odoo/addons/users_ldap/users_ldap.py

##############################################################################
#    
#    OpenERP, Open Source Management Solution
#    Copyright (C) 2004-2009 Tiny SPRL (<http://tiny.be>).
#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU Affero General Public License as
#    published by the Free Software Foundation, either version 3 of the
#    License, or (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU Affero General Public License for more details.
#
#    You should have received a copy of the GNU Affero General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.     
#
##############################################################################

from osv import fields, osv
import pooler
import tools
import logging
import ldap
from ldap.filter import filter_format

import openerp.exceptions


class CompanyLDAP(osv.osv):
    _name = 'res.company.ldap'
    _order = 'sequence'
    _rec_name = 'ldap_server'
    _columns = {
        'sequence': fields.integer('Sequence'),
        'company': fields.many2one('res.company', 'Company', required=True,
            ondelete='cascade'),
        'ldap_server': fields.char('LDAP Server address', size=64, required=True),
        'ldap_server_port': fields.integer('LDAP Server port', required=True),
        'ldap_binddn': fields.char('LDAP binddn', size=64,
            help=("The user account on the LDAP server that is used to query "
                  "the directory. Leave empty to connect anonymously.")),
        'ldap_password': fields.char('LDAP password', size=64,
            help=("The password of the user account on the LDAP server that is "
                  "used to query the directory.")),
        'ldap_filter': fields.char('LDAP filter', size=256, required=True),
        'ldap_base': fields.char('LDAP base', size=64, required=True),
        'user': fields.many2one('res.users', 'Model User',
            help="Model used for user creation"),
        'create_user': fields.boolean('Create user',
            help="Create the user if not in database"),
    }
    _defaults = {
        'ldap_server': lambda *a: '127.0.0.1',
        'ldap_server_port': lambda *a: 389,
        'sequence': lambda *a: 10,
        'create_user': lambda *a: True,
    }

CompanyLDAP()


class res_company(osv.osv):
    _inherit = "res.company"
    _columns = {
        'ldaps': fields.one2many('res.company.ldap', 'company', 'LDAP Parameters'),
    }
res_company()

class users(osv.osv):
    _inherit = "res.users"
    def login(self, db, login, password):

        if not password:
            # empty passwords are disallowed for obvious security reasons
            return False

        ret = super(users,self).login(db, login, password)
        if ret:
            return ret
        logger = logging.getLogger('orm.ldap')
        pool = pooler.get_pool(db)
        cr = pooler.get_db(db).cursor()
        action_obj = pool.get('ir.actions.actions')
        cr.execute("""
            SELECT id, company, ldap_server, ldap_server_port, ldap_binddn, ldap_password,
                   ldap_filter, ldap_base, "user", create_user
            FROM res_company_ldap
            WHERE ldap_server != '' ORDER BY sequence""")
        for res_company_ldap in cr.dictfetchall():
            logger.debug(res_company_ldap)
            try:
                l = ldap.open(res_company_ldap['ldap_server'], res_company_ldap['ldap_server_port'])
                # An empty binddn means anonymous auth, so it should be replaced w/ an empty string
                # See LDAP RFC 4513, Section 5.1.1
                if l.simple_bind_s(res_company_ldap['ldap_binddn'] or '',
                                   res_company_ldap['ldap_password'] or ''):
                    base = res_company_ldap['ldap_base']
                    scope = ldap.SCOPE_SUBTREE
                    filter = filter_format(res_company_ldap['ldap_filter'], (login,))
                    retrieve_attributes = None
                    result_id = l.search(base, scope, filter, retrieve_attributes)
                    timeout = 60
                    result_type, result_data = l.result(result_id, timeout)
                    if not result_data:
                        continue
                    if result_type == ldap.RES_SEARCH_RESULT and len(result_data) == 1:
                        dn = result_data[0][0]
                        logger.debug(dn)
                        name = result_data[0][1]['cn'][0]
                        if l.bind_s(dn, password):
                            l.unbind()
                            cr.execute("SELECT id FROM res_users WHERE login=%s",(tools.ustr(login),))
                            res = cr.fetchone()
                            logger.debug(res)
                            if res:
                                cr.close()
                                return res[0]
                            if not res_company_ldap['create_user']:
                                continue
                            action_id = action_obj.search(cr, 1, [('usage', '=', 'menu')])[0]
                            if res_company_ldap['user']:
                                res = self.copy(cr, 1, res_company_ldap['user'],
                                        default={'active': True})
                                self.write(cr, 1, res, {
                                    'name': name,
                                    'login': login.encode('utf-8'),
                                    'company_id': res_company_ldap['company'],
                                    })
                            else:
                                res = self.create(cr, 1, {
                                    'name': name,
                                    'login': login.encode('utf-8'),
                                    'company_id': res_company_ldap['company'],
                                    'action_id': action_id,
                                    'menu_id': action_id,
                                    })
                            cr.commit()
                            cr.close()
                            return res
                    l.unbind()
            except Exception:
                logger.warning("Cannot auth", exc_info=True)
                continue
        cr.close()
        return False

