Mini Shell

Directory : /usr/lib/python2.7/site-packages/salt/auth/
Current File : //usr/lib/python2.7/site-packages/salt/auth/ldap.pyc

[Compiled Python 2.7 bytecode of salt/auth/ldap.py (the marshalled code object). The binary does not reproduce as text; only the strings recoverable from it (docstrings, configuration defaults, function names and log/error messages) are kept below, in the order they appear in the file.]

Module docstring:

    Provide authentication using simple LDAP binds

    :depends:   - ldap Python module

Imports referenced: __future__ (absolute_import, print_function, unicode_literals), logging, itertools, salt.ext.six, salt.exceptions (CommandExecutionError, SaltInvocationError), salt.utils.stringutils, salt.utils.data, jinja2 (Environment). The modules ldap, ldap.modlist and ldap.filter are imported inside a try block; HAS_LDAP is set to True on success and to False when the ImportError fires. A module logger is obtained with logging.getLogger(__name__).

Configuration defaults (__defopts__):

    auth.ldap.basedn                ''
    auth.ldap.uri                   ''
    auth.ldap.server                'localhost'
    auth.ldap.port                  '389'
    auth.ldap.starttls              False
    auth.ldap.tls                   False
    auth.ldap.no_verify             False
    auth.ldap.anonymous             False
    auth.ldap.scope                 2
    auth.ldap.groupou               'Groups'
    auth.ldap.accountattributename  'memberUid'
    auth.ldap.groupattribute        'memberOf'
    auth.ldap.persontype            'person'
    auth.ldap.groupclass            'posixGroup'
    auth.ldap.activedirectory       False
    auth.ldap.freeipa               False
    auth.ldap.minion_stripdomains   []

_config(key, mandatory, opts)

    Return a value for 'name' from master config file options or defaults.

    Looks up 'auth.ldap.{0}' in __opts__ (or the passed opts), then in __defopts__; if the key is mandatory and absent it raises SaltInvocationError('missing auth.ldap.{0} in master config'), otherwise it returns False.

_render_template(param, username)

    Render config template, substituting username where found.

    Renders the parameter as a jinja2 Environment template with the variable 'username'.

class _LDAPConnection(object), __init__(self, uri, server, port, starttls, tls, no_verify, binddn, bindpw, anonymous, accountattributename, activedirectory, schema)

    Setup an LDAP connection.

    Bind to an LDAP directory using passed credentials.

    Messages raised from the constructor:
    - 'LDAP connection could not be made, the python-ldap module is not installed. Install python-ldap to use LDAP external auth.'
    - 'Cannot bind with both starttls and tls enabled.Please enable only one of the protocols'
    - 'LDAP bind password is not set: password cannot be empty if auth.ldap.anonymous is False'
    - 'Failed to bind to LDAP server {0} as {1}: {2}'
    When no uri is given it is built as '{0}://{1}:{2}' from the scheme ('ldaps' when tls is set, else 'ldap'), server and port. With no_verify set, ldap.OPT_X_TLS_REQUIRE_CERT is set to ldap.OPT_X_TLS_NEVER. The connection is created with ldap.initialize, protocol_version is set, OPT_REFERRALS is switched off, start_tls_s is called when starttls is set, and simple_bind_s is called with binddn and bindpw.

_bind_for_search(anonymous, opts)

    Bind with binddn and bindpw only for searching LDAP
    :param anonymous: Try binding anonymously
    :param opts: Pass in when __opts__ is not available
    :return: LDAPConnection object

    Mandatory parameters read: uri, server, port, starttls, tls, no_verify, anonymous, accountattributename, activedirectory. Additional (optional) parameters: binddn, bindpw, filter, groupclass, auth_by_group_membership_only.

_bind(username, password, anonymous, opts)

    Authenticate via an LDAP bind

    Reads basedn and scope, the same mandatory and additional parameters as _bind_for_search, renders binddn and filter with the username, and escapes the username with ldap.filter.escape_filter_chars. Messages:
    - 'Running LDAP user dn search with filter:%s, dn:%s, scope:%s'
    - 'Unable to find user %s'
    - 'LDAP lookup found multiple results for user %s'
    - 'LDAP lookup--unable to find CN matching user %s'
    - 'Attempting anonymous LDAP bind'
    - 'Attempting LDAP bind with user dn: %s'
    - 'Failed to authenticate user dn via LDAP: %s'
    - 'Error authenticating user dn via LDAP:' (logged with exc_info)
    - 'Successfully authenticated user dn via LDAP: %s'

auth(username, password)

    Simple LDAP auth

    Messages: 'LDAP authentication requires python-ldap module', 'LDAP authentication successful', 'LDAP _bind authentication FAILED'.

groups(username, **kwargs)

    Authenticate against an LDAP group

    Behavior is highly dependent on if Active Directory is in use.

    AD handles group membership very differently than OpenLDAP.
    See the :ref:`External Authentication <acl-eauth>` documentation for a thorough
    discussion of available parameters for customizing the search.

    OpenLDAP allows you to search for all groups in the directory
    and returns members of those groups.  Then we check against
    the username entered.

    Search filters and messages used:
    - 'ldap bind to determine group membership succeeded!'
    - Active Directory user lookup filter '(&({0}={1})(objectClass={2}))' (accountattributename, username, persontype) under basedn, requesting 'distinguishedName'
    - 'Exception thrown while looking up user DN in AD: %s'
    - 'Could not get distinguished name for user %s'
    - Active Directory group filter '(&(member={0})(objectClass={1}))' (user DN, groupclass), requesting 'cn'
    - 'Running LDAP group membership search: %s'
    - 'Exception thrown while retrieving group membership in AD: %s'
    - 'User %s is a member of groups: %s'
    - FreeIPA path: uses group_basedn and group_filter, splits the groupattribute values on ',' and '=' to extract group names
    - 'LDAP username and password do not match'
    - OpenLDAP path: search base 'ou={0},{1}' (groupou, basedn) or '{0}' (basedn) when groupou is empty
    - 'ldap bind to determine group membership FAILED!'

__expand_ldap_entries(entries, opts)

    :param entries: ldap subtree in external_auth config option
    :param opts: Opts to use when __opts__ not defined
    :return: Dictionary with all allowed operations

    Takes the ldap subtree in the external_auth config option and expands it
    with actual minion names

    webadmins%:  <all users in the AD 'webadmins' group>
      - server1
          - .*
      - ldap(OU=webservers,dc=int,dc=bigcompany,dc=com)
        - test.ping
        - service.restart
      - ldap(OU=Domain Controllers,dc=int,dc=bigcompany,dc=com)
        - allowed_fn_list_attribute^

    This function only gets called if auth.ldap.activedirectory = True

    Entries whose matcher starts with 'ldap(' are searched with filter '(objectClass=computer)', requesting 'cn'; the lower-cased cn is used as the minion id, with any suffix listed in auth.ldap.minion_stripdomains removed. ldap.NO_SUCH_OBJECT is caught and ignored. Trace messages: 'Expanded acl_tree is: %s', '__expand_ldap_entries: %s'.

process_acl(auth_list, opts)

    Query LDAP, retrieve list of minion_ids from an OU or other search.
    For each minion_id returned from the LDAP search, copy the perms
    matchers into the auth dictionary
    :param auth_list:
    :param opts: __opts__ for when __opts__ is not injected
    :return: Modified auth list.

    Collects the keys starting with 'ldap(' from each non-string item of auth_list and, if any are found, passes auth_list through __expand_ldap_entries.

Zerion Mini Shell 1.0