sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method
This commit is contained in:
parent
44a3c7fa5f
commit
22c4fb1414
|
@ -1,5 +1,6 @@
|
|||
"""passbook LDAP Authentication Backend"""
|
||||
from django.contrib.auth.backends import ModelBackend
|
||||
from django.http import HttpRequest
|
||||
from structlog import get_logger
|
||||
|
||||
from passbook.sources.ldap.connector import Connector
|
||||
|
@ -11,11 +12,12 @@ LOGGER = get_logger()
|
|||
class LDAPBackend(ModelBackend):
|
||||
"""Authenticate users against LDAP Server"""
|
||||
|
||||
def authenticate(self, **kwargs):
|
||||
def authenticate(self, request: HttpRequest, **kwargs):
|
||||
"""Try to authenticate a user via ldap"""
|
||||
if 'password' not in kwargs:
|
||||
return None
|
||||
for source in LDAPSource.objects.filter(enabled=True):
|
||||
LOGGER.debug("LDAP Auth attempt", source=source)
|
||||
_ldap = Connector(source)
|
||||
user = _ldap.auth_user(**kwargs)
|
||||
if user:
|
||||
|
|
|
@ -1,19 +1,15 @@
|
|||
"""Wrapper for ldap3 to easily manage user"""
|
||||
from time import time
|
||||
from typing import Any, Dict, Optional
|
||||
|
||||
import ldap3
|
||||
import ldap3.core.exceptions
|
||||
from structlog import get_logger
|
||||
|
||||
from passbook.core.models import User
|
||||
from passbook.lib.config import CONFIG
|
||||
from passbook.core.models import Group, User
|
||||
from passbook.sources.ldap.models import LDAPSource
|
||||
|
||||
LOGGER = get_logger()
|
||||
|
||||
# USERNAME_FIELD = CONFIG.y('ldap.username_field', 'sAMAccountName')
|
||||
# LOGIN_FIELD = CONFIG.y('ldap.login_field', 'userPrincipalName')
|
||||
|
||||
|
||||
class Connector:
|
||||
"""Wrapper for ldap3 to easily manage user authentication and creation"""
|
||||
|
@ -24,178 +20,103 @@ class Connector:
|
|||
|
||||
def __init__(self, source: LDAPSource):
|
||||
self._source = source
|
||||
|
||||
if not self._source.enabled:
|
||||
LOGGER.debug("LDAP not Enabled")
|
||||
|
||||
self._server = ldap3.Server(source.server_uri) # Implement URI parsing
|
||||
|
||||
def bind(self):
|
||||
"""Bind using Source's Credentials"""
|
||||
self._connection = ldap3.Connection(self._server, raise_exceptions=True,
|
||||
user=source.bind_cn,
|
||||
password=source.bind_password)
|
||||
user=self._source.bind_cn,
|
||||
password=self._source.bind_password)
|
||||
|
||||
self._connection.bind()
|
||||
if source.start_tls:
|
||||
if self._source.start_tls:
|
||||
self._connection.start_tls()
|
||||
|
||||
@staticmethod
|
||||
def encode_pass(password: str) -> str:
|
||||
def encode_pass(password: str) -> bytes:
|
||||
"""Encodes a plain-text password so it can be used by AD"""
|
||||
return '"{}"'.format(password).encode('utf-16-le')
|
||||
|
||||
def generate_filter(self, **fields):
|
||||
"""Generate LDAP filter from **fields."""
|
||||
filters = []
|
||||
for item, value in fields.items():
|
||||
filters.append("(%s=%s)" % (item, value))
|
||||
ldap_filter = "(&%s)" % "".join(filters)
|
||||
LOGGER.debug("Constructed filter: '%s'", ldap_filter)
|
||||
return ldap_filter
|
||||
@property
|
||||
def base_dn_users(self) -> str:
|
||||
"""Shortcut to get full base_dn for user lookups"""
|
||||
return ','.join([self._source.additional_user_dn, self._source.base_dn])
|
||||
|
||||
def lookup(self, ldap_filter: str):
|
||||
"""Search email in LDAP and return the DN.
|
||||
Returns False if nothing was found."""
