path: root/pykolab/auth/ldap/__init__.py
Commit message | Author | Age | Files | Lines
* Resolve %base_dn in kolab_user_base_dn, user_base_dn and resource_base_dn (HEAD, master) | Aleksander Machniak | 2021-10-01 | 1 | -17/+23
  Reviewers: #pykolab_developers, vanmeeuwen
  Reviewed By: #pykolab_developers, vanmeeuwen
  Subscribers: #pykolab_developers
  Differential Revision: https://git.kolab.org/D2900
* A typo | Liutauras Adomaitis | 2021-03-18 | 1 | -1/+1
* compare namingtext with basedn always in lowercase | Daniel Hoffend | 2020-02-25 | 1 | -1/+1
  Summary: When the hosted_domain_rootdn contains uppercase letters (only happens when crafting our own ldap naming context, or connecting with an existing ldap directory) kolabd doesn't match the namespace and therefore doesn't track changes and kolabd doesn't create or delete the mailboxes.
  Test Plan:
  Initial Situation
    mgmt_root_dn = dc=mgmt,dc=dotlan,dc=info
    hosted_root_dn = o=Hosting
  Starting kolabd via cli with debug enabled
    /usr/sbin/kolabd -l DEBUG -d 9 --user kolab --pid-file /run/kolabd/kolabd.pid
  Log messages about which domains / naming contexts to watch:
    2020-01-17 23:29:35,260 pykolab.daemon DEBUG [8525] Domain 'mgmt.dotlan.info' naming context: 'dc=mgmt,dc=dotlan,dc=info', root dn: 'dc=mgmt,dc=dotlan,dc=info'
    2020-01-17 23:29:35,268 pykolab.daemon DEBUG [8525] Domain 'hosting.com' naming context: None, root dn: 'o=Hosting'
    2020-01-17 23:29:35,268 pykolab.daemon DEBUG [8525] Naming contexts to synchronize: [None, 'dc=mgmt,dc=dotlan,dc=info']
    2020-01-17 23:29:35,268 pykolab.daemon DEBUG [8525] Result set of domains: ['mgmt.dotlan.info']
  Adding a Child domain (testdomain.com):
    2020-01-17 23:36:16,505 pykolab.daemon DEBUG [9149] Domain 'mgmt.dotlan.info' naming context: 'dc=mgmt,dc=dotlan,dc=info', root dn: 'dc=mgmt,dc=dotlan,dc=info'
    2020-01-17 23:36:16,513 pykolab.daemon DEBUG [9149] Domain 'hosting.com' naming context: None, root dn: 'o=Hosting'
    2020-01-17 23:36:16,522 pykolab.daemon DEBUG [9149] Domain 'testdomain.com' naming context: None, root dn: 'ou=testdomain.com,o=Hosting'
    2020-01-17 23:36:16,522 pykolab.daemon DEBUG [9149] Naming contexts to synchronize: [None, 'dc=mgmt,dc=dotlan,dc=info']
    2020-01-17 23:36:16,523 pykolab.daemon DEBUG [9149] Result set of domains: ['mgmt.dotlan.info']
  Adding a user doesn't create the mailbox because kolabd isn't watching the naming context of o=Hosting
  After applying the patch:
    2020-01-17 23:38:36,633 pykolab.daemon DEBUG [9499] Domain 'mgmt.dotlan.info' naming context: 'dc=mgmt,dc=dotlan,dc=info', root dn: 'dc=mgmt,dc=dotlan,dc=info'
    2020-01-17 23:38:36,646 pykolab.daemon DEBUG [9499] Domain 'hosting.com' naming context: 'o=hosting', root dn: 'o=Hosting'
    2020-01-17 23:38:36,655 pykolab.daemon DEBUG [9499] Domain 'testdomain.com' naming context: 'o=hosting', root dn: 'ou=testdomain.com,o=Hosting'
    2020-01-17 23:38:36,656 pykolab.daemon DEBUG [9499] Naming contexts to synchronize: ['o=hosting', 'dc=mgmt,dc=dotlan,dc=info']
    2020-01-17 23:38:36,656 pykolab.daemon DEBUG [9499] Result set of domains: ['mgmt.dotlan.info', 'hosting.com']
  Creating a user (to prove the patch works)
    2020-01-17 23:41:13,756 pykolab.auth DEBUG [9502] LDAP Search Result Data Entry:
    2020-01-17 23:41:13,756 pykolab.auth DEBUG [9502] DN: 'uid=jdoe,ou=People,ou=testdomain.com,o=Hosting'
