mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2025-04-03 00:07:05 +00:00
305 lines
9.0 KiB
Python
305 lines
9.0 KiB
Python
#!/usr/local/lib/mailinabox/env/bin/python
|
|
# -*- indent-tabs-mode: t; tab-width: 4; python-indent-offset: 4; -*-
|
|
#####
|
|
##### This file is part of Mail-in-a-Box-LDAP which is released under the
|
|
##### terms of the GNU Affero General Public License as published by the
|
|
##### Free Software Foundation, either version 3 of the License, or (at
|
|
##### your option) any later version. See file LICENSE or go to
|
|
##### https://github.com/downtownallday/mailinabox-ldap for full license
|
|
##### details.
|
|
#####
|
|
|
|
|
|
import ldap3, time
|
|
|
|
|
|
class Response:
|
|
#
|
|
# helper class for iterating over ldap search results
|
|
# example:
|
|
# conn = connect()
|
|
# response = conn.wait( conn.search(...) )
|
|
# for record in response:
|
|
# print(record['dn'])
|
|
#
|
|
rowidx=0
|
|
def __init__(self, result, response):
|
|
self.result = result
|
|
self.response = response
|
|
if result is None:
|
|
raise ValueError("INVALID RESULT: None")
|
|
|
|
def __iter__(self):
|
|
self.rowidx=0
|
|
return self
|
|
|
|
def __next__(self):
|
|
# return the next record in the result set
|
|
rtn = self.next()
|
|
if rtn is None: raise StopIteration
|
|
return rtn
|
|
|
|
def next(self):
|
|
# return the next record in the result set or None
|
|
if self.rowidx >= len(self.response):
|
|
return None
|
|
rtn=self.response[self.rowidx]['attributes']
|
|
rtn['dn'] = self.response[self.rowidx]['dn']
|
|
self.rowidx += 1
|
|
|
|
return rtn
|
|
|
|
def count(self):
|
|
# return the number of records in the result set
|
|
return len(self.response)
|
|
|
|
|
|
|
|
class PagedSearch:
|
|
#
|
|
# Helper class for iterating over and handling paged searches.
|
|
# Use PagedSearch when expecting a large number of matching
|
|
# entries. slapd by default limits each result set to 500 entries.
|
|
#
|
|
# example:
|
|
# conn=connection()
|
|
# response = conn.paged_search(...)
|
|
# for record in response:
|
|
# print(record['dn'])
|
|
#
|
|
# PagedSearch is limited to one iteration pass. In the above
|
|
# example the 'for' statement could not be repeated.
|
|
#
|
|
|
|
def __init__(self, conn, search_base, search_filter, search_scope, attributes, page_size):
|
|
self.conn = conn
|
|
self.search_base = search_base
|
|
self.search_filter = search_filter
|
|
self.search_scope = search_scope
|
|
self.attributes = attributes
|
|
self.page_size = page_size
|
|
|
|
# issue the search
|
|
self.response = None
|
|
self.id = conn.search(search_base, search_filter, search_scope, attributes=attributes, paged_size=page_size, paged_criticality=True)
|
|
self.page_count = 0
|
|
|
|
def __iter__(self):
|
|
# wait for the search result on first iteration
|
|
self.response = self.conn.wait(self.id)
|
|
self.page_count += 1
|
|
return self
|
|
|
|
def __next__(self):
|
|
# return the next record in the result set
|
|
r = self.response.next()
|
|
if r is None:
|
|
cookie=self.response.result['controls']['1.2.840.113556.1.4.319']['value']['cookie']
|
|
if not cookie:
|
|
raise StopIteration
|
|
self.id = self.conn.search(self.search_base, self.search_filter, self.search_scope, attributes=self.attributes, paged_size=self.page_size, paged_cookie=cookie)
|
|
self.response = self.conn.wait(self.id)
|
|
self.page_count += 1
|
|
r = self.response.next()
|
|
if r is None:
|
|
raise StopIteration
|
|
return r
|
|
|
|
def abandon(self):
|
|
# "If you send 0 as paged_size and a valid cookie the search
|
|
# operation referred by that cookie is abandoned."
|
|
cookie=self.response.result['controls']['1.2.840.113556.1.4.319']['value']['cookie']
|
|
if not cookie: return
|
|
self.id = self.conn.search(self.search_base, self.search_filter, self.search_scope, attributes=self.attributes, paged_size=0, paged_cookie=cookie)
|
|
|
|
|
|
|
|
|
|
class LdapConnection(ldap3.Connection):
|
|
# This is a subclass ldap3.Connection with our own methods for
|
|
# simplifying searches and modifications
|
|
|
|
def wait(self, id):
|
|
# Wait for results from an async search and return the result
|
|
# set in a Response object. If a syncronous strategy is in
|
|
# use, it returns immediately with the Response object.
|
|
if type(id)==int:
|
|
# async
|
|
tup = self.get_response(id)
|
|
return Response(tup[1], tup[0])
|
|
else:
|
|
# sync - conn has returned results
|
|
return Response(self.result, self.response)
|
|
|
|
def paged_search(self, search_base, search_filter, search_scope=ldap3.SUBTREE, attributes=None, page_size=200):
|
|
# Perform a paged search - see PagedSearch above
|
|
return PagedSearch(self,
|
|
search_base,
|
|
search_filter,
|
|
search_scope,
|
|
attributes,
|
|
page_size)
|
|
|
|
def add(self, dn, object_class=None, attrs=None, controls=None):
