GithubFollow/One-KVM
1
0
Fork 0
mirror of https://github.com/mofeng-git/One-KVM.git synced 2025-12-12 09:10:30 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

ldap auth: tls support

Browse Source
This commit is contained in:
Maxim Devaev 2023-04-20 17:27:02 +03:00
parent 1209ddeb8d
commit 5bb3488281
1 changed files with 15 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
kvmd/plugins/auth/ldap.py
View File

@ -25,6 +25,7 @@ import ldap
from ...yamlconf import Option from ...yamlconf import Option
from ...validators.basic import valid_stripped_string_not_empty from ...validators.basic import valid_stripped_string_not_empty
from ...validators.basic import valid_bool
from ...validators.basic import valid_int_f1 from ...validators.basic import valid_int_f1
from ...logging import get_logger from ...logging import get_logger
@ -40,6 +41,7 @@ class Plugin(BaseAuthService):
def __init__( # pylint: disable=super-init-not-called def __init__( # pylint: disable=super-init-not-called
self, self,
url: str, url: str,
verify: bool,
base: str, base: str,
group: str, group: str,
user_domain: str, user_domain: str,
@ -47,6 +49,7 @@ class Plugin(BaseAuthService):
) -> None: ) -> None:
self.__url = url self.__url = url
self.__verify = verify
self.__base = base self.__base = base
self.__group = group self.__group = group
self.__user_domain = user_domain self.__user_domain = user_domain
@ -55,9 +58,10 @@ class Plugin(BaseAuthService):
@classmethod @classmethod
def get_plugin_options(cls) -> dict: def get_plugin_options(cls) -> dict:
return { return {
"url": Option("", type=valid_stripped_string_not_empty), "url": Option("", type=valid_stripped_string_not_empty),
"base": Option("", type=valid_stripped_string_not_empty), "verify": Option(True, type=valid_bool),
"group": Option("", type=valid_stripped_string_not_empty), "base": Option("", type=valid_stripped_string_not_empty),
"group": Option("", type=valid_stripped_string_not_empty),
"user_domain": Option(""), "user_domain": Option(""),
"timeout": Option(5, type=valid_int_f1), "timeout": Option(5, type=valid_int_f1),
} }
@ -73,6 +77,12 @@ class Plugin(BaseAuthService):
conn = ldap.initialize(self.__url) conn = ldap.initialize(self.__url)
conn.set_option(ldap.OPT_REFERRALS, 0) conn.set_option(ldap.OPT_REFERRALS, 0)
conn.set_option(ldap.OPT_TIMEOUT, self.__timeout) conn.set_option(ldap.OPT_TIMEOUT, self.__timeout)
if self.__url.lower().startswith("ldaps://"):
conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
conn.set_option(ldap.OPT_X_TLS_DEMAND, True)
if not self.__verify:
conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
conn.simple_bind_s(user, passwd) conn.simple_bind_s(user, passwd)
for (dn, attrs) in (conn.search_st( for (dn, attrs) in (conn.search_st(
base=self.__base, base=self.__base,
@ -85,8 +95,8 @@ class Plugin(BaseAuthService):
return True return True
except ldap.INVALID_CREDENTIALS: except ldap.INVALID_CREDENTIALS:
pass pass
except ldap.SERVER_DOWN: except ldap.SERVER_DOWN as err:
get_logger().error("LDAP server is down") get_logger().error("LDAP server is down: %s", tools.efmt(err))
except Exception as err: except Exception as err:
get_logger().error("Unexpected LDAP error: %s", tools.efmt(err)) get_logger().error("Unexpected LDAP error: %s", tools.efmt(err))
finally: finally: