Changeset f395ef in indico

Timestamp:

02/24/11 14:38:38 (2 years ago)

Author:

Pedro Ferreira <jose.pedro.ferreira@…>

Branches:

master, burotel, hello-world-walkthrough, ipv6, v0.98-series, v0.98.2, v0.98.3, v0.98b1, v0.98b2, v0.99, 051b2622c51afb171a1dedb46a0df4fbb0cbd02e, 0da0c1403bae8e51d8229f460181c71b9e6dda72

Children:

5f7a6d

Parents:

6b3931

git-author:

Pedro Ferreira <jose.pedro.ferreira@…> (02/24/11 14:29:09)

git-committer:

Pedro Ferreira <jose.pedro.ferreira@…> (02/24/11 14:38:38)

Message:

[IMP] LDAP Authentication

• Integrated Martin Kuba's patch (thanks Martin!);
• Added escaping of LDAP special chars, in order to avoid injection attacks;
• Added some extra customization options, so that the mechanism can interact with services that follow different conventions;
• Renamed some structures, including 'Ldap' -> 'LDAP';
• Changed operations to synchronous;
• Added preliminary login step that can be needed in servers that do not provide anonymous read access;
• Changed group membership strategy - faster and easier;
• Adapted code to inetOrgPerson fields;
• Improved the overall formatting and code quality (pylint and PEP8);
• closes #600 and makes many server admins happier ;)
• TODO: pluginize the whole thing (implies refactoring of auth mechanism);
• TODO: Caching - right now server calls are performed every time;

Files:

• etc/indico.conf.sample (modified) (2 diffs)
• indico/MaKaC/accessControl.py (modified) (1 diff)
• indico/MaKaC/authentication/AuthenticationMgr.py (modified) (1 diff)
• indico/MaKaC/authentication/LDAPAuthentication.py (added)
• indico/MaKaC/common/Configuration.py (modified) (1 diff)
• indico/MaKaC/common/ObjectHolders.py (modified) (1 diff)
• indico/MaKaC/externUsers.py (modified) (1 diff)
• indico/MaKaC/user.py (modified) (6 diffs)
• indico/MaKaC/webinterface/pages/admins.py (modified) (1 diff)
• indico/MaKaC/webinterface/rh/base.py (modified) (1 diff)
• indico/MaKaC/webinterface/rh/conferenceDisplay.py (modified) (1 diff)

etc/indico.conf.sample

@@ -194 +194 @@
 # to right):
 #
-#     AuthenticatorList = ['Local', 'MyAuthSystem']
+#     AuthenticatorList = ['Local', 'LDAP', 'MyAuthSystem']
 #
 # The default configuration will use only Indico's authentication system.
@@ -200 +200 @@
 AuthenticatorList    = ['Local']
 
+# Uncomment/customize the following lines if you want to use LDAP authentication
+#
+# LDAPConfig = {'host': 'myldapserver.example.com',
+#
+#               # filter parameters for users, base DN to use
+#               'peopleDNQuery': ('uid={0}', 'DC=example,DC=com'),
+#
+#               # filter parameters for groups, base DN to use
+#               'groupDNQuery': ('cn={0}', 'OU=Groups,DC=example,DC=com'),
+#
+#               # query used to infer membership of a group
+#               'membershipQuery': 'memberof={0}',
+#
+#               # access credentials of a user with read access
+#               'accessCredentials': ('CN=user,OU=Users,DC=example,DC=com','secret_password')
+# }
 
 #------------------------------------------------------------------------------

indico/MaKaC/accessControl.py

@@ -123 +123 @@
         """grants read access for the related resource to the specified
             principal"""
-        if principal not in self.allowed and (isinstance(principal, MaKaC.user.Avatar) or isinstance(principal, MaKaC.user.CERNGroup) or isinstance(principal, MaKaC.user.Group)):
+
+        # TODO: make this extensible
+        if principal not in self.allowed and \
+               (isinstance(principal, MaKaC.user.Avatar) or \
+                isinstance(principal, MaKaC.user.CERNGroup) or \
+                isinstance(principal, MaKaC.user.Group) or \
+                isinstance(principal, MaKaC.user.LDAPGroup)):
             self.allowed.append( principal )
             self._p_changed = 1

indico/MaKaC/authentication/AuthenticationMgr.py

@@ -38 +38 @@
                 from MaKaC.authentication.NiceAuthentication import NiceAuthenticator
                 self.AuthenticatorList.append( NiceAuthenticator() )
+            if auth == "LDAP":
+                from MaKaC.authentication.LDAPAuthentication import LDAPAuthenticator
+                self.AuthenticatorList.append(LDAPAuthenticator())
         self.create = True
 

indico/MaKaC/common/Configuration.py

@@ -440 +440 @@
             'AuthenticatedEnforceSecure': 'yes',
 
+            # Authentication
+            'LDAPConfig': {'host': 'myldapserver.example.com',
+                           'peopleDNQuery': ('uid={0}', 'DC=example,DC=com'),
+                           'groupDNQuery': ('cn={0}',
+                                            'OU=Groups,DC=example,DC=com'),
+                           'membershipQuery': 'memberof={0}',
+                           'accessCredentials': ('CN=user,OU=Users,'
+                                                 'DC=example,DC=com',
+                                                 'secret_password')},
             # Room Booking Related
             'LightboxCssStylesheetName' : "lightbox/lightbox.css",
             'LightboxJavascriptName'    : "lightbox/lightbox.js"
             }
-
 
         if sys.platform == 'win32':

indico/MaKaC/common/ObjectHolders.py

@@ -52 +52 @@
             index.
     """
-    __allowedIdxs = ["conferences", "avatars", "groups", "counters", 
-                    "identities", "principals", "categories", 
-                    "localidentities", "niceidentities", "groupsregistration", 
-                    "fieldsregistration", "registrationform", "domains", "indexes",
-                    "trashcan", "roomsmapping", "deletedobject", "shorturl", "modules", "plugins"]
+    __allowedIdxs = ["conferences", "avatars", "groups", "counters",
+                     "identities", "principals", "categories",
+                     "localidentities", "niceidentities", "groupsregistration",
+                     "ldapidentities", "fieldsregistration", "registrationform",
+                     "domains", "indexes", "trashcan", "roomsmapping",
+                     "deletedobject", "shorturl", "modules", "plugins"]
     idxName = None
     counterName = None
 
-    def __init__(self): 
+    def __init__(self):
         """Class constructor. Gets an opened DB storage and initializes the 
            DB connection so it's available for later requests.

indico/MaKaC/externUsers.py

@@ -29 +29 @@
 from MaKaC.errors import MaKaCError
 from MaKaC.common.logger import Logger
+from MaKaC.authentication.LDAPAuthentication import LDAPAuthenticator, LDAPUser
+
 
 class ExtUserHolder:
     def __init__(self):
-        self.extUserList = {"Nice":NiceUser}
+        self.extUserList = {"Nice": NiceUser,
+                            LDAPAuthenticator.getId(): LDAPUser}
 
     def getById(self, id):

indico/MaKaC/user.py

@@ -19 +19 @@
 ## 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
 
+
 from MaKaC.fossils.user import IAvatarFossil, IAvatarAllDetailsFossil,\
                             IGroupFossil, IPersonalInfoFossil, IAvatarMinimalFossil
@@ -39 +40 @@
 import MaKaC.common.info as info
 from MaKaC.i18n import _
+from MaKaC.authentication.LDAPAuthentication import LDAPAuthenticator, ldapFindGroups, ldapUserInGroup
 