    2020-01-17 23:41:13,756 pykolab.auth DEBUG [9502] Entry: {'displayName': ['Doe, John'], 'cn': ['John Doe'], 'mailQuota': ['1048576'], 'preferredLanguage': ['de_DE'], 'userPassword': ['{PBKDF2_SHA256}AAAIABAeq5TwN6vcCAtBi+jspdlAXeGX5v5FV76uVIWxC5cQ4+23wbfR40aYr+SPzT2AP+Pg17N2hFxXDh3OI9qe/j5bE3A4Nz5utCJahvmorowGTIUA0DJrT6kz8Hy2X7PA8wjeZzedKvjdsqODIYDMdDm4DMNMbwU0pVFKgqWYBf7pNCAa/ZZ7lPPIxVXBC3z7Xhmi0mhxzVbY3TjNptxT9lGJ1Z4JCjID8B+BEqpPSKPJzW5sozgqTUYC8EH37bIn+JsmyMbukepz/0DU3oAKcda0j3VOdnfNE3lQ4tBS9e1CrjRVhzx+7H2ehAdu3olq7xHBRW9Po59hP3+X7nvU9C1lwt5stfv7hnEJ15jyy1JXDzoABUUIYxTxGz+uhP1oyuMHAxqxPDrJikdbCBx4ucGLnTnfFXwtAeuMefRsctMl'], 'nsuniqueid': ['6f0ae601-397a11ea-9892ad7b-e428d0cf'], 'objectClass': ['inetorgperson', 'inetuser', 'kolabinetorgperson', 'mailrecipient', 'organizationalperson', 'person', 'top'], 'sn': ['Doe'], 'mail': ['john.doe@testdomain.com'], 'givenName': ['John'], 'modifytimestamp': ['20200117224113Z'], 'uid': ['jdoe']}
    2020-01-17 23:41:13,756 pykolab.auth DEBUG [9502] Entry Change Notification attributes:
    2020-01-17 23:41:13,757 pykolab.auth DEBUG [9502] Change Type: 1 ('add')
    2020-01-17 23:41:13,757 pykolab.auth DEBUG [9502] Previous DN: None
  Reviewers: #pykolab_developers, vanmeeuwen
  Reviewed By: #pykolab_developers, vanmeeuwen
  Differential Revision: https://git.kolab.org/D913
* Fix moddn on shared folder entries (Bifrost TT324146) | Jeroen van Meeuwen (Kolab Systems) | 2020-02-23 | 1 | -1/+33
* encode_page_control() must have a 2nd argument T5734 | Daniel Hoffend | 2020-01-13 | 1 | -2/+2
  Summary: As reported in T5734 kolab sync and kolabd are crashing with a traceback that encode_page_control must have 2 arguments. Adding the empty cookie attribute to the server_page_controls removed the error.
  Reviewers: #pykolab_developers, vanmeeuwen
  Reviewed By: #pykolab_developers, vanmeeuwen
  Differential Revision: https://git.kolab.org/D895
* ldap/timeout: always convert to float, fix arguments | Daniel Hoffend | 2019-11-26 | 1 | -3/+3
  Summary: Fixes issue T5692
  Reviewers: #pykolab_developers, sicherha
  Reviewed By: sicherha
  Subscribers: sicherha
  Maniphest Tasks: T5692
  Differential Revision: https://git.kolab.org/D871
* Ignore changes to objects with an nstombstone objectclass (Bifrost #T252995) | Jeroen van Meeuwen (Kolab Systems) | 2019-11-18 | 1 | -0/+11
* More linting and compatibility | Jeroen van Meeuwen (Kolab Systems) | 2019-10-25 | 1 | -223/+192
* More linting and syntax issues resolved | Jeroen van Meeuwen (Kolab Systems) | 2019-10-25 | 1 | -12/+18
* Make sure that config functions do take and honor the default value passed along | Jeroen van Meeuwen (Kolab Systems) | 2019-10-25 | 1 | -2/+2
* Introduce a configurable timeout for simple search and authentication requests. | Jeroen van Meeuwen (Kolab Systems) | 2019-10-25 | 1 | -932/+1001
  Fix linting issues
  Increase Python3 compatibility
* Ensure a missing setting isn't treated as a string | Jeroen van Meeuwen (Kolab Systems) | 2019-08-26 | 1 | -6/+11
* Fix resolving referrals | Jeroen van Meeuwen (Kolab Systems) | 2019-06-13 | 1 | -1/+1
* Let auth cache expire by not updating existing entries | Jeroen van Meeuwen (Kolab Systems) | 2019-05-29 | 1 | -2/+0
* Changes required for pykolab to work with AD | Liutauras Adomaitis | 2019-04-03 | 1 | -14/+28
  Summary: These changes basically are to remove referrals from the ldapsearch results. The change is cache sqlite DB schema is required to allow objectGUID AD attribute to work as unique attribute to track LDAP objects.
