diff options
| author | B. Stack <bgstack15@gmail.com> | 2021-06-24 22:47:02 -0400 |
|---|---|---|
| committer | B. Stack <bgstack15@gmail.com> | 2021-06-24 22:58:58 -0400 |
| commit | 5b3973c954db30f24160ce43d6f07ad50f8c47da (patch) | |
| tree | e04383a32b515ecfd665c8adda7c8b878f5151d8 /session_ldap.py | |
| parent | add dns-based ldap domain controller lookup (diff) | |
| download | session_app-5b3973c954db30f24160ce43d6f07ad50f8c47da.tar.gz session_app-5b3973c954db30f24160ce43d6f07ad50f8c47da.tar.bz2 session_app-5b3973c954db30f24160ce43d6f07ad50f8c47da.zip | |
WIP: convert ldap to use bind credential
Multiple functions have been written to handle username resolution
using a bind credential, but the the main app does not use them yet,
and is actually broken.
Diffstat (limited to 'session_ldap.py')
| -rw-r--r-- | session_ldap.py | 60 |
1 files changed, 54 insertions, 6 deletions
diff --git a/session_ldap.py b/session_ldap.py index d12f008..423f322 100644 --- a/session_ldap.py +++ b/session_ldap.py @@ -8,15 +8,27 @@ import ldap3 from ldap3.core.exceptions import LDAPBindError, LDAPPasswordIsMandatoryError -def authenticated_user(server_uri, user_format, username, password): - user = user_format.replace("%s",username) +def list_matching_users(server_uri, bind_dn, bind_pw,user_base, username, user_match_attrib): + search_filter=f"({user_match_attrib}={username})" + server = ldap3.Server(server_uri) + conn = ldap3.Connection(server, auto_bind=True,user=bind_dn, password=bind_pw) + conn.search( + search_base=user_base, + search_filter=search_filter) + print(f"DEBUG: search_base {user_base}") + print(f"DEBUG: search_filter {search_filter}") + result = [] + for i in conn.entries: + result.append(i.entry_dn) + print(f"DEBUG: result {result}") + return result + +def authenticated_user(server_uri, user_dn, password): print(f"server_uri: {server_uri}") - print(f"username: {username}") - print(f"user_format: {user_format}") - print(f"user: {user}") + print(f"user_dn: {user_dn}") try: server = ldap3.Server(server_uri) - conn = ldap3.Connection(server, auto_bind=True, user=user, password=password) + conn = ldap3.Connection(server, auto_bind=True, user=user_dn, password=password) return conn except LDAPBindError as e: if 'invalidCredentials' in str(e): @@ -48,3 +60,39 @@ def list_ldap_servers_for_domain(domain): if not len(namelist): namelist.append(domain) return namelist + +def get_ldap_user_groups(server_uri, bind_dn, bind_pw,user_dn,user_attrib_memberof,group_name_attrib,group_base): + server = ldap3.Server(server_uri) + conn = ldap3.Connection(server, auto_bind=True,user=bind_dn, password=bind_pw) + conn.search( + search_base=user_dn, + search_filter="(cn=*)", # this has the potential to not work in a directory where CN is not a part of any dn? + search_scope="BASE", + attributes=[user_attrib_memberof] + ) + these_groups = conn.entries[0].entry_attributes_as_dict[user_attrib_memberof] + #print(f"DEBUG: these_groups={these_groups}") + result = [] + for group in these_groups: + #print(f"DEBUG: will check for value {group_base} in {group}") + if group_base in group: + if group_name_attrib == "dn": + #print(f"DEBUG: just add group via dn {group}") + result.append(group) + else: + # we need to lookup this group and pick the attribute of it the admin wants. + #print(f"DEBUG: need to lookup group {group} and extract attrib {group_name_attrib}") + conn.search( + search_base=group, + search_filter="(objectClass=*)", + search_scope="BASE", + attributes=[group_name_attrib] + ) + this_group=conn.entries[0].entry_attributes_as_dict[group_name_attrib][0] + #print(f"DEBUG: Group {group} identified as attrib {group_name_attrib}={this_group}") + result.append(this_group) + return result + +def get_ldap_dn_from_krbPrincipalName(server_uri, bind_dn, bind_pw,user_krbPrincipalName): + # goal: return as string the dn + print("stub") |