|
||||
try:
|
||||
self._connection.search(self._source.search_base, ldap_filter)
|
||||
results = self._connection.response
|
||||
if len(results) >= 1:
|
||||
if 'dn' in results[0]:
|
||||
return str(results[0]['dn'])
|
||||
except ldap3.core.exceptions.LDAPNoSuchObjectResult as exc:
|
||||
LOGGER.warning(exc)
|
||||
return False
|
||||
except ldap3.core.exceptions.LDAPInvalidDnError as exc:
|
||||
LOGGER.warning(exc)
|
||||
return False
|
||||
return False
|
||||
@property
|
||||
def base_dn_groups(self) -> str:
|
||||
"""Shortcut to get full base_dn for group lookups"""
|
||||
return ','.join([self._source.additional_group_dn, self._source.base_dn])
|
||||
|
||||
def _get_or_create_user(self, user_data):
|
||||
"""Returns a Django user for the given LDAP user data.
|
||||
If the user does not exist, then it will be created."""
|
||||
attributes = user_data.get("attributes")
|
||||
if attributes is None:
|
||||
LOGGER.warning("LDAP user attributes empty")
|
||||
return None
|
||||
# Create the user data.
|
||||
field_map = {
|
||||
'username': '%(' + ')s',
|
||||
'name': '%(givenName)s %(sn)s',
|
||||
'email': '%(mail)s',
|
||||
def sync_groups(self):
|
||||
"""Iterate over all LDAP Groups and create passbook_core.Group instances"""
|
||||
attributes = [
|
||||
'objectSid', # Used as unique Identifier
|
||||
'name',
|
||||
'dn',
|
||||
]
|
||||
groups = self._connection.extend.standard.paged_search(
|
||||
search_base=self.base_dn_groups,
|
||||
search_filter=self._source.group_object_filter,
|
||||
search_scope=ldap3.SUBTREE,
|
||||
attributes=ldap3.ALL_ATTRIBUTES)
|
||||
for group in groups:
|
||||
attributes = group.get('attributes', {})
|
||||
_, created = Group.objects.update_or_create(
|
||||
attributes__objectSid=attributes.get('objectSid', ''),
|
||||
defaults=self._build_object_properties(attributes),
|
||||
)
|
||||
LOGGER.debug("Synced group", group=attributes.get('name', ''), created=created)
|
||||
|
||||
def sync_users(self):
|
||||
"""Iterate over all LDAP Users and create passbook_core.User instances"""
|
||||
users = self._connection.extend.standard.paged_search(
|
||||
search_base=self.base_dn_users,
|
||||
search_filter=self._source.user_object_filter,
|
||||
search_scope=ldap3.SUBTREE,
|
||||
attributes=ldap3.ALL_ATTRIBUTES)
|
||||
for user in users:
|
||||
attributes = user.get('attributes', {})
|
||||
_, created = User.objects.update_or_create(
|
||||
attributes__objectSid=attributes.get('objectSid', ''),
|
||||
defaults=self._build_object_properties(attributes),
|
||||
)
|
||||
LOGGER.debug("Synced User", user=attributes.get('name', ''), created=created)
|
||||
|
||||
def sync_membership(self):
|
||||
"""Iterate over all Users and assign Groups using memberOf Field"""
|
||||
pass
|
||||
|
||||
def _build_object_properties(self, attributes: Dict[str, Any]) -> Dict[str, Dict[Any, Any]]:
|
||||
properties = {
|
||||
'attributes': {}
|
||||
}
|
||||
user_fields = {}
|
||||
for dj_field, ldap_field in field_map.items():
|
||||
user_fields[dj_field] = ldap_field % attributes
|
||||
for mapping in self._source.property_mappings.all().select_subclasses():
|
||||
properties[mapping.object_field] = attributes.get(mapping.ldap_property, '')
|
||||
if 'objectSid' in attributes:
|
||||
properties['attributes']['objectSid'] = attributes.get('objectSid')
|
||||
properties['attributes']['distinguishedName'] = attributes.get('distinguishedName')
|
||||
return properties
|
||||
|
||||
# Update or create the user.
|
||||
user, created = User.objects.update_or_create(
|
||||
defaults=user_fields,
|
||||
username=user_fields.pop('username', "")
|
||||
)
|
||||
|
||||
# Update groups
|
||||
# if 'memberOf' in attributes:
|
||||
# applicable_groups = LDAPGroupMapping.objects.f
|
||||
# ilter(ldap_dn__in=attributes['memberOf'])
|
||||
# for group in applicable_groups:
|
||||
# if group.group not in user.groups.all():
|
||||
# user.groups.add(group.group)
|
||||
# user.save()
|
||||
|
||||
# If the user was created, set them an unusable password.
|
||||
if created:
|
||||
user.set_unusable_password()
|
||||
user.save()
|
||||
# All done!
|
||||
LOGGER.debug("LDAP user lookup succeeded")
|
||||
return user
|
||||
|
||||
def auth_user(self, password, **filters):
|
||||
def auth_user(self, password: str, **filters: Dict[str, str]) -> Optional[User]:
|
||||
"""Try to bind as either user_dn or mail with password.
