The following example is an adaptation of LDAPLogin: I just took the code and made it work with Active Directory.

Just like LDAPLogin, create in the 'extensions' directory a file 'ldap.py' with the following (NOTE: this code is slightly different than LDAPLogin)::

  import ldap
  import ldap.filter
  from roundup.cgi.actions import LoginAction
  from roundup.i18n import _
  
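  class LdapLoginAction(LoginAction):
      """Roundup login action that authenticates against Active Directory.

      The tracker's own password is tried first (``local_login``); if that
      fails the supplied credentials are checked against the LDAP server
      (``ldap_login``).  A user that exists in the directory but not in the
      tracker is created on first successful LDAP login, filled from the
      attributes listed in ``ldap_attrs``.
      """

      # (tracker user property, [LDAP attributes joined with ' ' to fill it])
      ldap_attrs = (
          ('realname', ['cn']),
          ('username', ['sAMAccountName']),
      )
      ldap_server = 'ldap://example.com'
      ldap_base = 'dc=example, dc=com'
      # appended to sAMAccountName to build the 'address' property of new users
      email_suffix = '@example.com'
      # credentials for the initial bind that performs the account search
      intBindUser = "username"
      intBindPasswd = "password"

      def verifyLocalPassword(self, password):
          ''' Verify the password that the user has supplied against the
              tracker's stored password.  Returns 1 if it matches, 0 otherwise.
          '''
          stored = self.db.user.get(self.client.userid, 'password')
          if password == stored:
              return 1
          # NOTE(review): an account with no stored password is accepted with an
          # empty password here (kept from the original example); consider
          # rejecting it if such accounts can exist in your tracker.
          if not password and not stored:
              return 1
          return 0

      def local_login(self, password):
          ''' Local authentication.

              Returns 1 on success, 0 on failure; a failure appends a message
              to ``self.client.error_message``.
          '''
          # make sure the user exists
          try:
              self.client.userid = self.db.user.lookup(self.client.user)
          except KeyError:
              self.client.error_message.append(_('Unknown user "%s"') % self.client.user)
              return 0
          # verify the password
          if not self.verifyLocalPassword(password):
              self.client.error_message.append(_('Invalid password'))
              return 0
          return 1

      def ldap_login(self, password):
          ''' Authentication via LDAP.

              Returns 1 on success, 0 on failure (with messages appended to
              ``self.client.error_message``).  On success ``self.ldapdn`` and
              ``self.attrs`` hold the DN and the attributes of the matched entry.
          '''
          # An empty password must never reach bind_s: a bind with a DN and no
          # password is an unauthenticated bind, which most servers accept, so
          # it would log anyone in as that user without knowing the password.
          if not password:
              self.client.error_message.append(_('Invalid password !'))
              return 0
          try:
              # connect to LDAP host and bind with the search account
              ldapcn = ldap.initialize(self.ldap_server)
              ldapcn.protocol_version = ldap.VERSION3
              ldapcn.simple_bind_s(self.intBindUser, self.intBindPasswd)
          except ldap.LDAPError as e:
              self.client.error_message.append(_('LDAPError = %s"') % e)
              return 0
          try:
              return self._ldap_check_user(ldapcn, password)
          finally:
              # release the connection whatever the outcome
              ldapcn.unbind_s()

      def _ldap_check_user(self, ldapcn, password):
          ''' Find the directory entry for ``self.client.user`` and verify
              ``password`` by binding as that entry.  Returns 1 or 0.
          '''
          name = self.client.user
          # make sure that user exists; the login name is escaped so it cannot
          # alter the search filter (LDAP filter injection)
          filterstr = 'sAMAccountName=%s' % ldap.filter.escape_filter_chars(name)
          try:
              ldaps = ldapcn.search_s(self.ldap_base, ldap.SCOPE_SUBTREE, filterstr)
          except ldap.LDAPError as e:
              self.client.error_message.append(_('Unknown LDAP account "%(name)s"') % locals())
              self.client.error_message.append(_('LDAPError = %s"') % e)
              return 0
          # search_s returns an empty list, not an error, when nothing matches;
          # results with a None dn (search references) carry no account and are
          # skipped
          entries = [(dn, attrs) for dn, attrs in ldaps if dn is not None]
          if not entries:
              self.client.error_message.append(_('Unknown LDAP account "%(name)s"') % locals())
              return 0
          self.ldapdn, self.attrs = entries[0]
          # verify the password by binding as the user
          try:
              ldapcn.bind_s(self.ldapdn, password)
          except ldap.LDAPError as e:
              self.client.error_message.append(_('Invalid password !'))
              self.client.error_message.append(_('LDAPError = %s') % e)
              return 0
          return 1

      def verifyLogin(self, username, password):
          ''' Try to log in with the local account first, then through LDAP.

              On failure the client is made anonymous and the method returns.
              On a successful LDAP login for a user unknown to the tracker, the
              user is created from the LDAP attributes.
          '''
          ldap_ok = None
          if not self.local_login(password):
              ldap_ok = self.ldap_login(password)
              if not ldap_ok:
                  self.client.make_user_anonymous()
                  return
          # login succeeded: drop the messages left by the failed local attempt
          self.client.error_message = []
          # reload user profile, or create it automatically if missing
          try:
              self.client.userid = self.db.user.lookup(self.client.user)
          except KeyError:
              if not ldap_ok:
                  self.client.make_user_anonymous()
                  self.client.error_message.append(_("No account created without LDAP account"))
                  return
              self._create_user_from_ldap()

      def _create_user_from_ldap(self):
          ''' Create the tracker user for ``self.client.user`` from the LDAP
              attributes collected by ``ldap_login`` and reload its id.
          '''
          props = {}
          for user_attr, ldap_attr in self.ldap_attrs:
              # each LDAP attribute is multi-valued; the first value is used
              props[user_attr] = ' '.join([self.attrs.get(attr, ['', ''])[0] for attr in ldap_attr])
          props['address'] = self.attrs['sAMAccountName'][0] + self.email_suffix
          self.journaltag = 'admin'
          cl = self.db.user
          props['roles'] = self.db.config.NEW_WEB_USER_ROLES
          self.userid = cl.create(**props)
          self.db.commit()
          self.client.userid = self.db.user.lookup(self.client.user)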
  
  def init(instance):
      """Register the LDAP-backed login action under the 'login' action name."""
      action_name = 'login'
      instance.registerAction(action_name, LdapLoginAction)