2010-01-12 09:40:09 -06:00
|
|
|
# Authors:
|
|
|
|
# Pavel Zuna <pzuna@redhat.com>
|
|
|
|
#
|
|
|
|
# Copyright (C) 2009 Red Hat
|
|
|
|
# see file 'COPYING' for use and warranty information
|
|
|
|
#
|
2010-12-09 06:59:11 -06:00
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
# (at your option) any later version.
|
2010-01-12 09:40:09 -06:00
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
2010-12-09 06:59:11 -06:00
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
2010-01-12 09:40:09 -06:00
|
|
|
"""
|
|
|
|
Password migration script
|
|
|
|
"""
|
|
|
|
|
2011-02-15 13:11:27 -06:00
|
|
|
import cgi
|
2010-10-29 08:38:17 -05:00
|
|
|
import errno
|
2011-02-15 13:11:27 -06:00
|
|
|
import glob
|
2010-01-12 09:40:09 -06:00
|
|
|
import ldap
|
2010-10-29 08:38:17 -05:00
|
|
|
import wsgiref
|
2011-11-15 13:39:31 -06:00
|
|
|
from ipapython.ipa_log_manager import *
|
2011-09-26 21:19:57 -05:00
|
|
|
from ipapython.ipautil import get_ipa_basedn
|
2010-01-12 09:40:09 -06:00
|
|
|
|
|
|
|
BASE_DN = ''
|
2011-02-15 13:11:27 -06:00
|
|
|
LDAP_URI = 'ldaps://localhost:636'
|
2010-01-12 09:40:09 -06:00
|
|
|
|
2011-09-26 21:19:57 -05:00
|
|
|
def convert_exception(error):
|
|
|
|
"""
|
|
|
|
Convert an LDAP exception into something more readable.
|
|
|
|
"""
|
|
|
|
if not isinstance(error, ldap.TIMEOUT):
|
|
|
|
desc = error.args[0]['desc'].strip()
|
|
|
|
info = error.args[0].get('info', '').strip()
|
|
|
|
else:
|
|
|
|
desc = ''
|
|
|
|
info = ''
|
|
|
|
|
|
|
|
return '%s (%s)' % (desc, info)
|
|
|
|
|
2010-10-29 08:38:17 -05:00
|
|
|
def wsgi_redirect(start_response, loc):
|
|
|
|
start_response('302 Found', [('Location', loc)])
|
|
|
|
return []
|
|
|
|
|
|
|
|
def get_ui_url(environ):
|
|
|
|
full_url = wsgiref.util.request_uri(environ)
|
|
|
|
index = full_url.rfind(environ.get('SCRIPT_NAME',''))
|
|
|
|
if index == -1:
|
|
|
|
raise ValueError('Cannot strip the script URL from full URL "%s"' % full_url)
|
|
|
|
return full_url[:index] + "/ipa/ui"
|
2010-01-12 09:40:09 -06:00
|
|
|
|
|
|
|
def get_base_dn():
|
|
|
|
"""
|
|
|
|
Retrieve LDAP server base DN.
|
|
|
|
"""
|
2011-09-26 21:19:57 -05:00
|
|
|
global BASE_DN
|
|
|
|
|
2010-01-12 09:40:09 -06:00
|
|
|
if BASE_DN:
|
|
|
|
return BASE_DN
|
|
|
|
try:
|
|
|
|
conn = ldap.initialize(LDAP_URI)
|
|
|
|
conn.simple_bind_s('', '')
|
2011-09-26 21:19:57 -05:00
|
|
|
BASE_DN = get_ipa_basedn(conn)
|
|
|
|
except ldap.LDAPError, e:
|
2011-11-15 13:39:31 -06:00
|
|
|
root_logger.error('migration context search failed: %s' % e)
|
2010-01-12 09:40:09 -06:00
|
|
|
return ''
|
2011-09-26 21:19:57 -05:00
|
|
|
finally:
|
|
|
|
conn.unbind_s()
|
|
|
|
|
|
|
|
return BASE_DN
|
2010-01-12 09:40:09 -06:00
|
|
|
|
2010-10-29 08:38:17 -05:00
|
|
|
def bind(username, password):
|
2010-01-12 09:40:09 -06:00
|
|
|
base_dn = get_base_dn()
|
|
|
|
if not base_dn:
|
2011-11-15 13:39:31 -06:00
|
|
|
root_logger.error('migration unable to get base dn')
|
2010-10-29 08:38:17 -05:00
|
|
|
raise IOError(errno.EIO, 'Cannot get Base DN')
|
2010-01-12 09:40:09 -06:00
|
|
|
bind_dn = 'uid=%s,cn=users,cn=accounts,%s' % (username, base_dn)
|
|
|
|
try:
|
|
|
|
conn = ldap.initialize(LDAP_URI)
|
|
|
|
conn.simple_bind_s(bind_dn, password)
|
|
|
|
except (ldap.INVALID_CREDENTIALS, ldap.UNWILLING_TO_PERFORM,
|
2011-09-26 21:19:57 -05:00
|
|
|
ldap.NO_SUCH_OBJECT), e:
|
2011-11-15 13:39:31 -06:00
|
|
|
root_logger.error('migration invalid credentials for %s: %s' % (bind_dn, convert_exception(e)))
|
2010-10-29 08:38:17 -05:00
|
|
|
raise IOError(errno.EPERM, 'Invalid LDAP credentials for user %s' % username)
|
2011-09-26 21:19:57 -05:00
|
|
|
except ldap.LDAPError, e:
|
2011-11-15 13:39:31 -06:00
|
|
|
root_logger.error('migration bind failed: %s' % convert_exception(e))
|
2010-10-29 08:38:17 -05:00
|
|
|
raise IOError(errno.EIO, 'Bind error')
|
2011-09-26 21:19:57 -05:00
|
|
|
finally:
|
|
|
|
conn.unbind_s()
|
2010-10-29 08:38:17 -05:00
|
|
|
|
|
|
|
def application(environ, start_response):
|
2011-09-26 21:19:57 -05:00
|
|
|
global LDAP_URI
|
|
|
|
|
2010-10-29 08:38:17 -05:00
|
|
|
if environ.get('REQUEST_METHOD', None) != 'POST':
|
|
|
|
return wsgi_redirect(start_response, 'index.html')
|
|
|
|
|
|
|
|
form_data = cgi.FieldStorage(fp=environ['wsgi.input'], environ=environ)
|
|
|
|
if not form_data.has_key('username') or not form_data.has_key('password'):
|
|
|
|
return wsgi_redirect(start_response, 'invalid.html')
|
|
|
|
|
2011-02-15 13:11:27 -06:00
|
|
|
slapd_sockets = glob.glob('/var/run/slapd-*.socket')
|
|
|
|
if slapd_sockets:
|
|
|
|
LDAP_URI = 'ldapi://%s' % slapd_sockets[0].replace('/', '%2f')
|
|
|
|
|
2010-10-29 08:38:17 -05:00
|
|
|
try:
|
|
|
|
bind(form_data['username'].value, form_data['password'].value)
|
|
|
|
except IOError as err:
|
|
|
|
if err.errno == errno.EPERM:
|
|
|
|
return wsgi_redirect(start_response, 'invalid.html')
|
|
|
|
if err.errno == errno.EIO:
|
|
|
|
return wsgi_redirect(start_response, 'error.html')
|
|
|
|
|
|
|
|
ui_url = get_ui_url(environ)
|
|
|
|
return wsgi_redirect(start_response, ui_url)
|