""" This API is adapted for OpenLDAP. The file contains all LDAP classes and methods needed to: - Load the LDAP connection configuration file (login, address..) with LdapConfig - Connect to LDAP with ldap_co - Create a unique LDAP login and password for a user based on his email or last name and first name with LoginPassword. - Manage entries in LDAP using SFA records with LDAPapi (Search, Add, Delete, Modify) """ import random from passlib.hash import ldap_salted_sha1 as lssha from sfa.util.xrn import get_authority from sfa.util.sfalogging import logger from sfa.util.config import Config import ldap import ldap.modlist as modlist import os.path class LdapConfig(): """ Ldap configuration class loads the configuration file and sets the ldap IP address, password, people dn, web dn, group dn. All these settings were defined in a separate file ldap_config.py to avoid sharing them in the SFA git as it contains sensible information. """ def __init__(self, config_file='/etc/sfa/ldap_config.py'): """Loads configuration from file /etc/sfa/ldap_config.py and set the parameters for connection to LDAP. """ try: execfile(config_file, self.__dict__) self.config_file = config_file # path to configuration data self.config_path = os.path.dirname(config_file) except IOError: raise IOError, "Could not find or load the configuration file: %s" \ % config_file class ldap_co: """ Set admin login and server configuration variables.""" def __init__(self): """Fetch LdapConfig attributes (Ldap server connection parameters and defines port , version and subtree scope. """ #Iotlab PROD LDAP parameters self.ldapserv = None ldap_config = LdapConfig() self.config = ldap_config self.ldapHost = ldap_config.LDAP_IP_ADDRESS self.ldapPeopleDN = ldap_config.LDAP_PEOPLE_DN self.ldapGroupDN = ldap_config.LDAP_GROUP_DN self.ldapAdminDN = ldap_config.LDAP_WEB_DN self.ldapAdminPassword = ldap_config.LDAP_WEB_PASSWORD self.ldapPort = ldap.PORT self.ldapVersion = ldap.VERSION3 self.ldapSearchScope = ldap.SCOPE_SUBTREE def connect(self, bind=True): """Enables connection to the LDAP server. :param bind: Set the bind parameter to True if a bind is needed (for add/modify/delete operations). Set to False otherwise. :type bind: boolean :returns: dictionary with status of the connection. True if Successful, False if not and in this case the error message( {'bool', 'message'} ). :rtype: dict """ try: self.ldapserv = ldap.open(self.ldapHost) except ldap.LDAPError, error: return {'bool': False, 'message': error} # Bind with authentification if(bind): return self.bind() else: return {'bool': True} def bind(self): """ Binding method. :returns: dictionary with the bind status. True if Successful, False if not and in this case the error message({'bool','message'}) :rtype: dict """ try: # Opens a connection after a call to ldap.open in connect: self.ldapserv = ldap.initialize("ldap://" + self.ldapHost) # Bind/authenticate with a user with apropriate #rights to add objects self.ldapserv.simple_bind_s(self.ldapAdminDN, self.ldapAdminPassword) except ldap.LDAPError, error: return {'bool': False, 'message': error} return {'bool': True} def close(self): """Close the LDAP connection. Can throw an exception if the unbinding fails. :returns: dictionary with the bind status if the unbinding failed and in this case the dict contains an error message. The dictionary keys are : ({'bool','message'}) :rtype: dict or None """ try: self.ldapserv.unbind_s() except ldap.LDAPError, error: return {'bool': False, 'message': error} class LoginPassword(): """ Class to handle login and password generation, using custom login generation algorithm. """ def __init__(self): """ Sets password and login maximum length, and defines the characters that can be found in a random generated password. """ self.login_max_length = 8 self.length_password = 8 self.chars_password = ['!', '$', '(',')', '*', '+', ',', '-', '.', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '_', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '\''] @staticmethod def clean_user_names(record): """ Removes special characters such as '-', '_' , '[', ']' and ' ' from the first name and last name. :param record: user's record :type record: dict :returns: lower_first_name and lower_last_name if they were found in the user's record. Return None, none otherwise. :rtype: string, string or None, None. """ if 'first_name' in record and 'last_name' in record: #Remove all special characters from first_name/last name lower_first_name = record['first_name'].replace('-', '')\ .replace('_', '').replace('[', '')\ .replace(']', '').replace(' ', '')\ .lower() lower_last_name = record['last_name'].replace('-', '')\ .replace('_', '').replace('[', '')\ .replace(']', '').replace(' ', '')\ .lower() return lower_first_name, lower_last_name else: return None, None @staticmethod def extract_name_from_email(record): """ When there is no valid first name and last name in the record, the email is used to generate the login. Here, we assume the email is firstname.lastname@something.smthg. The first name and last names are extracted from the email, special charcaters are removed and they are changed into lower case. :param record: user's data :type record: dict :returns: the first name and last name taken from the user's email. lower_first_name, lower_last_name. :rtype: string, string """ email = record['email'] email = email.split('@')[0].lower() lower_first_name = None lower_last_name = None #Assume there is first name and last name in email #if there is a separator separator_list = ['.', '_', '-'] for sep in separator_list: if sep in email: mail = email.split(sep) lower_first_name = mail[0] lower_last_name = mail[1] break #Otherwise just take the part before the @ as the #lower_first_name and lower_last_name if lower_first_name is None: lower_first_name = email lower_last_name = email return lower_first_name, lower_last_name def get_user_firstname_lastname(self, record): """ Get the user first name and last name from the information we have in the record. :param record: user's information :type record: dict :returns: the user's first name and last name. .. seealso:: clean_user_names .. seealso:: extract_name_from_email """ lower_first_name, lower_last_name = self.clean_user_names(record) #No first name and last name check email if lower_first_name is None and lower_last_name is None: lower_first_name, lower_last_name = \ self.extract_name_from_email(record) return lower_first_name, lower_last_name # XXX JORDAN: This function writes an error in the log but returns normally :)) def choose_sets_chars_for_login(self, lower_first_name, lower_last_name): """ Algorithm to select sets of characters from the first name and last name, depending on the lenght of the last name and the maximum login length which in our case is set to 8 characters. :param lower_first_name: user's first name in lower case. :param lower_last_name: usr's last name in lower case. :returns: user's login :rtype: string """ length_last_name = len(lower_last_name) self.login_max_length = 8 #Try generating a unique login based on first name and last name if length_last_name >= self.login_max_length: login = lower_last_name[0:self.login_max_length] index = 0 logger.debug("login : %s index : %s" % (login, index)) elif length_last_name >= 4: login = lower_last_name index = 0 logger.debug("login : %s index : %s" % (login, index)) elif length_last_name == 3: login = lower_first_name[0:1] + lower_last_name index = 1 logger.debug("login : %s index : %s" % (login, index)) elif length_last_name == 2: if len(lower_first_name) >= 2: login = lower_first_name[0:2] + lower_last_name index = 2 logger.debug("login : %s index : %s" % (login, index)) else: logger.error("LoginException : \ Generation login error with \ minimum four characters") else: logger.error("LDAP LdapGenerateUniqueLogin failed : \ impossible to generate unique login for %s %s" % (lower_first_name, lower_last_name)) logger.debug("JORDAN choose_sets_chars_for_login %d %s" % (index, login)) return index, login def generate_password(self): """ Generate a password upon adding a new user in LDAP Directory (8 characters length). The generated password is composed of characters from the chars_password list. :returns: the randomly generated password :rtype: string """ password = str() length = len(self.chars_password) for index in