oss/Radicale
oss/Radicale
1
0
Fork 0
mirror of https://github.com/Kozea/Radicale.git synced 2025-09-30 21:12:05 +00:00
Code Wiki Activity
Radicale/radicale/auth/ldap.py

418 lines
21 KiB
Python
Raw Normal View History

Initial version of ldap authentication backend.
2022-02-19 11:57:58 +01:00
# This file is part of Radicale - CalDAV and CardDAV server
extend copyright
2024-12-14 09:02:36 +01:00
# Copyright © 2022-2024 Peter Varkoly
# Copyright © 2024-2024 Peter Bieringer <pb@bieringer.de>
Initial version of ldap authentication backend.
2022-02-19 11:57:58 +01:00
#
# This library is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Radicale. If not, see <http://www.gnu.org/licenses/>.
"""
LDAP auth: a little bit of cleanup - correct grammar in some cases - we're doing authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version
2024-12-29 17:02:39 +01:00
Authentication backend that checks credentials with a LDAP server.
LDAP auth: document all paramters at the top of the file
2025-08-31 17:51:23 +02:00
The following parameters are needed in the configuration:
ldap_uri URI to the LDAP server
ldap_base Base DN of the LDAP server
ldap_reader_dn DN of an LDAP user with read access to get the user accounts
ldap_secret Password of the 'ldap_reader_dn'
Better: use 'ldap_secret_file'!
ldap_secret_file Path of the file containing the password of the 'ldap_reader_dn'
ldap_filter Search filter to find the user DN to authenticate
The following parameters control TLS connections:
ldap_use_ssl Use ssl on the ldap connection.
Deprecated, use 'ldap_security' instead!
ldap_security Encryption mode to be used,
one of: *none* | tls | starttls
ldap_ssl_verify_mode Certificate verification mode for tls and starttls;
one of: *REQUIRED* | OPTIONAL | NONE
ldap_ssl_ca_file Path to the CA file in PEM format to certify the server certificate
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
The following parameters are optional:
LDAP auth: document all paramters at the top of the file
2025-08-31 17:51:23 +02:00
ldap_user_attribute Attribute to be used as username after authentication, e.g. cn;
if not given, the name used to logon is used.
ldap_groups_attribute Attribute in the user entry to read the user's group memberships from,
e.g. memberof, groupMememberShip. This may even be a non-DN attribute!
ldap_group_base Base DN to search for groups;
only if it differs from 'ldap_base' and if 'ldap_group_members_attribute' is set
ldap_group_filter Search filter to search for groups having the user DN found as member;
only if 'ldap_group_members_attribute' is set
ldap_group_members_attribute Attribute in the group entries to read the group's members from,
e.g. member.
The following parameters are for LDAP servers with oddities
ldap_ignore_attribute_create_modify_timestamp
Ignore modifyTimestamp and createTimestamp attributes. Needed for Authentik LDAP server
Initial version of ldap authentication backend.
2022-02-19 11:57:58 +01:00
Implementing ssl connection for ldap auth
2024-09-23 10:19:50 +02:00
"""
import ssl
Enhance docomentation. Fix imports
2024-09-23 15:46:08 +02:00
Initial version of ldap authentication backend.
2022-02-19 11:57:58 +01:00
from radicale import auth, config
from radicale.log import logger
Fix the problems found by flake8.
2024-09-11 08:12:08 +02:00
Initial version of ldap authentication backend.
2022-02-19 11:57:58 +01:00
class Auth(auth.BaseAuth):
_ldap_uri: str
_ldap_base: str
_ldap_reader_dn: str
_ldap_secret: str
_ldap_filter: str
LDAP auth: only ask for memberOf if ldap_load_groups = True Ask for the 'memberOf' attribute to be returned in the user query only if 'ldap_load_groups' is set to True. This fixes the issue that currently LDAP authentication can only be used on LDAP servers that know this non-standard (it's an Active Directory extension) attribute. Other LDAP servers either do not necessarily have the group memberships stored in the user object (e.g. OpenLDAP), or use different attributes for this purpose (e.g. Novell eDirectory uses 'groupMembership')
2024-12-29 20:43:14 +01:00
_ldap_attributes: list[str] = []
LDAP auth: indroduce config option 'ldap_user_attribute' This option gives us - flexible authentication options where the name used for logging on does not have to be the account name e.g. use ldap_filter = (&(obhjectclass=inetOrgperson)(|(cn={0]})(mail={0}))) to allow loginng on using the cn or the mail address - automatically consistent / canonicalized username values (i.e. exactly the way the LDAP server returns them)
2024-12-29 08:05:42 +01:00
_ldap_user_attr: str
LDAP auth: remove config option 'ldap_load_groups' The same effect can be achieved using the option 'ldap_groups_attribute' alone, if it's default becomes unset instead of 'memberOf' Benefit: one config option less to deal with. While at it, also fix header level for 'ldap_user_attribute' in documentation.
2025-01-01 20:52:55 +01:00
_ldap_groups_attr: str
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
_ldap_group_base: str
_ldap_group_filter: str
_ldap_group_members_attr: str
LDAP auth: a little bit of cleanup - correct grammar in some cases - we're doing authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version
2024-12-29 17:02:39 +01:00
_ldap_module_version: int = 3
Standardize LDAP security configuration naming
2025-04-21 21:26:58 +02:00
_ldap_security: str = "none"
LDAP auth: re-factor handling of 'ldap_ssl_verify_mode' * treat 'ldap_ssl_verify_mode' as string * perform check for accepted values; fail on illegal ones * translate to the values nbeeded by the respective LDAP module when doing the login, based on a module specific dictionary
2025-09-28 12:31:10 +02:00
_ldap_ssl_verify_mode: str = "REQUIRED"
Implementing ssl connection for ldap auth
2024-09-23 10:19:50 +02:00
_ldap_ssl_ca_file: str = ""
Initial version of ldap authentication backend.
