freeipa/ipa_server/plugins/b_ldap.py

# Authors:
#   Rob Crittenden <rcritten@redhat.com>
#   Jason Gerard DeRose <jderose@redhat.com>
#
# Copyright (C) 2008  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

"""
Backend plugin for LDAP.

This wraps the python-ldap bindings.
"""

import ldap as _ldap
from ipalib import api
from ipalib import errors
from ipalib.crud import CrudBackend
from ipa_server import servercore
from ipa_server import ipaldap


class ldap(CrudBackend):
    """
    LDAP backend plugin.
    """

    def __init__(self):
        self.dn = _ldap.dn

    def make_user_dn(self, uid):
        """
        Construct user dn from uid.
        """
        return 'uid=%s,%s,%s' % (
            self.dn.escape_dn_chars(uid),
            self.api.env.container_user,
            self.api.env.basedn,
        )

    def make_group_dn(self, cn):
        """
        Construct group dn from cn.
        """
        return 'cn=%s,%s,%s' % (
            self.dn.escape_dn_chars(cn),
            self.api.env.container_group,
            self.api.env.basedn,
        )

    def make_service_dn(self, principal):
        """
        Construct service principal dn from principal name
        """
        return 'krbprincipalname=%s,%s,%s' % (
            self.dn.escape_dn_chars(principal),
            self.api.env.container_service,
            self.api.env.basedn,
        )

    def get_object_type(self, attribute):
        """
        Based on attribute, make an educated guess as to the type of
        object we're looking for.
        """
        attribute = attribute.lower()
        object_type = None
        if attribute == "uid": # User
            object_type = "person"
        elif attribute == "cn": # Group
            object_type = "posixGroup"
        elif attribute == "krbprincipalname": # Service
            object_type = "krbPrincipal"

        return object_type

    def find_entry_dn(self, key_attribute, primary_key, object_type=None):
        """
        Find an existing entry's dn from an attribute
        """
        key_attribute = key_attribute.lower()
        if not object_type:
            object_type = self.get_object_type(key_attribute)
        if not object_type:
            return None

        filter = "(&(%s=%s)(objectclass=%s))" % (
            key_attribute,
            self.dn.escape_dn_chars(primary_key),
            object_type
        )

        search_base = "%s, %s" % (self.api.env.container_accounts, self.api.env.basedn)

        entry = servercore.get_sub_entry(search_base, filter, ['dn', 'objectclass'])

        return entry.get('dn')

    def get_ipa_config(self):
        """Return a dictionary of the IPA configuration"""
        return servercore.get_ipa_config()

    def mark_entry_active(self, dn):
        return servercore.mark_entry_inactive(dn)

    def mark_entry_inactive(self, dn):
        return servercore.mark_entry_inactive(dn)

    def _generate_search_filters(self, **kw):
        """Generates a search filter based on a list of words and a list
           of fields to search against.

           Returns a tuple of two filters: (exact_match, partial_match)
        """

        # construct search pattern for a single word
        # (|(f1=word)(f2=word)...)
        exact_pattern = "(|"
        for field in kw.keys():
            exact_pattern += "(%s=%s)" % (field, kw[field])
        exact_pattern += ")"

        sub_pattern = "(|"
        for field in kw.keys():
            sub_pattern += "(%s=*%s*)" % (field, kw[field])
        sub_pattern += ")"

        # construct the giant match for all words
        exact_match_filter = "(&" + exact_pattern + ")"
        partial_match_filter = "(|" + sub_pattern + ")"

        return (exact_match_filter, partial_match_filter)

    def modify_password(self, dn, **kw):
        return servercore.modify_password(dn, kw.get('oldpass'), kw.get('newpass'))

    # The CRUD operations

    def create(self, **kw):
        if servercore.entry_exists(kw['dn']):
            raise errors.DuplicateEntry("entry already exists")

        entry = ipaldap.Entry(kw['dn'])

