Source code for privacyidea.lib.resolvers.LDAPIdResolver

#  Copyright (C) 2014 Cornelius Kölbel
#  contact:  corny@cornelinux.de
#
#  2018-12-14 Cornelius Kölbel <cornelius.koelbel@netknights.it>
#             Add censored password functionality
#  2017-12-22 Cornelius Kölbel <cornelius.koelbel@netknights.it>
#             Add configurable multi-value-attributes
#             with the help of Nomen Nescio
#  2017-07-20 Cornelius Kölbel <cornelius.koelbel@netknights.it>
#             Fix unicode usernames
#  2017-01-23 Cornelius Kölbel <cornelius.koelbel@netknights.it>
#             Add certificate verification
#  2017-01-07 Cornelius Kölbel <cornelius.koelbel@netknights.it>
#             Use get_info=ldap3.NONE for binds to avoid querying of subschema
#             Remove LDAPFILTER and self.reversefilter
#  2016-07-14 Cornelius Kölbel <cornelius.koelbel@netknights.it>
#             Adding getUserId cache.
#  2016-04-13 Cornelius Kölbel <cornelius.koelbel@netknights.it>
#             Add object_classes and dn_composition to configuration
#             to allow flexible user_add
#  2016-04-10 Martin Wheldon <martin.wheldon@greenhills-it.co.uk>
#             Allow user accounts held in LDAP to be edited, providing
#             that the account they are using has permission to edit
#             those attributes in the LDAP directory
#  2016-02-22 Salvo Rapisarda
#             Allow objectGUID to be a users attribute
#  2016-02-19 Cornelius Kölbel <cornelius.koelbel@netknights.it>
#             Allow objectGUID to be the uid.
#  2015-10-05 Cornelius Kölbel <cornelius.koelbel@netknights.it>
#             Remove reverse_map, so that one LDAP field can map
#             to several privacyIDEA fields.
#  2015-04-16 Cornelius Kölbel <cornelius.koelbel@netknights.it>
#             Add redundancy with LDAP3 Server pools. Round Robin Strategy
#  2015-04-15 Cornelius Kölbel <cornelius.koelbel@netknights.it>
#             Increase test coverage
#  2014-12-25 Cornelius Kölbel <cornelius@privacyidea.org>
#             Rewrite for flask migration
#
# This code is free software; you can redistribute it and/or
# modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
# License as published by the Free Software Foundation; either
# version 3 of the License, or any later version.
#
# This code is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU AFFERO GENERAL PUBLIC LICENSE for more details.
#
# You should have received a copy of the GNU Affero General Public
# License along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
__doc__ = """This is the resolver to find users in LDAP directories like
OpenLDAP and Active Directory.

The file is tested in tests/test_lib_resolver.py
"""

import logging

import yaml
import threading
import functools

from .UserIdResolver import UserIdResolver

import ldap3
from ldap3 import MODIFY_REPLACE, MODIFY_ADD, MODIFY_DELETE
from ldap3 import Tls
from ldap3.core.exceptions import LDAPOperationResult
from ldap3.core.results import RESULT_SIZE_LIMIT_EXCEEDED
import ssl

import os.path

import traceback
from passlib.hash import ldap_salted_sha1
import hashlib
import binascii
from privacyidea.lib.framework import get_app_local_store, get_app_config_value
import datetime

from privacyidea.lib import _
from privacyidea.lib.utils import (is_true, to_bytes, to_unicode,
                                   convert_column_to_unicode)
from privacyidea.lib.error import privacyIDEAError
import uuid
from ldap3.utils.conv import escape_bytes
from operator import itemgetter

log = logging.getLogger(__name__)

try:
    import gssapi
    have_gssapi = True
except ImportError:
    log.info('Could not import gssapi package. Kerberos authentication not available')
    have_gssapi = False

CACHE = {}

ENCODING = "utf-8"
# The number of rounds the resolver tries to reach a responding server in the
#  pool
SERVERPOOL_ROUNDS = 2
# The number of seconds a non-responding server is removed from the server pool
SERVERPOOL_SKIP = 30
# The pooling strategy for the ldap servers
LDAP_STRATEGY = {"ROUND_ROBIN": ldap3.ROUND_ROBIN, "FIRST": ldap3.FIRST, "RANDOM": ldap3.RANDOM}
SERVERPOOL_STRATEGY = "ROUND_ROBIN"

# 1 sec == 10^9 nano secs == 10^7 * (100 nano secs)
MS_AD_MULTIPLYER = 10 ** 7
MS_AD_START = datetime.datetime(1601, 1, 1)

if os.path.isfile("/etc/privacyidea/ldap-ca.crt"):
    DEFAULT_CA_FILE = "/etc/privacyidea/ldap-ca.crt"
elif os.path.isfile("/etc/ssl/certs/ca-certificates.crt"):
    DEFAULT_CA_FILE = "/etc/ssl/certs/ca-certificates.crt"
elif os.path.isfile("/etc/ssl/certs/ca-bundle.crt"):
    DEFAULT_CA_FILE = "/etc/ssl/certs/ca-bundle.crt"
else:
    DEFAULT_CA_FILE = "/etc/privacyidea/ldap-ca.crt"

TLS_NEGOTIATE_PROTOCOL = ssl.PROTOCOL_TLS

DEFAULT_TLS_PROTOCOL = TLS_NEGOTIATE_PROTOCOL

TLS_OPTIONS_1_3 = (ssl.OP_NO_TLSv1_2, ssl.OP_NO_TLSv1_1, ssl.OP_NO_TLSv1, ssl.OP_NO_SSLv3)


class LockingServerPool(ldap3.ServerPool):
    """
    A ``ServerPool`` subclass that uses a RLock to synchronize invocations of
    ``initialize``, ``get_server`` and ``get_current_server``.

