Merge branch '295-ldap-authentifizierung-an-active-directory' into 'master'

Resolve "LDAP-Authentifizierung an Active Directory"

Closes #295

See merge request !11

config.py.example

@@ -25,6 +25,7 @@ SQLITE_INIT_DATA = True
 
 #LDAP_HOST = 'rumo.fsmpi.rwth-aachen.de'
 LDAP_PORT = 636
+LDAP_GROUPS = ['users']
 #ICAL_URL = 'https://user:password@mail.fsmpi.rwth-aachen.de/SOGo/....ics'
 ERROR_PAGE = 'static/500.html'
 RWTH_IP_RANGES = ['134.130.0.0/16', '137.226.0.0/16', '134.61.0.0/16', '192.35.229.0/24', '2a00:8a60::/32']

db.py

@@ -152,24 +152,14 @@ if 'LDAP_HOST' in config:
 	def ldapauth(user, password):
 		user = LDAP_USERRE.sub(r'', user.lower())
 		try:
-			conn = ldap3.Connection(ldap3.Server(config['LDAP_HOST'], port=config['LDAP_PORT'], use_ssl=True), 'uid=%s,ou=users,dc=fsmpi,dc=rwth-aachen,dc=de'%user, password, auto_bind=True)
-			groups = []
-			if conn.search("ou=groups,dc=fsmpi,dc=rwth-aachen,dc=de", "(&(cn=*)(memberUid=%s))"%user, attributes=['cn']):
-				groups = [e['attributes']['cn'][0] for e in conn.response]
+			conn = ldap3.Connection(ldap3.Server(config['LDAP_HOST'], port=config['LDAP_PORT'], use_ssl=True), 'fsmpi\\%s'%user, password, auto_bind=True, check_names=False)
+		except ldap3.core.exceptions.LDAPBindError:
+			return {}, []
+		conn.search("cn=users,dc=fsmpi,dc=rwth-aachen,dc=de", "(cn=%s)"%user, attributes=['memberOf', 'givenName', 'sn'])
+		info = {'uid': user, 'givenName': conn.response[0]['attributes']['givenName'][0], 'sn': conn.response[0]['attributes']['sn'][0]}
+		groups = [g.split(',')[0].split('=')[-1] for g in conn.response[0]['attributes']['memberOf']]
 		conn.unbind()
-			return user, groups
-		except ldap3.core.exceptions.LDAPExceptionError:
-			return None, []
-
-	def ldapget(user):
-		user = LDAP_USERRE.sub(r'', user.lower())
-		conn = ldap3.Connection(ldap3.Server(config['LDAP_HOST'], port=config['LDAP_PORT'], use_ssl=True), auto_bind=True)
-		conn.search("ou=users,dc=fsmpi,dc=rwth-aachen,dc=de", "(uid=%s)"%user,
-				attributes=ldap3.ALL_ATTRIBUTES)
-		if not conn.response:
-			return {}
-		e = conn.response[0]
-		return {'uid': user, 'givenName': e['attributes']['givenName'][0], 'sn':e['attributes']['sn'][0]}
+		return info, groups
 
 else:
 	notldap = {
@@ -180,9 +170,5 @@ else:
 	def ldapauth(user, password):
 		user = LDAP_USERRE.sub(r'', user.lower())
 		if config.get('DEBUG') and user in notldap and password == notldap[user][0]:
-			return user, notldap[user][1]
-		return None, []
-
-	def ldapget(user):
-		user = LDAP_USERRE.sub(r'', user.lower())
-		return notldap[user][2]
+			return notldap[user][2], notldap[user][1]
+		return {}, []

server.py

@@ -72,7 +72,7 @@ app.jinja_env.globals['gitversion'] = { 'hash': output[1], 'longhash': output[0]
 if not config.get('SECRET_KEY', None):
 	config['SECRET_KEY'] = os.urandom(24)
 
-from db import query, modify, show, searchquery, ldapauth, ldapget
+from db import query, modify, show, searchquery, ldapauth
 
 mod_endpoints = []
 
@@ -502,17 +502,23 @@ def search():
 	return render_template('search.html', searchtext=request.args['q'], courses=courses, lectures=lectures)
 
 def check_mod(user, groups):
-	return user and 'users' in groups
+	if not user:
+		return False
+	for group in config['LDAP_GROUPS']:
+		if group in groups:
+			return True
+	return False
 
 @app.route('/internal/login', methods=['GET', 'POST'])
 def login():
 	if request.method == 'GET':
 		return render_template('login.html')
-	user, groups = ldapauth(request.form.get('user'), request.form.get('password'))
+	userinfo, groups = ldapauth(request.form.get('user'), request.form.get('password'))
+	user = userinfo.get('uid')
 	if not check_mod(user, groups):
 		flash('Login fehlgeschlagen!')
 		return render_template('login.html')
-	session['user'] = ldapget(user)
+	session['user'] = userinfo
 	dbuser = query('SELECT * FROM users WHERE name = ?', user)
 	if not dbuser:
 		modify('INSERT INTO users (name, realname, fsacc, level, calendar_key, rfc6238) VALUES (?, ?, ?, 1, "", "")', user, session['user']['givenName'], user)