|
||||
Returns True on success, otherwise False"""
|
||||
filters.pop('request')
|
||||
if not self._source.enabled:
|
||||
users = User.objects.filter(**filters)
|
||||
if not users.exists():
|
||||
return None
|
||||
# FIXME: Adapt user_uid
|
||||
# email = filters.pop(CONFIG.y('passport').get('ldap').get, '')
|
||||
email = filters.pop('email')
|
||||
user_dn = self.lookup(self.generate_filter(**{'email': email}))
|
||||
if not user_dn:
|
||||
user = users.first()
|
||||
if 'distinguishedName' not in user.attributes:
|
||||
LOGGER.debug("User doesn't have DN set, assuming not LDAP imported.", user=user)
|
||||
return None
|
||||
# Try to bind as new user
|
||||
LOGGER.debug("Binding as '%s'", user_dn)
|
||||
LOGGER.debug("Attempting Binding as user", user=user)
|
||||
try:
|
||||
temp_connection = ldap3.Connection(self._server, user=user_dn,
|
||||
temp_connection = ldap3.Connection(self._server,
|
||||
user=user.attributes.get('distinguishedName'),
|
||||
password=password, raise_exceptions=True)
|
||||
temp_connection.bind()
|
||||
if self._connection.search(
|
||||
search_base=self._source.search_base,
|
||||
search_filter=self.generate_filter(**{'email': email}),
|
||||
search_scope=ldap3.SUBTREE,
|
||||
attributes=[ldap3.ALL_ATTRIBUTES, ldap3.ALL_OPERATIONAL_ATTRIBUTES],
|
||||
get_operational_attributes=True,
|
||||
size_limit=1,
|
||||
):
|
||||
response = self._connection.response[0]
|
||||
# If user has no email set in AD, use UPN
|
||||
if 'mail' not in response.get('attributes'):
|
||||
response['attributes']['mail'] = response['attributes']['userPrincipalName']
|
||||
return self._get_or_create_user(response)
|
||||
LOGGER.warning("LDAP user lookup failed")
|
||||
return None
|
||||
return user
|
||||
except ldap3.core.exceptions.LDAPInvalidCredentialsResult as exception:
|
||||
LOGGER.debug("User '%s' failed to login (Wrong credentials)", user_dn)
|
||||
LOGGER.debug("LDAPInvalidCredentialsResult", user=user)
|
||||
except ldap3.core.exceptions.LDAPException as exception:
|
||||
LOGGER.warning(exception)
|
||||
return None
|
||||
|
||||
def _do_modify(self, diff, **fields):
|
||||
"""Do the LDAP modification itself"""
|
||||
user_dn = self.lookup(self.generate_filter(**fields))
|
||||
try:
|
||||
self._connection.modify(user_dn, diff)
|
||||
except ldap3.core.exceptions.LDAPException as exception:
|
||||
LOGGER.warning("Failed to modify %s ('%s'), saved to DB", user_dn, exception)
|
||||
# Connector.handle_ldap_error(user_dn, LDAPModification.ACTION_MODIFY, diff)
|
||||
LOGGER.debug("modified account '%s' [%s]", user_dn, ','.join(diff.keys()))
|
||||
return 'result' in self._connection.result and self._connection.result['result'] == 0
|
||||
|
||||
def disable_user(self, **fields):
|
||||
"""Disables LDAP user based on mail or user_dn.
|
||||
Returns True on success, otherwise False"""
|
||||
diff = {
|
||||
'userAccountControl': [(ldap3.MODIFY_REPLACE, [str(66050)])],
|
||||
}
|
||||
return self._do_modify(diff, **fields)
|
||||
|
||||
def enable_user(self, **fields):
|
||||
"""Enables LDAP user based on mail or user_dn.
|
||||
Returns True on success, otherwise False"""
|
||||
diff = {
|
||||
'userAccountControl': [(ldap3.MODIFY_REPLACE, [str(66048)])],
|
||||
}
|
||||
return self._do_modify(diff, **fields)
|
||||
|
||||
def change_password(self, new_password, **fields):
|
||||
"""Changes LDAP user's password based on mail or user_dn.