2022-02-19 11:57:58 +01:00
def __init__(self, configuration: config.Configuration) -> None:
super().__init__(configuration)
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
try:
import ldap3
Fix the problems found by flake8.
2024-09-11 08:12:08 +02:00
self.ldap3 = ldap3
except ImportError:
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
try:
import ldap
LDAP auth: fix _login2() by importing ldap.filter
2025-09-06 10:46:35 +02:00
import ldap.filter
LDAP auth: a little bit of cleanup - correct grammar in some cases - we're doing authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version
2024-12-29 17:02:39 +01:00
self._ldap_module_version = 2
Fix the problems found by flake8.
2024-09-11 08:12:08 +02:00
self.ldap = ldap
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
except ImportError as e:
LDAP auth: support TLS & start_tls also with python-ldap Until now, every connection to the LDAP server was silently unencryptedr when using Python's ldap module instead of the ldap3 module. I.e. using Python's ldap module was inherently insecure, as there was not even a hint that the config settings for encryption were ignored. This commit changes this and brings LDAP authentication based on the ldap module feature-wise on par with the one based on the ldap3 module.
2025-09-14 13:57:36 +02:00
raise RuntimeError("LDAP authentication requires the ldap3 or ldap module") from e
fixed flake8 errors
2025-03-24 22:14:29 +01:00
Update ldap.py
2025-03-24 20:10:53 +01:00
self._ldap_ignore_attribute_create_modify_timestamp = configuration.get("auth", "ldap_ignore_attribute_create_modify_timestamp")
Fix the problems found by flake8.
2024-09-11 08:12:08 +02:00
self._ldap_uri = configuration.get("auth", "ldap_uri")
Initial version of ldap authentication backend.
2022-02-19 11:57:58 +01:00
self._ldap_base = configuration.get("auth", "ldap_base")
self._ldap_reader_dn = configuration.get("auth", "ldap_reader_dn")
Fix the problems found by flake8.
2024-09-11 08:12:08 +02:00
self._ldap_secret = configuration.get("auth", "ldap_secret")
self._ldap_filter = configuration.get("auth", "ldap_filter")
LDAP auth: indroduce config option 'ldap_user_attribute' This option gives us - flexible authentication options where the name used for logging on does not have to be the account name e.g. use ldap_filter = (&(obhjectclass=inetOrgperson)(|(cn={0]})(mail={0}))) to allow loginng on using the cn or the mail address - automatically consistent / canonicalized username values (i.e. exactly the way the LDAP server returns them)
2024-12-29 08:05:42 +01:00
self._ldap_user_attr = configuration.get("auth", "ldap_user_attribute")
LDAP auth: introduce config option 'ldap_groups_attribute' This attribute is supposed to hold the group membership information if the config option 'ldap_load_groups' is True. If not given, it defaults to 'memberOf' for Active Directory. Introducing this options allows one to use radicale's LDAP auth with groups even on LDAP servers that keep their group memberships in a different attribute than 'memberOf', e.g. Novell eDirectory which uses 'groupMembership'.
2025-01-01 20:41:55 +01:00
self._ldap_groups_attr = configuration.get("auth", "ldap_groups_attribute")
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
self._ldap_group_base = configuration.get("auth", "ldap_group_base")
self._ldap_group_filter = configuration.get("auth", "ldap_group_filter")
self._ldap_group_members_attr = configuration.get("auth", "ldap_group_members_attribute")
Support loading ldap secret from file
2024-07-30 00:22:07 -07:00
ldap_secret_file_path = configuration.get("auth", "ldap_secret_file")
if ldap_secret_file_path:
with open(ldap_secret_file_path, 'r') as file:
self._ldap_secret = file.read().rstrip('\n')
LDAP auth: load SSL/TLS config unconditionally Currently it is not used by _login2(), but it does not hurt to have it available. It is a preparation for supporting encrypted connections in _login2().
2025-09-07 19:03:56 +02:00
self._ldap_security = configuration.get("auth", "ldap_security")
LDAP auth: fail on illegal values for config settings Thr config settings 'ldap_security' and 'ldap_ssl_verify_mode' only accept a specific set of values: fail if other values are provided.
2025-09-28 10:44:33 +02:00
if self._ldap_security not in ("none", "tls", "starttls"):
raise RuntimeError("Illegal value for config setting ´ldap_security'")
LDAP auth: refactor dealing with 'ldap_use_ssl' * stop treating it as class property * refactor to consolidate logic into one big 'if' statement (for easier removal when the config option gets removed in the future) * make deprecation warning for 'ldap_use_ssl' more urgent * raise error if conflicting settings 'ldap_security' = "starttls" and 'ldap_use_ssl' = True are set together * if not set, infer 'ldap_security' = "tls" from 'ldap_use_ssl' = True, logging a warning for the admin to update the config
2025-09-14 09:50:46 +02:00
ldap_use_ssl = configuration.get("auth", "ldap_use_ssl")
if ldap_use_ssl:
logger.warning("Configuration uses deprecated 'ldap_use_ssl': use 'ldap_security' ('none', 'tls', 'starttls') instead.")
if self._ldap_security == "starttls":
raise RuntimeError("Deprecated config setting 'ldap_use_ssl = True' conflicts with 'ldap_security' = 'starttls'")
elif self._ldap_security != "tls":
logger.warning("Update configuration: set 'ldap_security = tls' instead of deprecated 'ldap_use_ssl = True'")
self._ldap_security = "tls"
LDAP auth: load SSL/TLS config unconditionally Currently it is not used by _login2(), but it does not hurt to have it available. It is a preparation for supporting encrypted connections in _login2().
