###############################################################################
# Copyright (c) 2017 Koren Lev (Cisco Systems), Yaron Yogev (Cisco Systems) #
# and others #
# #
# All rights reserved. This program and the accompanying materials #
# are made available under the terms of the Apache License, Version 2.0 #
# which accompanies this distribution, and is available at #
# http://www.apache.org/licenses/LICENSE-2.0 #
###############################################################################
import ssl
from ldap3 import Server, Connection, Tls
from utils.config_file import ConfigFile
from utils.logging.full_logger import FullLogger
from utils.singleton import Singleton
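class LDAPAccess(metaclass=Singleton):
    """Authenticate users against an LDAP directory via simple bind.

    Connection parameters are read from an ``ldap.conf``-style file (see
    ``get_ldap_params``); ``user_tree_dn`` and ``user_id_attribute`` are
    mandatory.  Because the class is a ``Singleton``, the configuration is
    parsed and the ``Server`` object is built once per process.
    """

    default_config_file = "ldap.conf"

    # Maps the ``tls_req_cert`` config value to an ssl verification mode.
    # NOTE: "default" -- and, via connect_ldap_server(), any unrecognised or
    # missing value -- disables server certificate verification, so a typo in
    # the config silently downgrades to an unverified TLS connection.  Set
    # ``tls_req_cert = demand`` to enforce verification.
    TLS_REQUEST_CERTS = {
        "demand": ssl.CERT_REQUIRED,
        "allow": ssl.CERT_OPTIONAL,
        "never": ssl.CERT_NONE,
        "default": ssl.CERT_NONE
    }
    # Always open the connection over TLS (ldaps / use_ssl=True in ldap3).
    user_ssl = True

    def __init__(self, config_file_path=""):
        """Load LDAP parameters and build the ``Server`` object.

        :param config_file_path: path of the config file; when empty the
            file named by ``default_config_file`` is looked up via
            ``ConfigFile.get``.
        :raises ValueError: when a mandatory parameter is missing.
        """
        super().__init__()
        self.log = FullLogger()
        self.ldap_params = self.get_ldap_params(config_file_path)
        self.server = self.connect_ldap_server()

    def get_ldap_params(self, config_file_path):
        """Return the LDAP parameters, merging the config file over defaults.

        :param config_file_path: explicit config file path, or "" to use the
            default location.
        :returns: dict with at least ``url``, ``user_tree_dn`` and
            ``user_id_attribute``.
        :raises ValueError: if ``user_tree_dn`` or ``user_id_attribute`` is
            absent.  Errors raised while reading the file are logged and
            re-raised unchanged.
        """
        ldap_params = {
            "url": "ldap://localhost:389"
        }
        if not config_file_path:
            config_file_path = ConfigFile.get(self.default_config_file)
        if config_file_path:
            try:
                config_file = ConfigFile(config_file_path)
                params = config_file.read_config()
                ldap_params.update(params)
            except Exception as e:
                self.log.error(str(e))
                raise
        # Both keys are needed to build the bind DN in authenticate_user().
        for required in ("user_tree_dn", "user_id_attribute"):
            if required not in ldap_params:
                raise ValueError(required + " must be specified in " +
                                 config_file_path)
        return ldap_params

    def connect_ldap_server(self):
        """Build the ldap3 ``Server`` object from ``self.ldap_params``.

        When ``tls_cacertfile`` is set it is used as the CA bundle that the
        server certificate is verified against, with the strictness chosen
        by ``tls_req_cert``.  Without it ldap3 uses its default ``Tls``
        object, i.e. an encrypted but unverified connection.
        """
        ca_certificate_file = self.ldap_params.get('tls_cacertfile')
        req_cert = self.ldap_params.get('tls_req_cert')
        ldap_url = self.ldap_params.get('url')
        if not ca_certificate_file:
            return Server(ldap_url, use_ssl=self.user_ssl)
        # Unknown/missing values fall back to "default" (no verification);
        # see the note on TLS_REQUEST_CERTS.
        if req_cert not in self.TLS_REQUEST_CERTS:
            req_cert = 'default'
        # ca_certs_file is the trust anchor for verifying the *server*;
        # local_certificate_file would instead be a client certificate and
        # leave the server certificate checked against the system store only.
        tls = Tls(ca_certs_file=ca_certificate_file,
                  validate=self.TLS_REQUEST_CERTS[req_cert])
        return Server(ldap_url, use_ssl=self.user_ssl, tls=tls)

    @staticmethod
    def _escape_rdn_value(value):
        """Escape *value* for use as an RDN attribute value (RFC 4514 §2.4).

        Backslash-escapes the DN special characters, a NUL byte, a leading
        space or '#', and a trailing space, so that an attacker-chosen
        username cannot change the structure of the bind DN.
        """
        escaped = "".join(
            "\\" + ch if ch in '\\,+"<>;=' else ch for ch in value
        )
        escaped = escaped.replace("\x00", "\\00")
        if escaped.startswith((" ", "#")):
            escaped = "\\" + escaped
        # A space is never preceded by an escape backslash after the join
        # above, so the trailing one can be escaped unconditionally.
        if escaped.endswith(" "):
            escaped = escaped[:-1] + "\\ "
        return escaped

    def authenticate_user(self, username, pwd):
        """Return True if *username*/*pwd* bind successfully, else False.

        Empty credentials are rejected up front: an LDAP simple bind with an
        empty password is an *unauthenticated* bind (RFC 4513 §5.1.2) that
        many servers accept, and must never count as a successful login.
        Bind failures and transport errors are logged and yield False.
        """
        if not username or not pwd:
            return False
        if not self.server:
            self.server = self.connect_ldap_server()
        # The username is untrusted input; escape it so characters such as
        # ',' or '=' cannot rewrite the DN (LDAP DN injection).
        user_dn = "{0}={1},{2}".format(
            self.ldap_params['user_id_attribute'],
            self._escape_rdn_value(username),
            self.ldap_params['user_tree_dn'])
        connection = Connection(self.server, user=user_dn, password=pwd)
        # validate the user by binding
        # bound is true if binding succeed, otherwise false
        bound = False
        try:
            bound = connection.bind()
            connection.unbind()
        except Exception as e:
            self.log.error('Failed to bind the server for {0}'.format(str(e)))
        return bound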