  Reviewers: vanmeeuwen, machniak, mollekopf
  Reviewed By: machniak
  Subscribers: #pykolab_developers
  Tags: #pykolab
  Differential Revision: https://git.kolab.org/D720
* With this patch I'm trying to introduce a file-type object in logger, which ↵ | Liutauras Adomaitis | 2018-05-17 | 1 | -12/+14
  could swallow everything thrown to stderr (and possibly stdout) and redirect to python logger. Python smtplib debug mode prints everything to stderr, but when wallace runs...
  Summary: ...in fork mode stderr is not available (Bad file descriptor error) and thus wallace traceback when it tries to send emails
  Test Plan: none
  Reviewers: vanmeeuwen, machniak, petersen
  Reviewed By: vanmeeuwen
  Subscribers: petersen, machniak, vanmeeuwen
  Maniphest Tasks: T2498, T2163, T3751
  Differential Revision: https://git.kolab.org/D577
* In some cases kolabd fails to cleanly update IMAP mailbox after LDAP ↵ | Liutauras Adomaitis | 2018-03-12 | 1 | -6/+1
  changes. That is usual when result_attribute value is in upper case. Mailbox modification seems to follow slightly different code path, by shortcutting to IMAP pykolab function...
  Summary: ..."has_folder()" instead of going via "user_mailbox_exists()", which has a code to downcase mailbox name. Do not shortcut to "has_folder()" function, use "user_mailbox_exists()" to downcase mailbox name before checking if it exists.
  Test Plan: none
  Reviewers: vanmeeuwen, machniak
  Reviewed By: machniak
  Subscribers: adomaitis, petersen, machniak, vanmeeuwen
  Differential Revision: https://git.kolab.org/D571
* Fix typo | Jeroen van Meeuwen (Kolab Systems) | 2018-01-24 | 1 | -1/+1
* Catch additional exceptions we know the cause of | Jeroen van Meeuwen (Kolab Systems) | 2018-01-24 | 1 | -0/+18
* Include what we fail on, when we fail on something | Jeroen van Meeuwen (Kolab Systems) | 2018-01-24 | 1 | -4/+27
* LDAP remove referrals for correct handling in Samba 4 | Jeroen van Meeuwen (Kolab Systems) | 2017-07-22 | 1 | -0/+3
  Summary: LDAP user authentication does not work when using Samba 4 as LDAP backend. Samba 4 (as well as MS AD) returns referrals (search continuations) for some objects. LDAPv3 does not specify which credentials should be used for the search continuations. **libldap** tries to anonymous bind and do the search continuations, which fails with Samba 4 (as well as MS AD). Kolab 16 will fail while authenticating with **ldap.OPERATIONS_ERROR** and the error message //00002020: Operation unavailable without authentication//
  The submitted patch is supposed to be used with
  ```
  REFERRALS off
  ```
  in /etc/ldap.conf and should not affect any other situations. Eventually setting LDAP option via
  ```
  ldap.OPT_REFERRALS, 0
  ```
  would be an option too, but I can't test at the moment, if there is any impact on non Samba 4 setups. The change in wallace addresses the same problem, as I got
  ```
  2017-07-05 12:27:28,566 pykolab.wallace ERROR Module resources.heartbeat() failed with error: Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/wallace/__init__.py", line 89, in modules_heartbeat
      modules.heartbeat(module, lastrun)
    File "/usr/lib/python2.7/dist-packages/wallace/modules.py", line 128, in heartbeat
      return modules[name]['heartbeat'](*args, **kw)
    File "/usr/lib/python2.7/dist-packages/wallace/module_resources.py", line 438, in heartbeat
      resource_dns = [dn for dn in resource_dns if resource_base_dn in dn]
  TypeError: argument of type 'NoneType' is not iterable
  ```
  Test Plan: Use Kolab 16 with Samba 4. Try to authenticate user. Should fail. Disable Referrals in /etc/ldap.conf with
  ```
  REFERRALS off
  ```
  and try again. Now you should no longer see the **ldap.OPERATIONS_ERROR** but an auth fail because of 4 (or at least more than one) results returned. The referrals no longer will be automatically queried, but returned as part of the results containing //None// on the position 0 (result-type) of the result tuple. Apply the patch now, which will remove those //None// result-type results. The Authentication should succeed.