2025-09-07 19:03:56 +02:00
self._ldap_ssl_ca_file = configuration.get("auth", "ldap_ssl_ca_file")
LDAP auth: re-factor handling of 'ldap_ssl_verify_mode' * treat 'ldap_ssl_verify_mode' as string * perform check for accepted values; fail on illegal ones * translate to the values nbeeded by the respective LDAP module when doing the login, based on a module specific dictionary
2025-09-28 12:31:10 +02:00
self._ldap_ssl_verify_mode = configuration.get("auth", "ldap_ssl_verify_mode")
if self._ldap_ssl_verify_mode not in ("NONE", "OPTIONAL", "REQUIRED"):
LDAP auth: fail on illegal values for config settings Thr config settings 'ldap_security' and 'ldap_ssl_verify_mode' only accept a specific set of values: fail if other values are provided.
2025-09-28 10:44:33 +02:00
raise RuntimeError("Illegal value for config setting ´ldap_ssl_verify_mode'")
Add support for start_tls
2025-04-19 17:02:45 +02:00
LDAP auth: infer 'ldap_security = tls' from the URL prefix: ldaps:// => LDAPS LDAP URIs starting with the scheme 'ldaps' are - by definition - meant to use LDAPS instead of plain LDAP: infer 'ldap_security' = "tls" if it is not set.
2025-09-14 10:04:22 +02:00
if self._ldap_uri.lower().startswith("ldaps://") and self._ldap_security not in ("tls", "starttls"):
logger.info("Inferring 'ldap_security' = tls from 'ldap_uri' starting with 'ldaps://'")
self._ldap_security = "tls"
LDAP auth: re-factor handling of 'ldap_ssl_verify_mode' * treat 'ldap_ssl_verify_mode' as string * perform check for accepted values; fail on illegal ones * translate to the values nbeeded by the respective LDAP module when doing the login, based on a module specific dictionary
2025-09-28 12:31:10 +02:00
if self._ldap_ssl_ca_file == "" and self._ldap_ssl_verify_mode != "NONE" and self._ldap_security in ("tls", "starttls"):
LDAP auth: warn on unset ldap_ssl_ca_file when certificate verification is wanted
2025-09-14 10:27:26 +02:00
logger.warning("Certificate verification not possible: 'ldap_ssl_ca_file' not set")
LDAP auth: warn if 'ldap_ssl_ca_file' is set without LDAP encryption
2025-09-14 11:41:10 +02:00
if self._ldap_ssl_ca_file and self._ldap_security not in ("tls", "starttls"):
logger.warning("Config setting 'ldap_ssl_ca_file' useless without encrypted LDAP connection")
LDAP auth: warn on unset ldap_ssl_ca_file when certificate verification is wanted
2025-09-14 10:27:26 +02:00
LDAP auth: align values when logging config options In addition, log 'ldap_ssl_verify_mode' and 'ldap_ssl_ca_file' unconditionally.
2025-09-28 10:24:20 +02:00
logger.info("auth.ldap_uri : %r" % self._ldap_uri)
logger.info("auth.ldap_base : %r" % self._ldap_base)
logger.info("auth.ldap_reader_dn : %r" % self._ldap_reader_dn)
logger.info("auth.ldap_filter : %r" % self._ldap_filter)
LDAP auth: indroduce config option 'ldap_user_attribute' This option gives us - flexible authentication options where the name used for logging on does not have to be the account name e.g. use ldap_filter = (&(obhjectclass=inetOrgperson)(|(cn={0]})(mail={0}))) to allow loginng on using the cn or the mail address - automatically consistent / canonicalized username values (i.e. exactly the way the LDAP server returns them)
2024-12-29 08:05:42 +01:00
if self._ldap_user_attr:
LDAP auth: align values when logging config options In addition, log 'ldap_ssl_verify_mode' and 'ldap_ssl_ca_file' unconditionally.
2025-09-28 10:24:20 +02:00
logger.info("auth.ldap_user_attribute : %r" % self._ldap_user_attr)
LDAP auth: indroduce config option 'ldap_user_attribute' This option gives us - flexible authentication options where the name used for logging on does not have to be the account name e.g. use ldap_filter = (&(obhjectclass=inetOrgperson)(|(cn={0]})(mail={0}))) to allow loginng on using the cn or the mail address - automatically consistent / canonicalized username values (i.e. exactly the way the LDAP server returns them)
2024-12-29 08:05:42 +01:00
else:
LDAP auth: align values when logging config options In addition, log 'ldap_ssl_verify_mode' and 'ldap_ssl_ca_file' unconditionally.
2025-09-28 10:24:20 +02:00
logger.info("auth.ldap_user_attribute : (not provided)")
LDAP auth: remove config option 'ldap_load_groups' The same effect can be achieved using the option 'ldap_groups_attribute' alone, if it's default becomes unset instead of 'memberOf' Benefit: one config option less to deal with. While at it, also fix header level for 'ldap_user_attribute' in documentation.
2025-01-01 20:52:55 +01:00
if self._ldap_groups_attr:
LDAP auth: align values when logging config options In addition, log 'ldap_ssl_verify_mode' and 'ldap_ssl_ca_file' unconditionally.
2025-09-28 10:24:20 +02:00
logger.info("auth.ldap_groups_attribute : %r" % self._ldap_groups_attr)
LDAP auth: remove config option 'ldap_load_groups' The same effect can be achieved using the option 'ldap_groups_attribute' alone, if it's default becomes unset instead of 'memberOf' Benefit: one config option less to deal with. While at it, also fix header level for 'ldap_user_attribute' in documentation.
2025-01-01 20:52:55 +01:00
else:
LDAP auth: align values when logging config options In addition, log 'ldap_ssl_verify_mode' and 'ldap_ssl_ca_file' unconditionally.
2025-09-28 10:24:20 +02:00
logger.info("auth.ldap_groups_attribute : (not provided)")
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
if self._ldap_group_base:
LDAP auth: align values when logging config options In addition, log 'ldap_ssl_verify_mode' and 'ldap_ssl_ca_file' unconditionally.
2025-09-28 10:24:20 +02:00
logger.info("auth.ldap_group_base : %r" % self._ldap_group_base)
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
else:
LDAP auth: align values when logging config options In addition, log 'ldap_ssl_verify_mode' and 'ldap_ssl_ca_file' unconditionally.
