Commit 41004748 authored by olivier.salaun's avatar olivier.salaun
Browse files

Fixed description of the module


git-svn-id: https://subversion.renater.fr/sympa/trunk@4189 05aa8bb8-cd2b-0410-b1d7-8918dfa770ce
parent 9ffd167f
# wwslib.pm - This module includes functions used by wwsympa.fcgi # Auth.pm - This module provides web authentication functions
# RCS Identication ; $Revision$ ; $Date$ # RCS Identication ; $Revision$ ; $Date$
# #
# Sympa - SYsteme de Multi-Postage Automatique # Sympa - SYsteme de Multi-Postage Automatique
...@@ -199,8 +199,6 @@ sub ldap_authentication { ...@@ -199,8 +199,6 @@ sub ldap_authentication {
# and this email address does not match the corresponding regexp # and this email address does not match the corresponding regexp
next if ($auth =~ /@/ && $auth !~ /$ldap->{'regexp'}/i); next if ($auth =~ /@/ && $auth !~ /$ldap->{'regexp'}/i);
foreach $host (split(/,/,$ldap->{'host'})){
my @alternative_conf = split(/,/,$ldap->{'alternative_email_attribute'}); my @alternative_conf = split(/,/,$ldap->{'alternative_email_attribute'});
my $attrs = $ldap->{'email_attribute'}; my $attrs = $ldap->{'email_attribute'};
my $filter = $ldap->{'get_dn_by_uid_filter'} if($whichfilter eq 'uid_filter'); my $filter = $ldap->{'get_dn_by_uid_filter'} if($whichfilter eq 'uid_filter');
...@@ -209,42 +207,14 @@ sub ldap_authentication { ...@@ -209,42 +207,14 @@ sub ldap_authentication {
##anonymous bind in order to have the user's DN ##anonymous bind in order to have the user's DN
my $ldap_anonymous; my $ldap_anonymous;
if ($ldap->{'use_ssl'}) { my $param = &tools::dup_var($ldap);
unless (eval "require Net::LDAPS") { my $ds = new Datasource('LDAP', $param);
do_log ('err',"Unable to use LDAPS library, Net::LDAPS required");
return undef;
}
require Net::LDAPS;
my %param;
$param{'timeout'} = $ldap->{'timeout'} if ($ldap->{'timeout'});
$param{'sslversion'} = $ldap->{'ssl_version'} if ($ldap->{'ssl_version'});
$param{'ciphers'} = $ldap->{'ssl_ciphers'} if ($ldap->{'ssl_ciphers'});
$ldap_anonymous = Net::LDAPS->new($host,%param);
}else {
$ldap_anonymous = Net::LDAP->new($host,timeout => $ldap->{'timeout'});
}
unless ($ldap_anonymous ){ unless (defined $ds && ($ldap_anonymous = $ds->connect())) {
do_log ('err','Unable to connect to the LDAP server %s',$host); &do_log('err',"Unable to connect to the LDAP server '%s'", $ldap->{'host'});
next; next;
} }
my $cnx;
## Not always anonymous...
if (defined ($ldap->{'bind_dn'}) && defined ($ldap->{'bind_password'})) {
$cnx = $ldap_anonymous->bind($ldap->{'bind_dn'}, password =>$ldap->{'bind_password'});
}else {
$cnx = $ldap_anonymous->bind;
}
unless(defined($cnx) && ($cnx->code() == 0)){
do_log('notice',"Can\'t bind to LDAP server $host");
last;
#do_log ('err','Ldap Error : %s, Ldap server error : %s',$cnx->error,$cnx->server_error);
#$ldap_anonymous->unbind;
}
$mesg = $ldap_anonymous->search(base => $ldap->{'suffix'}, $mesg = $ldap_anonymous->search(base => $ldap->{'suffix'},
filter => "$filter", filter => "$filter",
...@@ -252,49 +222,31 @@ sub ldap_authentication { ...@@ -252,49 +222,31 @@ sub ldap_authentication {
timeout => $ldap->{'timeout'}); timeout => $ldap->{'timeout'});
if ($mesg->count() == 0) { if ($mesg->count() == 0) {
do_log('notice','No entry in the Ldap Directory Tree of %s for %s',$host,$auth); do_log('notice','No entry in the Ldap Directory Tree of %s for %s',$ldap->{'host'},$auth);
$ldap_anonymous->unbind; $ds->disconnect();
last; last;
} }
my $refhash=$mesg->as_struct(); my $refhash=$mesg->as_struct();
my (@DN) = keys(%$refhash); my (@DN) = keys(%$refhash);
