
373 lines
10 KiB
Raw Normal View History

2007-01-27 18:41:51 -05:00
LDAP Backend Interface
This module is intended to be a thin wrapper around LDAP operations.
Methods on the connection object correspond in a straightforward way
to LDAP queries and updates.
A LDAP entry is the most important component of a CSC UNIX account.
The entry contains the username, user id number, real name, shell,
and other important information. All non-local UNIX accounts must
have an LDAP entry, even if the account does not log in directly.
This module makes use of python-ldap, a Python module with bindings
to libldap, OpenLDAP's native C client library.
import ldap.modlist
from subprocess import Popen, PIPE
2007-01-27 18:41:51 -05:00
class LDAPException(Exception):
"""Exception class for LDAP-related errors."""
class LDAPConnection(object):
Connection to the LDAP directory. All directory
queries and updates are made via this class.
Exceptions: (all methods)
LDAPException - on directory query failure
connection = LDAPConnection()
# make queries and updates, e.g.
def __init__(self):
self.ldap = None
2007-11-27 19:20:37 -05:00
def connect_anon(self, uri, user_base, group_base):
2007-01-27 18:41:51 -05:00
Establish a connection to the LDAP Server.
2007-11-27 19:20:37 -05:00
uri - connection string (e.g. ldap://, ldaps://
2007-01-27 18:41:51 -05:00
user_base - base of the users subtree
group_base - baes of the group subtree
Example: connect('ldaps:///', 'cn=ceo,dc=csclub,dc=uwaterloo,dc=ca',
'secret', 'ou=People,dc=csclub,dc=uwaterloo,dc=ca',
2007-11-27 19:20:37 -05:00
2007-01-27 18:41:51 -05:00
2007-11-27 19:20:37 -05:00
# open the connection
self.ldap = ldap.initialize(uri)
2007-01-27 18:41:51 -05:00
2007-11-27 19:20:37 -05:00
# authenticate
self.ldap.simple_bind_s('', '')
2007-01-27 18:41:51 -05:00
2007-11-27 19:20:37 -05:00
self.user_base = user_base
self.group_base = group_base
2007-01-27 18:41:51 -05:00
2007-12-12 00:39:44 -05:00
def connect_sasl(self, uri, mech, realm, user_base, group_base):
2007-01-27 18:41:51 -05:00
2007-11-27 19:20:37 -05:00
# open the connection
self.ldap = ldap.initialize(uri)
# authenticate
sasl = Sasl(mech, realm)
2007-12-06 02:04:43 -05:00
self.ldap.sasl_interactive_bind_s('', sasl)
2007-01-27 18:41:51 -05:00
self.user_base = user_base
self.group_base = group_base
def disconnect(self):
"""Close the connection to the LDAP server."""
if self.ldap:
# close connection
self.ldap = None
except ldap.LDAPError, e:
raise LDAPException("unable to disconnect: %s" % e)
def connected(self):
"""Determine whether the connection has been established."""
return self.ldap is not None
2007-01-27 18:41:51 -05:00
### Helper Methods ###
def lookup(self, dn, objectClass=None):
2007-01-27 18:41:51 -05:00
Helper method to retrieve the attributes of an entry.
dn - the distinguished name of the directory entry
Returns: a dictionary of attributes of the matched dn, or
None of the dn does not exist in the directory
if not self.connected(): raise LDAPException("Not connected!")
2007-01-27 18:41:51 -05:00
# search for the specified dn
if objectClass:
search_filter = '(objectClass=%s)' % self.escape(objectClass)
matches = self.ldap.search_s(dn, ldap.SCOPE_BASE, search_filter)
matches = self.ldap.search_s(dn, ldap.SCOPE_BASE)
2007-01-27 18:41:51 -05:00
except ldap.NO_SUCH_OBJECT:
return None
except ldap.LDAPError, e:
raise LDAPException("unable to lookup dn %s: %s" % (dn, e))
# this should never happen due to the nature of DNs
if len(matches) > 1:
raise LDAPException("duplicate dn in ldap: " + dn)
# dn was found, but didn't match the objectClass filter
elif len(matches) < 1:
return None
2007-01-27 18:41:51 -05:00
# return the attributes of the single successful match
match = matches[0]
match_dn, match_attributes = match
return match_attributes
2007-01-27 18:41:51 -05:00
### User-related Methods ###
def user_lookup(self, uid, objectClass=None):
2007-01-27 18:41:51 -05:00
Retrieve the attributes of a user.
uid - the uid to look up
2007-01-27 18:41:51 -05:00
Returns: attributes of user with uid
2007-01-27 18:41:51 -05:00
dn = 'uid=' + uid + ',' + self.user_base
return self.lookup(dn, objectClass)
2007-01-27 18:41:51 -05:00
def user_search(self, search_filter, params):
2007-01-27 18:41:51 -05:00
Search for users with a filter.
2007-01-27 18:41:51 -05:00
search_filter - LDAP filter string to match users against
2007-01-27 18:41:51 -05:00
Returns: a dictionary mapping uids to attributes
2007-01-27 18:41:51 -05:00
if not self.connected(): raise LDAPException("Not connected!")
search_filter = search_filter % tuple(self.escape(x) for x in params)
2007-01-27 18:41:51 -05:00
# search for entries that match the filter
matches = self.ldap.search_s(self.user_base, ldap.SCOPE_SUBTREE, search_filter)
2007-01-27 18:41:51 -05:00
except ldap.LDAPError, e:
raise LDAPException("user search failed: %s" % e)
results = {}
2007-01-27 18:41:51 -05:00
for match in matches:
dn, attrs = match
uid = attrs['uid'][0]
results[uid] = attrs
2007-01-27 18:41:51 -05:00
return results
def user_modify(self, uid, attrs):
Update user attributes in the directory.
uid - username of the user to modify
attrs - dictionary as returned by user_lookup() with changes to make.
omitted attributes are DELETED.
Example: user = user_lookup('mspang')
user['uidNumber'] = [ '0' ]
connection.user_modify('mspang', user)
# distinguished name of the entry to modify
dn = 'uid=' + uid + ',' + self.user_base
# retrieve current state of user
old_user = self.user_lookup(uid)
# build list of modifications to make
changes = ldap.modlist.modifyModlist(old_user, attrs)
# apply changes
self.ldap.modify_s(dn, changes)
except ldap.LDAPError, e:
raise LDAPException("unable to modify: %s" % e)
2007-01-27 18:41:51 -05:00
### Group-related Methods ###
def group_lookup(self, cn):
Retrieves the attributes of a group.
cn - the UNIX group name to lookup
Returns: attributes of the group's LDAP entry
2007-01-27 18:41:51 -05:00
Example: connection.group_lookup('office') -> {
'cn': 'office',
'gidNumber', '1001',
2007-01-27 18:41:51 -05:00
dn = 'cn=' + cn + ',' + self.group_base
return self.lookup(dn, 'posixGroup')
2007-01-27 18:41:51 -05:00
### Member-related Methods ###
def member_lookup(self, uid):
Retrieve the attributes of a member. This method will only return
results that have the objectClass 'member'.
uid - the username to look up
Returns: attributes of member with uid
Example: connection.member_lookup('mspang') ->
{ 'uid': 'mspang', 'uidNumber': 21292 ...}
if not self.connected(): raise LDAPException("Not connected!")
dn = 'uid=' + uid + ',' + self.user_base
return self.lookup(dn, 'member')
def member_search_name(self, name):
Retrieves a list of members with the specified name (fuzzy).
Returns: a dictionary mapping uids to attributes
search_filter = '(&(objectClass=member)(cn~=%s))'
return self.user_search(search_filter, [ name ] )
def member_search_term(self, term):
Retrieves a list of members who were registered in a certain term.
Returns: a dictionary mapping uids to attributes
search_filter = '(&(objectClass=member)(term=%s))'
return self.user_search(search_filter, [ term ])
def member_search_program(self, program):
Retrieves a list of members in a certain program (fuzzy).
Returns: a dictionary mapping uids to attributes
search_filter = '(&(objectClass=member)(program~=%s))'
return self.user_search(search_filter, [ program ])
2007-09-16 00:50:32 -04:00
def member_add(self, uid, cn, program=None, description=None):
Adds a member to the directory.
uid - the UNIX username for the member
cn - the real name of the member
program - the member's program of study
description - a description for the entry
dn = 'uid=' + uid + ',' + self.user_base
attrs = {
'objectClass': [ 'top', 'account', 'member' ],
'uid': [ uid ],
'cn': [ cn ],
if program:
attrs['program'] = [ program ]
if description:
attrs['description'] = [ description ]
modlist = ldap.modlist.addModlist(attrs)
self.ldap.add_s(dn, modlist)
except ldap.LDAPError, e:
raise LDAPException("unable to add: %s" % e)
2007-01-27 18:41:51 -05:00
### Miscellaneous Methods ###
def escape(self, value):
Escapes special characters in a value so that it may be safely inserted
into an LDAP search filter.
value = str(value)
value = value.replace('\\', '\\5c').replace('*', '\\2a')
value = value.replace('(', '\\28').replace(')', '\\29')
value = value.replace('\x00', '\\00')
return value
2007-11-15 05:28:58 -05:00
def make_modlist(self, old, new):
keys = set(old.keys()).union(set(new))
mlist = []
for key in keys:
if key in old and not key in new:
mlist.append((ldap.MOD_DELETE, key, list(set(old[key]))))
elif key in new and not key in old:
mlist.append((ldap.MOD_ADD, key, list(set(new[key]))))
to_add = list(set(new[key]) - set(old[key]))
if len(to_add) > 0:
mlist.append((ldap.MOD_ADD, key, to_add))
to_del = list(set(old[key]) - set(new[key]))
if len(to_del) > 0:
mlist.append((ldap.MOD_DELETE, key, to_del))
return mlist
2007-01-27 18:41:51 -05:00
2007-11-27 19:20:37 -05:00
class Sasl:
def __init__(self, mech, realm):
2007-11-27 19:20:37 -05:00
self.mech = mech
self.realm = realm
2007-11-27 19:20:37 -05:00
def callback(self, id, challenge, prompt, defresult):
2007-12-06 02:04:43 -05:00
return ''