 from datetime import datetime, timedelta
@@ -325 +327 @@
 
 
+class LDAPGroup(Group):
+    groupType = "LDAP"
+
+    def __str__(self):
+        return "<LDAPGroup id: %s name: %s desc: %s>" % (self.getId(),
+                                                         self.getName(),
+                                                         self.getDescription())
+
+    def addMember(self, newMember):
+        pass
+
+    def removeMember(self, member):
+        pass
+
+    def getMemberList(self):
+        uidList = ldapFindGroupMemberUids(self.getName())
+        avatarLists = []
+        for uid in uidList:
+            # First, try locally (fast)
+            lst = AvatarHolder().match({'login': uid }, exact=1,
+                                       forceWithoutExtAuth=True)
+            if not lst:
+                # If not found, try external
+                lst = AvatarHolder().match({'login': uid}, exact=1)
+            avatarLists.append(lst)
+        return [avList[0] for avList in avatarLists if avList]
+
+    def containsUser(self, avatar):
+
+        # used when checking acces to private events restricted for certain groups
+        if not avatar:
+            return False
+        login = None
+        for aid in avatar.getIdentityList():
+            if aid.getAuthenticatorTag() == 'LDAP':
+                login = aid.getLogin()
+        if not login:
+            return False
+        return ldapUserInGroup(login, self.getName())
+
+    def containsMember(self, avatar):
+        return 0
+
+
 class GroupHolder(ObjectHolder):
     """
@@ -384 +430 @@
         if "Nice" in Config.getInstance().getAuthenticatorList() and not forceWithoutExtAuth:
             self.updateCERNGroupMatch(crit["name"][0],exact)
+        if "LDAP" in Config.getInstance().getAuthenticatorList() and not forceWithoutExtAuth:
+            self.updateLDAPGroupMatch(crit["name"][0],exact)
         match = self.getIndex().matchGroup(crit["name"][0], exact=exact)
 
@@ -392 +440 @@
                     result.append(gr)
         return result
+
+    def updateLDAPGroupMatch(self, name, exact=False):
+        logger.Logger.get('GroupHolder').debug(
+            "updateLDAPGroupMatch(name=" + name + ")")
+
+        for grDict in ldapFindGroups(name, exact):
+            grName = grDict['cn']
+            if not self.hasKey(grName):
+                gr = LDAPGroup()
+                gr.setId(grName)
+                gr.setName(grName)
+                gr.setDescription('LDAP group: ' + grDict['description'])
+                self.add(gr)
+                logger.Logger.get('GroupHolder').debug(
+                    "updateLDAPGroupMatch() added" + str(gr))
 
     def updateCERNGroupMatch(self, name, exact=False):
@@ -1395 +1458 @@
             euh = ExtUserHolder()
             from MaKaC.authentication import NiceAuthentication
+            from MaKaC.authentication import LDAPAuthentication
             for authId in Config.getInstance().getAuthenticatorList():
                 if not authId == "Local":
                     dict = euh.getById(authId).match(criteria, exact=exact)
-                    auth = NiceAuthentication.NiceAuthenticator()
-
-
+                    if authId == "Nice":
+                        auth = NiceAuthentication.NiceAuthenticator()
+                    elif authId == "LDAP":
+                        auth = LDAPAuthentication.LDAPAuthenticator()
+                    else:
+                       raise MaKaCError(
+                           _("Authentication type " + authId + " is not known."))
                     for email in dict.keys():
                         # TODO and TOSTUDY: result.keys should be replace it with

indico/MaKaC/webinterface/pages/admins.py

@@ -1843 +1843 @@
             self.__setGroupVars( self._group, vars )
             vars["locator"] = self._group.getLocator().getWebForm()
-            if isinstance(self._group, CERNGroup):
+            if isinstance(self._group, CERNGroup) or \
+                   isinstance(self._group, user.LDAPGroup):
                 vars["allowModif"] = False
         return vars

indico/MaKaC/webinterface/rh/base.py

@@ -495 +495 @@
                         self._reqParams = copy.copy( params )
                         self._checkParams( self._reqParams )
+
                         self._checkProtection()
                         security.Sanitization.sanitizationCheck(self._target,

indico/MaKaC/webinterface/rh/conferenceDisplay.py

@@ -390 +390 @@
 
     def _checkProtection( self ):
+
         from MaKaC.webinterface.rh.collaboration import RCCollaborationAdmin, RCCollaborationPluginAdmin
         if not RCCollaborationAdmin.hasRights(self, None) and \