|
||||
Returns True on success, otherwise False"""
|
||||
diff = {
|
||||
'unicodePwd': [(ldap3.MODIFY_REPLACE, [Connector.encode_pass(new_password)])],
|
||||
}
|
||||
return self._do_modify(diff, **fields)
|
||||
|
||||
def add_to_group(self, group_dn, **fields):
|
||||
"""Adds mail or user_dn to group_dn
|
||||
Returns True on success, otherwise False"""
|
||||
user_dn = self.lookup(**fields)
|
||||
diff = {
|
||||
'member': [(ldap3.MODIFY_ADD), [user_dn]]
|
||||
}
|
||||
return self._do_modify(diff, user_dn=group_dn)
|
||||
|
||||
def remove_from_group(self, group_dn, **fields):
|
||||
"""Removes mail or user_dn from group_dn
|
||||
Returns True on success, otherwise False"""
|
||||
user_dn = self.lookup(**fields)
|
||||
diff = {
|
||||
'member': [(ldap3.MODIFY_DELETE), [user_dn]]
|
||||
}
|
||||
return self._do_modify(diff, user_dn=group_dn)
|
||||
|
|
|
@ -5,7 +5,7 @@ from django.contrib.admin.widgets import FilteredSelectMultiple
|
|||
from django.utils.translation import gettext_lazy as _
|
||||
|
||||
from passbook.admin.forms.source import SOURCE_FORM_FIELDS
|
||||
from passbook.sources.ldap.models import LDAPSource
|
||||
from passbook.sources.ldap.models import LDAPPropertyMapping, LDAPSource
|
||||
|
||||
|
||||
class LDAPSourceForm(forms.ModelForm):
|
||||
|
@ -26,6 +26,7 @@ class LDAPSourceForm(forms.ModelForm):
|
|||
'group_object_filter',
|
||||
'sync_groups',
|
||||
'sync_parent_group',
|
||||
'property_mappings',
|
||||
]
|
||||
widgets = {
|
||||
'name': forms.TextInput(),
|
||||
|
@ -37,7 +38,8 @@ class LDAPSourceForm(forms.ModelForm):
|
|||
'additional_group_dn': forms.TextInput(),
|
||||
'user_object_filter': forms.TextInput(),
|
||||
'group_object_filter': forms.TextInput(),
|
||||
'policies': FilteredSelectMultiple(_('policies'), False)
|
||||
'policies': FilteredSelectMultiple(_('policies'), False),
|
||||
'property_mappings': FilteredSelectMultiple(_('Property Mappings'), False)
|
||||
}
|
||||
labels = {
|
||||
'server_uri': _('Server URI'),
|
||||
|
@ -47,3 +49,17 @@ class LDAPSourceForm(forms.ModelForm):
|
|||
'additional_user_dn': _('Addition User DN'),
|
||||
'additional_group_dn': _('Addition Group DN'),
|
||||
}
|
||||
|
||||
|
||||
class LDAPPropertyMappingForm(forms.ModelForm):
|
||||
"""LDAP Property Mapping form"""
|
||||
|
||||
class Meta:
|
||||
|
||||
model = LDAPPropertyMapping
|
||||
fields = ['name', 'ldap_property', 'object_field']
|
||||
widgets = {
|
||||
'name': forms.TextInput(),
|
||||
'ldap_property': forms.TextInput(),
|
||||
'object_field': forms.TextInput(),
|
||||
}
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
# Generated by Django 2.2.6 on 2019-10-11 08:25
|
||||
|
||||
from django.db import migrations
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('passbook_sources_ldap', '0001_initial'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AlterModelOptions(
|
||||
name='ldappropertymapping',
|
||||
options={'verbose_name': 'LDAP Property Mapping', 'verbose_name_plural': 'LDAP Property Mappings'},
|
||||
),
|
||||
]
|
|
@ -0,0 +1,32 @@
|
|||
# Generated by Django 2.2.6 on 2019-10-11 08:25
|
||||
|
||||
from django.apps.registry import Apps
|
||||
from django.db import migrations
|
||||
|
||||
|
||||
def create_default_ad_property_mappings(apps: Apps, schema_editor):
|
||||
LDAPPropertyMapping = apps.get_model('passbook_sources_ldap', 'LDAPPropertyMapping')
|
||||
mapping = {
|
||||
'name': 'name',
|
||||
'givenName': 'first_name',
|
||||
'sn': 'last_name',
|
||||
'sAMAccountName': 'username',
|
||||
'mail': 'email'
|
||||
}
|
||||
for ldap_property, object_field in mapping.items():
|
||||
LDAPPropertyMapping.objects.get_or_create(
|
||||
ldap_property=ldap_property,
|
||||
object_field=object_field,
|
||||
defaults={
|
||||
'name': f"Autogenerated LDAP Mapping: {ldap_property} -> {object_field}"
|
||||
})