2025-09-28 10:24:20 +02:00
logger.info("auth.ldap_group_base : (not provided, using ldap_base)")
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
self._ldap_group_base = self._ldap_base
if self._ldap_group_filter:
LDAP auth: align values when logging config options In addition, log 'ldap_ssl_verify_mode' and 'ldap_ssl_ca_file' unconditionally.
2025-09-28 10:24:20 +02:00
logger.info("auth.ldap_group_filter : %r" % self._ldap_group_filter)
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
else:
LDAP auth: align values when logging config options In addition, log 'ldap_ssl_verify_mode' and 'ldap_ssl_ca_file' unconditionally.
2025-09-28 10:24:20 +02:00
logger.info("auth.ldap_group_filter : (not provided)")
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
if self._ldap_group_members_attr:
logger.info("auth.ldap_group_members_attr: %r" % self._ldap_group_members_attr)
else:
logger.info("auth.ldap_group_members_attr: (not provided)")
Improve: auth.ldap config shown on startup, terminate in case no password is supplied for bind user
2024-12-14 09:04:15 +01:00
if ldap_secret_file_path:
LDAP auth: align values when logging config options In addition, log 'ldap_ssl_verify_mode' and 'ldap_ssl_ca_file' unconditionally.
2025-09-28 10:24:20 +02:00
logger.info("auth.ldap_secret_file_path : %r" % ldap_secret_file_path)
Improve: auth.ldap config shown on startup, terminate in case no password is supplied for bind user
2024-12-14 09:04:15 +01:00
if self._ldap_secret:
LDAP auth: align values when logging config options In addition, log 'ldap_ssl_verify_mode' and 'ldap_ssl_ca_file' unconditionally.
2025-09-28 10:24:20 +02:00
logger.info("auth.ldap_secret : (from file)")
Improve: auth.ldap config shown on startup, terminate in case no password is supplied for bind user
2024-12-14 09:04:15 +01:00
else:
LDAP auth: align values when logging config options In addition, log 'ldap_ssl_verify_mode' and 'ldap_ssl_ca_file' unconditionally.
2025-09-28 10:24:20 +02:00
logger.info("auth.ldap_secret_file_path : (not provided)")
Improve: auth.ldap config shown on startup, terminate in case no password is supplied for bind user
2024-12-14 09:04:15 +01:00
if self._ldap_secret:
LDAP auth: align values when logging config options In addition, log 'ldap_ssl_verify_mode' and 'ldap_ssl_ca_file' unconditionally.
2025-09-28 10:24:20 +02:00
logger.info("auth.ldap_secret : (from config)")
Improve: auth.ldap config shown on startup, terminate in case no password is supplied for bind user
2024-12-14 09:04:15 +01:00
if self._ldap_reader_dn and not self._ldap_secret:
LDAP auth: align values when logging config options In addition, log 'ldap_ssl_verify_mode' and 'ldap_ssl_ca_file' unconditionally.
2025-09-28 10:24:20 +02:00
logger.error("auth.ldap_secret : (not provided)")
LDAP auth: a little bit of cleanup - correct grammar in some cases - we're doing authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version
2024-12-29 17:02:39 +01:00
raise RuntimeError("LDAP authentication requires ldap_secret for ldap_reader_dn")
LDAP auth: align values when logging config options In addition, log 'ldap_ssl_verify_mode' and 'ldap_ssl_ca_file' unconditionally.
2025-09-28 10:24:20 +02:00
logger.info("auth.ldap_use_ssl : %s" % ldap_use_ssl)
logger.info("auth.ldap_security : %s" % self._ldap_security)
logger.info("auth.ldap_ssl_verify_mode : %s" % self._ldap_ssl_verify_mode)
if self._ldap_ssl_ca_file:
logger.info("auth.ldap_ssl_ca_file : %r" % self._ldap_ssl_ca_file)
else:
logger.info("auth.ldap_ssl_ca_file : (not provided)")
LDAP auth: move evaluation of quirk for Authentik where it belongs The evaluation of the quirk for the Authentik LDAP server changes the behaviour of Python's `ldap3` module, and that module only. Evaluating the quirk in `__init__` which is used for both, `ldap` and `ldap3` is thus wrong, and may lead to errors when this setting is used together with the `ldap` module. Signed-off-by: Peter Marschall <peter@adpm.de>
2025-09-19 18:06:50 +02:00
if self._ldap_ignore_attribute_create_modify_timestamp:
logger.info("auth.ldap_ignore_attribute_create_modify_timestamp applied (relevant for ldap3 only)")
LDAP auth: calculate attributes to query in __init__() Remove code duplication by factoring out the calculation of the LDAP query attributes out of _login2() resp. _login3() into __init__().
2025-01-01 18:09:00 +01:00
"""Extend attributes to to be returned in the user query"""
LDAP auth: remove config option 'ldap_load_groups' The same effect can be achieved using the option 'ldap_groups_attribute' alone, if it's default becomes unset instead of 'memberOf' Benefit: one config option less to deal with. While at it, also fix header level for 'ldap_user_attribute' in documentation.
2025-01-01 20:52:55 +01:00
if self._ldap_groups_attr:
LDAP auth: introduce config option 'ldap_groups_attribute' This attribute is supposed to hold the group membership information if the config option 'ldap_load_groups' is True. If not given, it defaults to 'memberOf' for Active Directory. Introducing this options allows one to use radicale's LDAP auth with groups even on LDAP servers that keep their group memberships in a different attribute than 'memberOf', e.g. Novell eDirectory which uses 'groupMembership'.
2025-01-01 20:41:55 +01:00
self._ldap_attributes.append(self._ldap_groups_attr)
LDAP auth: calculate attributes to query in __init__() Remove code duplication by factoring out the calculation of the LDAP query attributes out of _login2() resp. _login3() into __init__().
