Lines 756-762
def format_escaped(format_string, *args, **kwargs):
756 |
""" |
756 |
""" |
757 |
return LDAPEscapeFormatter().format(format_string, *args, **kwargs) |
757 |
return LDAPEscapeFormatter().format(format_string, *args, **kwargs) |
758 |
|
758 |
|
759 |
class Simple_AD_Connection(): |
759 |
class Simple_AD_Connection(object): |
760 |
|
760 |
|
761 |
''' stripped down univention.connector.ad.ad class |
761 |
''' stripped down univention.connector.ad.ad class |
762 |
difference: accept "bindpwd" directly instead of "bindpw" filename |
762 |
difference: accept "bindpwd" directly instead of "bindpw" filename |
Lines 765-770
class Simple_AD_Connection():
765 |
difference: don't use TLS |
765 |
difference: don't use TLS |
766 |
''' |
766 |
''' |
767 |
|
767 |
|
|
|
768 |
def bind_sasl_gssapi(self, binddn, bindpw, access): |
769 |
ENV_KRB5CCNAME = 'KRB5CCNAME' |
770 |
princ = binddn |
771 |
if ldap.dn.is_dn(princ): |
772 |
princ = ldap.dn.str2dn(princ)[0][0][1] |
773 |
os.environ[ENV_KRB5CCNAME] = '/var/cache/univention-ad-connector/krb5.cc.well' |
774 |
with NamedTemporaryFile('w') as tmp_file: |
775 |
tmp_file.write(bindpw) |
776 |
tmp_file.flush() |
777 |
cmd_block = ['kinit', '--no-addresses', '--password-file=%s' % tmp_file.name, princ] |
778 |
p1 = subprocess.Popen(cmd_block, close_fds=True) |
779 |
stdout, stderr = p1.communicate() |
780 |
auth = ldap.sasl.gssapi("") |
781 |
access.lo.sasl_interactive_bind_s("", auth) |
782 |
return access |
783 |
|
768 |
def __init__(self, CONFIGBASENAME, ucr, host, port, base, binddn, bindpw, certificate): |
784 |
def __init__(self, CONFIGBASENAME, ucr, host, port, base, binddn, bindpw, certificate): |
769 |
|
785 |
|
770 |
self.CONFIGBASENAME = CONFIGBASENAME |
786 |
self.CONFIGBASENAME = CONFIGBASENAME |
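Review bot: In bind_sasl_gssapi the kinit exit status is never checked: `Popen` is followed by `communicate()` and the result is discarded (`stdout`/`stderr` are also always None here, since no pipes are requested), so a failed kinit goes unnoticed and the GSSAPI bind on the next line proceeds against whatever ticket, if any, still sits in the fixed credential cache at `/var/cache/univention-ad-connector/krb5.cc.well`, which produces a confusing bind error or silently reuses a stale ticket. Replace the two Popen/communicate lines with `subprocess.check_call(cmd_block, close_fds=True)` so a non-zero exit raises inside the `with` block, while the password file is still removed. It would also help to note in the method docstring that the password is written to a private temporary file only for the duration of the kinit call and that `KRB5CCNAME` is set process-wide (the change is inherited by every later subprocess of this process). The enclosing class begins outside this hunk; the method itself ends within it.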
Lines 776-812
class Simple_AD_Connection():
776 |
self.bindpw = bindpw |
792 |
self.bindpw = bindpw |
777 |
self.certificate = certificate |
793 |
self.certificate = certificate |
778 |
self.ucr = ucr |
794 |
self.ucr = ucr |
779 |
self.protocol = 'ldaps' if ucr.is_true('%s/ad/ldap/ldaps' % CONFIGBASENAME, False) else 'ldap' |
795 |
self.ldaps = self.ucr.is_true('%s/ad/ldap/ldaps' % self.CONFIGBASENAME, False) |
780 |
self.uri = "%s://%s:%d" % (self.protocol, self.host, int(self.port)) |
796 |
|
781 |
|
797 |
access = univention.uldap.access( |
782 |
if self.certificate: |
798 |
host=self.host, |
783 |
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.certificate) |
799 |
port=int(self.port), |
784 |
|
800 |
base=self.base, |
785 |
#ldap.set_option(ldap.OPT_DEBUG_LEVEL, 4095) |
801 |
binddn=None, |
786 |
#ldap._trace_level = 9 |
802 |
bindpw=None, |
787 |
#ldap.set_option(ldap.OPT_X_SASL_SSF_MIN, 1) |
803 |
start_tls=0, |
788 |
#ldap.set_option(ldap.OPT_X_SASL_SECPROPS, "minssf=1") |
804 |
use_ldaps=self.ldaps, |
789 |
|
805 |
ca_certfile=self.certificate, |
790 |
self.lo = ldap.ldapobject.ReconnectLDAPObject(self.uri, retry_max=10, retry_delay=1) |
806 |
follow_referral=True, |
791 |
|
807 |
decode_ignorelist=['objectSid', 'objectGUID', 'repsFrom', 'replUpToDateVector', 'ipsecData', 'logonHours', 'userCertificate', 'dNSProperty', 'dnsRecord', 'member']) |
|
|
808 |
|
809 |
# TODO move sasl/gssapi ldap authentication to uldap.access |
792 |
if ucr.is_true('%s/ad/ldap/kerberos' % CONFIGBASENAME): |
810 |
if ucr.is_true('%s/ad/ldap/kerberos' % CONFIGBASENAME): |
793 |
princ = self.binddn |
811 |
access = self.bind_sasl_gssapi(self.binddn, self.bindpw, access) |
794 |
if ldap.dn.is_dn(self.binddn): |
|
|
795 |
princ = ldap.dn.str2dn(self.binddn)[0][0][1] |
796 |
os.environ['KRB5CCNAME'] = '/var/cache/univention-ad-connector/krb5.cc.well' |
797 |
with NamedTemporaryFile('w') as tmp_file: |
798 |
tmp_file.write(self.bindpw) |
799 |
tmp_file.flush() |
800 |
cmd_block = ['kinit', '--no-addresses', '--password-file=%s' % tmp_file.name, princ] |
801 |
p1 = subprocess.Popen(cmd_block, close_fds=True) |
802 |
stdout, stderr = p1.communicate() |
803 |
auth = ldap.sasl.gssapi("") |
804 |
self.lo.sasl_interactive_bind_s("", auth) |
805 |
else: |
812 |
else: |
806 |
self.lo.simple_bind_s(self.binddn, self.bindpw) |
813 |
access.bind(self.binddn, self.bindpw) |
807 |
|
|
|
808 |
self.lo.set_option(ldap.OPT_REFERRALS, 0) |
809 |
|
814 |
|
|
|
815 |
self.lo = access.lo |
810 |
self.ad_sid = None |
816 |
self.ad_sid = None |
811 |
result = self.lo.search_ext_s(self.base, ldap.SCOPE_BASE, 'objectclass=domain', ['objectSid'], timeout=-1, sizelimit=0) |
817 |
result = self.lo.search_ext_s(self.base, ldap.SCOPE_BASE, 'objectclass=domain', ['objectSid'], timeout=-1, sizelimit=0) |
812 |
if 'objectSid' in result[0][1]: |
818 |
if 'objectSid' in result[0][1]: |
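Review bot: The new `univention.uldap.access(...)` call passes `follow_referral=True`, whereas the removed code explicitly disabled referral chasing with `self.lo.set_option(ldap.OPT_REFERRALS, 0)`; if uldap.access maps that flag onto OPT_REFERRALS as the name suggests, this hunk reverses the previous behaviour, and chasing AD referrals means the client may open connections to other servers named by the directory. If that is intended, please say so in a comment on the `follow_referral=True` line, otherwise keep it at `False` to preserve the old behaviour. The hunk also drops the `self.protocol` and `self.uri` attributes (replaced by `self.ldaps`); any other code reading `self.uri` would need updating, which cannot be verified from this page. The `__init__` method continues beyond the end of the hunk.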