    We synchronize invocations to rule out race conditions when multiple threads
    try to manipulate the server pool state concurrently.

    We use a ``RLock`` instead of a simple ``Lock`` to avoid locking ourselves.
    """
    def __init__(self, *args, **kwargs):
        ldap3.ServerPool.__init__(self, *args, **kwargs)
        self._lock = threading.RLock()

    def initialize(self, connection):
        with self._lock:
            return ldap3.ServerPool.initialize(self, connection)

    def get_server(self, connection):
        with self._lock:
            return ldap3.ServerPool.get_server(self, connection)

    def get_current_server(self, connection):
        with self._lock:
            return ldap3.ServerPool.get_current_server(self, connection)


def get_ad_timestamp_now():
    """
    returns the current UTC time as it is used in Active Directory in the
    attribute accountExpires.
    This is 100-nano-secs since 1.1.1601

    :return: time
    :rtype: int
    """
    utc_now = datetime.datetime.utcnow()
    elapsed_time = utc_now - MS_AD_START
    total_seconds = elapsed_time.total_seconds()
    # convert this to (100 nanoseconds)
    return int(MS_AD_MULTIPLYER * total_seconds)


def trim_objectGUID(userId):
    userId = uuid.UUID("{{{0!s}}}".format(userId)).bytes_le
    userId = escape_bytes(userId)
    return userId


def get_info_configuration(noschemas):
    """
    Given the value of the NOSCHEMAS config option, return the value that should
    be passed as ldap3's `get_info` argument.
    :param noschemas: a boolean
    :return: one of ldap3.SCHEMA or ldap3.NONE
    """
    get_schema_info = ldap3.SCHEMA
    if noschemas:
        get_schema_info = ldap3.NONE
    log.debug("Get LDAP schema info: {0!r}".format(get_schema_info))
    return get_schema_info


def ignore_sizelimit_exception(conn, generator):
    """
    Wrapper for ``paged_search``, which (since ldap3 2.3) throws an exception if the size limit has been
    reached. This function wraps the generator and ignores this exception.

    Additionally, this checks ``conn.response`` for any leftover entries that were not yet returned
    by the generator and yields them.
    """
    last_entry = None
    while True:
        try:
            last_entry = next(generator)
            yield last_entry
        except StopIteration:
            # If the generator is exceed, we stop
            break
        except LDAPOperationResult as e:
            # If the size limit has been reached, we stop. All other exceptions are re-raised.
            if e.result == RESULT_SIZE_LIMIT_EXCEEDED:
                # Workaround: In ldap3 <= 2.4.1, the generator may "forget" to yield some entries that
                # were transmitted just before the "size limit exceeded" message. In other words,
                # the exception is raised *before* the generator has yielded those entries.
                # These leftover entries can still be found in ``conn.response``, so we
                # just yield them here.
                # However, as future versions of ldap3 may fix this behavior and
                # may actually yield those elements as well, this workaround may result in
                # duplicate entries.
                # Thus, we check if the last entry we got from the generator can be found
                # in ``conn.response``. If that is the case, we assume the generator works correctly
                # and *all* of ``conn.response`` have been yielded already.
                if last_entry is None or last_entry not in conn.response:
                    for entry in conn.response:
                        yield entry
                break
            else:
                raise


def cache(func):
    """
    cache the user with his loginname, resolver and UID in a local
    dictionary cache.
    This is a per process cache.
    """
    @functools.wraps(func)
    def cache_wrapper(self, *args, **kwds):
        # Only run the code, in case we have a configured cache!
        if self.cache_timeout > 0:
            # If it does not exist, create the node for this instance
            resolver_id = self.getResolverId()
            now = datetime.datetime.now()
            tdelta = datetime.timedelta(seconds=self.cache_timeout)
            if not resolver_id in CACHE:
                CACHE[resolver_id] = {"getUserId": {},
                                      "getUserInfo": {},
                                      "_getDN": {}}
            else:
                # Clean up the cache in the current resolver and the current function
                _to_be_deleted = []
                try:
                    for user, cached_result in CACHE[resolver_id].get(func.__name__).items():
                        if now > cached_result.get("timestamp") + tdelta:
                            _to_be_deleted.append(user)
                except RuntimeError:
                    # This might happen if thread A evicts an expired
                    # cache entry while thread B looks for expired cache entries
                    pass
                for user in _to_be_deleted:
                    try:
                        del CACHE[resolver_id][func.__name__][user]
                    except KeyError:
                        pass
                del _to_be_deleted

            # get the portion of the cache for this very LDAP resolver
            r_cache = CACHE.get(resolver_id).get(func.__name__)
            entry = r_cache.get(args[0])
            if entry and now < entry.get("timestamp") + tdelta:
                log.debug("Reading {0!r} from cache for {1!r}".format(args[0], func.__name__))
                return entry.get("value")

        f_result = func(self, *args, **kwds)

        if self.cache_timeout > 0:
            # now we cache the result
            CACHE[resolver_id][func.__name__][args[0]] = {
                "value": f_result,
                "timestamp": now}

        return f_result

    return cache_wrapper


class AUTHTYPE(object):
    SIMPLE = "Simple"
    SASL_DIGEST_MD5 = "SASL Digest-MD5"
    NTLM = "NTLM"
    SASL_KERBEROS = "SASL Kerberos"


