|
Lines 756-762
def format_escaped(format_string, *args, **kwargs):
|
Link Here
|
|---|
|
|---|
| 756 |
""" |
756 |
""" |
| 757 |
return LDAPEscapeFormatter().format(format_string, *args, **kwargs) |
757 |
return LDAPEscapeFormatter().format(format_string, *args, **kwargs) |
| 758 |
|
758 |
|
| 759 |
class Simple_AD_Connection(): |
759 |
class Simple_AD_Connection(object): |
| 760 |
|
760 |
|
| 761 |
''' stripped down univention.connector.ad.ad class |
761 |
''' stripped down univention.connector.ad.ad class |
| 762 |
difference: accept "bindpwd" directly instead of "bindpw" filename |
762 |
difference: accept "bindpwd" directly instead of "bindpw" filename |
|
Lines 765-770
class Simple_AD_Connection():
|
Link Here
|
|---|
|
|---|
| 765 |
difference: don't use TLS |
765 |
difference: don't use TLS |
| 766 |
''' |
766 |
''' |
| 767 |
|
767 |
|
|
|
768 |
def bind_sasl_gssapi(self, binddn, bindpw, access): |
| 769 |
ENV_KRB5CCNAME = 'KRB5CCNAME' |
| 770 |
princ = binddn |
| 771 |
if ldap.dn.is_dn(princ): |
| 772 |
princ = ldap.dn.str2dn(princ)[0][0][1] |
| 773 |
os.environ[ENV_KRB5CCNAME] = '/var/cache/univention-ad-connector/krb5.cc.well' |
| 774 |
with NamedTemporaryFile('w') as tmp_file: |
| 775 |
tmp_file.write(bindpw) |
| 776 |
tmp_file.flush() |
| 777 |
cmd_block = ['kinit', '--no-addresses', '--password-file=%s' % tmp_file.name, princ] |
| 778 |
p1 = subprocess.Popen(cmd_block, close_fds=True) |
| 779 |
stdout, stderr = p1.communicate() |
| 780 |
auth = ldap.sasl.gssapi("") |
| 781 |
access.lo.sasl_interactive_bind_s("", auth) |
| 782 |
return access |
| 783 |
|
| 768 |
def __init__(self, CONFIGBASENAME, ucr, host, port, base, binddn, bindpw, certificate): |
784 |
def __init__(self, CONFIGBASENAME, ucr, host, port, base, binddn, bindpw, certificate): |
| 769 |
|
785 |
|
| 770 |
self.CONFIGBASENAME = CONFIGBASENAME |
786 |
self.CONFIGBASENAME = CONFIGBASENAME |
|
Lines 776-812
class Simple_AD_Connection():
|
Link Here
|
|---|
|
|---|
| 776 |
self.bindpw = bindpw |
792 |
self.bindpw = bindpw |
| 777 |
self.certificate = certificate |
793 |
self.certificate = certificate |
| 778 |
self.ucr = ucr |
794 |
self.ucr = ucr |
| 779 |
self.protocol = 'ldaps' if ucr.is_true('%s/ad/ldap/ldaps' % CONFIGBASENAME, False) else 'ldap' |
795 |
self.ldaps = self.ucr.is_true('%s/ad/ldap/ldaps' % self.CONFIGBASENAME, False) |
| 780 |
self.uri = "%s://%s:%d" % (self.protocol, self.host, int(self.port)) |
796 |
|
| 781 |
|
797 |
access = univention.uldap.access( |
| 782 |
if self.certificate: |
798 |
host=self.host, |
| 783 |
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.certificate) |
799 |
port=int(self.port), |
| 784 |
|
800 |
base=self.base, |
| 785 |
#ldap.set_option(ldap.OPT_DEBUG_LEVEL, 4095) |
801 |
binddn=None, |
| 786 |
#ldap._trace_level = 9 |
802 |
bindpw=None, |
| 787 |
#ldap.set_option(ldap.OPT_X_SASL_SSF_MIN, 1) |
803 |
start_tls=0, |
| 788 |
#ldap.set_option(ldap.OPT_X_SASL_SECPROPS, "minssf=1") |
804 |
use_ldaps=self.ldaps, |
| 789 |
|
805 |
ca_certfile=self.certificate, |
| 790 |
self.lo = ldap.ldapobject.ReconnectLDAPObject(self.uri, retry_max=10, retry_delay=1) |
806 |
follow_referral=True, |
| 791 |
|
807 |
decode_ignorelist=['objectSid', 'objectGUID', 'repsFrom', 'replUpToDateVector', 'ipsecData', 'logonHours', 'userCertificate', 'dNSProperty', 'dnsRecord', 'member']) |
|
|
808 |
|
| 809 |
# TODO move sasl/gssapi ldap authentication to uldap.access |
| 792 |
if ucr.is_true('%s/ad/ldap/kerberos' % CONFIGBASENAME): |
810 |
if ucr.is_true('%s/ad/ldap/kerberos' % CONFIGBASENAME): |
| 793 |
princ = self.binddn |
811 |
access = self.bind_sasl_gssapi(self.binddn, self.bindpw, access) |
| 794 |
if ldap.dn.is_dn(self.binddn): |
|
|
| 795 |
princ = ldap.dn.str2dn(self.binddn)[0][0][1] |
| 796 |
os.environ['KRB5CCNAME'] = '/var/cache/univention-ad-connector/krb5.cc.well' |
| 797 |
with NamedTemporaryFile('w') as tmp_file: |
| 798 |
tmp_file.write(self.bindpw) |
| 799 |
tmp_file.flush() |
| 800 |
cmd_block = ['kinit', '--no-addresses', '--password-file=%s' % tmp_file.name, princ] |
| 801 |
p1 = subprocess.Popen(cmd_block, close_fds=True) |
| 802 |
stdout, stderr = p1.communicate() |
| 803 |
auth = ldap.sasl.gssapi("") |
| 804 |
self.lo.sasl_interactive_bind_s("", auth) |
| 805 |
else: |
812 |
else: |
| 806 |
self.lo.simple_bind_s(self.binddn, self.bindpw) |
813 |
access.bind(self.binddn, self.bindpw) |
| 807 |
|
|
|
| 808 |
self.lo.set_option(ldap.OPT_REFERRALS, 0) |
| 809 |
|
814 |
|
|
|
815 |
self.lo = access.lo |
| 810 |
self.ad_sid = None |
816 |
self.ad_sid = None |
| 811 |
result = self.lo.search_ext_s(self.base, ldap.SCOPE_BASE, 'objectclass=domain', ['objectSid'], timeout=-1, sizelimit=0) |
817 |
result = self.lo.search_ext_s(self.base, ldap.SCOPE_BASE, 'objectclass=domain', ['objectSid'], timeout=-1, sizelimit=0) |
| 812 |
if 'objectSid' in result[0][1]: |
818 |
if 'objectSid' in result[0][1]: |