    def check(self, db, uid, passwd):
        try:
            return super(users,self).check(db, uid, passwd)
        except openerp.exceptions.AccessDenied:
            pass

        if not passwd:
            # empty passwords disallowed for obvious security reasons
            raise openerp.exceptions.AccessDenied()

        cr = pooler.get_db(db).cursor()
        user = self.browse(cr, 1, uid)
        logger = logging.getLogger('orm.ldap')
        if user and user.company_id.ldaps:
            for res_company_ldap in user.company_id.ldaps:
                try:
                    l = ldap.open(res_company_ldap.ldap_server, res_company_ldap.ldap_server_port)
                    # An empty binddn means anonymous auth, so it should be replaced w/ an empty string
                    # See LDAP RFC 4513, Section 5.1.1
                    if l.simple_bind_s(res_company_ldap.ldap_binddn or '',
                                       res_company_ldap.ldap_password or ''):
                        base = res_company_ldap.ldap_base
                        scope = ldap.SCOPE_SUBTREE
                        filter = filter_format(res_company_ldap.ldap_filter, (user.login,))
                        retrieve_attributes = None
                        result_id = l.search(base, scope, filter, retrieve_attributes)
                        timeout = 60
                        result_type, result_data = l.result(result_id, timeout)
                        if result_data and result_type == ldap.RES_SEARCH_RESULT and len(result_data) == 1:
                            dn = result_data[0][0]
                            # some LDAP servers allow anonymous binding with blank passwords,
                            # but these have been rejected above, so we're safe to use bind()
                            if l.bind_s(dn, passwd):
                                l.unbind()
                                self._uid_cache.setdefault(db, {})[uid] = passwd
                                cr.close()
                                return True
                        l.unbind()
                except Exception:
                    logger.warning('cannot check', exc_info=True)
                    pass
        cr.close()
        raise openerp.exceptions.AccessDenied()
        
users()
# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`##############################################################################`
			`#`
			`# OpenERP, Open Source Management Solution`
			`# Copyright (C) 2004-2009 Tiny SPRL (<http://tiny.be>).`
			`#`
			`# This program is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU Affero General Public License as`
			`# published by the Free Software Foundation, either version 3 of the`
			`# License, or (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU Affero General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU Affero General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`#`
			`##############################################################################`

[IMP] users_ldap: clean code + add some debug logging bzr revid: chs@tinyerp.com-20100129161608-awmum09g0bzzn8f1 2010-01-29 16:16:08 +00:00			`from osv import fields, osv`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`import pooler`
			`import tools`
users_ldap: replace tools.debug() with logging.debug() bzr revid: p_christ@hol.gr-20101214153320-5cz87zmxpfb6rntv 2010-12-14 15:33:20 +00:00			`import logging`
[IMP] users_ldap: clean code + add some debug logging bzr revid: chs@tinyerp.com-20100129161608-awmum09g0bzzn8f1 2010-01-29 16:16:08 +00:00			`import ldap`
			`from ldap.filter import filter_format`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00
[FIX] users_ldap to use new exceptions bzr revid: al@openerp.com-20111022151535-44c124ymzs7kd1wx 2011-10-22 15:15:35 +00:00			`import openerp.exceptions`

