0001-ldap-log-controls-on-authenticate-and-enable-ppolicy.patch

Loïc Dachary, 09 février 2021 08:56

Voir les différences: en ligne côte à côte

Subject: [PATCH] ldap: log controls on authenticate and enable ppolicy

 src/authentic2/backends/ldap_backend.py |  9 ++--
 tests/test_ldap.py                      | 66 +++++++++++++++++++++++++
 2 files changed, 72 insertions(+), 3 deletions(-)

         from ldap.filter import filter_format
         from ldap.dn import escape_dn_chars
         from ldap.ldapobject import ReconnectLDAPObject as NativeLDAPObject
         from ldap.controls import SimplePagedResultsControl
         from ldap.controls import SimplePagedResultsControl, DecodeControlTuples
         from ldap.controls.ppolicy import PasswordPolicyControl
         PYTHON_LDAP3 = [int(x) for x in ldap.__version__.split('.')] >= [3]
         LDAPObject = NativeLDAPObject
     except ImportError:
-...
                             if failed:
                                 continue
                             try:
                                 conn.simple_bind_s(authz_id, password)
                                 conn.simple_bind_s(authz_id, password, serverctrls=[PasswordPolicyControl()])
                                 user_login_success(authz_id)
                                 if not block['connect_with_user_credentials']:
                                     try:
-...
                                         log.exception(u'rebind failure after login bind')
                                         raise ldap.SERVER_DOWN
                                 break
                             except ldap.INVALID_CREDENTIALS:
                             except ldap.INVALID_CREDENTIALS as e:
                                 if len(e.args) > 0 and 'ctrls' in e.args[0]:
                                     log.info('ctrls=%s' % DecodeControlTuples(e.args[0]['ctrls']))
                                 user_login_failure(authz_id)
                                 pass
                         else:

             yield s
     @pytest.fixture
     def slapd_ppolicy():
         with create_slapd() as slapd:
             conn = slapd.get_connection_admin()
             conn.modify_s(
                 'cn=module{0},cn=config',
+                [
                     (ldap.MOD_ADD, 'olcModuleLoad', [
                         force_bytes('ppolicy')
                     ])
                 ])
             slapd.add_ldif(open('/etc/ldap/schema/ppolicy.ldif').read())
             slapd.add_ldif('''
     dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
     objectclass: olcOverlayConfig
     objectclass: olcPPolicyConfig
     olcoverlay: {0}ppolicy
     olcppolicydefault: cn=default,ou=ppolicies,o=ôrga
     olcppolicyforwardupdates: FALSE
     olcppolicyhashcleartext: TRUE
     olcppolicyuselockout: FALSE
     ''')
             slapd.add_ldif('''
     dn: ou=ppolicies,o=ôrga
     objectclass: organizationalUnit
     ou: ppolicies
     ''')
             slapd.add_ldif('''
     dn: cn=default,ou=ppolicies,o=ôrga
     cn: default
     objectclass: top
     objectclass: device
     objectclass: pwdPolicy
     objectclass: pwdPolicyChecker
     pwdAttribute: userPassword
     pwdMinAge: 0
     pwdMaxAge: 0
     pwdInHistory: 0
     pwdCheckQuality: 1
     pwdMinLength: 8
     pwdExpireWarning: 0
     pwdGraceAuthnLimit: 0
     pwdLockout: FALSE
     pwdLockoutDuration: 0
     pwdMaxFailure: 0
     pwdMaxRecordedFailure: 0
     pwdFailureCountInterval: 0
     pwdMustChange: FALSE
     pwdAllowUserChange: FALSE
     pwdSafeModify: FALSE
     ''')
             yield slapd
     @pytest.fixture
     def tls_slapd():
         tcp_port = utils.find_free_tcp_port()
-...
         assert user.pk == user2.pk
     def test_authenticate_ppolicy(slapd_ppolicy, settings, db, caplog):
         settings.LDAP_AUTH_SETTINGS = [{
             'url': [slapd_ppolicy.ldap_url],
             'basedn': u'o=ôrga',
             'use_tls': False,
         }]
         assert authenticate(username=u'etienne.michu', password='incorrect') is None
         assert "failed to login" in caplog.text
     def test_ou_selector(slapd, settings, app, ou1):
         settings.LDAP_AUTH_SETTINGS = [{
             'url': [slapd.ldap_url],
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0001-ldap-log-controls-on-authenticate-and-enable-ppolicy.patch