Commit 0e057315 authored by Daniel STAN's avatar Daniel STAN

[lc_ldap] Passage à une auth par lc_ldap

Ceci est un commit d'adg à la base, mais comme il semble l'avoir
fait en deux parties et que je ne retrouve pas tout, ben j'ai préféré
reprendre les fichiers, pour être sûr :/
parent a2aab80a
#!/usr/bin/env python
#
# CONN_POOL.PY--
#
# Copyright (C) 2010 Antoine Durand-Gasselin
# Author: Antoine Durand-Gasselin <adg@crans.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#
CONNS = {}
OBJECTS = {}
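Review bot: `CONNS` and `OBJECTS` are module-level mutable caches with no comment saying what they hold or when entries are released; from the backend hunk in this same commit, `CONNS` is keyed by the django username and holds an LDAP connection bound with that user's own credentials, while nothing on this page reads or writes `OBJECTS`. Add a header comment such as `# CONNS: django username -> lc_ldap connection bound as that user, filled by LDAPUserBackend.authenticate; nothing here evicts entries` and a matching one stating what `OBJECTS` is meant to contain. Because both are process globals, a bound connection (and the credentialed session it represents) lives until the process exits or the entry is overwritten, which is worth stating explicitly so callers know they are responsible for releasing it.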
......@@ -5,6 +5,7 @@
#
# Copyright (C) 2009-2010 Nicolas Dandrimont
# Authors: Nicolas Dandrimont <olasd@crans.org>
# Censor: Antoine Durand-Gasselin <adg@crans.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
......@@ -19,15 +20,23 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import settings
import settings, ldap
from django.contrib.auth.models import Group, User
from django.contrib.auth.backends import ModelBackend
from django.utils.importlib import import_module
# Pour se connecter à la base ldap
import sys
sys.path.append("/usr/scripts/lc_ldap")
from lc_ldap import lc_ldap
conn_pool = import_module('conn_pool', 'intranet')
class LDAPUserBackend(ModelBackend):
"""Authentifie un utilisateur à l'aide de la base LDAP"""
supports_anonymous_user = False
def authenticate(self, username=None, password=None):
"""Authentifie l'utilisateur sur la base LDAP. Crée un
utilisateur django s'il n'existe pas encore."""
......@@ -35,37 +44,31 @@ class LDAPUserBackend(ModelBackend):
if not username or not password:
return None
# Les clubs ont une méthode à part...
if "@club-" in username:
try:
user, club = username.split("@club-")
except ValueError:
return None
return self.authenticate_club(club, user, password)
try:
adherent = settings.db.search('uid=%s' % username)['adherent'][0]
conn = lc_ldap(user = username, cred = password)
ldap_user = conn.search(dn = conn.dn, scope = ldap.SCOPE_BASE)[0]
except IndexError:
return None
except ldap.INVALID_CREDENTIALS:
return None
if adherent.checkPassword(password):
# On stocke les utilisateurs dans la base django comme "uid@crans.org"
django_username = '%s@crans.org' % username
try:
user = User.objects.get(username=django_username)
except User.DoesNotExist:
user = User(username=django_username, password="LDAP Backend User!")
user.save()
self.refresh_droits(user, adherent)
self.refresh_fields(user, adherent)
return user
return None
# On stocke les utilisateurs dans la base django comme "uid@crans.org"
django_username = '%s@crans.org' % username
try:
user = User.objects.get(username=django_username)
except User.DoesNotExist:
user = User(username=django_username, password="LDAP Backend User!")
user.save()
conn_pool.CONNS[django_username] = conn
self.refresh_droits(user, ldap_user)
self.refresh_fields(user, ldap_user)
return user
def refresh_droits(self, user, cl_user):
"""Rafraîchit les droits de l'utilisateur django `user' depuis
l'utilisateur LDAP `cl_user'"""
cl_droits = cl_user.droits()
cl_droits = cl_user['droits']
if u"Nounou" in cl_droits:
user.is_staff = True
user.is_superuser = True
......@@ -75,6 +78,7 @@ class LDAPUserBackend(ModelBackend):
groups = []
for cl_droit in cl_droits:
cl_droit = cl_droit.value
group, created = Group.objects.get_or_create(name="crans_%s" % cl_droit.lower())
group.save()
groups.append(group)
......@@ -86,62 +90,15 @@ class LDAPUserBackend(ModelBackend):
"""Rafraîchit les champs correspondants à l'utilisateur (nom,
prénom, email)"""
user.first_name = cl_user.prenom()
user.last_name = cl_user.nom()
user.email = "%s@crans.org" % cl_user.mail()
user.first_name = unicode(cl_user['prenom'][0])
user.last_name = unicode(cl_user['nom'][0])
user.email = "%s@crans.org" % unicode(cl_user['mail'][0])
user.save()
def get_user(self, uid):
"""Récupère l'objet django correspondant à l'uid"""
try:
return User.objects.get(pk=uid)
except User.DoesNotExist:
return None
def authenticate_club(self, club=None, user=None, password=None):
"""Authentifie un utilisateur de club"""
if not club or not user or not password:
return None
try:
adherent = settings.db.search('uid=%s' % user)['adherent'][0]
club_obj = settings.db.search('uid=club-%s' % club)['club'][0]
except ValueError:
return None
if adherent.checkPassword(password):
# HACK
if club_obj.Nom().lower() == "crans":
droits = set(adherent.droits())
imprimeurs_crans = set((u'Bureau', u'Nounou'))
if droits.intersection(imprimeurs_crans):
domain = "club-crans.crans.org"
else:
return None
else:
aid = adherent.id()
if aid in club_obj.imprimeurs() or aid == club_obj.responsable().id():
domain = "club-%s.crans.org" % club
else:
return None
django_user = "%s@%s" % (user, domain)
try:
user = User.objects.get(username=django_user)
except User.DoesNotExist:
user = User(username=django_user, password="LDAP Backend User!")
user.set_unusable_password()
user.save()
return user
return user
return None
def get_user_club(self, club, user):
"""Récupère l'objet User correspondant à un utilisateur dans un club"""
try:
return User.objects.get(username="%s@club-%s.crans.org" % (club, user))
except User.DoesNotExist:
return None
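Review bot: In `authenticate`, `conn_pool.CONNS[django_username] = conn` stores an LDAP connection bound with the user's own password in a process-global dict and overwrites any previous entry for that user without releasing it; nothing on this page removes entries, so every successful login leaks the previous bound connection and keeps a credentialed session alive for the lifetime of the process. Release the old entry first, e.g. `prev = conn_pool.CONNS.pop(django_username, None)` followed by closing it with whatever unbind method `lc_ldap` exposes, and document the intended lifetime of the pool. The `"@club-"` branch still calls `self.authenticate_club(club, user, password)`, yet `authenticate_club` and `get_user_club` appear among the lines dropped by the last hunk (62 old lines to 15 new); if they are indeed removed, a club login now raises AttributeError instead of returning None, so either keep a stub that returns None or drop the branch. In `refresh_droits`, `if u"Nounou" in cl_droits` is evaluated on `cl_user['droits']` whose elements are later unwrapped with `.value`, so the membership test presumably only matches if those attribute objects compare equal to unicode strings — worth confirming, or comparing against `[d.value for d in cl_droits]` instead.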
......@@ -3,10 +3,7 @@
# Connexion à la base ldap
import sys
sys.path.append("/usr/scripts/gestion")
sys.path.append("/etc/crans/secrets")
from ldap_crans import crans_ldap
db = crans_ldap()
DEBUG = False
TEMPLATE_DEBUG = DEBUG