Module: check_mk
Branch: master
Commit: 051d9b006faf0ef8589902c078f2755f94249925
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=051d9b006faf0e…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Jan 9 12:06:41 2013 +0100
userdb: changed login API to return the logged-in username on success; usernames are now
case-insensitive on LDAP login
---
web/htdocs/login.py | 7 ++++++-
web/htdocs/userdb.py | 13 +++++++------
web/htdocs/wato.py | 2 +-
web/plugins/userdb/htpasswd.py | 12 ++++++++----
web/plugins/userdb/ldap.py | 25 ++++++++++++++++---------
5 files changed, 38 insertions(+), 21 deletions(-)
diff --git a/web/htdocs/login.py b/web/htdocs/login.py
index f8d9ba7..d3ff0ce 100644
--- a/web/htdocs/login.py
+++ b/web/htdocs/login.py
@@ -161,7 +161,12 @@ def do_login():
if not origtarget or "logout.py" in origtarget:
origtarget = defaults.url_prefix + 'check_mk/'
- if userdb.hook_login(username, password):
+ # None -> User unknown, means continue with other connectors
+ # '<user_id>' -> success
+ # False -> failed
+ result = userdb.hook_login(username, password)
+ if result:
+ username = result
# The login succeeded! Now:
# a) Set the auth cookie
# b) Unset the login vars in further processing
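Review bot: The added comment restates hook_login's return contract but not the reason the local `username` is overwritten, which is the security-relevant part: the value typed into the form is replaced by the identifier the connector actually authenticated, so the auth cookie and later profile lookups use the canonical spelling rather than whatever case the user typed. Note also that `if result:` silently treats an empty-string id as a failed login, which is stricter than hook_login's own `not in [False, None]` test; it is the safer of the two, but the two sites should agree. I would replace the three comment lines with `# hook_login returns the connector's canonical user id on success (it may differ in case from the typed name); None/False mean unknown user / failed login. Use the canonical id for the cookie and everything that follows.` do_login continues outside the hunk.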
diff --git a/web/htdocs/userdb.py b/web/htdocs/userdb.py
index 51ca6b6..843994c 100644
--- a/web/htdocs/userdb.py
+++ b/web/htdocs/userdb.py
@@ -467,10 +467,11 @@ def hook_login(username, password):
continue
result = handler(username, password)
- # None -> User unknown, means continue with other connectors
- # True -> success
- # False -> failed
- if result == True:
+ # None -> User unknown, means continue with other connectors
+ # '<user_id>' -> success
+ # False -> failed
+ if result not in [ False, None ]:
+ username = result
# Check wether or not the user exists (and maybe create it)
create_non_existing_user(connector['id'], username)
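Review bot: `if result not in [False, None]` still accepts a connector that follows the old API and returns `True`: `True` is in neither list entry, so `username` becomes `True` and `create_non_existing_user(connector['id'], True)` is called with a boolean as the user id, after which the same value would be handed on as the logged-in user. Since this commit changes the connector contract, hook_login should validate the new one rather than rely on every plugin having been updated: accept only a non-empty string, e.g. `if isinstance(result, str) and result:` (`basestring` if this file still targets Python 2), and treat anything else, including a legacy `True`, as a failed login or raise so the broken connector is noticed. hook_login starts before this hunk and continues after it.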
@@ -481,8 +482,8 @@ def hook_login(username, password):
# a "!". But when using other conectors it might be neccessary
# to validate the user "locked" attribute.
lock_handler = connector.get('locked', None)
- if lock_handler:
- result = not lock_handler(username) # returns True if locked
+ if lock_handler and lock_handler(username):
+ return False # The account is locked
return result
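Review bot: The rewrite drops the only comment that documented the lock hook's contract (`# returns True if locked`), so a reader now has to find the connector plugin to learn what `lock_handler(username)` means; I would keep it on the new line: `if lock_handler and lock_handler(username):  # connector reports the account as locked`. It is also worth a comment that `username` here is already the connector's canonical id (assigned earlier in this function), which is what makes the lock lookup case-correct for LDAP. Unchanged from before the commit, but visible here: the lock check runs after `create_non_existing_user`, so a locked account still gets a local profile created on every attempt; if that is unintended, the lock check belongs before the create call. The enclosing function starts outside the hunk.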
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index 334ea6d..943922a 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -7786,7 +7786,7 @@ def mode_users(phase):
if cgs:
html.write(", ".join(
[ '<a href="%s">%s</a>' %
(make_link([("mode", "edit_contact_group"), ("edit", c)]),
- contact_groups[c] and contact_groups[c] or c)
for c in cgs]))
+ c in contact_groups and contact_groups[c] or c)
for c in cgs]))
else:
html.write("<i>" + _("none") +
"</i>")
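Review bot: The corrected expression `c in contact_groups and contact_groups[c] or c` is written straight into `'<a href="%s">%s</a>'` without escaping, and the alias it selects is an admin-editable string; unless contact group aliases are escaped when they are loaded (not visible here), this is an HTML-injection point in the users table that the KeyError fix does not address. I would pass both the link target and the label through the module's HTML-escaping helper before formatting. As a point of style, the `and ... or` idiom is equivalent to `contact_groups.get(c) or c`, which reads more clearly and makes the fallback obvious. mode_users starts and ends outside the hunk.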
diff --git a/web/plugins/userdb/htpasswd.py b/web/plugins/userdb/htpasswd.py
index 2977b89..d1b386b 100644
--- a/web/plugins/userdb/htpasswd.py
+++ b/web/plugins/userdb/htpasswd.py
@@ -37,9 +37,9 @@
# to validate a login issued by a user.
# Gets parameters: username, password
# Has to return either:
-# True -> Login succeeded
-# False -> Login failed
-# None -> Unknown user
+# '<user_id>' -> Login succeeded
+# False -> Login failed
+# None -> Unknown user
# sync
# Optional: Hook function can be registered here to be executed
# to synchronize all users.
@@ -94,7 +94,11 @@ def htpasswd_login(username, password):
users = load_htpasswd()
if username not in users:
return None # not existing user, skip over
- return password_valid(users[username], password)
+
+ if password_valid(users[username], password):
+ return username
+ else:
+ return False
# Saves htpasswd connector managed users
def htpasswd_save(users):
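Review bot: `htpasswd_login` now has three distinct return values but no docstring, and the comment header at the top of the file is the only place the contract lives; a reader of this function alone cannot tell that returning the caller-supplied `username` is correct. It is correct because the `username not in users` lookup is an exact dict match, so the key stored in the htpasswd file and the value returned are identical, unlike the LDAP connector which may change case. I would add a docstring stating: returns `username` when the htpasswd hash matches, `False` when the user exists but the password is wrong, and `None` when the user is not in the htpasswd file so other connectors are tried.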
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 1f9775f..3c99af3 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -239,10 +239,10 @@ def ldap_replace_macros(tmpl):
def ldap_user_id_attr():
return config.ldap_userspec.get('user_id', ldap_attr('user_id'))
-def ldap_get_user_dn(username, no_escape = False):
+def ldap_get_user(username, no_escape = False):
# Check wether or not the user exists in the directory
# It's only ok when exactly one entry is found.
- # Returns the DN in this case.
+ # Returns the DN and user_id as tuple in this case.
result = ldap_search(
ldap_replace_macros(config.ldap_userspec['dn']),
'(%s=%s)' % (ldap_user_id_attr(),
ldap.filter.escape_filter_chars(username)),
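Review bot: The new comment says the function "returns the DN and user_id as tuple" but not what it returns when no entry is found, and it still says "only ok when exactly one entry is found" although, as far as this hunk shows, nothing checks the result count; with a case-insensitive user-id attribute two directory entries differing only in case could both match. If the uniqueness guarantee is enforced by `ldap_search` (not visible here) the comment should say so; otherwise say that the first match is used. I would extend the comment to `# Returns (dn, user_id) for the matching entry, or None when nothing was found. The filter match is case-insensitive for most user-id attributes, so user_id is the directory's spelling, not the caller's.` The function body continues in the next hunk.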
@@ -250,10 +250,12 @@ def ldap_get_user_dn(username, no_escape = False):
)
if result:
+ dn = result[0][0]
+ user_id = result[0][1][ldap_user_id_attr()][0]
if no_escape:
- return result[0][0]
+ return (dn, user_id)
else:
- return result[0][0].replace('\\', '\\\\')
+ return (dn.replace('\\', '\\\\'), user_id)
def ldap_get_users(add_filter = None):
columns = [
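Review bot: `result[0][1][ldap_user_id_attr()][0]` raises KeyError or IndexError instead of returning None when the returned entry does not carry the configured attribute under exactly that key, and that exception escapes into `ldap_login` before its `try`, turning a login attempt into a traceback. Attribute names in LDAP are case-insensitive and some servers return them in their own canonical casing (e.g. `sAMAccountName` when the config says `samaccountname`), and an entry may simply lack the attribute; I cannot tell from the hunk whether `ldap_search` normalises the attribute dict, so this is hedged. A case-insensitive lookup that falls back to None keeps the documented contract:
```python
if result:
    dn, attrs = result[0]
    wanted = ldap_user_id_attr().lower()
    values = [v for k, v in attrs.items() if k.lower() == wanted]
    if not values or not values[0]:
        return None  # entry has no usable user id attribute
    user_id = values[0][0]
    # … unchanged: no_escape branch returning (dn, user_id) …
```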
@@ -273,7 +275,9 @@ def ldap_get_users(add_filter = None):
return result
def ldap_user_groups(username, attr = 'cn'):
- user_dn = ldap_get_user_dn(username)
+ # The given username might be wrong case. The ldap search is case insensitive,
+ # so the username read from ldap might differ. Fix it here.
+ user_dn, username = ldap_get_user(username)
# Apply configured group ldap filter and only reply with groups
# having the current user as member
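Review bot: `user_dn, username = ldap_get_user(username)` raises TypeError when the user is not found, because `ldap_get_user` returns None in that case (its `if result:` has no else) and None cannot be unpacked; the old code would have carried a None DN into the filter instead, so the commit turns one failure mode into another rather than handling it. I would bind the tuple first and bail out explicitly, `user = ldap_get_user(username)` followed by `if not user: return []` — the empty value should match whatever the function's callers expect for "no groups", which is not visible here. ldap_user_groups continues outside the hunk.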
@@ -525,16 +529,19 @@ ldap_attribute_plugins['groups_to_roles'] = {
def ldap_login(username, password):
ldap_connect()
# Returns None when the user is not found or not uniq, else returns the
- # distinguished name of the user as string which is needed for the login.
- user_dn = ldap_get_user_dn(username, True)
- if not user_dn:
+ # distinguished name and the username as tuple which are both needed for
+ # the further login process.
+ result = ldap_get_user(username, True)
+ if not result:
return None # The user does not exist. Skip this connector.
+ user_dn, username = result
+
# Try to bind with the user provided credentials. This unbinds the default
# authentication which should be rebound again after trying this.
try:
ldap_bind(user_dn, password)
- result = True
+ result = username
except:
result = False
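Review bot: `ldap_bind(user_dn, password)` is reached with whatever password was submitted, and nothing in this function rejects an empty one; a bind with a DN and an empty password is an unauthenticated bind (RFC 4513 §5.1.2) that many directories answer with success, which would let anyone who knows a valid user id log in. Unless do_login already refuses empty passwords before calling hook_login (not visible here), add `if not password: return False  # empty password = unauthenticated LDAP bind, never accept` before the try. The bare `except:` is unchanged by the commit but now also hides a distinction the new API cares about: a server or connection error is reported as `False` (wrong password) rather than surfacing, so a directory outage looks like a failed credential to the user. ldap_login continues outside the hunk.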