        # dn isn't allowed to be in the entry itself
        del kw['dn']

        # Fill in our new entry
        for k in kw:
            entry.setValues(k, kw[k])

        servercore.add_entry(entry)
        return self.retrieve(entry.dn)

    def retrieve(self, dn, attributes=None):
        return servercore.get_entry_by_dn(dn, attributes)

    def update(self, dn, **kw):
        result = self.retrieve(dn, ["*"])

        entry = ipaldap.Entry((dn, servercore.convert_scalar_values(result)))

        for k in kw:
            entry.setValues(k, kw[k])

        servercore.update_entry(entry.toDict())

        return self.retrieve(dn)

    def delete(self, dn):
        return servercore.delete_entry(dn)

    def search(self, **kw):
        objectclass = kw.get('objectclass')
        sfilter = kw.get('filter')
        if objectclass:
            del kw['objectclass']
        if sfilter:
            del kw['filter']
        (exact_match_filter, partial_match_filter) = self._generate_search_filters(**kw)
        if objectclass:
            exact_match_filter = "(&(objectClass=%s)%s)" % (objectclass, exact_match_filter)
            partial_match_filter = "(&(objectClass=%s)%s)" % (objectclass, partial_match_filter)
        if sfilter:
            exact_match_filter = "(%s%s)" % (sfilter, exact_match_filter)
            partial_match_filter = "(%s%s)" % (sfilter, partial_match_filter)

        search_base = "%s, %s" % (self.api.env.container_accounts, self.api.env.basedn)
        try:
            exact_results = servercore.search(search_base,
                    exact_match_filter, ["*"])
        except errors.NotFound:
            exact_results = [0]

        try:
            partial_results = servercore.search(search_base,
                    partial_match_filter, ["*"])
        except errors.NotFound:
            partial_results = [0]

        exact_counter = exact_results[0]
        partial_counter = partial_results[0]

        exact_results = exact_results[1:]
        partial_results = partial_results[1:]

        # Remove exact matches from the partial_match list
        exact_dns = set(map(lambda e: e.get('dn'), exact_results))
        partial_results = filter(lambda e: e.get('dn') not in exact_dns,
                                 partial_results)

        if (exact_counter == -1) or (partial_counter == -1):
            counter = -1
        else:
            counter = len(exact_results) + len(partial_results)

        results = [counter]
        for r in exact_results + partial_results:
            results.append(r)

        return results

api.register(ldap)
368: Added place holder ipa_server/plugins subpackage 2008-09-26 00:20:56 +00:00			`# Authors:`
Put Rob's name at top Author in b_ldap.py as he has written most of it 2008-10-18 01:15:59 -06:00			`# Rob Crittenden <rcritten@redhat.com>`
368: Added place holder ipa_server/plugins subpackage 2008-09-26 00:20:56 +00:00			`# Jason Gerard DeRose <jderose@redhat.com>`
			`#`
			`# Copyright (C) 2008 Red Hat`
			`# see file 'COPYING' for use and warranty information`
			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of the GNU General Public License as`
			`# published by the Free Software Foundation; version 2 only`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with this program; if not, write to the Free Software`
			`# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA`

			`"""`
Made package-level docstrings more consistent so they read better in generated documentation 2008-10-07 20:07:16 -06:00			`Backend plugin for LDAP.`
Added skeleton for kerberos backend 2008-10-01 15:50:04 -06:00
			`This wraps the python-ldap bindings.`
368: Added place holder ipa_server/plugins subpackage 2008-09-26 00:20:56 +00:00			`"""`
Added skeleton for kerberos backend 2008-10-01 15:50:04 -06:00
Added Object.get_dn() method; added corresponding unit tests 2008-10-13 23:26:24 -06:00			`import ldap as _ldap`
Added skeleton for kerberos backend 2008-10-01 15:50:04 -06:00			`from ipalib import api`
Move some functionality from user-add to the backend ldap create function 2008-10-14 17:46:36 -04:00			`from ipalib import errors`
More work on making user-add use Backend.ldap 2008-10-14 02:23:56 -06:00			`from ipalib.crud import CrudBackend`
Move some functionality from user-add to the backend ldap create function 2008-10-14 17:46:36 -04:00			`from ipa_server import servercore`
			`from ipa_server import ipaldap`
Added skeleton for kerberos backend 2008-10-01 15:50:04 -06:00