[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00
			`class CompanyLDAP(osv.osv):`
			`_name = 'res.company.ldap'`
			`_order = 'sequence'`
			`_rec_name = 'ldap_server'`
			`_columns = {`
			`'sequence': fields.integer('Sequence'),`
			`'company': fields.many2one('res.company', 'Company', required=True,`
			`ondelete='cascade'),`
			`'ldap_server': fields.char('LDAP Server address', size=64, required=True),`
			`'ldap_server_port': fields.integer('LDAP Server port', required=True),`
[MERGE] users_ldap: support for anonymous binding at company level Anonymous binding is enabled by having empty names and password in company LDAP setup. This does NOT permit anonymous binding for user authentication, which is still forbidden. The anonymous access will only be used to query the directory for the existence of the users. Thanks to Stefan Rijnhart for the idea and implementation! bzr revid: odo@openerp.com-20110615173006-4wvzpecqx4doyb4l 2011-06-15 17:30:06 +00:00			`'ldap_binddn': fields.char('LDAP binddn', size=64,`
[IMP] Anonymous bind now triggered by empty bind dn instead of redundant 'anonymous' checkbox bzr revid: stefan@therp.nl-20110611151853-brr3nnp427wq40i7 2011-06-11 15:18:53 +00:00			`help=("The user account on the LDAP server that is used to query "`
			`"the directory. Leave empty to connect anonymously.")),`
			`'ldap_password': fields.char('LDAP password', size=64,`
[MERGE] users_ldap: support for anonymous binding at company level Anonymous binding is enabled by having empty names and password in company LDAP setup. This does NOT permit anonymous binding for user authentication, which is still forbidden. The anonymous access will only be used to query the directory for the existence of the users. Thanks to Stefan Rijnhart for the idea and implementation! bzr revid: odo@openerp.com-20110615173006-4wvzpecqx4doyb4l 2011-06-15 17:30:06 +00:00			`help=("The password of the user account on the LDAP server that is "`
			`"used to query the directory.")),`
[FIX/BUG] Increased the Ldap Filter Size bzr revid: jam@tinyerp.com-20110727115309-awso1wew48qtisdt 2011-07-27 11:53:09 +00:00			`'ldap_filter': fields.char('LDAP filter', size=256, required=True),`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`'ldap_base': fields.char('LDAP base', size=64, required=True),`
[IMP] type bzr revid: fp@tinyerp.com-20100129080035-o3tmadogl1evxru0 2010-01-29 08:00:35 +00:00			`'user': fields.many2one('res.users', 'Model User',`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`help="Model used for user creation"),`
			`'create_user': fields.boolean('Create user',`
			`help="Create the user if not in database"),`
			`}`
			`_defaults = {`
			`'ldap_server': lambda *a: '127.0.0.1',`
			`'ldap_server_port': lambda *a: 389,`
			`'sequence': lambda *a: 10,`
			`'create_user': lambda *a: True,`
			`}`

			`CompanyLDAP()`


			`class res_company(osv.osv):`
			`_inherit = "res.company"`
			`_columns = {`
			`'ldaps': fields.one2many('res.company.ldap', 'company', 'LDAP Parameters'),`
			`}`
			`res_company()`

			`class users(osv.osv):`
			`_inherit = "res.users"`
			`def login(self, db, login, password):`
[FIX] users_ldap: consistent handling of login() vs check() Explicit check for blank passwords was introduced recently in check() for bug 760301, but login() did not behave the same so the resulting error message would be inconsistent. lp bug: https://launchpad.net/bugs/760301 fixed bzr revid: odo@openerp.com-20110616160219-m0y066q914s4y7ev 2011-06-16 16:02:19 +00:00
			`if not password:`
			`# empty passwords are disallowed for obvious security reasons`
			`return False`