$ldap_anonymous->unbind; $ds->disconnect();
## bind with the DN and the pwd ## bind with the DN and the pwd
my $ldap_passwd; my $ldap_passwd;
if ($ldap->{'use_ssl'}) {
unless (eval "require Net::LDAPS") {
do_log ('err',"Unable to use LDAPS library, Net::LDAPS required");
return undef;
}
require Net::LDAPS;
my %param;
$param{'timeout'} = $ldap->{'timeout'} if ($ldap->{'timeout'});
$param{'sslversion'} = $ldap->{'ssl_version'} if ($ldap->{'ssl_version'});
$param{'ciphers'} = $ldap->{'ssl_ciphers'} if ($ldap->{'ssl_ciphers'});
$ldap_passwd = Net::LDAPS->new($host,%param);
}else {
$ldap_passwd = Net::LDAP->new($host,timeout => $ldap->{'timeout'});
}
unless ($ldap_passwd) { ## Duplicate structure first
do_log('err','Unable to (re) connect to the LDAP server %s', $host); ## Then set the bind_dn and password according to the current user
do_log ('err','Ldap Error : %s, Ldap server error : %s',$ldap_passwd->error,$ldap_passwd->server_error); my $param = &tools::dup_var($ldap);
$param->{'ldap_bind_dn'} = $DN[0];
$param->{'ldap_bind_password'} = $pwd;
my $ds = new Datasource('LDAP', $param);
unless (defined $ds && ($ldap_passwd = $ds->connect())) {
do_log('err',"Unable to connect to the LDAP server '%s'", $param->{'host'});
next; next;
} }
$cnx = $ldap_passwd->bind($DN[0], password => $pwd);
unless(defined($cnx) && ($cnx->code() == 0)){
do_log('notice', 'Incorrect password for user %s ; host: %s',$auth, $host);
#do_log ('err','Ldap Error : %s, Ldap server error : %s',$cnx->error,$cnx->server_error);
$ldap_passwd->unbind;
last;
}
# this bind is anonymous and may return
# $ldap_passwd->bind($DN[0]);
$mesg= $ldap_passwd->search ( base => $ldap->{'suffix'}, $mesg= $ldap_passwd->search ( base => $ldap->{'suffix'},
filter => "$filter", filter => "$filter",
scope => $ldap->{'scope'}, scope => $ldap->{'scope'},
...@@ -302,8 +254,8 @@ sub ldap_authentication { ...@@ -302,8 +254,8 @@ sub ldap_authentication {
); );
if ($mesg->count() == 0) { if ($mesg->count() == 0) {
do_log('notice',"No entry in the Ldap Directory Tree of %s", $host); do_log('notice',"No entry in the Ldap Directory Tree of %s", $ldap->{'host'});
$ldap_passwd->unbind; $ds->disconnect();
last; last;
} }
...@@ -337,17 +289,15 @@ sub ldap_authentication { ...@@ -337,17 +289,15 @@ sub ldap_authentication {
$param->{'alt_emails'}{$alt} = $previous->{$alt}; $param->{'alt_emails'}{$alt} = $previous->{$alt};
} }
$ldap_passwd->unbind or do_log('notice', "unable to unbind"); $ds->disconnect() or &do_log('notice', "unable to unbind");
do_log('debug3',"canonic: $canonic_email[0]"); &do_log('debug3',"canonic: $canonic_email[0]");
return lc($canonic_email[0]); return lc($canonic_email[0]);
}
next unless ($ldap_anonymous); next unless ($ldap_anonymous);
next unless ($ldap_passwd); next unless ($ldap_passwd);
next unless (defined($cnx) && ($cnx->code() == 0)); next unless (defined($cnx) && ($cnx->code() == 0));
next if($mesg->count() == 0); next if($mesg->count() == 0);
next if($mesg->code() != 0); next if($mesg->code() != 0);
next unless ($host);
} }
} }
...@@ -372,75 +322,22 @@ sub get_email_by_net_id { ...@@ -372,75 +322,22 @@ sub get_email_by_net_id {
return $email; return $email;
} }
unless (eval "require Net::LDAP") { my $ldap = @{$Conf{'auth_services'}{$robot}}[$auth_id];
do_log ('err',"Unable to use LDAP library, Net::LDAP required, install perl-ldap (CPAN) first");
return undef;
}
require Net::LDAP;
unless (eval "require Net::LDAP::Entry") { my $param = &tools::dup_var($ldap);
do_log ('err',"Unable to use LDAP library,Net::LDAP::Entry required install perl-ldap (CPAN) first"); my $ds = new Datasource('LDAP', $param);
