
Create a local copy of LDAP users

This will create a local copy of LDAP users
matthewfischer committed Apr 14, 2014
1 parent 0bd3762 commit 95c61729ccacc612c5644e61b7e0dc9682497f8e
Showing with 26 additions and 12 deletions.
  1. +26 −12 hybrid_identity.py
@@ -27,14 +27,14 @@
CONF = config.CONF
LOG = log.getLogger(__name__)

import pdb

class Identity(sql.Identity):
def __init__(self, *args, **kwargs):
super(Identity, self).__init__(*args, **kwargs)
self.user = ldap_backend.UserApi(CONF)
self.domain_aware = True

# Identity interface
def authenticate(self, user_id, password):
"""Authenticate based on a user and password.
@@ -51,11 +51,20 @@ def authenticate(self, user_id, password):
# if the user_ref has a password, it's from the SQL backend and
# we can just check if it coincides with the one we got
conn = None
try:
assert utils.check_password(password, user_ref['password'])
except TypeError:
raise AssertionError('Invalid user / password')
except KeyError: # if it doesn't have a password, it must be LDAP
ldap_local = False
authenticated = False
pdb.set_trace()
if 'password' in user_ref:
if user_ref['password'] == None:
LOG.debug("LDAP user with local entry in SQL")
ldap_local = True
else:
if utils.check_password(password, user_ref['password']):
LOG.debug("Authenticated user with SQL.")
authenticated = True
else:
raise AssertionError('Invalid user / password')
elif not authenticated:
try:
# get_connection does a bind for us which checks the password
conn = self.user.get_connection(self.user._id_to_dn(user_id),
@@ -66,11 +75,15 @@ def authenticate(self, user_id, password):
else:
LOG.debug("Authenticated user with LDAP.")
self.domain_aware = False
if not ldap_local:
# make the user
LOG.debug("Adding local user")
user_ref['enabled'] = 1
user_ref['domain_id'] = 'default'
super(Identity, self).create_user(user_id, user_ref)
finally:
if conn:
conn.unbind_s()
else:
LOG.debug("Authenticated user with SQL.")

return identity.filter_user(user_ref)

@@ -88,12 +101,12 @@ def _get_user(self, session, user_id):
return user_ref.to_dict()

def get_user(self, user_id):
LOG.debug("Called get_user %s" % user_id)
LOG.warn("Called get_user %s" % user_id)
session = self.get_session()
return identity.filter_user(self._get_user(session, user_id))

def get_user_by_name(self, user_name, domain_id):
LOG.debug("Called get_user_by_name %s, %s" % (user_name, domain_id))
LOG.warn("Called get_user_by_name %s, %s" % (user_name, domain_id))
# try SQL first
try:
user = super(Identity, self).get_user_by_name(user_name, domain_id)
@@ -105,5 +118,6 @@ def get_user_by_name(self, user_name, domain_id):

def list_users(self):
sql_users = super(Identity, self).list_users()
ldap_users = self.user.get_all_filtered()
return sql_users + ldap_users
#ldap_users = self.user.get_all_filtered()
#return sql_users + ldap_users
return sql_users
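Review bot: `pdb.set_trace()` at the top of the `except KeyError` handler in authenticate (second hunk) halts the request worker in an interactive debugger on every LDAP login, with the caller's plaintext `password` and `user_ref` in scope; that line and the module-level `import pdb` in the first hunk should be removed before this merges. The `if 'password' in user_ref: … elif not authenticated:` chain also means a user whose local copy carries `password == None` sets `ldap_local = True` but never reaches the LDAP bind in the `elif`, falling through to `return identity.filter_user(user_ref)` — and since this handler only runs when `user_ref['password']` raised KeyError, the key-present branch looks unreachable, so the intended flow (bind against LDAP first, create the local copy only after the bind succeeds) needs the bind to run unconditionally inside the handler. `user_ref['password'] == None` should be `user_ref['password'] is None`. The paired `LOG.warn` lines in get_user and get_user_by_name repeat the debug messages at warning level and read as leftover diagnostics, and list_users now keeps commented-out code after its `return sql_users + ldap_users` that should be deleted rather than shadowed. authenticate's body starts and ends outside the visible hunks.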

1 comment on commit 95c6172

@fr6nco



fr6nco commented on 95c6172 Jan 24, 2017

Great contribution. I will need a similar setup using SQL + LDAP for authentication. Thank you.