[IMP] users_ldap: clean code + add some debug logging bzr revid: chs@tinyerp.com-20100129161608-awmum09g0bzzn8f1 2010-01-29 16:16:08 +00:00			`ret = super(users,self).login(db, login, password)`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`if ret:`
			`return ret`
users_ldap: replace tools.debug() with logging.debug() bzr revid: p_christ@hol.gr-20101214153320-5cz87zmxpfb6rntv 2010-12-14 15:33:20 +00:00			`logger = logging.getLogger('orm.ldap')`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`pool = pooler.get_pool(db)`
[IMP] users_ldap: clean code + add some debug logging bzr revid: chs@tinyerp.com-20100129161608-awmum09g0bzzn8f1 2010-01-29 16:16:08 +00:00			`cr = pooler.get_db(db).cursor()`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`action_obj = pool.get('ir.actions.actions')`
			`cr.execute("""`
[IMP] users_ldap: clean code + add some debug logging bzr revid: chs@tinyerp.com-20100129161608-awmum09g0bzzn8f1 2010-01-29 16:16:08 +00:00			`SELECT id, company, ldap_server, ldap_server_port, ldap_binddn, ldap_password,`
			`ldap_filter, ldap_base, "user", create_user`
			`FROM res_company_ldap`
[IMP] Anonymous bind now triggered by empty bind dn instead of redundant 'anonymous' checkbox bzr revid: stefan@therp.nl-20110611151853-brr3nnp427wq40i7 2011-06-11 15:18:53 +00:00			`WHERE ldap_server != '' ORDER BY sequence""")`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`for res_company_ldap in cr.dictfetchall():`
users_ldap: replace tools.debug() with logging.debug() bzr revid: p_christ@hol.gr-20101214153320-5cz87zmxpfb6rntv 2010-12-14 15:33:20 +00:00			`logger.debug(res_company_ldap)`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`try:`
			`l = ldap.open(res_company_ldap['ldap_server'], res_company_ldap['ldap_server_port'])`
[MERGE] users_ldap: support for anonymous binding at company level Anonymous binding is enabled by having empty names and password in company LDAP setup. This does NOT permit anonymous binding for user authentication, which is still forbidden. The anonymous access will only be used to query the directory for the existence of the users. Thanks to Stefan Rijnhart for the idea and implementation! bzr revid: odo@openerp.com-20110615173006-4wvzpecqx4doyb4l 2011-06-15 17:30:06 +00:00			`# An empty binddn means anonymous auth, so it should be replaced w/ an empty string`
			`# See LDAP RFC 4513, Section 5.1.1`
[IMP] Anonymous bind now triggered by empty bind dn instead of redundant 'anonymous' checkbox bzr revid: stefan@therp.nl-20110611151853-brr3nnp427wq40i7 2011-06-11 15:18:53 +00:00			`if l.simple_bind_s(res_company_ldap['ldap_binddn'] or '',`