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('passbook_sources_ldap', '0002_auto_20191011_0825'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.RunPython(create_default_ad_property_mappings)
|
||||
]
|
|
@ -0,0 +1,25 @@
|
|||
# Generated by Django 2.2.6 on 2019-10-11 08:39
|
||||
|
||||
import django.core.validators
|
||||
import django.db.models.deletion
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('passbook_sources_ldap', '0003_auto_20191011_0825'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AlterField(
|
||||
model_name='ldapsource',
|
||||
name='server_uri',
|
||||
field=models.TextField(validators=[django.core.validators.URLValidator(schemes=['ldap', 'ldaps'])]),
|
||||
),
|
||||
migrations.AlterField(
|
||||
model_name='ldapsource',
|
||||
name='sync_parent_group',
|
||||
field=models.ForeignKey(blank=True, default=None, null=True, on_delete=django.db.models.deletion.SET_DEFAULT, to='passbook_core.Group'),
|
||||
),
|
||||
]
|
|
@ -10,7 +10,7 @@ from passbook.core.models import Group, PropertyMapping, Source
|
|||
class LDAPSource(Source):
|
||||
"""LDAP Authentication source"""
|
||||
|
||||
server_uri = models.URLField(validators=[URLValidator(schemes=['ldap', 'ldaps'])])
|
||||
server_uri = models.TextField(validators=[URLValidator(schemes=['ldap', 'ldaps'])])
|
||||
bind_cn = models.TextField()
|
||||
bind_password = models.TextField()
|
||||
start_tls = models.BooleanField(default=False)
|
||||
|
@ -23,7 +23,7 @@ class LDAPSource(Source):
|
|||
group_object_filter = models.TextField()
|
||||
|
||||
sync_groups = models.BooleanField(default=True)
|
||||
sync_parent_group = models.ForeignKey(Group, blank=True,
|
||||
sync_parent_group = models.ForeignKey(Group, blank=True, null=True,
|
||||
default=None, on_delete=models.SET_DEFAULT)
|
||||
|
||||
form = 'passbook.sources.ldap.forms.LDAPSourceForm'
|
||||
|
@ -39,6 +39,17 @@ class LDAPSource(Source):
|
|||
|
||||
|
||||
class LDAPPropertyMapping(PropertyMapping):
|
||||
"""Map LDAP Property to User or Group object"""
|
||||
|
||||
ldap_property = models.TextField()
|
||||
object_field = models.TextField()
|
||||
|
||||
form = 'passbook.sources.ldap.forms.LDAPPropertyMappingForm'
|
||||
|
||||
def __str__(self):
|
||||
return f"LDAP Property Mapping {self.ldap_property} -> {self.object_field}"
|
||||
|
||||
class Meta:
|
||||
|
||||
verbose_name = _('LDAP Property Mapping')
|
||||
verbose_name_plural = _('LDAP Property Mappings')
|
||||
|
|
|
@ -1,5 +1,13 @@
|
|||
"""LDAP Settings"""
|
||||
from celery.schedules import crontab
|
||||
|
||||
AUTHENTICATION_BACKENDS = [
|
||||
'passbook.sources.ldap.auth.LDAPBackend',
|
||||
]
|
||||
|
||||
CELERY_BEAT_SCHEDULE = {
|
||||
'sync': {
|
||||
'task': 'passbook.sources.ldap.tasks.sync',
|
||||
'schedule': crontab(minute=0) # Run every hour
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
from passbook.root.celery import CELERY_APP
|
||||
from passbook.sources.ldap.connector import Connector
|
||||
from passbook.sources.ldap.models import LDAPSource
|
||||
|
||||
|
||||
@CELERY_APP.task()
|
||||
def sync_groups(source_pk: int):
|
||||
"""Sync LDAP Groups on background worker"""
|
||||
source = LDAPSource.objects.get(pk=source_pk)
|
||||
connector = Connector(source)
|
||||
connector.bind()
|
||||
connector.sync_groups()
|
||||
|
||||
@CELERY_APP.task()
|
||||
def sync_users(source_pk: int):
|
||||
"""Sync LDAP Users on background worker"""
|
||||
source = LDAPSource.objects.get(pk=source_pk)
|
||||
connector = Connector(source)
|
||||
connector.bind()
|
||||
connector.sync_users()
|
||||
|
||||
@CELERY_APP.task()
|
||||
def sync():
|
||||
"""Sync all sources"""
|
||||
for source in LDAPSource.objects.filter(enabled=True):
|
||||
connector = Connector(source)
|
||||
connector.bind()
|
||||
connector.sync_users()
|
||||
connector.sync_groups()
|
||||
connector.sync_membership()
|
Reference in New Issue