More work on making user-add use Backend.ldap 2008-10-14 02:23:56 -06:00			`class ldap(CrudBackend):`
Added skeleton for kerberos backend 2008-10-01 15:50:04 -06:00			`"""`
			`LDAP backend plugin.`
			`"""`

Changed ldap.dn class attribute (on backend plugin) to an instance attribute so epydoc doesn't document it 2008-10-17 22:33:03 -06:00			`def __init__(self):`
			`self.dn = _ldap.dn`
Added Object.get_dn() method; added corresponding unit tests 2008-10-13 23:26:24 -06:00
Port user-show to new CrudBackend framework 2008-10-14 22:22:01 -04:00			`def make_user_dn(self, uid):`
Added ldap.get_user_dn() method 2008-10-14 00:38:17 -06:00			`"""`
			`Construct user dn from uid.`
			`"""`
			`return 'uid=%s,%s,%s' % (`
			`self.dn.escape_dn_chars(uid),`
			`self.api.env.container_user,`
			`self.api.env.basedn,`
			`)`

Port group-add to use LDAP backend Have create and update return the record that was just added/modified 2008-10-15 17:46:01 -04:00			`def make_group_dn(self, cn):`
			`"""`
Port f_service to LDAP backend Add new keyword, 'filter', that can be passed to the search function. This is globbed onto the filter that is auto-created. 2008-10-17 19:20:23 -04:00			`Construct group dn from cn.`
Port group-add to use LDAP backend Have create and update return the record that was just added/modified 2008-10-15 17:46:01 -04:00			`"""`
			`return 'cn=%s,%s,%s' % (`
			`self.dn.escape_dn_chars(cn),`
			`self.api.env.container_group,`
			`self.api.env.basedn,`
			`)`

Port f_service to LDAP backend Add new keyword, 'filter', that can be passed to the search function. This is globbed onto the filter that is auto-created. 2008-10-17 19:20:23 -04:00			`def make_service_dn(self, principal):`
			`"""`
			`Construct service principal dn from principal name`
			`"""`
			`return 'krbprincipalname=%s,%s,%s' % (`
			`self.dn.escape_dn_chars(principal),`
			`self.api.env.container_service,`
			`self.api.env.basedn,`
			`)`

Use the search fields from the configuration when searching Generalize the attribute -> objectclass search helper 2008-10-16 15:00:30 -04:00			`def get_object_type(self, attribute):`
			`"""`
			`Based on attribute, make an educated guess as to the type of`
			`object we're looking for.`
			`"""`
Port f_service to LDAP backend Add new keyword, 'filter', that can be passed to the search function. This is globbed onto the filter that is auto-created. 2008-10-17 19:20:23 -04:00			`attribute = attribute.lower()`
Use the search fields from the configuration when searching Generalize the attribute -> objectclass search helper 2008-10-16 15:00:30 -04:00			`object_type = None`
			`if attribute == "uid": # User`
			`object_type = "person"`
			`elif attribute == "cn": # Group`
			`object_type = "posixGroup"`
Port f_service to LDAP backend Add new keyword, 'filter', that can be passed to the search function. This is globbed onto the filter that is auto-created. 2008-10-17 19:20:23 -04:00			`elif attribute == "krbprincipalname": # Service`
Use the search fields from the configuration when searching Generalize the attribute -> objectclass search helper 2008-10-16 15:00:30 -04:00			`object_type = "krbPrincipal"`