			`res_company_ldap['ldap_password'] or ''):`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`base = res_company_ldap['ldap_base']`
			`scope = ldap.SCOPE_SUBTREE`
			`filter = filter_format(res_company_ldap['ldap_filter'], (login,))`
			`retrieve_attributes = None`
			`result_id = l.search(base, scope, filter, retrieve_attributes)`
			`timeout = 60`
			`result_type, result_data = l.result(result_id, timeout)`
			`if not result_data:`
			`continue`
			`if result_type == ldap.RES_SEARCH_RESULT and len(result_data) == 1:`
			`dn = result_data[0][0]`
users_ldap: replace tools.debug() with logging.debug() bzr revid: p_christ@hol.gr-20101214153320-5cz87zmxpfb6rntv 2010-12-14 15:33:20 +00:00			`logger.debug(dn)`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`name = result_data[0][1]['cn'][0]`
[IMP] users_ldap: clean code + add some debug logging bzr revid: chs@tinyerp.com-20100129161608-awmum09g0bzzn8f1 2010-01-29 16:16:08 +00:00			`if l.bind_s(dn, password):`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`l.unbind()`
			`cr.execute("SELECT id FROM res_users WHERE login=%s",(tools.ustr(login),))`
			`res = cr.fetchone()`
users_ldap: replace tools.debug() with logging.debug() bzr revid: p_christ@hol.gr-20101214153320-5cz87zmxpfb6rntv 2010-12-14 15:33:20 +00:00			`logger.debug(res)`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`if res:`
			`cr.close()`
			`return res[0]`
			`if not res_company_ldap['create_user']:`
[IMP] users_ldap: clean code + add some debug logging bzr revid: chs@tinyerp.com-20100129161608-awmum09g0bzzn8f1 2010-01-29 16:16:08 +00:00			`continue`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`action_id = action_obj.search(cr, 1, [('usage', '=', 'menu')])[0]`
			`if res_company_ldap['user']:`
			`res = self.copy(cr, 1, res_company_ldap['user'],`
			`default={'active': True})`
			`self.write(cr, 1, res, {`
			`'name': name,`
			`'login': login.encode('utf-8'),`
			`'company_id': res_company_ldap['company'],`
			`})`
			`else:`
			`res = self.create(cr, 1, {`
			`'name': name,`
			`'login': login.encode('utf-8'),`
			`'company_id': res_company_ldap['company'],`
			`'action_id': action_id,`
			`'menu_id': action_id,`
			`})`
			`cr.commit()`
			`cr.close()`
			`return res`
			`l.unbind()`
[FIX] Users_ldap : Corrected YAML Warnings,Thanks to Buildbot bzr revid: jvo@tinyerp.com-20110429111850-hisffd5wrbp19bxi 2011-04-29 11:18:50 +00:00			`except Exception:`
users_ldap: replace tools.debug() with logging.debug() bzr revid: p_christ@hol.gr-20101214153320-5cz87zmxpfb6rntv 2010-12-14 15:33:20 +00:00			`logger.warning("Cannot auth", exc_info=True)`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`continue`
			`cr.close()`
			`return False`