[docs]class IdResolver (UserIdResolver): # If the resolver could be configured editable updateable = True def __init__(self): self.i_am_bound = False self.uri = "" self.basedn = "" self.binddn = "" self.bindpw = "" self.object_classes = [] self.dn_template = "" self.timeout = 5 # seconds! self.sizelimit = 500 self.loginname_attribute = [""] self.searchfilter = "" self.userinfo = {} self.multivalueattributes = [] self.uidtype = "" self.noreferrals = False self._editable = False self.resolverId = self.uri self.scope = ldap3.SUBTREE self.cache_timeout = 120 self.tls_context = None self.start_tls = False self.serverpool_persistent = False self.serverpool_rounds = SERVERPOOL_ROUNDS self.serverpool_skip = SERVERPOOL_SKIP self.serverpool_strategy = SERVERPOOL_STRATEGY self.serverpool = None self.keytabfile = None # The number of seconds that ldap3 waits if no server is left in the pool, before # starting the next round pooling_loop_timeout = get_app_config_value("PI_LDAP_POOLING_LOOP_TIMEOUT", 10) log.info("Setting system wide POOLING_LOOP_TIMEOUT to {0!s}.".format(pooling_loop_timeout)) ldap3.set_config_parameter("POOLING_LOOP_TIMEOUT", pooling_loop_timeout)
[docs] def checkPass(self, uid, password): """ This function checks the password for a given uid. - returns true in case of success - false if password does not match """ if self.authtype == AUTHTYPE.SASL_KERBEROS: if not have_gssapi: log.warning('gssapi module not available. Kerberos authentication not possible') return False # we need to check credentials with kerberos differently since we # can not use bind for every user name = gssapi.Name(self.getUserInfo(uid).get('username')) try: gssapi.raw.ext_password.acquire_cred_with_password(name, to_bytes(password)) except gssapi.exceptions.GSSError as e: log.info('Failed to authenticate user {0!s} with GSSAPI: {1!r}'.format(name, e)) log.debug(traceback.format_exc()) return False return True elif self.authtype == AUTHTYPE.NTLM: # pragma: no cover # fetch the PreWindows 2000 Domain from the self.binddn # which would be of the format DOMAIN\username and compose the # bind_user to DOMAIN\sAMAccountName domain_name = self.binddn.split('\\')[0] uinfo = self.getUserInfo(uid) # In fact, we need the sAMAccountName. If the username mapping is # another attribute than the sAMAccountName the authentication # will fail! bind_user = "{0!s}\\{1!s}".format(domain_name, uinfo.get("username")) else: bind_user = self._getDN(uid) if not self.serverpool: self.serverpool = self.get_serverpool_instance(get_info=ldap3.NONE) try: log.debug("Authtype: {0!r}".format(self.authtype)) log.debug("user : {0!r}".format(bind_user)) # Whatever happens. If we have an empty bind_user, we must break # since we must avoid anonymous binds! if not bind_user or len(bind_user) < 1: raise Exception("No valid user. Empty bind_user.") l = self.create_connection(authtype=self.authtype, server=self.serverpool, user=bind_user, password=password, receive_timeout=self.timeout, auto_referrals=not self.noreferrals, start_tls=self.start_tls) r = l.bind() log.debug("bind result: {0!r}".format(r)) if not r: raise Exception("Wrong credentials") log.debug("bind seems successful.") l.unbind() log.debug("unbind successful.") except Exception as e: log.warning("failed to check password for {0!r}/{1!r}: {2!r}".format(uid, bind_user, e)) log.debug(traceback.format_exc()) return False return True
def _trim_result(self, result_list): """ The resultlist can contain entries of type:searchResEntry and of type:searchResRef. If self.noreferrals is true, all type:searchResRef will be removed. :param result_list: The result list of a LDAP search :type result_list: resultlist (list of dicts) :return: new resultlist """ if self.noreferrals: new_list = [] for result in result_list: if result.get("type") == "searchResEntry": new_list.append(result) elif result.get("type") == "searchResRef": # This is a Referral pass else: new_list = result_list return new_list @staticmethod def _escape_loginname(loginname): """ This function escapes the loginname according to https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx This is to avoid username guessing by trying to login as user a* ac* ach* achm* achme* achemd* :param loginname: The loginname :return: The escaped loginname """ return loginname.replace("\\", "\\5c").replace("*", "\\2a").replace( "(", "\\28").replace(")", "\\29").replace("/", "\\2f") @staticmethod def _get_uid(entry, uidtype): uid = None if uidtype.lower() == "dn": uid = entry.get("dn") else: attributes = entry.get("attributes") if type(attributes.get(uidtype)) == list: uid = attributes.get(uidtype)[0] else: uid = attributes.get(uidtype) if uidtype.lower() == "objectguid": # For ldap3 versions <= 2.4.1, objectGUID attribute values are returned as UUID strings. # For versions greater than 2.4.1, they are returned in the curly-braced string # representation, i.e. objectGUID := "{" UUID "}" # In order to ensure backwards compatibility for user mappings, # we strip the curly braces from objectGUID values. # If we are using ldap3 <= 2.4.1, there are no curly braces and we leave the value unchanged. try: uid = convert_column_to_unicode(uid).strip("{").strip("}") except UnicodeDecodeError as e: # in some weird cases we sometimes get a byte-array here # which resembles an uuid. So we just convert it to one... log.warning('Found a byte-array as uid ({0!s}), trying to ' 'convert it to a UUID. ({1!s})'.format(binascii.hexlify(uid), e)) log.debug(traceback.format_exc()) uid = str(uuid.UUID(bytes_le=uid)) return