8:52 a.m.
From: Royce Lv <lvroyce(a)linux.vnet.ibm.com>
Add LDAP authentication, also deals with invalid user,
LDAP search base configure error and other LDAP errors.
Signed-off-by: Royce Lv <lvroyce(a)linux.vnet.ibm.com>
---
contrib/DEBIAN/control.in | 1 +
contrib/kimchi.spec.fedora.in | 1 +
contrib/kimchi.spec.suse.in | 1 +
src/kimchi/auth.py | 44 ++++++++++++++++++++++++++++++++++++++++++-
4 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
index 7372a58..0721960 100644
--- a/contrib/DEBIAN/control.in
+++ b/contrib/DEBIAN/control.in
@@ -27,6 +27,7 @@ Depends: python-cherrypy3 (>= 3.2.0),
firewalld,
nginx,
python-guestfs,
+ python-ldap,
libguestfs-tools
Build-Depends: libxslt,
python-libxml2,
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
index 2ca3076..fcb8c11 100644
--- a/contrib/kimchi.spec.fedora.in
+++ b/contrib/kimchi.spec.fedora.in
@@ -29,6 +29,7 @@ Requires: nfs-utils
Requires: nginx
Requires: iscsi-initiator-utils
Requires: policycoreutils-python
+Requires: python-ldap
Requires: python-libguestfs
Requires: libguestfs-tools
BuildRequires: libxslt
diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in
index 9ea240c..b8f0531 100644
--- a/contrib/kimchi.spec.suse.in
+++ b/contrib/kimchi.spec.suse.in
@@ -23,6 +23,7 @@ Requires: python-psutil >= 0.6.0
Requires: python-jsonschema >= 1.3.0
Requires: python-ethtool
Requires: python-ipaddr
+Requires: python-ldap
Requires: python-lxml
Requires: python-xml
Requires: nfs-client
diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
index 10c7c1f..162bbfd 100644
--- a/src/kimchi/auth.py
+++ b/src/kimchi/auth.py
@@ -20,6 +20,7 @@
import base64
import cherrypy
import fcntl
+import ldap
import multiprocessing
import os
import PAM
@@ -177,6 +178,7 @@ class PAMUser(User):
class LDAPUser(User):
auth_type = "ldap"
+
def __init__(self, username):
self.user = {}
self.user[USER_NAME] = username
@@ -187,7 +189,47 @@ class LDAPUser(User):
@staticmethod
def authenticate(username, password):
- return False
+ ldap_server = config.get("authentication",
"ldap_server").strip('"')
+ ldap_search_base = config.get(
+ "authentication",
"ldap_search_base").strip('"')
+ ldap_search_filter = config.get(
+ "authentication", "ldap_search_filter",
+ vars={"username":
username.encode("utf-8")}).strip('"')
+
+ connect = ldap.open(ldap_server)
+ try:
+ try:
+ result = connect.search_s(
+ ldap_search_base, ldap.SCOPE_SUBTREE, ldap_search_filter)
+ if len(result) == 0:
+ entity = ldap_search_filter % {'username': username}
+ raise ldap.LDAPError("Invalid ldap entity:%s" % entity)
+ except ldap.NO_SUCH_OBJECT:
+ # ldap search base specified wrongly.
+ raise ldap.LDAPError(
+ "invalid ldap search base %s" % ldap_search_base)
+
+ try:
+ connect.bind_s(result[0][0], password)
+ except ldap.INVALID_CREDENTIALS:
+ # invalid user password
+ raise ldap.LDAPError("invalid user/passwd")
+ connect.unbind_s()
+ return True
+ except ldap.LDAPError, e:
+ arg = {"username": username, "code": e.message}
+ raise OperationFailed("KCHAUTH0001E", arg)
+
+ def get_groups(self):
+ return self.user[USER_GROUPS]
+
+ def get_roles(self):
+ self.user[USER_ROLES] = dict.fromkeys(tabs, 'admin')
+ return self.user[USER_ROLES]
+
+ def get_user(self):
+ return self.user
+
def from_browser():
# Enable Basic Authentication for REST tools.
--
1.8.3.2