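def authenticate(login, password):
    """
    Attempt to authenticate the login name with password against the
    configured LDAP server. If the user is authenticated, required
    group memberships are also verified.

    Returns the bound LDAPUser on success, or False when the credentials
    are rejected, an LDAP error occurs, the user is not found, or the
    required group membership cannot be verified.

    Raises NoAnswerError when the server is down or unreachable and
    TimeoutError when the bind operation times out.
    """
    # An empty password must never reach the bind: an LDAP simple bind
    # with a name and an empty password is an "unauthenticated" bind,
    # which some servers accept, so relying on the server to reject it
    # would risk accepting an unknown caller as a known user.
    if not password:
        _logger.warning("Refusing LDAP bind with an empty password for user %s",
                        login)
        return False

    lconn = open_ldap()
    server = _config.get('ldap', 'server')
    user = LDAPUser(login, lconn)
    # Bind to user using the supplied password
    try:
        user.bind(password)
    except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR):
        _logger.exception("LDAP server is down")
        raise NoAnswerError(server)
    except ldap.INVALID_CREDENTIALS:
        _logger.warning("Server %s reported invalid credentials for user %s",
                        server, login)
        return False
    except ldap.TIMEOUT as error:
        _logger.error("Timed out waiting for LDAP bind operation")
        raise TimeoutError(error)
    except ldap.LDAPError:
        # Catch-all for other python-ldap errors; logged with traceback
        # but treated as a failed authentication rather than propagated
        _logger.exception("An LDAP error occurred when authenticating user %s "
                          "against server %s", login, server)
        return False
    except UserNotFound:
        _logger.exception("Username %s was not found in the LDAP catalog %s",
                          login, server)
        return False
    _logger.debug("LDAP authenticated user %s", login)
    # If successful so far, verify required group memberships before
    # the final verdict is made
    group_dn = _config.get('ldap', 'require_group')
    if group_dn:
        if user.is_group_member(group_dn):
            _logger.info("%s is verified to be a member of %s",
                         login, group_dn)
            return user
        else:
            _logger.warning("Could NOT verify %s as a member of %s",
                            login, group_dn)
            return False
    # If no group matching was needed, we are already authenticated,
    # so return that.
    return user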