return undef; my $ldap_anonymous;
}
require Net::LDAP::Entry;
unless (eval "require Net::LDAP::Message") { unless (defined $ds && ($ldap_anonymous = $ds->connect())) {
do_log ('err',"Unable to use LDAP library,Net::LDAP::Entry required install perl-ldap (CPAN) first"); &do_log('err',"Unable to connect to the LDAP server '%s'", $ldap->{'ldap_host'});
return undef; return undef;
} }
require Net::LDAP::Message;
my $ldap = @{$Conf{'auth_services'}{$robot}}[$auth_id];
my $filter = $ldap->{'ldap_get_email_by_uid_filter'} ; my $filter = $ldap->{'ldap_get_email_by_uid_filter'} ;
$filter =~ s/\[([\w-]+)\]/$attributes->{$1}/ig; $filter =~ s/\[([\w-]+)\]/$attributes->{$1}/ig;
foreach my $host (split(/,/,$ldap->{'ldap_host'})){
# my @alternative_conf = split(/,/,$ldap->{'alternative_email_attribute'}); # my @alternative_conf = split(/,/,$ldap->{'alternative_email_attribute'});
my $ldap_anonymous;
my %param;
$param{'timeout'} = $ldap->{'ldap_timeout'} || 3;
$param{'async'} = 1;
if ($ldap->{'ldap_use_ssl'}) {
$param{'sslversion'} = $ldap->{'ldap_ssl_version'} if ($ldap->{'ldap_ssl_version'});
$param{'ciphers'} = $ldap->{'ldap_ssl_ciphers'} if ($ldap->{'ldap_ssl_ciphers'});
unless (eval "require Net::LDAPS") {
do_log ('err',"Unable to use LDAPS library, Net::LDAPS required");
return undef;
}
require Net::LDAPS;
$ldap_anonymous = Net::LDAPS->new($host,%param);
}else {
$ldap_anonymous = Net::LDAP->new($host,%param);
}
unless ($ldap_anonymous ){
do_log ('err','Unable to connect to the LDAP server %s',$host);
next;
}
my $cnx;
## Not always anonymous...
if (defined ($ldap->{'ldap_bind_dn'}) && defined ($ldap->{'ldap_bind_password'})) {
$cnx = $ldap_anonymous->bind($ldap->{'ldap_bind_dn'}, password =>$ldap->{'ldap_bind_password'});
}else {
$cnx = $ldap_anonymous->bind;
}
unless(defined($cnx) && ($cnx->code() == 0)){
do_log('notice',"Can\'t bind to LDAP server $host");
last;
#do_log ('err','Ldap Error : %s, Ldap server error : %s',$cnx->error,$cnx->server_error);
#$ldap_anonymous->unbind;
}
do_log ('debug',"Binded to LDAP host $host, search base=$ldap->{'ldap_suffix'},filter=$filter,scope=$ldap->{'ldap_scope'},attrs=$ldap->{'ldap_email_attribute'}");
my $emails= $ldap_anonymous->search ( base => $ldap->{'ldap_suffix'}, my $emails= $ldap_anonymous->search ( base => $ldap->{'ldap_suffix'},
filter => $filter, filter => $filter,
scope => $ldap->{'ldap_scope'}, scope => $ldap->{'ldap_scope'},
...@@ -451,25 +348,18 @@ sub get_email_by_net_id { ...@@ -451,25 +348,18 @@ sub get_email_by_net_id {
if ($emails->count() == 0) { if ($emails->count() == 0) {
do_log('notice',"No entry in the Ldap Directory Tree of %s", $host); do_log('notice',"No entry in the Ldap Directory Tree of %s", $host);
$ldap_anonymous->unbind; $ds->disconnect();
last; return undef;
} }
$ds->disconnect();
## return only the first attribute
my @results = $emails->entries; my @results = $emails->entries;
foreach my $result (@results){ foreach my $result (@results){
return (lc($result->get_value($ldap->{'ldap_email_attribute'}))); return (lc($result->get_value($ldap->{'ldap_email_attribute'})));
} }
## return only the first attribute
my $entry = $emails->entry(0);
my @canonic_email = $entry->get_value($ldap->{'ldap_email_attribute'},alloptions);
foreach my $email (@canonic_email){
return(lc($email));
}
}
} }
# check trusted_application_name et trusted_application_password : return 1 or undef; # check trusted_application_name et trusted_application_password : return 1 or undef;
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment