[Kimchi-devel] [PATCHv1 3/4] Add LDAP authentication

Aline Manera alinefm at linux.vnet.ibm.com
Tue Oct 21 18:43:56 UTC 2014 

On 10/20/2014 11:52 AM, lvroyce0210 at gmail.com wrote:
> From: Royce Lv <lvroyce at linux.vnet.ibm.com>
>
> Add LDAP authentication, also deals with invalid user,
> LDAP search base configure error and other LDAP errors.
>
> Signed-off-by: Royce Lv <lvroyce at linux.vnet.ibm.com>
> ---
>   contrib/DEBIAN/control.in     |  1 +
>   contrib/kimchi.spec.fedora.in |  1 +
>   contrib/kimchi.spec.suse.in   |  1 +
>   src/kimchi/auth.py            | 44 ++++++++++++++++++++++++++++++++++++++++++-
>   4 files changed, 46 insertions(+), 1 deletion(-)
>
> diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
> index 7372a58..0721960 100644
> --- a/contrib/DEBIAN/control.in
> +++ b/contrib/DEBIAN/control.in
> @@ -27,6 +27,7 @@ Depends: python-cherrypy3 (>= 3.2.0),
>            firewalld,
>            nginx,
>            python-guestfs,
> +         python-ldap,
>            libguestfs-tools
>   Build-Depends: libxslt,
>                  python-libxml2,
> diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
> index 2ca3076..fcb8c11 100644
> --- a/contrib/kimchi.spec.fedora.in
> +++ b/contrib/kimchi.spec.fedora.in
> @@ -29,6 +29,7 @@ Requires:	nfs-utils
>   Requires:	nginx
>   Requires:	iscsi-initiator-utils
>   Requires:	policycoreutils-python
> +Requires:	python-ldap
>   Requires:	python-libguestfs
>   Requires:	libguestfs-tools
>   BuildRequires:	libxslt
> diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in
> index 9ea240c..b8f0531 100644
> --- a/contrib/kimchi.spec.suse.in
> +++ b/contrib/kimchi.spec.suse.in
> @@ -23,6 +23,7 @@ Requires:	python-psutil >= 0.6.0
>   Requires:	python-jsonschema >= 1.3.0
>   Requires:	python-ethtool
>   Requires:	python-ipaddr
> +Requires:	python-ldap
>   Requires:	python-lxml
>   Requires:	python-xml
>   Requires:	nfs-client
> diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
> index 10c7c1f..162bbfd 100644
> --- a/src/kimchi/auth.py
> +++ b/src/kimchi/auth.py
> @@ -20,6 +20,7 @@
>   import base64
>   import cherrypy
>   import fcntl
> +import ldap
>   import multiprocessing
>   import os
>   import PAM
> @@ -177,6 +178,7 @@ class PAMUser(User):
>
>   class LDAPUser(User):
>       auth_type = "ldap"
> +
>       def __init__(self, username):
>           self.user = {}
>           self.user[USER_NAME] = username
> @@ -187,7 +189,47 @@ class LDAPUser(User):
>
>       @staticmethod
>       def authenticate(username, password):
> -        return False
> +        ldap_server = config.get("authentication", "ldap_server").strip('"')
> +        ldap_search_base = config.get(
> +            "authentication", "ldap_search_base").strip('"')
> +        ldap_search_filter = config.get(
> +            "authentication", "ldap_search_filter",
> +            vars={"username": username.encode("utf-8")}).strip('"')
> +
> +        connect = ldap.open(ldap_server)
> +        try:
> +            try:
> +                result = connect.search_s(
> +                    ldap_search_base, ldap.SCOPE_SUBTREE, ldap_search_filter)
> +                if len(result) == 0:
> +                    entity = ldap_search_filter % {'username': username}
> +                    raise ldap.LDAPError("Invalid ldap entity:%s" % entity)
> +            except ldap.NO_SUCH_OBJECT:
> +                # ldap search base specified wrongly.
> +                raise ldap.LDAPError(
> +                    "invalid ldap search base %s" % ldap_search_base)
> +
> +            try:
> +                connect.bind_s(result[0][0], password)
> +            except ldap.INVALID_CREDENTIALS:
> +                # invalid user password
> +                raise ldap.LDAPError("invalid user/passwd")
> +            connect.unbind_s()
> +            return True
> +        except ldap.LDAPError, e:
> +            arg = {"username": username, "code": e.message}
> +            raise OperationFailed("KCHAUTH0001E", arg)
> +
> +    def get_groups(self):
> +        return self.user[USER_GROUPS]
> +

> +    def get_roles(self):
> +        self.user[USER_ROLES] = dict.fromkeys(tabs, 'admin')
> +        return self.user[USER_ROLES]

The admin ID's should be listed on Kimchi config file, instead of doing 
admin permissions to all users.

So on __init__():

self.admin_users = config.get("authentication", "ldap_admin_users")
self.user[USER_ROLES] = dict.fromkeys(tabs, 'admin') if 
self.user[USERNAME] in self.admin_users else dict.fromkeys(tabs, 'user')

And on get_roles():

def get_roles(self):
     return self.user[USER_ROLES]



> +
> +    def get_user(self):
> +        return self.user
> +
>
>   def from_browser():
>       # Enable Basic Authentication for REST tools.

More information about the Kimchi-devel mailing list