2025-01-01 18:09:00 +01:00
if self._ldap_user_attr:
self._ldap_attributes.append(self._ldap_user_attr)
LDAP auth: align values when logging config options In addition, log 'ldap_ssl_verify_mode' and 'ldap_ssl_ca_file' unconditionally.
2025-09-28 10:24:20 +02:00
logger.info("ldap_attributes : %r" % self._ldap_attributes)
Improve: auth.ldap config shown on startup, terminate in case no password is supplied for bind user
2024-12-14 09:04:15 +01:00
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
def _login2(self, login: str, password: str) -> str:
Initial version of ldap authentication backend.
2022-02-19 11:57:58 +01:00
try:
"""Bind as reader dn"""
Fix issue #197 [ERROR] An exception occurred during GET request on '/.web/': string indices must be integers, not 'str' when using LDAP Enhance logging
2024-09-17 09:25:38 +02:00
logger.debug(f"_login2 {self._ldap_uri}, {self._ldap_reader_dn}")
Fix the problems found by flake8.
2024-09-11 08:12:08 +02:00
conn = self.ldap.initialize(self._ldap_uri)
LDAP auth: support TLS & start_tls also with python-ldap Until now, every connection to the LDAP server was silently unencryptedr when using Python's ldap module instead of the ldap3 module. I.e. using Python's ldap module was inherently insecure, as there was not even a hint that the config settings for encryption were ignored. This commit changes this and brings LDAP authentication based on the ldap module feature-wise on par with the one based on the ldap3 module.
2025-09-14 13:57:36 +02:00
conn.protocol_version = self.ldap.VERSION3
Fix the problems found by flake8.
2024-09-11 08:12:08 +02:00
conn.set_option(self.ldap.OPT_REFERRALS, 0)
LDAP auth: support TLS & start_tls also with python-ldap Until now, every connection to the LDAP server was silently unencryptedr when using Python's ldap module instead of the ldap3 module. I.e. using Python's ldap module was inherently insecure, as there was not even a hint that the config settings for encryption were ignored. This commit changes this and brings LDAP authentication based on the ldap module feature-wise on par with the one based on the ldap3 module.
2025-09-14 13:57:36 +02:00
if self._ldap_security in ("tls", "starttls"):
"""certificate validation mode"""
LDAP auth: re-factor handling of 'ldap_ssl_verify_mode' * treat 'ldap_ssl_verify_mode' as string * perform check for accepted values; fail on illegal ones * translate to the values nbeeded by the respective LDAP module when doing the login, based on a module specific dictionary
2025-09-28 12:31:10 +02:00
verifyMode = {"NONE": self.ldap.OPT_X_TLS_NEVER,
"OPTIONAL": self.ldap.OPT_X_TLS_ALLOW,
"REQUIRED": self.ldap.OPT_X_TLS_DEMAND}
conn.set_option(self.ldap.OPT_X_TLS_REQUIRE_CERT, verifyMode[self._ldap_ssl_verify_mode])
LDAP auth: support TLS & start_tls also with python-ldap Until now, every connection to the LDAP server was silently unencryptedr when using Python's ldap module instead of the ldap3 module. I.e. using Python's ldap module was inherently insecure, as there was not even a hint that the config settings for encryption were ignored. This commit changes this and brings LDAP authentication based on the ldap module feature-wise on par with the one based on the ldap3 module.
2025-09-14 13:57:36 +02:00
"""CA file to validate certificate against"""
if self._ldap_ssl_ca_file:
conn.set_option(self.ldap.OPT_X_TLS_CACERTFILE, self._ldap_ssl_ca_file)
"""create TLS context- this must be the last TLS setting"""
conn.set_option(self.ldap.OPT_X_TLS_NEWCTX, self.ldap.OPT_ON)
if self._ldap_security == "starttls":
conn.start_tls_s()
Initial version of ldap authentication backend.
2022-02-19 11:57:58 +01:00
conn.simple_bind_s(self._ldap_reader_dn, self._ldap_secret)
"""Search for the dn of user to authenticate"""
LDAP auth: escape values used in LDAP filters to avoid possible injection of malicious code.
2024-12-29 08:29:27 +01:00
escaped_login = self.ldap.filter.escape_filter_chars(login)
logger.debug(f"_login2 login escaped for LDAP filters: {escaped_login}")
LDAP auth: harmonize _login2() and _login3() methods
2024-12-29 17:18:00 +01:00
res = conn.search_s(
self._ldap_base,
self.ldap.SCOPE_SUBTREE,
LDAP auth: escape values used in LDAP filters to avoid possible injection of malicious code.
2024-12-29 08:29:27 +01:00
filterstr=self._ldap_filter.format(escaped_login),
LDAP auth: calculate attributes to query in __init__() Remove code duplication by factoring out the calculation of the LDAP query attributes out of _login2() resp. _login3() into __init__().
2025-01-01 18:09:00 +01:00
attrlist=self._ldap_attributes
LDAP auth: harmonize _login2() and _login3() methods
2024-12-29 17:18:00 +01:00
)
LDAP auth: require exactly one result when searching for the LDAP user DN This makes sure not fail securely when the query returns multiple entries - correct grammar in some cases - we're doing _authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version - align formatting & messages better between _login2() and _login3()
2024-12-29 07:16:27 +01:00
if len(res) != 1:
"""User could not be found unambiguously"""
logger.debug(f"_login2 no unique DN found for '{login}'")
Initial version of ldap authentication backend.
2022-02-19 11:57:58 +01:00
return ""
LDAP auth: harmonize _login2() and _login3() methods
2024-12-29 17:18:00 +01:00
user_entry = res[0]
user_dn = user_entry[0]
logger.debug(f"_login2 found LDAP user DN {user_dn}")
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
"""Let's collect the groups of the user."""
