Initial LDAP support

2025-10-31 15:23:02 +00:00 · 2019-01-10 23:51:01 +01:00
parent e1205b75cd
commit 30954cc27f
2 changed files with 26 additions and 1 deletions
--- a/cps/ub.py
+++ b/cps/ub.py
@@ -14,6 +14,7 @@ import json
 import datetime
 from binascii import hexlify
 import cli
+import ldap

 engine = create_engine('sqlite:///{0}'.format(cli.settingspath), echo=False)
 Base = declarative_base()
@@ -46,6 +47,8 @@ SIDEBAR_PUBLISHER = 4096
 DEFAULT_PASS = "admin123"
 DEFAULT_PORT = int(os.environ.get("CALIBRE_PORT", 8083))

+LDAP_PROVIDER_URL = 'ldap://localhost:389/'
+LDAP_PROTOCOL_VERSION = 3

 class UserBase:

@@ -152,6 +155,13 @@ class UserBase:
    def __repr__(self):
        return '<User %r>' % self.nickname

+    @staticmethod
+    def try_login(username, password):
+        conn = get_ldap_connection()
+        conn.simple_bind_s(
+             'uid={},ou=users,dc=yunohost,dc=org'.format(username),
+             password
+        )

 # Baseclass for Users in Calibre-Web, settings which are depending on certain users are stored here. It is derived from
 # User Base (all access methods are declared there)
@@ -778,6 +788,11 @@ else:
    migrate_Database()
    clean_database()

+#get LDAP connection
+def get_ldap_connection():
+    conn = ldap.initialize(LDAP_PROVIDER_URL)
+    return conn
+
 # Generate global Settings Object accessible from every file
 config = Config()
 searched_ids = {}
--- a/cps/web.py
+++ b/cps/web.py
@@ -57,6 +57,7 @@ from redirect import redirect_back
 import time
 import server
 from reverseproxy import ReverseProxied
+import ldap

 try:
    from googleapiclient.errors import HttpError
@@ -2342,7 +2343,16 @@ def login():
    if request.method == "POST":
        form = request.form.to_dict()
        user = ub.session.query(ub.User).filter(func.lower(ub.User.nickname) == form['username'].strip().lower()).first()
-        if user and check_password_hash(user.password, form['password']) and user.nickname is not "Guest":
+        try:
+            app.logger.info("Tryong LDAP connexion")
+            ub.User.try_login(form['username'], form['password'])
+            login_user(user, remember=True)
+            flash(_(u"you are now logged in as: '%(nickname)s'", nickname=user.nickname), category="success")
+            return redirect_back(url_for("index"))
+        except ldap.INVALID_CREDENTIALS:
+            ipAdress = request.headers.get('X-Forwarded-For', request.remote_addr)
+            app.logger.info('LDAP Login failed for user "' + form['username'] + '" IP-adress: ' + ipAdress)
+        if user and check_password_hash(user.password, form['password']) and user.nickname is not "Guest" and not user.is_authenticated:
            login_user(user, remember=True)
            flash(_(u"you are now logged in as: '%(nickname)s'", nickname=user.nickname), category="success")
            return redirect_back(url_for("index"))