  Reviewers: #pykolab_developers, vanmeeuwen
  Reviewed By: #pykolab_developers, vanmeeuwen
  Subscribers: #pykolab_developers
  Tags: #kolab_16
  Differential Revision: https://git.kolab.org/D467
* More detailed verbosity when not able to set_entry_attributes() | Jeroen van Meeuwen (Kolab Systems) | 2016-12-02 | 1 | -2/+4
* T1417: Fix so sync-mailhost-attr uses result_attribute not mail_attributes | Aleksander Machniak | 2016-10-06 | 1 | -6/+9
  Summary: Fixes T1417
  Reviewers: #pykolab_developers, vanmeeuwen
  Reviewed By: #pykolab_developers, vanmeeuwen
  Maniphest Tasks: T1417
  Differential Revision: https://git.kolab.org/D209
* T1414: Set LDAP TIMEOUT option only on "immediate" connection | Aleksander Machniak | 2016-10-06 | 1 | -2/+3
  Summary: Fixes T1414. Shouldn't we handle ldap.TIMEOUT exception in authenticate()?
  Reviewers: #pykolab_developers, vanmeeuwen
  Reviewed By: #pykolab_developers, vanmeeuwen
  Subscribers: pokorra, thozie
  Maniphest Tasks: T1414
  Differential Revision: https://git.kolab.org/D208
* Resolve finding no entries, too many entries, and ensure that LDAP failures ↵ | Jeroen van Meeuwen (Kolab Systems) | 2016-07-22 | 1 | -21/+172
  are triggered immediately
  Summary: Resolve T1171 and T1318
  Test Plan: Authenticate with attribute values configured, duplicate and non-existent, correct and incorrect passwords. Expect the corresponding successes and failures.
  Reviewers: #pykolab_developers, machniak
  Reviewed By: machniak
  Subscribers: machniak
  Maniphest Tasks: T1171, T1318
  Differential Revision: https://git.kolab.org/D199
* Fix issue with re-binding to an LDAP connection (T1318) | Aleksander Machniak | 2016-06-27 | 1 | -26/+39
  Summary: Fixes T1318
  Note that set_entry_attributes() will now use two LDAP connections, which may or may not be what we want. I didn't find a simple way of using ldap_priv connection in entry_dn() and get_entry_attributes().
  Reviewers: #pykolab_developers
  Maniphest Tasks: T1318
  Differential Revision: https://git.kolab.org/D188
* Set no quota if the quota for the root folder is 0 | Jeroen van Meeuwen (Kolab Systems) | 2016-06-20 | 1 | -0/+4
* Determine shared folder resource using kolabTargetFolder attribute (#5337) | Aleksander Machniak | 2016-05-18 | 1 | -0/+72
  Summary: It's supposed to fix #5337.
  WARNING: Untested!!!!!!!!
  Reviewers: #pykolab_developers, vanmeeuwen
  Reviewed By: #pykolab_developers, vanmeeuwen
  Subscribers: vanmeeuwen
  Differential Revision: https://git.kolab.org/D130
* Fix binding current user after LDAP reconnection (T1171) | Jeroen van Meeuwen (Kolab Systems) | 2016-05-07 | 1 | -44/+45
  Summary: Fixes T1171
  Reviewers: #pykolab_developers, vanmeeuwen
  Maniphest Tasks: T1171
  Differential Revision: https://git.kolab.org/D126
* Fix removing shared folder ACL entries (#5002) | Aleksander Machniak | 2016-05-04 | 1 | -108/+41
  Summary: With small refactoring and cleanup.