LDAP auth: stop giving type hints for local list variables
2025-09-07 14:35:58 +02:00
groupDNs = []
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
if self._ldap_groups_attr:
groupDNs = user_entry[1][self._ldap_groups_attr]
"""Search for all groups having the user_dn found as member."""
if self._ldap_group_members_attr:
groupDNs = []
res = conn.search_s(
self._ldap_group_base,
self.ldap.SCOPE_SUBTREE,
filterstr="(&{0}({1}={2}))".format(
self._ldap_group_filter,
self._ldap_group_members_attr,
self.ldap.filter.escape_filter_chars(user_dn)),
attrlist=['1.1']
)
"""Fill groupDNs with DNs of groups found"""
if len(res) > 0:
groupDNs = []
LDAP auth: make flake8 happy "fix" small lint to keep flake8 happy.
2025-08-31 20:43:10 +02:00
for dn, entry in res:
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
groupDNs.append(dn)
Fix issue #197 [ERROR] An exception occurred during GET request on '/.web/': string indices must be integers, not 'str' when using LDAP Enhance logging
2024-09-17 09:25:38 +02:00
except Exception as e:
LDAP auth: a little bit of cleanup - correct grammar in some cases - we're doing authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version
2024-12-29 17:02:39 +01:00
raise RuntimeError(f"Invalid LDAP configuration:{e}")
Initial version of ldap authentication backend.
2022-02-19 11:57:58 +01:00
try:
"""Bind as user to authenticate"""
Fix the problems found by flake8.
2024-09-11 08:12:08 +02:00
conn.simple_bind_s(user_dn, password)
LDAP auth: indroduce config option 'ldap_user_attribute' This option gives us - flexible authentication options where the name used for logging on does not have to be the account name e.g. use ldap_filter = (&(obhjectclass=inetOrgperson)(|(cn={0]})(mail={0}))) to allow loginng on using the cn or the mail address - automatically consistent / canonicalized username values (i.e. exactly the way the LDAP server returns them)
2024-12-29 08:05:42 +01:00
if self._ldap_user_attr:
if user_entry[1][self._ldap_user_attr]:
LDAP auth: decode UTF-8 byte sequences to strings only if necessary
2025-09-07 14:38:56 +02:00
login = user_entry[1][self._ldap_user_attr][0]
if isinstance(login, bytes):
login = login.decode('utf-8')
LDAP auth: indroduce config option 'ldap_user_attribute' This option gives us - flexible authentication options where the name used for logging on does not have to be the account name e.g. use ldap_filter = (&(obhjectclass=inetOrgperson)(|(cn={0]})(mail={0}))) to allow loginng on using the cn or the mail address - automatically consistent / canonicalized username values (i.e. exactly the way the LDAP server returns them)
2024-12-29 08:05:42 +01:00
logger.debug(f"_login2 user set to: '{login}'")
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
"""Get RDNs of groups' DNs"""
LDAP auth: stop giving type hints for local list variables
2025-09-07 14:35:58 +02:00
tmp = []
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
for g in groupDNs:
try:
rdns = self.ldap.dn.explode_dn(g, notypes=True)
tmp.append(rdns[0])
except Exception:
LDAP auth: decode UTF-8 byte sequences to strings only if necessary
2025-09-07 14:38:56 +02:00
if isinstance(g, bytes):
g = g.decode('utf-8')
tmp.append(g)
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
self._ldap_groups = set(tmp)
logger.debug("_login2 LDAP groups of user: %s", ",".join(self._ldap_groups))
Initial version of ldap authentication backend.
2022-02-19 11:57:58 +01:00
conn.unbind()
LDAP auth: harmonize _login2() and _login3() methods
2024-12-29 17:18:00 +01:00
logger.debug(f"_login2 {login} successfully authenticated")
Initial version of ldap authentication backend.
2022-02-19 11:57:58 +01:00
return login
Fix the problems found by flake8.
2024-09-11 08:12:08 +02:00
except self.ldap.INVALID_CREDENTIALS:
Initial version of ldap authentication backend.
2022-02-19 11:57:58 +01:00
return ""
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
def _login3(self, login: str, password: str) -> str:
move evaluation of quirk for Authentik where it belongs, superseeds https://github.com/Kozea/Radicale/pull/1877
2025-09-25 15:29:04 +02:00
if self._ldap_ignore_attribute_create_modify_timestamp:
self.ldap3.utils.config._ATTRIBUTES_EXCLUDED_FROM_CHECK.extend(['createTimestamp', 'modifyTimestamp'])
LDAP auth: move evaluation of quirk for Authentik where it belongs The evaluation of the quirk for the Authentik LDAP server changes the behaviour of Python's `ldap3` module, and that module only. Evaluating the quirk in `__init__` which is used for both, `ldap` and `ldap3` is thus wrong, and may lead to errors when this setting is used together with the `ldap` module. Signed-off-by: Peter Marschall <peter@adpm.de>
2025-09-19 18:06:50 +02:00
"""Connect the server"""
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
try:
Fix issue #197 [ERROR] An exception occurred during GET request on '/.web/': string indices must be integers, not 'str' when using LDAP Enhance logging
2024-09-17 09:25:38 +02:00
logger.debug(f"_login3 {self._ldap_uri}, {self._ldap_reader_dn}")
LDAP auth: get rid of helper property '_use_encryption' Inferring 'ldap_security' in earlier commits, allows us to get rid of the helper property '_use_encryption', streamlining the code.
