Commit d2e2d2ac authored by Julian Rother's avatar Julian Rother
Browse files

Merge branch '295-ldap-authentifizierung-an-active-directory' into 'master'

Resolve "LDAP-Authentifizierung an Active Directory"

Closes #295

See merge request !11
parents 1399eed3 6dd57121
......@@ -25,6 +25,7 @@ SQLITE_INIT_DATA = True
#LDAP_HOST = 'rumo.fsmpi.rwth-aachen.de'
LDAP_PORT = 636
LDAP_GROUPS = ['users']
#ICAL_URL = 'https://user:password@mail.fsmpi.rwth-aachen.de/SOGo/....ics'
ERROR_PAGE = 'static/500.html'
RWTH_IP_RANGES = ['134.130.0.0/16', '137.226.0.0/16', '134.61.0.0/16', '192.35.229.0/24', '2a00:8a60::/32']
......
......@@ -152,24 +152,14 @@ if 'LDAP_HOST' in config:
def ldapauth(user, password):
user = LDAP_USERRE.sub(r'', user.lower())
try:
conn = ldap3.Connection(ldap3.Server(config['LDAP_HOST'], port=config['LDAP_PORT'], use_ssl=True), 'uid=%s,ou=users,dc=fsmpi,dc=rwth-aachen,dc=de'%user, password, auto_bind=True)
groups = []
if conn.search("ou=groups,dc=fsmpi,dc=rwth-aachen,dc=de", "(&(cn=*)(memberUid=%s))"%user, attributes=['cn']):
groups = [e['attributes']['cn'][0] for e in conn.response]
conn.unbind()
return user, groups
except ldap3.core.exceptions.LDAPExceptionError:
return None, []
def ldapget(user):
user = LDAP_USERRE.sub(r'', user.lower())
conn = ldap3.Connection(ldap3.Server(config['LDAP_HOST'], port=config['LDAP_PORT'], use_ssl=True), auto_bind=True)
conn.search("ou=users,dc=fsmpi,dc=rwth-aachen,dc=de", "(uid=%s)"%user,
attributes=ldap3.ALL_ATTRIBUTES)
if not conn.response:
return {}
e = conn.response[0]
return {'uid': user, 'givenName': e['attributes']['givenName'][0], 'sn':e['attributes']['sn'][0]}
conn = ldap3.Connection(ldap3.Server(config['LDAP_HOST'], port=config['LDAP_PORT'], use_ssl=True), 'fsmpi\\%s'%user, password, auto_bind=True, check_names=False)
except ldap3.core.exceptions.LDAPBindError:
return {}, []
conn.search("cn=users,dc=fsmpi,dc=rwth-aachen,dc=de", "(cn=%s)"%user, attributes=['memberOf', 'givenName', 'sn'])
info = {'uid': user, 'givenName': conn.response[0]['attributes']['givenName'][0], 'sn': conn.response[0]['attributes']['sn'][0]}
groups = [g.split(',')[0].split('=')[-1] for g in conn.response[0]['attributes']['memberOf']]
conn.unbind()
return info, groups
else:
notldap = {
......@@ -180,9 +170,5 @@ else:
def ldapauth(user, password):
user = LDAP_USERRE.sub(r'', user.lower())
if config.get('DEBUG') and user in notldap and password == notldap[user][0]:
return user, notldap[user][1]
return None, []
def ldapget(user):
user = LDAP_USERRE.sub(r'', user.lower())
return notldap[user][2]
return notldap[user][2], notldap[user][1]
return {}, []
......@@ -72,7 +72,7 @@ app.jinja_env.globals['gitversion'] = { 'hash': output[1], 'longhash': output[0]
if not config.get('SECRET_KEY', None):
config['SECRET_KEY'] = os.urandom(24)
from db import query, modify, show, searchquery, ldapauth, ldapget
from db import query, modify, show, searchquery, ldapauth
mod_endpoints = []
......@@ -502,17 +502,23 @@ def search():
return render_template('search.html', searchtext=request.args['q'], courses=courses, lectures=lectures)
def check_mod(user, groups):
return user and 'users' in groups
if not user:
return False
for group in config['LDAP_GROUPS']:
if group in groups:
return True
return False
@app.route('/internal/login', methods=['GET', 'POST'])
def login():
if request.method == 'GET':
return render_template('login.html')
user, groups = ldapauth(request.form.get('user'), request.form.get('password'))
userinfo, groups = ldapauth(request.form.get('user'), request.form.get('password'))
user = userinfo.get('uid')
if not check_mod(user, groups):
flash('Login fehlgeschlagen!')
return render_template('login.html')
session['user'] = ldapget(user)
session['user'] = userinfo
dbuser = query('SELECT * FROM users WHERE name = ?', user)
if not dbuser:
modify('INSERT INTO users (name, realname, fsacc, level, calendar_key, rfc6238) VALUES (?, ?, ?, 1, "", "")', user, session['user']['givenName'], user)
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment