Arthur de Jong

Open Source / Free Software developer

summaryrefslogtreecommitdiffstats
path: root/pynslcd/pam.py
blob: 852830c67182c650df044049446663de7c255a91 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129


# pam.py - functions authentication, authorisation and session handling
#
# Copyright (C) 2010 Arthur de Jong
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301 USA

import constants
import common
import cfg

import logging
import ldap

import passwd

def try_bind(userdn, password):
    # open a new connection
    conn = ldap.initialize(cfg.ldap_uri)
    # bind using the specified credentials
    conn.simple_bind_s(userdn, password)
    # perform search for own object (just to do any kind of search)
    res = conn.search_s(userdn, ldap.SCOPE_BASE, '(objectClass=*)', [ 'dn', ])
    for entry in res:
        if entry[0] == userdn:
            return
    raise ldap.NO_SUCH_OBJECT()


class PAMRequest(common.Request):

    def validate_request(self):
        """This method checks the provided username for validity and fills
        in the DN if needed."""
        from passwd import PasswdRequest
        # check username for validity
        common.validate_name(self.username)
        # look up user DN if not known
        if not self.userdn:
            entry = passwd.uid2entry(self.conn, self.username)
            if not entry:
                raise ValueError('%r: user not found' % self.username)
            # save the DN
            self.userdn = entry[0]
            # get the "real" username
            value = common.get_rdn_value(entry, PasswdRequest.attmap_passwd_uid)
            if not value:
                # get the username from the uid attribute
                values = myldap_get_values(entry, PasswdRequest.attmap_passwd_uid)
                if not values or not values[0]:
                    logging.warn('%s: is missing a %s attribute', entry.dn, PasswdRequest.attmap_passwd_uid)
                value = values[0]
            # check the username
            if value and not common.isvalidname(value):
                raise ValueError('%s: has invalid %s attribute', entry.dn, PasswdRequest.attmap_passwd_uid)
            # check if the username is different and update it if needed
            if value != self.username:
                logging.info('username changed from %r to %r', self.username, value)
                self.username = value


class PAMAuthenticationRequest(PAMRequest):

    action = constants.NSLCD_ACTION_PAM_AUTHC

    def read_parameters(self):
        self.username = self.fp.read_string()
        self.userdn = self.fp.read_string()
        self.servicename = self.fp.read_string()
        self.password = self.fp.read_string()
        #self.validate_request()
        # TODO: log call with parameters

    def write(self, code=constants.NSLCD_PAM_SUCCESS, msg=''):
        self.fp.write_int32(constants.NSLCD_RESULT_BEGIN)
        self.fp.write_string(self.username)
        self.fp.write_string(self.userdn)
        self.fp.write_int32(code)  # authc
        self.fp.write_int32(constants.NSLCD_PAM_SUCCESS)  # authz
        self.fp.write_string(msg) # authzmsg
        self.fp.write_int32(constants.NSLCD_RESULT_END)

    def handle_request(self):
        # if the username is blank and rootpwmoddn is configured, try to
        # authenticate as administrator, otherwise validate request as usual
        if not self.username and cfg.ldc_rootpwmoddn:
            # authenticate as rootpwmoddn
            self.userdn = cfg.ldc_rootpwmoddn
            # if the caller is root we will allow the use of rootpwmodpw
            if not self.password and self.calleruid == 0 and cfg.rootpwmodpw:
                self.password = cfg.rootpwmodpw
        else:
            self.validate_request()
        # try authentication
        try:
            try_bind(self.userdn, self.password)
            logging.debug('bind successful')
            self.write()
        except ldap.INVALID_CREDENTIALS, e:
            try:
                msg = e[0]['desc']
            except:
                msg = str(e)
            logging.debug('bind failed: %s', msg)
            self.write(constants.NSLCD_PAM_AUTH_ERR, msg)

#class PAMAuthorisationRequest(PAMRequest):

#    action = constants.NSLCD_ACTION_PAM_AUTHZ

#    def handle_request(self):


#NSLCD_ACTION_PAM_SESS_O
#NSLCD_ACTION_PAM_SESS_C
#NSLCD_ACTION_PAM_PWMOD