range(self.length_password): char_index = random.randint(0, length - 1) password += self.chars_password[char_index] return password @staticmethod def encrypt_password(password): """ Use passlib library to make a RFC2307 LDAP encrypted password salt size is 8, use sha-1 algorithm. :param password: password not encrypted. :type password: string :returns: Returns encrypted password. :rtype: string """ #Keep consistency with Java Iotlab's LDAP API #RFC2307SSHAPasswordEncryptor so set the salt size to 8 bytes return lssha.encrypt(password, salt_size=8) class LDAPapi: """Defines functions to insert and search entries in the LDAP. .. note:: class supposes the unix schema is used """ def __init__(self): logger.setLevelDebug() #SFA related config config = Config() self.login_pwd = LoginPassword() self.authname = config.SFA_REGISTRY_ROOT_AUTH self.conn = ldap_co() self.ldapUserQuotaNFS = self.conn.config.LDAP_USER_QUOTA_NFS self.ldapUserUidNumberMin = self.conn.config.LDAP_USER_UID_NUMBER_MIN self.ldapUserGidNumber = self.conn.config.LDAP_USER_GID_NUMBER self.ldapUserHomePath = self.conn.config.LDAP_USER_HOME_PATH self.baseDN = self.conn.ldapPeopleDN self.ldapShell = '/bin/bash' def LdapGenerateUniqueLogin(self, record): """ Generate login for adding a new user in LDAP Directory (four characters minimum length). Get proper last name and first name so that the user's login can be generated. :param record: Record must contain first_name and last_name. :type record: dict :returns: the generated login for the user described with record if the login generation is successful, None if it fails. :rtype: string or None """ #For compatibility with other ldap func if 'mail' in record and 'email' not in record: record['email'] = record['mail'] lower_first_name, lower_last_name = \ self.login_pwd.get_user_firstname_lastname(record) index, login = self.login_pwd.choose_sets_chars_for_login( lower_first_name, lower_last_name) login_filter = '(uid=' + login + ')' get_attrs = ['uid'] try: #Check if login already in use while (len(self.LdapSearch(login_filter, get_attrs)) is not 0): index += 1 if index >= 9: logger.error("LoginException : Generation login error \ with minimum four characters") break else: try: login = \ lower_first_name[0:index] + \ lower_last_name[0: self.login_pwd.login_max_length - index] logger.debug("JORDAN trying login: %r" % login) login_filter = '(uid=' + login + ')' except KeyError: print "lower_first_name - lower_last_name too short" logger.debug("LDAP.API \t LdapGenerateUniqueLogin login %s" % (login)) return login except ldap.LDAPError, error: logger.log_exc("LDAP LdapGenerateUniqueLogin Error %s" % (error)) return None def find_max_uidNumber(self): """Find the LDAP max uidNumber (POSIX uid attribute). Used when adding a new user in LDAP Directory :returns: max uidNumber + 1 :rtype: string """ #First, get all the users in the LDAP get_attrs = "(uidNumber=*)" login_filter = ['uidNumber'] result_data = self.LdapSearch(get_attrs, login_filter) #It there is no user in LDAP yet, First LDAP user if result_data == []: max_uidnumber = self.ldapUserUidNumberMin #Otherwise, get the highest uidNumber else: uidNumberList = [int(r[1]['uidNumber'][0])for r in result_data] logger.debug("LDAPapi.py \tfind_max_uidNumber \ uidNumberList %s " % (uidNumberList)) max_uidnumber = max(uidNumberList) + 1 return str(max_uidnumber) def get_ssh_pkey(self, record): """TODO ; Get ssh public key from sfa record To be filled by N. Turro ? or using GID pl way? """ return 'A REMPLIR ' @staticmethod #TODO Handle OR filtering in the ldap query when #dealing with a list of records instead of doing a for loop in GetPersons def make_ldap_filters_from_record(record=None): """Helper function to make LDAP filter requests out of SFA records. :param record: user's sfa record. Should contain first_name,last_name, email or mail, and if the record is enabled or not. If the dict record does not have all of these, must at least contain the user's email. :type record: dict :returns: LDAP request :rtype: string """ logger.debug("JORDAN make_ldap_filters_from_record: %r" % record) req_ldap = '' req_ldapdict = {} if record : if 'first_name' in record and 'last_name' in record: if record['first_name'] != record['last_name']: req_ldapdict['cn'] = str(record['first_name'])+" "\ + str(record['last_name']) if 'uid' in record: req_ldapdict['uid'] = record['uid'] if 'email' in record: req_ldapdict['mail'] = record['email'] if 'mail' in record: req_ldapdict['mail'] = record['mail'] if 'enabled' in record: if record['enabled'] is True: req_ldapdict['shadowExpire'] = '-1' else: req_ldapdict['shadowExpire'] = '0' #Hrn should not be part of the filter because the hrn #presented by a certificate of a SFA user not imported in #Iotlab does not include the iotlab login in it #Plus, the SFA user may already have an account with iotlab #using another login. logger.debug("\r\n \t LDAP.PY make_ldap_filters_from_record \ record %s req_ldapdict %s" % (record, req_ldapdict)) for k in req_ldapdict: req_ldap += '(' + str(k) + '=' + str(req_ldapdict[k]) + ')' if len(req_ldapdict.keys()) >1 : req_ldap = req_ldap[:0]+"(&"+req_ldap[0:] size = len(req_ldap) req_ldap = req_ldap[:(size-1)] + ')' + req_ldap[(size-1):] else: req_ldap = "(cn=*)" return req_ldap def make_ldap_attributes_from_record(self, record): """ When adding a new user to Iotlab's LDAP, creates an attributes dictionnary from the SFA record understandable by LDAP. Generates the user's LDAP login.User is automatically validated (account enabled) and described as a SFA USER FROM OUTSIDE IOTLAB. :param record: must contain the following keys and values: first_name, last_name, mail, pkey (ssh key). :type record: dict :returns: dictionary of attributes using LDAP data structure model. :rtype: dict """ logger.debug("JORDAN make_ldap_attributes_from_record: %r" % record) attrs = {} attrs['objectClass'] = ["top", "person", "inetOrgPerson", "organizationalPerson", "posixAccount", "shadowAccount", "systemQuotas", "ldapPublicKey"] attrs['uid'] = self.LdapGenerateUniqueLogin(record) try: attrs['givenName'] = str(record['first_name']).lower().capitalize() attrs['sn'] = str(record['last_name']).lower().capitalize() attrs['cn'] = attrs['givenName'] + ' ' + attrs['sn'] attrs['gecos'] = attrs['givenName'] + ' ' + attrs['sn'] except KeyError: attrs['givenName'] = attrs['uid'] attrs['sn'] = attrs['uid'] attrs['cn'] = attrs['uid'] attrs['gecos'] = attrs['uid'] attrs['quota'] = self.ldapUserQuotaNFS attrs['homeDirectory'] = self.ldapUserHomePath + attrs['uid'] attrs['loginShell'] = self.ldapShell attrs['gidNumber'] = self.ldapUserGidNumber attrs['uidNumber'] = self.find_max_uidNumber() attrs['mail'] = record['mail'].lower() try: attrs['sshPublicKey'] = record['pkey'] except KeyError: attrs['sshPublicKey'] = self.get_ssh_pkey(record) #Password is automatically generated because SFA user don't go #through the Iotlab website used to register new users, #There is no place in SFA where users can enter such information #yet. #If the user wants to set his own password , he must go to the Iotlab #website. password = self.login_pwd.generate_password() attrs['userPassword'] = self.login_pwd.encrypt_password(password) #Account automatically validated (no mail request to admins) #Set to 0 to disable the account, -1 to enable it, attrs['shadowExpire'] = '-1' #Motivation field in Iotlab attrs['description'] = 'SFA USER FROM OUTSIDE SENSLAB' attrs['ou'] = 'SFA' #Optional: organizational unit #No info about those here: attrs['l'] = 'To be defined'#Optional: Locality. attrs['st'] = 'To be defined' #Optional: state or province (country). return attrs def LdapAddUser(self, record) : """Add SFA user to LDAP if it is not in LDAP yet. :param record: dictionnary with the user's data. :returns: a dictionary with the status (Fail= False, Success= True) and the uid of the newly added user if successful, or the error message it is not. Dict has keys bool and message in case of failure, and bool uid in case of success. :rtype: dict .. seealso:: make_ldap_filters_from_record """ filter_by = self.make_ldap_filters_from_record({'email' : record['email']}) user = self.LdapSearch(filter_by) if user: logger.debug("LDAPapi.py user ldap exist \t%s" % user) # user = [('uid=saint,ou=People,dc=senslab,dc=info', {'uid': ['saint'], 'givenName': ['Fred'], ...