convert_column_to_unicode(uid) def _trim_user_id(self, userId): """ If we search for the objectGUID we can not search for the normal string representation but we need to search for the bytestring in AD. :param userId: The userId :return: the trimmed userId """ if self.uidtype == "objectGUID": userId = trim_objectGUID(userId) return userId @cache def _getDN(self, userId): """ This function returns the DN of a userId. Therefor it evaluates the self.uidtype. :param userId: The userid of a user :type userId: string :return: The DN of the object. """ dn = "" if self.uidtype.lower() == "dn": dn = userId else: # get the DN for the Object self._bind() search_userId = self._trim_user_id(userId) filter = "(&{0!s}({1!s}={2!s}))".format(self.searchfilter, self.uidtype, search_userId) self.l.search(search_base=self.basedn, search_scope=self.scope, search_filter=filter, attributes=list(self.userinfo.values())) r = self.l.response r = self._trim_result(r) if len(r) > 1: # pragma: no cover raise Exception("Found more than one object for uid {0!r}".format(userId)) elif len(r) == 1: dn = r[0].get("dn") else: log.info("The filter {0!r} returned no DN.".format(filter)) return dn def _bind(self): if not self.i_am_bound: if not self.serverpool: self.serverpool = self.get_serverpool_instance(self.get_info) self.l = self.create_connection(authtype=self.authtype, server=self.serverpool, user=self.binddn, password=self.bindpw, receive_timeout=self.timeout, auto_referrals=not self.noreferrals, start_tls=self.start_tls, keytabfile=self.keytabfile) if not self.l.bind(): raise Exception("Wrong credentials") self.i_am_bound = True @staticmethod def _get_tls_context(ldap_uri=None, start_tls=False, tls_version=None, tls_verify=None, tls_ca_file=None, tls_options=None): """ This method creates the Tls object to be used with ldap3. """ if ldap_uri.lower().startswith("ldaps") or is_true(start_tls): if not tls_version: tls_version = int(DEFAULT_TLS_PROTOCOL) # If TLS_VERSION is 2, set tls_options to use TLS v1.3 if not tls_options: tls_options = TLS_OPTIONS_1_3 if int(tls_version) == int(TLS_NEGOTIATE_PROTOCOL) else None if tls_verify: tls_ca_file = tls_ca_file or DEFAULT_CA_FILE else: tls_verify = ssl.CERT_NONE tls_ca_file = None tls_context = Tls(validate=tls_verify, version=int(tls_version), ssl_options=tls_options, ca_certs_file=tls_ca_file) else: tls_context = None return tls_context
[docs] @cache def getUserInfo(self, userId): """ This function returns all user info for a given userid/object. :param userId: The userid of the object :type userId: string :return: A dictionary with the keys defined in self.userinfo :rtype: dict """ ret = {} self._bind() if self.uidtype.lower() == "dn": # encode utf8, so that also german umlauts work in the DN self.l.search(search_base=userId, search_scope=self.scope, search_filter="(&" + self.searchfilter + ")", attributes=list(self.userinfo.values())) else: search_userId = to_unicode(self._trim_user_id(userId)) filter = "(&{0!s}({1!s}={2!s}))".format(self.searchfilter, self.uidtype, search_userId) self.l.search(search_base=self.basedn, search_scope=self.scope, search_filter=filter, attributes=list(self.userinfo.values())) r = self.l.response r = self._trim_result(r) if len(r) > 1: # pragma: no cover raise Exception("Found more than one object for uid {0!r}".format(userId)) for entry in r: attributes = entry.get("attributes") ret = self._ldap_attributes_to_user_object(attributes) return ret
def _ldap_attributes_to_user_object(self, attributes): """ This helper function converts the LDAP attributes to a dictionary for the privacyIDEA user. The LDAP Userinfo mapping is used to do so. :param attributes: :return: dict with privacyIDEA users. """ ret = {} for ldap_k, ldap_v in attributes.items(): for map_k, map_v in self.userinfo.items(): if ldap_k == map_v: if ldap_k == "objectGUID": # An objectGUID should be no list, since it is unique if isinstance(ldap_v, str): ret[map_k] = ldap_v.strip("{").strip("}") else: raise Exception("The LDAP returns an objectGUID, " "that is no string: {0!s}".format(type(ldap_v))) elif type(ldap_v) == list and map_k not in self.multivalueattributes: # lists that are not in self.multivalueattributes return first value # as a string. Multi-value-attributes are returned as a list if ldap_v: ret[map_k] = ldap_v[0] else: ret[map_k] = "" else: ret[map_k] = ldap_v return ret
[docs] def getUsername(self, user_id): """ Returns the username/loginname for a given user_id :param user_id: The user_id in this resolver :type user_id: string :return: username :rtype: string """ info = self.getUserInfo(user_id) return info.get('username', "")
[docs] @cache def getUserId(self, LoginName): """ resolve the loginname to the userid. :param LoginName: The login name from the credentials :type LoginName: str :return: UserId as found for the LoginName :rtype: str """ userid = "" self._bind() LoginName = to_unicode(LoginName) login_name = self._escape_loginname(LoginName) if len(self.loginname_attribute) > 1: loginname_filter = "" for l_attribute in self.loginname_attribute: # Special case if we have a guid try: if l_attribute.lower() == "objectguid": search_login_name = trim_objectGUID(login_name) else: search_login_name = login_name loginname_filter += "({!s}={!s})".format(l_attribute.strip(), search_login_name) except ValueError: # This happens if we have a self.loginname_attribute like ["sAMAccountName","objectGUID"], # the user logs in with his sAMAccountName, which can # not be transformed to a UUID log.debug("Can not transform {0!s} to a