  Note: This will remove IMAP ACL entries that do not exist in LDAP.
  Reviewers: #pykolab_developers, vanmeeuwen
  Reviewed By: #pykolab_developers, vanmeeuwen
  Differential Revision: https://git.kolab.org/D145
* Revert "Fix binding current user after LDAP reconnection (T1171)" | Jeroen van Meeuwen (Kolab Systems) | 2016-05-04 | 1 | -22/+33
  This reverts commit a97671344872a40308ce709b2a8810bee37b4d83.
* Fix binding current user after LDAP reconnection (T1171) | Aleksander Machniak | 2016-04-14 | 1 | -33/+22
  Summary: Fixes T1171
  Reviewers: #pykolab_developers, vanmeeuwen
  Reviewed By: #pykolab_developers, vanmeeuwen
  Maniphest Tasks: T1171
  Differential Revision: https://git.kolab.org/D126
* Catch errmsg when the LDAP server is not available (#5333) | Jeroen van Meeuwen (Kolab Systems) | 2016-02-16 | 1 | -1/+1
* Ensure domain naming contexts are lists, not strings | Jeroen van Meeuwen (Kolab Systems) | 2015-12-23 | 1 | -0/+3
* Correctly count the number of elements expected to be returned from a ↵ | Jeroen van Meeuwen (Kolab Systems) | 2015-09-24 | 1 | -2/+2
  split(', ') (#4990)
* Translate naming contexts back to domain name spaces or the list of ↵ | Jeroen van Meeuwen (Kolab Systems) | 2015-08-14 | 1 | -0/+10
  processes becomes volatile
* Correct detecting naming contexts for databases to synchronize against, and ↵ | Jeroen van Meeuwen (Kolab Systems) | 2015-08-14 | 1 | -37/+8
  using parent domain name spaces for synchronization
* Add function _change_modify_None() | Jeroen van Meeuwen (Kolab Systems) | 2015-08-13 | 1 | -0/+3
* Ensure 'anyone' gets '+p', not just 'p' (#4990) | Jeroen van Meeuwen (Kolab Systems) | 2015-08-13 | 1 | -1/+1
* Increase compatibility with UCS-formed ACL entries for folders (#4990) | Jeroen van Meeuwen (Kolab Systems) | 2015-08-13 | 1 | -2/+10
* fixing typo: missing closing bracket | Timotheus Pokorra | 2015-08-06 | 1 | -1/+1
* Allow LDAP _search() to reconnect the original specific _search method, if ↵ | Jeroen van Meeuwen (Kolab Systems) | 2015-08-05 | 1 | -50/+77
  the exception that caused _search to fail is an ldap.SERVER_DOWN exception. (#5180)
* Escape type errors | Jeroen van Meeuwen (Kolab Systems) | 2015-07-31 | 1 | -2/+21
  If a user is modified, but already has a result_attribute value, still create the mailbox if it doesn't already exist
* Escape filter value when searching LDAP entries by attribute (#4924) | Thomas Bruederli | 2015-03-28 | 1 | -1/+2
* Add a function to retrieve the naming context used for a given domain | Jeroen van Meeuwen (Kolab Systems) | 2015-03-18 | 1 | -0/+62
* Consider kolabDelegate status when searching for events to be updated on ↵ | Thomas Bruederli | 2015-02-02 | 1 | -0/+19
  iTip replies (#4261)
* Remove leftover print statements | Jeroen van Meeuwen (Kolab Systems) | 2015-01-16 | 1 | -2/+0
* Fall back on standard root dn determinations if no ldap/domain_filter ↵ | Jeroen van Meeuwen (Kolab Systems) | 2015-01-14 | 1 | -31/+32
  setting exists (#4218).
* Consider all valid recipient email addresses, including aliases, when ↵ | Thomas Bruederli | 2014-12-23 | 1 | -0/+28
  identifying attendees in iTip messages (#4074)
* Fix error due to missing 'domain_name_attribute' variable | Thomas Bruederli | 2014-12-15 | 1 | -0/+4