diff --git a/conf/ldapcherry.ini b/conf/ldapcherry.ini
index 7ec2ba2..3a4b32e 100644
--- a/conf/ldapcherry.ini
+++ b/conf/ldapcherry.ini
@@ -68,7 +68,7 @@

 ldap.module = 'ldapcherry.backend.backendLdap'
 ldap.groupdn = 'ou=group,dc=example,dc=com'
-ldap.people = 'ou=group,dc=example,dc=com'
+ldap.userdn = 'ou=group,dc=example,dc=com'
 ldap.binddn = 'cn=ldapcherry,dc=example,dc=com'
 ldap.password = 'password'
 ldap.uri = 'ldaps://ldap.ldapcherry.org'
diff --git a/ldapcherry/backend/backendLdap.py b/ldapcherry/backend/backendLdap.py
index 9db3b75..618e296 100644
--- a/ldapcherry/backend/backendLdap.py
+++ b/ldapcherry/backend/backendLdap.py
@@ -17,10 +17,13 @@
 self._logger = logger
 self.backend_name = name
 self.binddn = self.get_param('binddn')
+ self.bindpassword = self.get_param('password')
 self.ca = self.get_param('ca', False)
 self.checkcert = self.get_param('checkcert', 'on')
 self.starttls = self.get_param('starttls', 'off')
 self.uri = self.get_param('uri')
+ self.userdn = self.get_param('userdn')
+ self.groupdn = self.get_param('groupdn')
 self.user_filter_tmpl = self.get_param('user_filter_tmpl')

 def auth(self, username, password):
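Review bot: The new `ldap.userdn` line keeps the value of the `ldap.people` line it replaces, `'ou=group,dc=example,dc=com'`, so the sample configuration searches users under the same base as `ldap.groupdn`; the test dict in tests/test_BackendLdap.py uses a separate `ou=People` base, which looks like the intent. Suggest `ldap.userdn = 'ou=People,dc=example,dc=com'` (a constructed value mirroring the test dict) here, and the same correction in tests/cfg/ldapcherry.ini, whose hunk carries the identical copied value.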
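Review bot: `self.userdn = self.get_param('userdn')` and `self.groupdn = self.get_param('groupdn')` take no default, while the neighbouring `ca`/`checkcert`/`starttls` reads do; since the config key was renamed from `people` in this same commit, a deployment still using the old key gets whatever `get_param` returns for a missing key (not visible here) and, if that is None, only fails later inside `search_s` rather than at startup. If `get_param` raises on a missing key this is fine; otherwise a startup-time check on `self.userdn`/`self.groupdn` that raises the project's configuration error would localise the failure. A short docstring on `__init__` listing the expected keys (`binddn`, `password`, `userdn`, `groupdn`, `uri`, `ca`, `checkcert`, `starttls`, `user_filter_tmpl`) would also help; the method starts outside the hunk.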
@@ -57,22 +60,23 @@
 ldap_client = self._connect()
 try:
 ldap_client.simple_bind_s(self.binddn, self.bindpassword)
- except ldap.INVALID_CREDENTIALS:
+ except ldap.INVALID_CREDENTIALS as e:
 self._logger(
 logging.ERROR,
 "Configuration error, wrong credentials, unable to connect to ldap with '" + self.binddn + "'",
 )
- raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")
+ #raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")
+ raise e
- except ldap.SERVER_DOWN:
+ except ldap.SERVER_DOWN as e:
 self._logger(
 logging.ERROR,
 "Unable to contact ldap server '" + self.uri + "', check 'auth.ldap.uri' and ssl/tls configuration",
 )
- return False
+ raise e

- user_filter = self.user_filter_tmpl % {
- 'login': username
- }
+ user_filter = self.user_filter_tmpl % {
+ 'username': username
+ }
 r = ldap_client.search_s(self.userdn,
 ldap.SCOPE_SUBTREE,
@@ -90,13 +94,16 @@
 ldap_client.set_option(ldap.OPT_REFERRALS, 0)
 if self.starttls == 'on':
 ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)
- if self.ca:
+ else:
+ ldap.set_option(ldap.OPT_X_TLS_DEMAND, False)
+ if self.ca and self.checkcert == 'on':
 ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca)
+ #else:
+ # ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '')
 if self.checkcert == 'off':
 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
 else:
 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_DEMAND)
-
 if self.starttls == 'on':
 try:
 ldap_client.start_tls_s()
diff --git a/tests/cfg/ldapcherry.ini b/tests/cfg/ldapcherry.ini
index e6a9d51..18a47ea 100644
--- a/tests/cfg/ldapcherry.ini
+++ b/tests/cfg/ldapcherry.ini
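Review bot: `username` is still interpolated verbatim into the search filter at `user_filter = self.user_filter_tmpl % {'username': username}`; since `auth` receives it from the login form, a value containing `*`, `(`, `)` or `\` changes the meaning of the filter (LDAP filter injection), and this hunk only renamed the placeholder. Escape it first: `'username': ldap.filter.escape_filter_chars(username)` (with `import ldap.filter` at the top of the file). Separately, `raise e` in both except blocks discards the original traceback on Python 2 (the `e[0]['info']` indexing in the tests suggests 2.x) where a bare `raise` keeps it, and the commented-out `#raise cherrypy.HTTPError(...)` line should be removed rather than kept as dead code. Note also that `ldap.SERVER_DOWN` now propagates out of `auth` where the old code returned False, so callers outside this hunk must handle it; the rest of `auth` continues past the hunk.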
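Review bot: The TLS settings in this hunk, including the new `ldap.set_option(ldap.OPT_X_TLS_DEMAND, False)` branch and the `OPT_X_TLS_CACERTFILE`/`OPT_X_TLS_REQUIRE_CERT` lines, go through the module-global `ldap.set_option` after `ldap_client` already exists (it receives `OPT_REFERRALS` per-connection on the first line of the hunk). If `ldap_client` comes from `ldap.initialize` earlier in `_connect` (outside the hunk), libldap copies the global TLS defaults into the handle when it is created, so these calls may not affect this connection at all while still leaking into every other connection in the process; setting them on `ldap_client` followed by `ldap_client.set_option(ldap.OPT_X_TLS_NEWCTX, 0)` makes them take effect for this handle only. Also, `ldap.OPT_X_TLS_DEMAND` is, as far as I can tell, a value for `OPT_X_TLS_REQUIRE_CERT` rather than an option name, so `set_option(ldap.OPT_X_TLS_DEMAND, ...)` in both the `if` and the new `else` may be setting an unrelated option — worth confirming against the python-ldap constants before relying on it.
```python
        # … unchanged: referral option and starttls branch …
        if self.ca and self.checkcert == 'on':
            ldap_client.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca)
        if self.checkcert == 'off':
            ldap_client.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
        else:
            ldap_client.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        # per-connection TLS options only apply once a fresh TLS context is created
        ldap_client.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
        # … unchanged: start_tls_s block …
```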
@@ -68,8 +68,8 @@

 ldap.module = 'ldapcherry.backend.backendLdap'
 ldap.groupdn = 'ou=group,dc=example,dc=com'
-ldap.people = 'ou=group,dc=example,dc=com'
-ldap.binddn = 'cn=ldapcherry,dc=example,dc=com'
+ldap.userdn = 'ou=group,dc=example,dc=com'
+ldap.binddn = 'cn=dnscherry,dc=example,dc=org'
 ldap.password = 'password'
 ldap.uri = 'ldaps://ldap.ldapcherry.org'
 ldap.ca = '/etc/dnscherry/TEST-cacert.pem'
diff --git a/tests/cfg/wrong_ca.crt b/tests/cfg/wrong_ca.crt
new file mode 100644
index 0000000..b852d16
--- /dev/null
+++ b/tests/cfg/wrong_ca.crt
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEpDCCA4ygAwIBAgIJAJPjqWBPSpcrMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYD
+VQQGEwJGUjELMAkGA1UECBMCRlIxDjAMBgNVBAcTBVBhcmlzMQ4wDAYDVQQKEwVQ
+YXJpczERMA8GA1UECxMIY2hhbmdlbWUxETAPBgNVBAMTCGNoYW5nZW1lMREwDwYD
+VQQpEwhjaGFuZ2VtZTEdMBsGCSqGSIb3DQEJARYOa2Frd2FAa2Frd2EuZnIwHhcN
+MTIwNzIxMTgwMzExWhcNMjIwNzE5MTgwMzExWjCBkjELMAkGA1UEBhMCRlIxCzAJ
+BgNVBAgTAkZSMQ4wDAYDVQQHEwVQYXJpczEOMAwGA1UEChMFUGFyaXMxETAPBgNV
+BAsTCGNoYW5nZW1lMREwDwYDVQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMIY2hhbmdl
+bWUxHTAbBgkqhkiG9w0BCQEWDmtha3dhQGtha3dhLmZyMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA2JAYpMeudhVLgUOCdnA4a4R+sGv7dNxcrBTK9Eh3
+PHbCwBtAfX8J2NXjKiSNlZLw2xc5A7wEks7JxieynBfClL3kruZ2pj9yxT4BH4ro
+fY560b887miofiqKjB1dEnpoOfQNxUwUKVdKlOU0U8oteHwEnet8EbJ3Th4bkftz
+Bk8PYDOCt2x+SK6mHJz8yOsezsLfsrNdOLlY+dDrgZFmIGekTdo7okGaiPIndr1s
+OYcDLlow188oHnUZ8I9uPQW6Tk6gveh65sDc4ThpdrF8dV7UQxOrP+lBTcbrQNf0
+dMy2UDuA4TauIA6o6JsxtBbsBRph4vmgGXc1AGfmC2QXqwIDAQABo4H6MIH3MB0G
+A1UdDgQWBBTS1NffwUVvC47DSsSh5WCPGXMvxDCBxwYDVR0jBIG/MIG8gBTS1Nff
+wUVvC47DSsSh5WCPGXMvxKGBmKSBlTCBkjELMAkGA1UEBhMCRlIxCzAJBgNVBAgT
+AkZSMQ4wDAYDVQQHEwVQYXJpczEOMAwGA1UEChMFUGFyaXMxETAPBgNVBAsTCGNo
+YW5nZW1lMREwDwYDVQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMIY2hhbmdlbWUxHTAb
+BgkqhkiG9w0BCQEWDmtha3dhQGtha3dhLmZyggkAk+OpYE9KlyswDAYDVR0TBAUw
+AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEATGrU92RcniJ5QkOPLR/Zy2850jtknHKq
+VynTH5+smoRqDm6MJNSXb4Hy437qRFZdIyPcIXLgn+C31z0yfkSxW6MoGvYsWo86
+SKjow/OG4XQcHiOr0ydOSqdWL9EXWq+0DwnwWcmaFpuRhN2pK4fZmIcokRBiIbv0
+xnuyFvCTpsEOJHaYRQdE71omb47OBFhSA+ytGihmD6FycNqP9mriA0fPw2o/oVSd
+WC55yNfi9JqimfH/AN2ApMXD6TQD9JyyNJ2Qciwf7WsU+h3I/qIS15RsG+VUFm5E
+D62QGIMu6rRj06GO4e7+0+doiHvV9b8rk37aMOEhWmTw2v6aHJcGHw==
+-----END CERTIFICATE-----
diff --git a/tests/test_BackendLdap.py b/tests/test_BackendLdap.py
index 2ce2a8e..201c725 100644
--- a/tests/test_BackendLdap.py
+++ b/tests/test_BackendLdap.py
@@ -11,15 +11,16 @@
 from ldapcherry import syslog_error
 from ldapcherry.exceptions import *
 import cherrypy
+from ldap import SERVER_DOWN

 cfg = {
 'module' : 'ldapcherry.backend.ldap',
-'groupdn' : 'ou=group,dc=example,dc=com',
-'people' : 'ou=group,dc=example,dc=com',
-'binddn' : 'cn=ldapcherry,dc=example,dc=com',
+'groupdn' : 'ou=group,dc=example,dc=org',
+'userdn' : 'ou=People,dc=example,dc=org',
+'binddn' : 'cn=dnscherry,dc=example,dc=org',
 'password' : 'password',
-'uri' : 'ldaps://ldap.ldapcherry.org',
-'ca' : '/etc/dnscherry/TEST-cacert.pem',
+'uri' : 'ldap://ldap.ldapcherry.org:390',
+'ca' : './tests/test_env/etc/ldapcherry/TEST-cacert.pem',
 'starttls' : 'off',
 'checkcert' : 'off',
 'user_filter_tmpl' : '(uid=%(username)s)',
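Review bot: `'ca' : './tests/test_env/etc/ldapcherry/TEST-cacert.pem'` is resolved against the working directory, so it only works when the suite is launched from the repository root, while `cfg2['ca'] = './cfg/wrong_ca.crt'` in the next hunk of this file is written relative to tests/; at most one of the two resolves for any given cwd. Building both from the module's own location, e.g. `os.path.join(os.path.dirname(__file__), 'cfg', 'wrong_ca.crt')` (with `import os`), removes the dependence on where the runner starts. The base config's `'checkcert' : 'off'` also means every test that reuses `cfg` unchanged runs with certificate checking disabled, which fits the plain `ldap://` URI but deserves a one-line comment on the dict so the value is not copied into a deployment example.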
@@ -36,16 +37,37 @@

 def testConnect(self):
 inv = Backend(cfg, cherrypy.log, 'ldap')
- inv._connect()
+ ldap = inv._connect()
+ ldap.simple_bind_s(inv.binddn, inv.bindpassword)
 return True

 def testConnectSSL(self):
- inv = Backend(cfg, cherrypy.log, 'ldap')
- return True
+ cfg2 = cfg.copy()
+ cfg2['uri'] = 'ldaps://ldap.ldapcherry.org:637'
+ cfg2['checkcert'] = 'on'
+ inv = Backend(cfg2, cherrypy.log, 'ldap')
+ ldap = inv._connect()
+ ldap.simple_bind_s(inv.binddn, inv.bindpassword)

- def testConnectSSLNoCheck(self):
- inv = Backend(cfg, cherrypy.log, 'ldap')
- return True
+ def testConnectSSLWrongCA(self):
+ cfg2 = cfg.copy()
+ cfg2['uri'] = 'ldaps://ldap.ldapcherry.org:637'
+ cfg2['checkcert'] = 'on'
+ cfg2['ca'] = './cfg/wrong_ca.crt'
+ inv = Backend(cfg2, cherrypy.log, 'ldap')
+ ldapc = inv._connect()
+ try:
+ ldapc.simple_bind_s(inv.binddn, inv.bindpassword)
+ except SERVER_DOWN as e:
+ assert e[0]['info'] == 'TLS: hostname does not match CN in peer certificate'
+
+# def testConnectSSLNoCheck(self):
+# cfg2 = cfg.copy()
+# cfg2['uri'] = 'ldaps://ldap.ldapcherry.org:637'
+# cfg2['checkcert'] = 'off'
+# inv = Backend(cfg2, cherrypy.log, 'ldap')
+# ldap = inv._connect()
+# ldap.simple_bind_s(inv.binddn, inv.bindpassword)

 def testAuthSuccess(self):
 inv = Backend(cfg, cherrypy.log, 'ldap')
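Review bot: `testConnectSSLWrongCA` passes whenever the bind does not raise, because nothing runs on the success path of the `try`; a backend that silently accepts an untrusted CA is exactly the regression this test exists to catch. Add an `else:` branch after the `except SERVER_DOWN as e:` block: `else:` / `raise AssertionError('bind succeeded although the CA is untrusted')`. The expected text `'TLS: hostname does not match CN in peer certificate'` is also a hostname-mismatch diagnostic rather than a trust-chain failure, so the assertion may be checking a different error than the test name implies — worth confirming against what the test server actually returns, and the `e[0]['info']` indexing will itself raise if `e` has another shape. The `return True` in `testConnect` is a no-op under a test runner, and the commented-out `testConnectSSLNoCheck` block should be removed or re-enabled with a skip marker rather than kept as dead code.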