author | B. Stack <bgstack15@gmail.com> | 2021-06-24 11:35:00 -0400 |
---|---|---|
committer | B. Stack <bgstack15@gmail.com> | 2021-06-24 11:35:00 -0400 |
commit | 23837ea33e62d279a039931f9cee781112b2f3ea (patch) | |
tree | cb06b3a91f61a008e746a33422e33012ad78de81 /session_app.py.publish | |
parent | add www-negotiate basic header to /login/basic (diff) | |
download | session_app-23837ea33e62d279a039931f9cee781112b2f3ea.tar.gz session_app-23837ea33e62d279a039931f9cee781112b2f3ea.tar.bz2 session_app-23837ea33e62d279a039931f9cee781112b2f3ea.zip |
add dns-based ldap domain controller lookup
and rotate through the returned list of servers, per request!
Diffstat (limited to 'session_app.py.publish')
-rwxr-xr-x | session_app.py.publish | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/session_app.py.publish b/session_app.py.publish
index adfd0ad..fd403c2 100755
--- a/session_app.py.publish
+++ b/session_app.py.publish
@@ -10,11 +10,11 @@
 # future: https://code.tutsplus.com/tutorials/flask-authentication-with-ldap--cms-23101
 # better timeout session: https://stackoverflow.com/a/49891626/3569534
 # store "formdata" in session for changing the basic auth to form data for the ldap login https://stackoverflow.com/a/56904875/3569534
+# modify url from urlparse https://stackoverflow.com/a/21629125/3569534
 # Improve:
 # move all configs to config file
 # move all references to references section
 # accept a bind credential so we can perform lookups of users who match "uid=%s" under a basedn.
-# accept a ldap dns domain name, and a SRV lookup for _tcp._ldap
 # Run:
 # FLASK_APP=session_app.py FLASK_DEBUG=1 flask run --host 0.0.0.0
 # Dependencies:
@@ -28,6 +28,7 @@ from functools import wraps
 import binascii, datetime
 import os
 import session_ldap
+from urllib.parse import urlparse
 
 DEBUG=True
 app = Flask(__name__)
@@ -36,7 +37,7 @@ app.debug=True
 secret_key_value = os.urandom(24)
 secret_key_value_hex_encoded = binascii.hexlify(secret_key_value)
 app.config['SECRET_KEY'] = secret_key_value_hex_encoded
-app.config['LDAP_URI'] = "ldaps://dns1.ipa.internal.com:636"
+app.config['LDAP_URI'] = "ldaps://ipa.internal.com:636"
 app.config['LDAP_USER_BASEDN'] = "cn=users,cn=accounts,dc=ipa,dc=internal,dc=com"
 app.config['LDAP_GROUP_BASEDN'] = "cn=groups,cn=accounts,dc=ipa,dc=internal,dc=com"
 app.config['LDAP_USER_FORMAT'] = "uid=%s,cn=users,cn=accounts,dc=ipa,dc=internal,dc=com"
@@ -183,8 +184,26 @@ def login(user="None"):
 
 def ldap_login(username,password):
     #print(f"DEBUG: Trying user {username} with pw '{password}'")
+    # on first ldap_login attempt, cache this lookup result:
+    if 'LDAP_HOSTS' not in app.config:
+        this_domain = urlparse(app.config['LDAP_URI']).hostname
+        app.config['LDAP_HOSTS'] = session_ldap.list_ldap_servers_for_domain(this_domain)
+    else:
+        # rotate them! So every ldap_login attempt will use the next ldap server in the list.
+        this_list = app.config['LDAP_HOSTS']
+        a = this_list[0]
+        this_list.append(a)
+        this_list.pop(0)
+        app.config['LDAP_HOSTS'] = this_list
+    # construct a new, full uri.
+    this_netloc = app.config['LDAP_HOSTS'][0]
+    up = urlparse(app.config['LDAP_URI'])
+    if up.port:
+        this_netloc += f":{up.port}"
+    this_uri = up._replace(netloc=this_netloc).geturl()
+    # Perform the ldap interactions
     user = session_ldap.authenticated_user(
-        app.config['LDAP_URI'],
+        this_uri,
         app.config['LDAP_USER_FORMAT'],
         username,
         password
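Review bot: `this_netloc = app.config['LDAP_HOSTS'][0]` raises IndexError whenever `list_ldap_servers_for_domain` returns an empty list, and because the first branch caches whatever came back, a transient DNS failure on the very first login poisons every later login until the process restarts. The cached result is also never refreshed, so a decommissioned or newly added domain controller is not picked up; caching with a TTL, or re-resolving when a bind fails, would address both. The rotation is round-robin per call rather than failover — a login that lands on an unreachable server simply fails — and the in-place `append`/`pop` on the list shared through `app.config` is not safe under a threaded WSGI server; rebinding a fresh list is at least non-corrupting. Separately, the target hostname now comes from DNS instead of configuration, so the `ldaps://` certificate check inside `session_ldap.authenticated_user` (not visible here) is what keeps a spoofed SRV answer from receiving the bind credentials; it is worth confirming it verifies the certificate against the rotated hostname. `ldap_login`'s body continues past the end of the hunk.
```python
def ldap_login(username,password):
    # … unchanged: commented-out debug print …
    # Resolve the LDAP servers for the configured domain once; an empty or
    # failed lookup must not be cached, or every later login fails on [0].
    if not app.config.get('LDAP_HOSTS'):
        this_domain = urlparse(app.config['LDAP_URI']).hostname
        hosts = session_ldap.list_ldap_servers_for_domain(this_domain)
        if not hosts:
            # fall back to the configured host instead of raising IndexError
            hosts = [this_domain]
        app.config['LDAP_HOSTS'] = list(hosts)
    else:
        # round-robin: move the head to the tail by rebinding, not mutating in place
        this_list = app.config['LDAP_HOSTS']
        app.config['LDAP_HOSTS'] = this_list[1:] + this_list[:1]
    # … unchanged: build this_uri from LDAP_HOSTS[0] and the configured port …
    # … unchanged: session_ldap.authenticated_user(...) call …
```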