2025-09-14 12:22:18 +02:00
if self._ldap_security in ("tls", "starttls"):
Add support for start_tls
2025-04-19 17:02:45 +02:00
logger.debug("_login3 using encryption (reader)")
LDAP auth: re-factor handling of 'ldap_ssl_verify_mode' * treat 'ldap_ssl_verify_mode' as string * perform check for accepted values; fail on illegal ones * translate to the values nbeeded by the respective LDAP module when doing the login, based on a module specific dictionary
2025-09-28 12:31:10 +02:00
verifyMode = {"NONE": ssl.CERT_NONE,
"OPTIONAL": ssl.CERT_OPTIONAL,
"REQUIRED": ssl.CERT_REQUIRED}
tls = self.ldap3.Tls(validate=verifyMode[self._ldap_ssl_verify_mode])
Implementing ssl connection for ldap auth
2024-09-23 10:19:50 +02:00
if self._ldap_ssl_ca_file != "":
LDAP auth: re-factor handling of 'ldap_ssl_verify_mode' * treat 'ldap_ssl_verify_mode' as string * perform check for accepted values; fail on illegal ones * translate to the values nbeeded by the respective LDAP module when doing the login, based on a module specific dictionary
2025-09-28 12:31:10 +02:00
tls = self.ldap3.Tls(validate=verifyMode[self._ldap_ssl_verify_mode], ca_certs_file=self._ldap_ssl_ca_file)
LDAP auth: refactor dealing with 'ldap_use_ssl' * stop treating it as class property * refactor to consolidate logic into one big 'if' statement (for easier removal when the config option gets removed in the future) * make deprecation warning for 'ldap_use_ssl' more urgent * raise error if conflicting settings 'ldap_security' = "starttls" and 'ldap_use_ssl' = True are set together * if not set, infer 'ldap_security' = "tls" from 'ldap_use_ssl' = True, logging a warning for the admin to update the config
2025-09-14 09:50:46 +02:00
if self._ldap_security == "tls":
Add support for start_tls
2025-04-19 17:02:45 +02:00
logger.debug("_login3 using ssl (reader)")
server = self.ldap3.Server(self._ldap_uri, use_ssl=True, tls=tls)
else:
server = self.ldap3.Server(self._ldap_uri, use_ssl=False, tls=tls)
Implementing ssl connection for ldap auth
2024-09-23 10:19:50 +02:00
else:
Add support for start_tls
2025-04-19 17:02:45 +02:00
logger.debug("_login3 not using encryption (reader)")
Implementing ssl connection for ldap auth
2024-09-23 10:19:50 +02:00
server = self.ldap3.Server(self._ldap_uri)
Add support for start_tls
2025-04-19 17:02:45 +02:00
try:
conn = self.ldap3.Connection(server, self._ldap_reader_dn, password=self._ldap_secret, auto_bind=False, raise_exceptions=True)
Standardize LDAP security configuration naming
2025-04-21 21:26:58 +02:00
if self._ldap_security == "starttls":
logger.debug("_login3 using starttls (reader)")
Add support for start_tls
2025-04-19 17:02:45 +02:00
conn.start_tls()
except self.ldap3.core.exceptions.LDAPStartTLSError as e:
raise RuntimeError(f"_login3 StartTLS Error: {e}")
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
except self.ldap3.core.exceptions.LDAPSocketOpenError:
LDAP auth: a little bit of cleanup - correct grammar in some cases - we're doing authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version
2024-12-29 17:02:39 +01:00
raise RuntimeError("Unable to reach LDAP server")
Fix issue #197 [ERROR] An exception occurred during GET request on '/.web/': string indices must be integers, not 'str' when using LDAP Enhance logging
2024-09-17 09:25:38 +02:00
except Exception as e:
Add support for start_tls
2025-04-19 17:02:45 +02:00
logger.debug(f"_login3 error 1 {e} (reader)")
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
pass
Do not read server info by bind to avoid needless network trafic.
2025-05-31 13:36:59 +02:00
if not conn.bind(read_server_info=False):
Add support for start_tls
2025-04-19 17:02:45 +02:00
logger.debug("_login3 cannot bind (reader)")
LDAP auth: a little bit of cleanup - correct grammar in some cases - we're doing authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version
2024-12-29 17:02:39 +01:00
raise RuntimeError("Unable to read from LDAP server")
Fix issue #197 [ERROR] An exception occurred during GET request on '/.web/': string indices must be integers, not 'str' when using LDAP Enhance logging
2024-09-17 09:25:38 +02:00
logger.debug(f"_login3 bind as {self._ldap_reader_dn}")
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
"""Search the user dn"""
LDAP auth: escape values used in LDAP filters to avoid possible injection of malicious code.
2024-12-29 08:29:27 +01:00
escaped_login = self.ldap3.utils.conv.escape_filter_chars(login)
logger.debug(f"_login3 login escaped for LDAP filters: {escaped_login}")
LDAP auth: protect LDAP search with a try: .. except clause Make sure to catch exceptions when searching for the user in LDAP, log as error and fail gracefully by declining login.
2025-07-20 13:58:37 +02:00
try:
conn.search(
search_base=self._ldap_base,
search_filter=self._ldap_filter.format(escaped_login),
search_scope=self.ldap3.SUBTREE,
attributes=self._ldap_attributes
)
except Exception as e:
logger.error(f"_login3 LDAP search for {login} failed: {e}")
return ""
LDAP auth: require exactly one result when searching for the LDAP user DN This makes sure not fail securely when the query returns multiple entries - correct grammar in some cases - we're doing _authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version - align formatting & messages better between _login2() and _login3()
2024-12-29 07:16:27 +01:00
if len(conn.entries) != 1:
"""User could not be found unambiguously"""
logger.debug(f"_login3 no unique DN found for '{login}'")
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
return ""
Fix issue #197 [ERROR] An exception occurred during GET request on '/.web/': string indices must be integers, not 'str' when using LDAP Enhance logging
2024-09-17 09:25:38 +02:00
user_entry = conn.response[0]
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
user_dn = user_entry['dn']
LDAP auth: harmonize _login2() and _login3() methods
2024-12-29 17:18:00 +01:00
logger.debug(f"_login3 found LDAP user DN {user_dn}")
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
"""Let's collect the groups of the user."""