})] return {'bool': True, 'uid': user[0][1]['uid'][0]} else: self.conn.connect() user_ldap_attrs = self.make_ldap_attributes_from_record(record) logger.debug("LDAPapi.py user ldap doesn't exist \t%s" % user_ldap_attrs) # The dn of our new entry/object dn = 'uid=' + user_ldap_attrs['uid'] + "," + self.baseDN try: ldif = modlist.addModlist(user_ldap_attrs) self.conn.ldapserv.add_s(dn, ldif) except ldap.LDAPError, error: logger.log_exc("LDAP Add Error %s" % error) return {'bool': False, 'message': error} self.conn.close() return {'bool': True, 'uid': user_ldap_attrs['uid']} def LdapDelete(self, person_dn): """Deletes a person in LDAP. Uses the dn of the user. :param person_dn: user's ldap dn. :type person_dn: string :returns: dictionary with bool True if successful, bool False and the error if not. :rtype: dict """ #Connect and bind result = self.conn.connect() if(result['bool']): try: self.conn.ldapserv.delete_s(person_dn) self.conn.close() return {'bool': True} except ldap.LDAPError, error: logger.log_exc("LDAP Delete Error %s" % error) return {'bool': False, 'message': error} def LdapDeleteUser(self, record_filter): """Deletes a SFA person in LDAP, based on the user's hrn. :param record_filter: Filter to find the user to be deleted. Must contain at least the user's email. :type record_filter: dict :returns: dict with bool True if successful, bool False and error message otherwise. :rtype: dict .. seealso:: LdapFindUser docstring for more info on record filter. .. seealso:: LdapDelete for user deletion """ #Find uid of the person person = self.LdapFindUser(record_filter, []) logger.debug("LDAPapi.py \t LdapDeleteUser record %s person %s" % (record_filter, person)) if person: dn = 'uid=' + person['uid'] + "," + self.baseDN else: return {'bool': False} result = self.LdapDelete(dn) return result def LdapModify(self, dn, old_attributes_dict, new_attributes_dict): """ Modifies a LDAP entry, replaces user's old attributes with the new ones given. :param dn: user's absolute name in the LDAP hierarchy. :param old_attributes_dict: old user's attributes. Keys must match the ones used in the LDAP model. :param new_attributes_dict: new user's attributes. Keys must match the ones used in the LDAP model. :type dn: string :type old_attributes_dict: dict :type new_attributes_dict: dict :returns: dict bool True if Successful, bool False if not. :rtype: dict """ ldif = modlist.modifyModlist(old_attributes_dict, new_attributes_dict) # Connect and bind/authenticate result = self.conn.connect() if (result['bool']): try: self.conn.ldapserv.modify_s(dn, ldif) self.conn.close() return {'bool': True} except ldap.LDAPError, error: logger.log_exc("LDAP LdapModify Error %s" % error) return {'bool': False} def LdapModifyUser(self, user_record, new_attributes_dict): """ Gets the record from one user based on the user sfa recordand changes the attributes according to the specified new_attributes. Do not use this if we need to modify the uid. Use a ModRDN operation instead ( modify relative DN ). :param user_record: sfa user record. :param new_attributes_dict: new user attributes, keys must be the same as the LDAP model. :type user_record: dict :type new_attributes_dict: dict :returns: bool True if successful, bool False if not. :rtype: dict .. seealso:: make_ldap_filters_from_record for info on what is mandatory in the user_record. .. seealso:: make_ldap_attributes_from_record for the LDAP objectclass. """ if user_record is None: logger.error("LDAP \t LdapModifyUser Need user record ") return {'bool': False} #Get all the attributes of the user_uid_login #person = self.LdapFindUser(record_filter,[]) req_ldap = self.make_ldap_filters_from_record(user_record) person_list = self.LdapSearch(req_ldap, []) logger.debug("LDAPapi.py \t LdapModifyUser person_list : %s" % (person_list)) if person_list and len(person_list) > 1: logger.error("LDAP \t LdapModifyUser Too many users returned") return {'bool': False} if person_list is None: logger.error("LDAP \t LdapModifyUser User %s doesn't exist " % (user_record)) return {'bool': False} # The dn of our existing entry/object #One result only from ldapSearch person = person_list[0][1] dn = 'uid=' + person['uid'][0] + "," + self.baseDN if new_attributes_dict: old = {} for k in new_attributes_dict: if k not in person: old[k] = '' else: old[k] = person[k] logger.debug(" LDAPapi.py \t LdapModifyUser new_attributes %s" % (new_attributes_dict)) result = self.LdapModify(dn, old, new_attributes_dict) return result else: logger.error("LDAP \t LdapModifyUser No new attributes given. ") return {'bool': False} def LdapMarkUserAsDeleted(self, record): """ Sets shadowExpire to 0, disabling the user in LDAP. Calls LdapModifyUser to change the shadowExpire of the user. :param record: the record of the user who has to be disabled. Should contain first_name,last_name, email or mail, and if the record is enabled or not. If the dict record does not have all of these, must at least contain the user's email. :type record: dict :returns: {bool: True} if successful or {bool: False} if not :rtype: dict .. seealso:: LdapModifyUser, make_ldap_attributes_from_record """ new_attrs = {} #Disable account new_attrs['shadowExpire'] = '0' logger.debug(" LDAPapi.py \t LdapMarkUserAsDeleted ") ret = self.LdapModifyUser(record, new_attrs) return ret def LdapResetPassword(self, record): """Resets password for the user whose record is the parameter and changes the corresponding entry in the LDAP. :param record: user's sfa record whose Ldap password must be reset. Should contain first_name,last_name, email or mail, and if the record is enabled or not. If the dict record does not have all of these, must at least contain the user's email. :type record: dict :returns: return value of LdapModifyUser. True if successful, False otherwise. .. seealso:: LdapModifyUser, make_ldap_attributes_from_record """ password = self.login_pwd.generate_password() attrs = {} attrs['userPassword'] = self.login_pwd.encrypt_password(password) logger.debug("LDAP LdapResetPassword encrypt_password %s" % (attrs['userPassword'])) result = self.LdapModifyUser(record, attrs) return result def LdapSearch(self, req_ldap=None, expected_fields=None): """ Used to search directly in LDAP, by using ldap filters and return fields. When req_ldap is None, returns all the entries in the LDAP. :param req_ldap: ldap style request, with appropriate filters, example: (cn=*). :param expected_fields: Fields in the user ldap entry that has to be returned. If None is provided, will return 'mail', 'givenName', 'sn', 'uid', 'sshPublicKey', 'shadowExpire'. :type req_ldap: string :type expected_fields: list .. seealso:: make_ldap_filters_from_record for req_ldap format. """ logger.debug("JORDAN LdapSearch, req_ldap=%r, expected_fields=%r" % (req_ldap, expected_fields)) result = self.conn.connect(bind=False) if (result['bool']): return_fields_list = [] if expected_fields is None: return_fields_list = ['mail', 'givenName', 'sn', 'uid', 'sshPublicKey', 'shadowExpire'] else: return_fields_list = expected_fields #No specifc request specified, get the whole LDAP if req_ldap is None: req_ldap = '(cn=*)' logger.debug("LDAP.PY \t LdapSearch req_ldap %s \ return_fields_list %s" \ %(req_ldap, return_fields_list)) try: msg_id = self.conn.ldapserv.search( self.baseDN, ldap.SCOPE_SUBTREE, req_ldap, return_fields_list) #Get all the results matching the search from ldap in one #shot (1 value) result_type, result_data = \ self.conn.ldapserv.result(msg_id, 1) self.conn.close() logger.debug("LDAP.PY \t LdapSearch result_data %s" % (result_data)) return result_data except ldap.LDAPError, error: logger.log_exc("LDAP LdapSearch Error %s" % error) return [] else: logger.error("LDAP.PY \t Connection Failed") return def _process_ldap_info_for_all_users(self, result_data): """Process the data of all enabled users in LDAP. :param result_data: Contains information of all enabled users in LDAP and is coming from LdapSearch. :param result_data: list .. seealso:: LdapSearch """ results = [] logger.debug(" LDAP.py _process_ldap_info_for_all_users result_data %s " % (result_data)) for ldapentry in result_data: logger.debug(" LDAP.py _process_ldap_info_for_all_users \ ldapentry name : %s " % (ldapentry[1]['uid'][0])) tmpname = ldapentry[1]['uid'][0] hrn = self.authname + "." + tmpname tmpemail = ldapentry[1]['mail'][0] if ldapentry[1]['mail'][0] == "unknown": tmpemail = None try: results.append({ 'type': 'user', 'pkey': ldapentry[1]['sshPublicKey'][0], #'uid': ldapentry[1]['uid'][0], 'uid': tmpname , 'email':tmpemail, #'email': ldapentry[1]['mail'][0], 'first_name': ldapentry[1]['givenName'][0], 'last_name': ldapentry[1]['sn'][0], #'phone': 'none', 'serial': 'none', 'authority': self.authname, 'peer_authority': '', 'pointer': -1, 'hrn': hrn, }) except KeyError, error: logger.log_exc("LDAPapi.PY \t LdapFindUser EXCEPTION %s" % (error)) return return results def _process_ldap_info_for_one_user(self, record, result_data): """ Put the user's ldap data into shape. Only deals with one user record and one user data from ldap. :param record: user record :param result_data: Raw ldap data coming from LdapSearch :returns: user's data dict with 'type','pkey','uid', 'email', 'first_name' 'last_name''serial''authority''peer_authority' 'pointer''hrn' :type record: dict :type result_data: list :rtype :dict """ #One entry only in the ldap data because we used a filter #to find one user only ldapentry = result_data[0][1] logger.debug("LDAP.PY \t LdapFindUser ldapentry %s" % (ldapentry)) tmpname = ldapentry['uid'][0] tmpemail = ldapentry['mail'][0] if ldapentry['mail'][0] == "unknown": tmpemail = None parent_hrn = None peer_authority = None # If the user is coming from External authority (e.g. OneLab) # Then hrn is None, it should be filled in by the creation of Ldap User # XXX LOIC !!! What if a user email is in 2 authorities? if 'hrn' in record and record['hrn'] is not None: hrn = record['hrn'] parent_hrn = get_authority(hrn) if parent_hrn != self.authname: peer_authority = parent_hrn #In case the user was not imported from Iotlab LDAP #but from another federated site, has an account in #iotlab but currently using his hrn from federated site #then the login is different from the one found in its hrn if tmpname != hrn.split('.')[1]: hrn = None else: hrn = None if hrn is None: results = { 'type': 'user', 'pkey': ldapentry['sshPublicKey'], #'uid': ldapentry[1]['uid'][0], 'uid': tmpname, 'email': tmpemail, #'email': ldapentry[1]['mail'][0], 'first_name': ldapentry['givenName'][0], 'last_name': ldapentry['sn'][0], #'phone': 'none', 'serial': 'none', 'authority': parent_hrn, 'peer_authority': peer_authority, 'pointer': -1, } else: #hrn = None results = { 'type': 'user', 'pkey': ldapentry['sshPublicKey'], #'uid': ldapentry[1]['uid'][0], 'uid': tmpname, 'email': tmpemail, #'email': ldapentry[1]['mail'][0], 'first_name': ldapentry['givenName'][0], 'last_name': ldapentry['sn'][0], #'phone': 'none', 'serial': 'none', 'authority': parent_hrn, 'peer_authority': peer_authority, 'pointer': -1, 'hrn': hrn, } return results def LdapFindUser(self, record=None, is_user_enabled=None, expected_fields=None): """ Search a SFA user with a hrn. User should be already registered in Iotlab LDAP. :param record: sfa user's record. Should contain first_name,last_name, email or mail. If no record is provided, returns all the users found in LDAP. :type record: dict :param is_user_enabled: is the user's iotlab account already valid. :type is_user_enabled: Boolean. :returns: LDAP entries from ldap matching the filter provided. Returns a single entry if one filter has been given and a list of entries otherwise. :rtype: dict or list """ logger.debug("JORDAN LdapFindUser record=%r, is_user_enabled=%r, expected_fields=%r" % (record, is_user_enabled, expected_fields)) custom_record = {} if is_user_enabled: custom_record['enabled'] = is_user_enabled if record: custom_record.update(record) req_ldap = self.make_ldap_filters_from_record(custom_record) return_fields_list = [] if expected_fields is None: return_fields_list = ['mail', 'givenName', 'sn', 'uid', 'sshPublicKey'] else: return_fields_list = expected_fields result_data = self.LdapSearch(req_ldap, return_fields_list) logger.debug("LDAP.PY \t LdapFindUser result_data %s" % (result_data)) if len(result_data) == 0: return None #Asked for a specific user if record is not None: logger.debug("LOIC - record = %s" % record) results = self._process_ldap_info_for_one_user(record, result_data) else: #Asked for all users in ldap results = self._process_ldap_info_for_all_users(result_data) return results