Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

avoid duplicating ldaptor code in LDAPServerWithUPNBind #161

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
96 changes: 31 additions & 65 deletions docs/source/examples/ldaptor_with_upn_bind.py
Original file line number Diff line number Diff line change
Expand Up @@ -20,78 +20,44 @@

from ldaptor import interfaces
from ldaptor.protocols import pureldap
from ldaptor.protocols.ldap import distinguishedname, ldaperrors
from twisted.internet import defer
from ldaptor.protocols.ldap.ldapserver import LDAPServer


class LDAPServerWithUPNBind(LDAPServer):
class LDAPServerWithUPNBind(LDAPServer, object):
"""
An LDAP server which support BIND using UPN similar to AD.
"""
_loginAttribute = b'userPrincipalName'

def handle_LDAPBindRequest(self, request, controls, reply):
if request.version != 3:
raise ldaperrors.LDAPProtocolError(
'Version %u not supported' % request.version)
_loginAttribute = b"userPrincipalName"

self.checkControls(controls)

if request.dn == b'':
# anonymous bind
self.boundUser = None
return pureldap.LDAPBindResponse(resultCode=0)

root = interfaces.IConnectedLDAPEntry(self.factory)

def _gotUPNResult(results):
if len(results) != 1:
# Not exactly one result, so this might not be an UNP.
return distinguishedname.DistinguishedName(request.dn)

# A single result, so the UPN might exist.
return results[0].dn

if b'@' in request.dn and b',' not in request.dn:
@defer.inlineCallbacks
def handle_LDAPBindRequest(self, request, *args, **kwargs):
@defer.inlineCallbacks
def _request():
if not (b"@" in request.dn and b"," not in request.dn):
defer.returnValue(request)
Comment on lines +37 to +39
Copy link
Member

@adiroiban adiroiban Feb 26, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe something like this

Suggested change
def _request():
if not (b"@" in request.dn and b"," not in request.dn):
defer.returnValue(request)
def _resolveUPNBindDN():
"""
See if we have an MS UPN style BIND DN request and resolve it to the
actual LDAP BindDN.
UPN bind is in the form of User.Name@ad.example.tld
"""
if b"@" not in request.dn or b"," in request.dn:
# This is not an UPN bind request.
defer.returnValue(request)

root = interfaces.IConnectedLDAPEntry(self.factory)
# This might be an UPN request.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# This might be an UPN request.
# The the LDAP DN associated with the UPN request.

filterText = b'(' + self._loginAttribute + b'=' + request.dn + b')'
d = root.search(filterText=filterText)
d.addCallback(_gotUPNResult)
else:
d = defer.succeed(distinguishedname.DistinguishedName(request.dn))

# Once the BIND DN is known, search for the LDAP entry.
d.addCallback(lambda dn: root.lookup(dn))

def _noEntry(fail):
"""
Called when the requested BIND DN was not found.
"""
fail.trap(ldaperrors.LDAPNoSuchObject)
return None
d.addErrback(_noEntry)

def _gotEntry(entry, auth):
"""
Called when the requested BIND DN was found.
"""
if entry is None:
raise ldaperrors.LDAPInvalidCredentials()

d = entry.bind(auth)

def _cb(entry):
"""
Called when BIND operation was successful.
"""
self.boundUser = entry
msg = pureldap.LDAPBindResponse(
resultCode=ldaperrors.Success.resultCode,
matchedDN=entry.dn.getText())
return msg
d.addCallback(_cb)
return d
d.addCallback(_gotEntry, request.auth)

return d
filter_text = b"(" + self._loginAttribute + b"=" + request.dn + b")"
results = yield root.search(filterText=filter_text)
if len(results) != 1:
defer.returnValue(request)
Comment on lines +44 to +45
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if len(results) != 1:
defer.returnValue(request)
if len(results) != 1:
# We could not find an exact UPN match so we go with the
# requested Bind DN.
defer.returnValue(request)


defer.returnValue(
pureldap.LDAPBindRequest(
version=request.version,
dn=results[0].dn.getText(),
auth=request.auth,
tag=request.tag,
sasl=request.sasl,
)
)

defer.returnValue(
(
yield super(LDAPServerWithUPNBind, self).handle_LDAPBindRequest(
(yield _request()), *args, **kwargs
)
)
)