objectGUID.".format(login_name)) loginname_filter = "|" + loginname_filter else: if self.loginname_attribute[0].lower() == "objectguid": search_login_name = trim_objectGUID(login_name) else: search_login_name = login_name loginname_filter = "{!s}={!s}".format(self.loginname_attribute[0], search_login_name) log.debug("login name filter: {!r}".format(loginname_filter)) filter = "(&{0!s}({1!s}))".format(self.searchfilter, loginname_filter) # create search attributes attributes = list(self.userinfo.values()) if self.uidtype.lower() != "dn": attributes.append(str(self.uidtype)) log.debug("Searching user {0!r} in LDAP.".format(LoginName)) self.l.search(search_base=self.basedn, search_scope=self.scope, search_filter=filter, attributes=attributes) r = self.l.response r = self._trim_result(r) if len(r) > 1: # pragma: no cover raise Exception("Found more than one object for Loginname {0!r}".format( LoginName)) for entry in r: userid = self._get_uid(entry, self.uidtype) return userid
[docs] def getUserList(self, searchDict=None): """ :param searchDict: A dictionary with search parameters :type searchDict: dict :return: list of users, where each user is a dictionary """ ret = [] self._bind() attributes = list(self.userinfo.values()) ad_timestamp = get_ad_timestamp_now() if self.uidtype.lower() != "dn": attributes.append(str(self.uidtype)) # do the filter depending on the searchDict filter = "(&" + self.searchfilter for search_key in searchDict.keys(): # convert to unicode searchDict[search_key] = to_unicode(searchDict[search_key]) if search_key == "accountExpires": comperator = ">=" if searchDict[search_key] in ["1", 1]: comperator = "<=" filter += "(&({0!s}{1!s}{2!s})(!({3!s}=0)))".format( self.userinfo[search_key], comperator, get_ad_timestamp_now(), self.userinfo[search_key]) else: filter += "({0!s}={1!s})".format(self.userinfo[search_key], searchDict[search_key]) filter += ")" g = self.l.extend.standard.paged_search(search_base=self.basedn, search_filter=filter, search_scope=self.scope, attributes=attributes, paged_size=100, size_limit=self.sizelimit, generator=True) # returns a generator of dictionaries for entry in ignore_sizelimit_exception(self.l, g): # Simple fix for ignored sizelimit with Active Directory if len(ret) >= self.sizelimit: break # Fix for searchResRef entries which have no attributes if entry.get('type') == 'searchResRef': continue try: attributes = entry.get("attributes") user = self._ldap_attributes_to_user_object(attributes) user['userid'] = self._get_uid(entry, self.uidtype) ret.append(user) except Exception as exx: # pragma: no cover log.error("Error during fetching LDAP objects: {0!r}".format(exx)) log.debug("{0!s}".format(traceback.format_exc())) return ret
[docs] def getResolverId(self): """ Returns the resolver Id This should be an Identifier of the resolver, preferable the type and the name of the resolver. :return: the id of the resolver :rtype: str """ s = "{0!s}{1!s}{2!s}{3!s}".format(self.uri, self.basedn, self.searchfilter, sorted(self.userinfo.items(), key=itemgetter(0))) r = binascii.hexlify(hashlib.sha1(s.encode("utf-8")).digest()) # nosec B324 # hash used as unique identifier return r.decode('utf8')
[docs] @staticmethod def getResolverClassType(): return 'ldapresolver'
[docs] @staticmethod def getResolverDescriptor(): return IdResolver.getResolverClassDescriptor()
[docs] @staticmethod def getResolverType(): return IdResolver.getResolverClassType()
[docs] def loadConfig(self, config): """ Load the config from conf. :param config: The configuration from the Config Table :type config: dict '#ldap_uri': 'LDAPURI', '#ldap_basedn': 'LDAPBASE', '#ldap_binddn': 'BINDDN', '#ldap_password': 'BINDPW', '#ldap_timeout': 'TIMEOUT', '#ldap_sizelimit': 'SIZELIMIT', '#ldap_loginattr': 'LOGINNAMEATTRIBUTE', '#ldap_searchfilter': 'LDAPSEARCHFILTER', '#ldap_mapping': 'USERINFO', '#ldap_uidtype': 'UIDTYPE', '#ldap_noreferrals' : 'NOREFERRALS', '#ldap_editable' : 'EDITABLE', '#ldap_certificate': 'CACERTIFICATE', '#ldap_keytabfile': 'KEYTABFILE', """ self.uri = config.get("LDAPURI") self.basedn = config.get("LDAPBASE") self.binddn = config.get("BINDDN") # object_classes is a comma separated list like # ["top", "person", "organizationalPerson", "user", "inetOrgPerson"] self.object_classes = [cl.strip() for cl in config.get("OBJECT_CLASSES", "").split(",")] self.dn_template = config.get("DN_TEMPLATE", "") self.bindpw = config.get("BINDPW") self.timeout = int(config.get("TIMEOUT", 5)) self.cache_timeout = int(config.get("CACHE_TIMEOUT", 120)) self.sizelimit = int(config.get("SIZELIMIT", 500)) self.loginname_attribute = [la.strip() for la in config.get("LOGINNAMEATTRIBUTE","").split(",")] self.searchfilter = config.get("LDAPSEARCHFILTER") userinfo = config.get("USERINFO", "{}") self.userinfo = yaml.safe_load(userinfo) self.userinfo["username"] = self.loginname_attribute[0] multivalueattributes = config.get("MULTIVALUEATTRIBUTES") or '["mobile"]' self.multivalueattributes = yaml.safe_load(multivalueattributes) self.map = yaml.safe_load(userinfo) self.uidtype = config.get("UIDTYPE", "DN") self.noreferrals = is_true(config.get("NOREFERRALS", False)) self.start_tls = is_true(config.get("START_TLS", False)) and not self.uri.lower().startswith("ldaps") self.get_info = get_info_configuration(is_true(config.get("NOSCHEMAS", False))) self._editable = config.get("EDITABLE", False) self.scope = config.get("SCOPE") or ldap3.SUBTREE self.resolverId = self.uri self.authtype = config.get("AUTHTYPE", AUTHTYPE.SIMPLE) self.keytabfile = config.get('KEYTABFILE', None) self.tls_verify = is_true(config.get("TLS_VERIFY", False)) # Fallback to DEFAULT_TLS_PROTOCOL (TLSv1: 3, TLSv1.1: 4, v1.2: 5, TLS negotiation: 2) self.tls_version = int(config.get("TLS_VERSION") or DEFAULT_TLS_PROTOCOL) self.tls_ca_file = config.get("TLS_CA_FILE") self.tls_context = self._get_tls_context(ldap_uri=self.uri, start_tls=self.start_tls, tls_version=self.tls_version, tls_verify=self.tls_verify, tls_ca_file=self.tls_ca_file) self.serverpool_persistent = is_true(config.get("SERVERPOOL_PERSISTENT", False)) self.serverpool_rounds = int(config.get("SERVERPOOL_ROUNDS") or SERVERPOOL_ROUNDS) self.serverpool_skip = int(config.get("SERVERPOOL_SKIP") or SERVERPOOL_SKIP) self.serverpool_strategy = config.get("SERVERPOOL_STRATEGY") or SERVERPOOL_STRATEGY # The configuration might have changed. We reset the serverpool self.serverpool = None self.i_am_bound = False return self
@property def has_multiple_loginnames(self): """ Return if this resolver has multiple loginname attributes :return: bool """ return len(self.loginname_attribute) > 1
[docs] @staticmethod def split_uri(uri): """ Splits LDAP URIs like: * ldap://server * ldaps://server * ldap[s]://server:1234 * server :param uri: The LDAP URI :return: Returns a tuple of Servername, Port and SSL(bool) """ port = None ssl = False ldap_elems = uri.split(":") if len(ldap_elems) == 3: server = ldap_elems[1].strip("/") port = int(ldap_elems[2]) if ldap_elems[0].lower() == "ldaps": ssl = True else: ssl = False elif len(ldap_elems) == 2: server = ldap_elems[1].strip("/") port = None if ldap_elems[0].lower() == "ldaps": ssl = True else: ssl = False else: server = uri return server, port, ssl
[docs] @classmethod def create_serverpool(cls, urilist, timeout, get_info=None, tls_context=None, rounds=SERVERPOOL_ROUNDS, exhaust=SERVERPOOL_SKIP, pool_cls=ldap3.ServerPool, strategy=SERVERPOOL_STRATEGY): """ This creates the serverpool for the ldap3 connection. The URI from the LDAP resolver can contain a comma separated list of LDAP servers. These are split and then added to the pool. See https://github.com/cannatag/ldap3/blob/master/docs/manual/source/servers.rst#server-pool :param urilist: The list of LDAP URIs, comma separated :type urilist: basestring :param timeout: The connection timeout :type timeout: float :param get_info: The get_info type passed to the ldap3.Sever constructor. default: ldap3.SCHEMA, should be ldap3.NONE in case of a bind. :param tls_context: A ldap3.tls object, which defines if certificate verification should be performed :param rounds: The number of rounds we should cycle through the server pool before giving up :param exhaust: The seconds, for how long a non-reachable server should be removed from the serverpool :param pool_cls: ``ldap3.ServerPool`` subclass that should be instantiated :param strategy: The pooling strategy of the server-pool :type strategy: str :return: Server Pool :rtype: ldap3.ServerPool """ get_info = get_info or ldap3.SCHEMA strategy = LDAP_STRATEGY.get(strategy, SERVERPOOL_STRATEGY) server_pool = pool_cls(None, strategy, active=rounds, exhaust=exhaust) for uri in urilist.split(","): uri = uri.strip() host, port, ssl = cls.split_uri(uri) server = ldap3.Server(host, port=port, use_ssl=ssl, connect_timeout=float(timeout), get_info=get_info, tls=tls_context) server_pool.add(server) log.debug("Added {0!s}, {1!s}, {2!s} to server pool.".format(host, port, ssl)) return server_pool
[docs] def get_serverpool_instance(self, get_info=None): """ Return a ``ServerPool`` instance that should be used. If ``SERVERPOOL_PERSISTENT`` is enabled, invoke ``get_persistent_serverpool`` to retrieve a per-process server pool instance. If it is not enabled, invoke ``create_serverpool`` to retrieve a per-request server pool instance. :param get_info: one of ldap3.SCHEMA, ldap3.NONE, ldap3.ALL :return: a ``ServerPool``/``LockingServerPool`` instance """ if self.serverpool_persistent: return self.get_persistent_serverpool(get_info) else: return self.create_serverpool(self.uri, self.timeout, get_info, self.tls_context, self.serverpool_rounds, self.serverpool_skip, strategy=self.serverpool_strategy)
[docs] def get_persistent_serverpool(self, get_info=None): """ Return a process-level instance of ``LockingServerPool`` for the current LDAP resolver configuration. Retrieve it from the app-local store. If such an instance does not exist yet, create one. :param get_info: one of ldap3.SCHEMA, ldap3.NONE, ldap3.ALL :return: a ``LockingServerPool`` instance """ if not get_info: get_info = ldap3.SCHEMA pools = get_app_local_store().setdefault('ldap_server_pools', {}) # Create a hashable tuple that describes the current server pool configuration pool_description = (self.uri, self.timeout, get_info, repr(self.tls_context), # this is the string representation of the TLS context self.serverpool_rounds, self.serverpool_skip) if pool_description not in pools: log.debug("Creating a persistent server pool instance for {!r} ...".format(pool_description)) # Create a suitable instance of ``LockingServerPool`` server_pool = self.create_serverpool(self.uri, self.timeout, get_info, self.tls_context, self.serverpool_rounds, self.serverpool_skip, pool_cls=LockingServerPool, strategy=self.serverpool_strategy) # It may happen that another thread tries to add an instance to the dictionary concurrently. # However, only one of them will win, and the other ``LockingServerPool`` instance will be # garbage-collected eventually. return pools.setdefault(pool_description, server_pool) else: # If there is already a ``LockingServerPool`` instance, return it. # We never remove instances from the dictionary, so a ``KeyError`` cannot occur. # As a side effect, when we change the LDAP Id resolver configuration, # outdated ``LockingServerPool`` instances will survive until the next server restart. return pools[pool_description]
[docs] @classmethod def getResolverClassDescriptor(cls): """ return the descriptor of the resolver, which is - the class name and - the config description :return: resolver description dict :rtype: dict """ descriptor = {} typ = cls.getResolverType() descriptor['clazz'] = "useridresolver.LDAPIdResolver.IdResolver" descriptor['config'] = {'LDAPURI': 'string', 'LDAPBASE': 'string', 'BINDDN': 'string', 'BINDPW': 'password', 'KEYTABFILE': 'string', 'TIMEOUT': 'int', 'SIZELIMIT': 'int', 'LOGINNAMEATTRIBUTE': 'string', 'LDAPSEARCHFILTER': 'string', 'USERINFO': 'string', 'UIDTYPE': 'string', 'NOREFERRALS': 'bool', 'NOSCHEMAS': 'bool', 'CACERTIFICATE': 'string', 'EDITABLE': 'bool', 'SCOPE': 'string', 'AUTHTYPE': 'string', 'TLS_VERIFY': 'bool', 'TLS_VERSION': 'int', 'TLS_CA_FILE': 'string', 'START_TLS': 'bool', 'CACHE_TIMEOUT': 'int', 'SERVERPOOL_STRATEGY': 'string', 'SERVERPOOL_ROUNDS': 'int', 'SERVERPOOL_SKIP': 'int', 'SERVERPOOL_PERSISTENT': 'bool', 'OBJECT_CLASSES': 'string', 'DN_TEMPLATE': 'string', 'MULTIVALUEATTRIBUTES': 'string'} return {typ: descriptor}
[docs] @classmethod def testconnection(cls, param): """ This function lets you test the to be saved LDAP connection. Parameters are: BINDDN, BINDPW, LDAPURI, TIMEOUT, LDAPBASE, LOGINNAMEATTRIBUTE, LDAPSEARCHFILTER, USERINFO, SIZELIMIT, NOREFERRALS, CACERTIFICATE, AUTHTYPE, TLS_VERIFY, TLS_VERSION, TLS_CA_FILE, SERVERPOOL_ROUNDS, SERVERPOOL_SKIP, SERVERPOOL_STRATEGY :param param: A dictionary with all necessary parameter to test the connection. :type param: dict :return: Tuple of success and a description :rtype: (bool, string) """ success = False uidtype = param.get("UIDTYPE") timeout = int(param.get("TIMEOUT", 5)) ldap_uri = param.get("LDAPURI") size_limit = int(param.get("SIZELIMIT", 500)) serverpool_rounds = int(param.get("SERVERPOOL_ROUNDS") or SERVERPOOL_ROUNDS) serverpool_skip = int(param.get("SERVERPOOL_SKIP") or SERVERPOOL_SKIP) pool_strat = param.get("SERVERPOOL_STRATEGY") or SERVERPOOL_STRATEGY serverpool_strategy = LDAP_STRATEGY.get(pool_strat, SERVERPOOL_STRATEGY) start_tls = is_true(param.get("START_TLS", False)) and not ldap_uri.lower().startswith("ldaps") tls_context = cls._get_tls_context(ldap_uri=ldap_uri, start_tls=start_tls, tls_version=param.get("TLS_VERSION"), tls_verify=param.get("TLS_VERIFY"), tls_ca_file=param.get("TLS_CA_FILE"), tls_options=None) get_info = get_info_configuration(is_true(param.get("NOSCHEMAS"))) try: server_pool = cls.create_serverpool(ldap_uri, timeout, tls_context=tls_context, get_info=get_info, rounds=serverpool_rounds, exhaust=serverpool_skip, strategy=serverpool_strategy) l = cls.create_connection(authtype=param.get("AUTHTYPE", AUTHTYPE.SIMPLE), server=server_pool, user=param.get("BINDDN"), password=param.get("BINDPW"), receive_timeout=timeout, auto_referrals=not param.get( "NOREFERRALS"), start_tls=start_tls, keytabfile=param.get('KEYTABFILE', None)) if not l.bind(): raise Exception("Wrong credentials") # create searchattributes attributes = list(yaml.safe_load(param["USERINFO"]).values()) if uidtype.lower() != "dn": attributes.append(str(uidtype)) # search for users... g = l.extend.standard.paged_search( search_base=param["LDAPBASE"], search_filter="(&" + param["LDAPSEARCHFILTER"] + ")", search_scope=param.get("SCOPE") or ldap3.SUBTREE, attributes=attributes, paged_size=100, size_limit=size_limit, generator=True) # returns a generator of dictionaries count = 0 uidtype_count = 0 for entry in ignore_sizelimit_exception(l, g): try: userid = cls._get_uid(entry, uidtype) count += 1 if userid: uidtype_count += 1 except Exception as exx: # pragma: no cover log.warning("Error during fetching LDAP objects:" " {0!r}".format(exx)) log.debug("{0!s}".format(traceback.format_exc())) if uidtype_count < count: # pragma: no cover desc = _("Your LDAP config found {0!s} user objects, but only {1!s} " "with the specified uidtype").format(count, uidtype_count) else: desc = _("Your LDAP config seems to be OK, {0!s} user objects " "found.").format(count) l.unbind() success = True except Exception as e: desc = "{0!r}".format(e) log.debug("{0!s}".format(traceback.format_exc())) return success, desc
[docs] def add_user(self, attributes=None): """ Add a new user to the LDAP directory. The user can only be created in the LDAP using a DN. So we have to construct the DN out of the given attributes. attributes are these "username", "surname", "givenname", "email", "mobile", "phone", "password" :param attributes: Attributes according to the attribute mapping :type attributes: dict :return: The new UID of the user. The UserIdResolver needs to determine the way how to create the UID. """ # TODO: We still have some utf8 issues creating users with special characters. attributes = attributes or {} dn = self.dn_template dn = dn.replace("<basedn>", self.basedn) dn = dn.replace("<username>", attributes.get("username", "")) dn = dn.replace("<givenname>", attributes.get("givenname", "")) dn = dn.replace("<surname>", attributes.get("surname", "")) try: self._bind() params = self._attributes_to_ldap_attributes(attributes) self.l.add(dn, self.object_classes, params) except Exception as e: log.error("Error accessing LDAP server: {0!r}".format(e)) log.debug("{0}".format(traceback.format_exc())) raise privacyIDEAError(e) if self.l.result.get('result') != 0: log.error("Error during adding of user {0!r}: " "{1!r}".format(dn, self.l.result.get('message'))) raise privacyIDEAError(self.l.result.get('message')) return self.getUserId(attributes.get("username"))
[docs] def delete_user(self, uid): """ Delete a user from the LDAP Directory. The user is referenced by the user id. :param uid: The uid of the user object, that should be deleted. :type uid: basestring :return: Returns True in case of success :rtype: bool """ res = True try: self._bind() self.l.delete(self._getDN(uid)) except Exception as exx: log.error("Error deleting user: {0!r}".format(exx)) res = False return res
def _attributes_to_ldap_attributes(self, attributes): """ takes the attributes and maps them to the LDAP attributes :param attributes: Attributes to be updated :type attributes: dict :return: dict with attribute name as keys and values """ ldap_attributes = {} for fieldname, value in attributes.items(): if self.map.get(fieldname): if fieldname == "password": # Variable value may be either a string or a list # so catch the TypeError exception if we get the wrong # variable type try: pw_hash = ldap_salted_sha1.hash(value[1][0]) value[1][0] = pw_hash ldap_attributes[self.map.get(fieldname)] = value except TypeError as _e: pw_hash = ldap_salted_sha1.hash(value) ldap_attributes[self.map.get(fieldname)] = pw_hash else: ldap_attributes[self.map.get(fieldname)] = value return ldap_attributes def _create_ldap_modify_changes(self, attributes, uid): """ Identifies if an LDAP attribute already exists and if the value needs to be updated, deleted or added. :param attributes: Attributes to be updated :type attributes: dict :param uid: The uid of the user object in the resolver :type uid: basestring :return: dict with attribute name as keys and values """ modify_changes = {} uinfo = self.getUserInfo(uid) for fieldname, value in attributes.items(): if value: if fieldname in uinfo: modify_changes[fieldname] = [MODIFY_REPLACE, [value]] else: modify_changes[fieldname] = [MODIFY_ADD, [value]] else: modify_changes[fieldname] = [MODIFY_DELETE, [value]] return modify_changes
[docs] def update_user(self, uid, attributes=None): """ Update an existing user. This function is also used to update the password. Since the attribute mapping know, which field contains the password, this function can also take care for password changing. Attributes that are not contained in the dict attributes are not modified. :param uid: The uid of the user object in the resolver. :type uid: basestring :param attributes: Attributes to be updated. :type attributes: dict :return: True in case of success """ attributes = attributes or {} try: self._bind() mapped = self._create_ldap_modify_changes(attributes, uid) params = self._attributes_to_ldap_attributes(mapped) self.l.modify(self._getDN(uid), params) except Exception as e: log.error("Error accessing LDAP server: {0!r}".format(e)) log.debug("{0!s}".format(traceback.format_exc())) return False if self.l.result.get('result') != 0: log.error("Error during update of user {0!r}: " "{1!r}".format(uid, self.l.result.get("message"))) return False return True
[docs] @staticmethod def create_connection(authtype=None, server=None, user=None, password=None, auto_bind=ldap3.AUTO_BIND_NONE, client_strategy=ldap3.SYNC, check_names=True, auto_referrals=False, receive_timeout=5, start_tls=False, keytabfile=None): """ Create a connection to the LDAP server. :param authtype: :param server: :param user: :param password: :param auto_bind: :param client_strategy: :param check_names: :param auto_referrals: :param receive_timeout: At the moment we do not use this, since receive_timeout is not supported by ldap3 < 2 :type receive_timeout: float :param start_tls: Use startTLS for connection to server :type start_tls: bool :param keytabfile: Path to keytab file for service account :type keytabfile: str :return: """ conn_opts = {'auto_bind': auto_bind, 'client_strategy': client_strategy, 'check_names': check_names, 'receive_timeout': receive_timeout, 'auto_referrals': auto_referrals} if not user: # without a user we can only use an anonymous binds conn_opts.update({'authentication': ldap3.ANONYMOUS}) elif authtype == AUTHTYPE.SIMPLE: # SIMPLE works with passwords as UTF8 and unicode password = to_unicode(password) conn_opts.update({'user': user, 'password': password, 'authentication': ldap3.SIMPLE}) elif authtype == AUTHTYPE.NTLM: # pragma: no cover # NTLM requires the password to be unicode password = to_unicode(password) conn_opts.update({'user': user, 'password': password, 'authentication': ldap3.NTLM}) elif authtype == AUTHTYPE.SASL_DIGEST_MD5: # pragma: no cover password = to_unicode(password) sasl_credentials = (str(user), str(password)) conn_opts.update({'sasl_mechanism': ldap3.DIGEST_MD5, 'sasl_credentials': sasl_credentials, 'authentication': ldap3.SASL}) elif authtype == AUTHTYPE.SASL_KERBEROS: cred_store = {'client_keytab': keytabfile} if keytabfile else None conn_opts.update({'sasl_mechanism': ldap3.KERBEROS, 'authentication': ldap3.SASL, 'user': user, 'cred_store': cred_store}) else: raise Exception("Authtype {0!s} not supported".format(authtype)) l = ldap3.Connection(server, **conn_opts) if start_tls: l.open(read_server_info=False) log.debug("Doing start_tls") r = l.start_tls(read_server_info=False) return l
@property def editable(self): """ Return true, if the instance of the resolver is configured editable :return: """ # Depending on the database this might look different # Usually this is "1" return is_true(self._editable)