metavar="URL",
|
||||
default="ldap://localhost:389",
|
||||
help=("LDAP URI to query (Default: ldap://localhost:389)"))
|
||||
group.add_argument('-k', '--verifyca', metavar="verifyca",
|
||||
default="true",
|
||||
help=("Verify root CA is correctly signed (disallow self-signed cerificates) (Default: true)"))
|
||||
group.add_argument('-s', '--starttls', metavar="starttls",
|
||||
default="false",
|
||||
help=("Establish a STARTTLS protected session (Default: false)"))
|
||||
group.add_argument('-b', metavar="baseDn", dest="basedn", default='',
|
||||
help="LDAP base dn (Default: unset)")
|
||||
group.add_argument('-g', metavar="groupBaseDn", dest="groupbasedn", default=None,
|
||||
help="LDAP user groups base dn (Default: same as base dn)")
|
||||
group.add_argument('-D', metavar="bindDn", dest="binddn", default='',
|
||||
help="LDAP bind DN (Default: anonymous)")
|
||||
group.add_argument('-w', metavar="passwd", dest="bindpw", default='',
|
||||
|
|
@ -298,7 +323,9 @@ if __name__ == '__main__':
|
|||
'realm': ('X-Ldap-Realm', args.realm),
|
||||
'url': ('X-Ldap-URL', args.url),
|
||||
'starttls': ('X-Ldap-Starttls', args.starttls),
|
||||
'verifyca': ('X-Ldap-VerifyCa', args.starttls)
|
||||
'basedn': ('X-Ldap-BaseDN', args.basedn),
|
||||
'groupbasedn': ('X-Ldap-GroupBaseDN', args.groupbasedn),
|
||||
'template': ('X-Ldap-Template', args.filter),
|
||||
'binddn': ('X-Ldap-BindDN', args.binddn),
|
||||
'bindpasswd': ('X-Ldap-BindPass', args.bindpw),
|
||||
|
|
|
|||
Loading…
Reference in New Issue