			`def check(self, db, uid, passwd):`
			`try:`
			`return super(users,self).check(db, uid, passwd)`
[FIX] users_ldap to use new exceptions bzr revid: al@openerp.com-20111022151535-44c124ymzs7kd1wx 2011-10-22 15:15:35 +00:00			`except openerp.exceptions.AccessDenied:`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`pass`
[FIX] users_ldap: double-check to prevent blank passwords The server should have done the check in the call to super.check(), but just in case, we double-check for blank passwords, as this is an issue for LDAP servers that allow anonymous bindings. See http://www.openldap.org/lists/openldap-software/200112/msg00178.html lp bug: https://launchpad.net/bugs/760301 fixed bzr revid: odo@openerp.com-20110428153543-vfhx9rhbspoc84b6 2011-04-28 15:35:43 +00:00
			`if not passwd:`
			`# empty passwords disallowed for obvious security reasons`
[FIX] users_ldap to use new exceptions bzr revid: al@openerp.com-20111022151535-44c124ymzs7kd1wx 2011-10-22 15:15:35 +00:00			`raise openerp.exceptions.AccessDenied()`
[FIX] users_ldap: double-check to prevent blank passwords The server should have done the check in the call to super.check(), but just in case, we double-check for blank passwords, as this is an issue for LDAP servers that allow anonymous bindings. See http://www.openldap.org/lists/openldap-software/200112/msg00178.html lp bug: https://launchpad.net/bugs/760301 fixed bzr revid: odo@openerp.com-20110428153543-vfhx9rhbspoc84b6 2011-04-28 15:35:43 +00:00
[IMP] users_ldap: clean code + add some debug logging bzr revid: chs@tinyerp.com-20100129161608-awmum09g0bzzn8f1 2010-01-29 16:16:08 +00:00			`cr = pooler.get_db(db).cursor()`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`user = self.browse(cr, 1, uid)`
users_ldap: replace tools.debug() with logging.debug() bzr revid: p_christ@hol.gr-20101214153320-5cz87zmxpfb6rntv 2010-12-14 15:33:20 +00:00			`logger = logging.getLogger('orm.ldap')`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`if user and user.company_id.ldaps:`
			`for res_company_ldap in user.company_id.ldaps:`
			`try:`
			`l = ldap.open(res_company_ldap.ldap_server, res_company_ldap.ldap_server_port)`
[MERGE] users_ldap: support for anonymous binding at company level Anonymous binding is enabled by having empty names and password in company LDAP setup. This does NOT permit anonymous binding for user authentication, which is still forbidden. The anonymous access will only be used to query the directory for the existence of the users. Thanks to Stefan Rijnhart for the idea and implementation! bzr revid: odo@openerp.com-20110615173006-4wvzpecqx4doyb4l 2011-06-15 17:30:06 +00:00			`# An empty binddn means anonymous auth, so it should be replaced w/ an empty string`
			`# See LDAP RFC 4513, Section 5.1.1`
[IMP] Anonymous bind now triggered by empty bind dn instead of redundant 'anonymous' checkbox bzr revid: stefan@therp.nl-20110611151853-brr3nnp427wq40i7 2011-06-11 15:18:53 +00:00			`if l.simple_bind_s(res_company_ldap.ldap_binddn or '',`
			`res_company_ldap.ldap_password or ''):`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`base = res_company_ldap.ldap_base`
			`scope = ldap.SCOPE_SUBTREE`
			`filter = filter_format(res_company_ldap.ldap_filter, (user.login,))`
			`retrieve_attributes = None`
			`result_id = l.search(base, scope, filter, retrieve_attributes)`
			`timeout = 60`
			`result_type, result_data = l.result(result_id, timeout)`
			`if result_data and result_type == ldap.RES_SEARCH_RESULT and len(result_data) == 1:`
			`dn = result_data[0][0]`
[FIX] users_ldap: double-check to prevent blank passwords The server should have done the check in the call to super.check(), but just in case, we double-check for blank passwords, as this is an issue for LDAP servers that allow anonymous bindings. See http://www.openldap.org/lists/openldap-software/200112/msg00178.html lp bug: https://launchpad.net/bugs/760301 fixed bzr revid: odo@openerp.com-20110428153543-vfhx9rhbspoc84b6 2011-04-28 15:35:43 +00:00			`# some LDAP servers allow anonymous binding with blank passwords,`
			`# but these have been rejected above, so we're safe to use bind()`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`if l.bind_s(dn, passwd):`
			`l.unbind()`
			`self._uid_cache.setdefault(db, {})[uid] = passwd`
			`cr.close()`
			`return True`
			`l.unbind()`
[FIX] Users_ldap : Corrected YAML Warnings,Thanks to Buildbot bzr revid: jvo@tinyerp.com-20110429111850-hisffd5wrbp19bxi 2011-04-29 11:18:50 +00:00			`except Exception:`
users_ldap: replace tools.debug() with logging.debug() bzr revid: p_christ@hol.gr-20101214153320-5cz87zmxpfb6rntv 2010-12-14 15:33:20 +00:00			`logger.warning('cannot check', exc_info=True)`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00			`pass`
			`cr.close()`
[FIX] users_ldap to use new exceptions bzr revid: al@openerp.com-20111022151535-44c124ymzs7kd1wx 2011-10-22 15:15:35 +00:00			`raise openerp.exceptions.AccessDenied()`
[ADD] users_ldap: support authentication by ldap server bzr revid: hmo@tinyerp.com-20100129065234-058rl4od3j4s6red 2010-01-29 06:52:34 +00:00
			`users()`
			`# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:`