LDAP auth: stop giving type hints for local list variables
2025-09-07 14:35:58 +02:00
groupDNs = []
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
if self._ldap_groups_attr:
if user_entry['attributes'][self._ldap_groups_attr]:
if isinstance(user_entry['attributes'][self._ldap_groups_attr], list):
groupDNs = user_entry['attributes'][self._ldap_groups_attr]
else:
groupDNs.append(user_entry['attributes'][self._ldap_groups_attr])
"""Search for all groups having the user_dn found as member."""
if self._ldap_group_members_attr:
try:
conn.search(
search_base=self._ldap_group_base,
search_filter="(&{0}({1}={2}))".format(
self._ldap_group_filter,
self._ldap_group_members_attr,
self.ldap3.utils.conv.escape_filter_chars(user_dn)),
search_scope=self.ldap3.SUBTREE,
attributes=['1.1']
)
except Exception as e:
"""LDAP search failed: consider it as non-fatal - only groups missing"""
logger.debug(f"_ldap3: LDAP group search failed: {e}")
else:
"""Fill groupDNs with DNs of groups found"""
groupDNs = []
for group in conn.response:
groupDNs.append(group['dn'])
"""Close LDAP connection"""
conn.unbind()
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
try:
"""Try to bind as the user itself"""
Add support for start_tls
2025-04-19 17:02:45 +02:00
try:
conn = self.ldap3.Connection(server, user_dn, password=password, auto_bind=False)
Standardize LDAP security configuration naming
2025-04-21 21:26:58 +02:00
if self._ldap_security == "starttls":
logger.debug("_login3 using starttls (user)")
Add support for start_tls
2025-04-19 17:02:45 +02:00
conn.start_tls()
except self.ldap3.core.exceptions.LDAPStartTLSError as e:
raise RuntimeError(f"_login3 StartTLS Error: {e}")
Do not read server info by bind to avoid needless network trafic.
2025-05-31 13:36:59 +02:00
if not conn.bind(read_server_info=False):
LDAP auth: a little bit of cleanup - correct grammar in some cases - we're doing authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version
2024-12-29 17:02:39 +01:00
logger.debug(f"_login3 user '{login}' cannot be found")
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
return ""
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
"""Get RDNs of groups' DNs"""
LDAP auth: stop giving type hints for local list variables
2025-09-07 14:35:58 +02:00
tmp = []
LDAP auth: allow finding groups based on separate search Instead of searching for the membership attribute on the user side (usually AD: memberOf, Novell eDirectory: groupMembership) to determine the groups the user loging on is a member of, allow performing a separate search for the groups having the user as member and use the found groups' DNs. The group search is performed in the context of 'ldap_reader_dn', after the user DN has been found in the directory, but before the authentication has been performed by doing an LDAP bind in the user's context. Although this may - in the case of unsuccessful login attempts - double the number of queries to the LDAP server, it has been done this way to keep the number of LDAP contexts minimal. Doing the group search in the context of the user logging on is no viable option, because there are known implementations where regular users do not have the necessary permissions to query the groups they are a member in.
2025-07-21 21:11:32 +02:00
for g in groupDNs:
try:
rdns = self.ldap3.utils.dn.parse_dn(g)
tmp.append(rdns[0][1])
except Exception:
tmp.append(g)
self._ldap_groups = set(tmp)
logger.debug("_login3 LDAP groups of user: %s", ",".join(self._ldap_groups))
LDAP auth: indroduce config option 'ldap_user_attribute' This option gives us - flexible authentication options where the name used for logging on does not have to be the account name e.g. use ldap_filter = (&(obhjectclass=inetOrgperson)(|(cn={0]})(mail={0}))) to allow loginng on using the cn or the mail address - automatically consistent / canonicalized username values (i.e. exactly the way the LDAP server returns them)
2024-12-29 08:05:42 +01:00
if self._ldap_user_attr:
if user_entry['attributes'][self._ldap_user_attr]:
fix(auth/ldap): Extract user attribute from list in _login3 This commit modifies `_login3` to check if the attribute value is a list and, if so, extracts the first element (`[0]`) as the login identifier. If the value is not a list, it's used directly (fallback).
2025-04-17 13:59:39 +08:00
if isinstance(user_entry['attributes'][self._ldap_user_attr], list):
login = user_entry['attributes'][self._ldap_user_attr][0]
else:
login = user_entry['attributes'][self._ldap_user_attr]
LDAP auth: indroduce config option 'ldap_user_attribute' This option gives us - flexible authentication options where the name used for logging on does not have to be the account name e.g. use ldap_filter = (&(obhjectclass=inetOrgperson)(|(cn={0]})(mail={0}))) to allow loginng on using the cn or the mail address - automatically consistent / canonicalized username values (i.e. exactly the way the LDAP server returns them)
2024-12-29 08:05:42 +01:00
logger.debug(f"_login3 user set to: '{login}'")
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
conn.unbind()
LDAP auth: a little bit of cleanup - correct grammar in some cases - we're doing authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version
2024-12-29 17:02:39 +01:00
logger.debug(f"_login3 {login} successfully authenticated")
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
return login
Fix issue #197 [ERROR] An exception occurred during GET request on '/.web/': string indices must be integers, not 'str' when using LDAP Enhance logging
2024-09-17 09:25:38 +02:00
except Exception as e:
logger.debug(f"_login3 error 2 {e}")
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
pass
return ""
Disable overloading BaseAuth login method
2024-12-25 21:56:04 +03:00
def _login(self, login: str, password: str) -> str:
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
"""Validate credentials.
LDAP auth: a little bit of cleanup - correct grammar in some cases - we're doing authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version
2024-12-29 17:02:39 +01:00
In first step we make a connection to the LDAP server with the ldap_reader_dn credential.
Now ldap auth can use ldap and ldap3 also.
2024-08-26 14:16:40 +02:00
In next step the DN of the user to authenticate will be searched.
In the last step the authentication of the user will be proceeded.
"""
LDAP auth: a little bit of cleanup - correct grammar in some cases - we're doing authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version
2024-12-29 17:02:39 +01:00
if self._ldap_module_version == 2:
Apply suggestions of mypy
2024-09-11 09:13:26 +02:00
return self._login2(login, password)
return self._login3(login, password)
Copy permalink