Issues addressed in the attached patch:
* - allow anonymous or authenticated (bound) searches to obtain a user's full DN
* - allow for a configurable user search prefix (e.g. 'uid=', 'cn=', etc.)
The following items (and their proposed defaults) are needed in /var/lib/cobbler/settings to accommodate this patch:
diff --git a/cobbler/modules/authn_ldap.py b/cobbler/modules/authn_ldap.py
index 6d190bd..36d4054 100644
--- a/cobbler/modules/authn_ldap.py
+++ b/cobbler/modules/authn_ldap.py
@@ -1,6 +1,6 @@
"""
Authentication module that uses ldap
-Settings in /etc/cobbler/authn_ldap.conf
+Settings in /var/lib/cobbler/settings (ldap_*)
Choice of authentication module is in /etc/cobbler/modules.conf
This software may be freely redistributed under the terms of the GNU
@@ -12,14 +12,12 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
"""
# form our ldap uri based on connection port
if port == '389':
@@ -73,17 +68,32 @@ def authenticate(api_handle,username,password):
traceback.print_exc()
return False
+ # if we're not allowed to search anonymously,
+ # grok the search bind settings and attempt to bind
+ anon_bind = str(anon_bind).lower()
+ if anon_bind not in [ "on", "true", "yes", "1" ]:
+ searchdn = api_handle.settings().ldap_search_bind_dn
+ searchpw = api_handle.settings().ldap_search_passwd
+
+ if searchdn == ' or searchpw == ':
+ raise "Missing search bind settings"
+
+ try:
+ dir.simple_bind_s(searchdn, searchpw)
+ except:
+ traceback.print_exc()
+ return False
+
# perform a subtree search in basedn to find the full dn of the user
# TODO: what if username is a CN? maybe it goes into the config file as well?
- filter = "uid=" + username
+ filter = prefix + username
result = dir.search_s(basedn, ldap.SCOPE_SUBTREE, filter, [])
if result:
for dn,entry in result:
- # uid should be unique so we should only have one result
+ # username _should_ be unique so we should only have one result
# ignore entry; we don't need it
pass
else:
- print "FAIL 2"
return False
try:______________________________________________ _
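Review bot: `filter = prefix + username` still builds the LDAP search filter by concatenating the caller-supplied username, so filter metacharacters in it (`*`, `(`, `)`, `\`) change what the subtree search matches; escape it first, e.g. `filter = prefix + ldap.filter.escape_filter_chars(username)` (which needs `import ldap.filter`). Because the prefix is now configurable and the comment only says the username _should_ be unique, the `for dn,entry in result: pass` loop silently keeps the last DN returned; rejecting anything other than exactly one match, `if len(result) != 1: return False`, is safer before that DN is used. In the new bind block, `raise "Missing search bind settings"` is a string exception, which Python 2.6 and later reject with a TypeError; `return False` or a real exception class would match the other failure paths. The test `searchdn == ' or searchpw == '` looks mangled by the list archive (presumably two empty-string comparisons) and should be confirmed against the original patch. authenticate() starts before this hunk and continues past its last line.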