			`return object_type`

Port user-mod to use ldap update() method 2008-10-15 09:58:29 -04:00			`def find_entry_dn(self, key_attribute, primary_key, object_type=None):`
Port user-show to new CrudBackend framework 2008-10-14 22:22:01 -04:00			`"""`
			`Find an existing entry's dn from an attribute`
			`"""`
			`key_attribute = key_attribute.lower()`
			`if not object_type:`
Use the search fields from the configuration when searching Generalize the attribute -> objectclass search helper 2008-10-16 15:00:30 -04:00			`object_type = self.get_object_type(key_attribute)`
			`if not object_type:`
			`return None`
Port user-show to new CrudBackend framework 2008-10-14 22:22:01 -04:00
			`filter = "(&(%s=%s)(objectclass=%s))" % (`
			`key_attribute,`
			`self.dn.escape_dn_chars(primary_key),`
			`object_type`
			`)`

			`search_base = "%s, %s" % (self.api.env.container_accounts, self.api.env.basedn)`

Port user-mod to use ldap update() method 2008-10-15 09:58:29 -04:00			`entry = servercore.get_sub_entry(search_base, filter, ['dn', 'objectclass'])`
Port user-show to new CrudBackend framework 2008-10-14 22:22:01 -04:00
Use the search fields from the configuration when searching Generalize the attribute -> objectclass search helper 2008-10-16 15:00:30 -04:00			`return entry.get('dn')`
Port user-show to new CrudBackend framework 2008-10-14 22:22:01 -04:00
Remove all references to ipa_server.* from user plugin 2008-10-16 10:32:20 -04:00			`def get_ipa_config(self):`
			`"""Return a dictionary of the IPA configuration"""`
			`return servercore.get_ipa_config()`

			`def mark_entry_active(self, dn):`
			`return servercore.mark_entry_inactive(dn)`

			`def mark_entry_inactive(self, dn):`
			`return servercore.mark_entry_inactive(dn)`

			`def _generate_search_filters(self, **kw):`
Initial implementation of a generic search routine. 2008-10-15 16:11:34 -04:00			`"""Generates a search filter based on a list of words and a list`
			`of fields to search against.`

			`Returns a tuple of two filters: (exact_match, partial_match)`
			`"""`

			`# construct search pattern for a single word`
			`# (\|(f1=word)(f2=word)...)`
			`exact_pattern = "(\|"`
			`for field in kw.keys():`
			`exact_pattern += "(%s=%s)" % (field, kw[field])`
			`exact_pattern += ")"`

			`sub_pattern = "(\|"`
			`for field in kw.keys():`
			`sub_pattern += "(%s=%s)" % (field, kw[field])`
			`sub_pattern += ")"`

			`# construct the giant match for all words`
			`exact_match_filter = "(&" + exact_pattern + ")"`
			`partial_match_filter = "(\|" + sub_pattern + ")"`

			`return (exact_match_filter, partial_match_filter)`

Framework for doing password changes Need mechanism to prompt for new password twice and verify they are the same 2008-10-20 22:41:53 -04:00			`def modify_password(self, dn, **kw):`
			`return servercore.modify_password(dn, kw.get('oldpass'), kw.get('newpass'))`

Remove all references to ipa_server.* from user plugin 2008-10-16 10:32:20 -04:00			`# The CRUD operations`

More work on making user-add use Backend.ldap 2008-10-14 02:23:56 -06:00			`def create(self, **kw):`
Move some functionality from user-add to the backend ldap create function 2008-10-14 17:46:36 -04:00			`if servercore.entry_exists(kw['dn']):`
			`raise errors.DuplicateEntry("entry already exists")`

			`entry = ipaldap.Entry(kw['dn'])`

			`# dn isn't allowed to be in the entry itself`
			`del kw['dn']`

			`# Fill in our new entry`
			`for k in kw:`
			`entry.setValues(k, kw[k])`

Port group-add to use LDAP backend Have create and update return the record that was just added/modified 2008-10-15 17:46:01 -04:00			`servercore.add_entry(entry)`
			`return self.retrieve(entry.dn)`
More work on making user-add use Backend.ldap 2008-10-14 02:23:56 -06:00
Port user-show to new CrudBackend framework 2008-10-14 22:22:01 -04:00			`def retrieve(self, dn, attributes=None):`
			`return servercore.get_entry_by_dn(dn, attributes)`

Port user-mod to use ldap update() method 2008-10-15 09:58:29 -04:00			`def update(self, dn, **kw):`
			`result = self.retrieve(dn, ["*"])`

			`entry = ipaldap.Entry((dn, servercore.convert_scalar_values(result)))`

			`for k in kw:`
			`entry.setValues(k, kw[k])`

Port group-add to use LDAP backend Have create and update return the record that was just added/modified 2008-10-15 17:46:01 -04:00			`servercore.update_entry(entry.toDict())`

			`return self.retrieve(dn)`
Port user-mod to use ldap update() method 2008-10-15 09:58:29 -04:00
Port user-show to new CrudBackend framework 2008-10-14 22:22:01 -04:00			`def delete(self, dn):`
			`return servercore.delete_entry(dn)`

Initial implementation of a generic search routine. 2008-10-15 16:11:34 -04:00			`def search(self, **kw):`
			`objectclass = kw.get('objectclass')`
Port f_service to LDAP backend Add new keyword, 'filter', that can be passed to the search function. This is globbed onto the filter that is auto-created. 2008-10-17 19:20:23 -04:00			`sfilter = kw.get('filter')`
Initial implementation of a generic search routine. 2008-10-15 16:11:34 -04:00			`if objectclass:`
			`del kw['objectclass']`
Port f_service to LDAP backend Add new keyword, 'filter', that can be passed to the search function. This is globbed onto the filter that is auto-created. 2008-10-17 19:20:23 -04:00			`if sfilter:`
			`del kw['filter']`
Remove all references to ipa_server.* from user plugin 2008-10-16 10:32:20 -04:00			`(exact_match_filter, partial_match_filter) = self._generate_search_filters(**kw)`
Initial implementation of a generic search routine. 2008-10-15 16:11:34 -04:00			`if objectclass:`
			`exact_match_filter = "(&(objectClass=%s)%s)" % (objectclass, exact_match_filter)`
			`partial_match_filter = "(&(objectClass=%s)%s)" % (objectclass, partial_match_filter)`
Port f_service to LDAP backend Add new keyword, 'filter', that can be passed to the search function. This is globbed onto the filter that is auto-created. 2008-10-17 19:20:23 -04:00			`if sfilter:`
			`exact_match_filter = "(%s%s)" % (sfilter, exact_match_filter)`
			`partial_match_filter = "(%s%s)" % (sfilter, partial_match_filter)`
Initial implementation of a generic search routine. 2008-10-15 16:11:34 -04:00
			`search_base = "%s, %s" % (self.api.env.container_accounts, self.api.env.basedn)`
			`try:`
Changed ldap.dn class attribute (on backend plugin) to an instance attribute so epydoc doesn't document it 2008-10-17 22:33:03 -06:00			`exact_results = servercore.search(search_base,`
Initial implementation of a generic search routine. 2008-10-15 16:11:34 -04:00			`exact_match_filter, ["*"])`
			`except errors.NotFound:`
			`exact_results = [0]`

			`try:`
			`partial_results = servercore.search(search_base,`
			`partial_match_filter, ["*"])`
			`except errors.NotFound:`
			`partial_results = [0]`

			`exact_counter = exact_results[0]`
			`partial_counter = partial_results[0]`

			`exact_results = exact_results[1:]`
			`partial_results = partial_results[1:]`

			`# Remove exact matches from the partial_match list`
			`exact_dns = set(map(lambda e: e.get('dn'), exact_results))`
			`partial_results = filter(lambda e: e.get('dn') not in exact_dns,`
			`partial_results)`

			`if (exact_counter == -1) or (partial_counter == -1):`
			`counter = -1`
			`else:`
			`counter = len(exact_results) + len(partial_results)`

			`results = [counter]`
			`for r in exact_results + partial_results:`
			`results.append(r)`

			`return results`

Added skeleton for kerberos backend 2008-10-01 15:50:04 -06:00			`api.register(ldap)`