|
|
# This overrides ldap3's add method to automatically remove
|
|
# empty attributes from the attribute list for a ldap ADD
|
|
# operation, which cause exceptions.
|
|
if attrs is not None:
|
|
keys = [ k for k in attrs ]
|
|
for k in keys:
|
|
if attrs[k] is None or \
|
|
type(attrs[k]) is list and len(attrs[k])==0 or \
|
|
type(attrs[k]) is str and attrs[k]=='':
|
|
del attrs[k]
|
|
return ldap3.Connection.add(self, dn, object_class, attrs, controls)
|
|
|
|
def chase_members(self, members, attrib, env):
|
|
# Given a list of distinguished names (members), lookup each
|
|
# one and return the list of values for `attrib` in an
|
|
# array. It is *not* recursive. `attrib` is a string holding
|
|
# the name of an attribute.
|
|
resolved=[]
|
|
for dn in members:
|
|
try:
|
|
response = self.wait(self.search(dn, "(objectClass=*)", ldap3.BASE, attributes=attrib))
|
|
rec = response.next()
|
|
if rec is not None: resolved.append(rec[attrib])
|
|
except ldap3.core.exceptions.LDAPNoSuchObjectResult:
|
|
# ignore orphans
|
|
pass
|
|
return resolved
|
|
|
|
# static
|
|
def ldap_modify_op(attr, record, new_values):
|
|
# Return an ldap operation to change record[attr] so that it
|
|
# has values `new_values`. `new_values` is a list.
|
|
|
|
if not type(new_values) is list:
|
|
new_values = [ new_values ]
|
|
# remove None values
|
|
new_values = [ v for v in new_values if v is not None ]
|
|
|
|
if len(record[attr]) == 0:
|
|
if len(new_values) == 0:
|
|
# NOP: current=empty, desired=empty
|
|
return None
|
|
# ADD: current=empty, desired=non-empty
|
|
return [(ldap3.MODIFY_ADD, new_values)]
|
|
if len(new_values) == 0:
|
|
# DELETE: current=non-empty, desired=empty
|
|
return [(ldap3.MODIFY_DELETE, [])]
|
|
# MODIFY: current=non-empty, desired=non-empty
|
|
return [(ldap3.MODIFY_REPLACE, new_values)]
|
|
|
|
|
|
|
|
def add_or_modify(self, dn, existing_record, attrs_to_update, objectClasses, values):
|
|
# Add or modify an existing database entry.
|
|
# dn: dn for a new entry
|
|
# existing_record: the existing data, if any
|
|
# (a dict from Response.next()). The data must
|
|
# have values for each attribute in `attrs_to_update`
|
|
# attrs_to_update: an array of attribute names to update
|
|
# objectClasses: a list of object classes for a new entry
|
|
# values: a dict of attributes and values for a new or modified entry
|
|
if existing_record:
|
|
# modify existing
|
|
changes = {}
|
|
dn = existing_record['dn']
|
|
for attr in attrs_to_update:
|
|
modify_op = LdapConnection.ldap_modify_op(
|
|
attr,
|
|
existing_record,
|
|
values[attr])
|
|
if modify_op: changes[attr] = modify_op
|
|
if len(changes)>0:
|
|
self.wait ( self.modify(dn, changes) )
|
|
return 'modify'
|
|
else:
|
|
# add new entry
|
|
self.wait ( self.add(dn, objectClasses, values) )
|
|
return 'add'
|
|
|
|
|
|
def modify_record(self, rec, modifications):
|
|
# Modify an existing record by changing the attributes of
|
|
# `modifications` to their associated values. `modifications`
|
|
# is a dict with key of attribute name and value of list of
|
|
# string.
|
|
dn = rec['dn']
|
|
attrs_to_update=modifications.keys()
|
|
self.add_or_modify(dn, rec, attrs_to_update, None, modifications)
|
|
return True
|
|
|
|
|
|
def get_shadowLastChanged():
|
|
# get the number of days from the epoch
|
|
days = int(time.time() / (24 * 60 * 60))
|
|
return days
|
|
|
|
|
|
def get_ldap_server(env):
|
|
# return a ldap3.Server object for a ldap connection
|
|
tls=None
|
|
if env.LDAP_SERVER_TLS=="yes":
|
|
import ssl
|
|
tls=ldap3.Tls(
|
|
validate=ssl.CERT_REQUIRED,
|
|
ca_certs_file="/etc/ssl/certs/ca-certificates.crt")
|
|
|
|
server=ldap3.Server(
|
|
host=env.LDAP_SERVER,
|
|
port=int(env.LDAP_SERVER_PORT),
|
|
use_ssl=False if tls is None else True,
|
|
get_info=ldap3.NONE,
|
|
tls=tls)
|
|
|
|
return server
|
|
|
|
|
|
def connect(env):
|
|
# connect to the ldap server
|
|
#
|
|
# problems and observations:
|
|
#
|
|
# using thread-local storage does not work with Flask. nor does
|
|
# REUSABLE strategy - both fail with LDAPResponseTimeoutError
|
|
#
|
|
# there are a lot of connections left open with ASYNC strategy
|
|
#
|
|
# there are more unclosed connections with manual bind vs auto
|
|
# bind
|
|
#
|
|
# pooled connections only work for REUSABLE strategy
|
|
#
|
|
# paging does not work with REUSABLE strategy at all:
|
|
# get_response() always returns a protocol error (invalid cookie)
|
|
# when retrieving the second page
|
|
#
|
|
server = get_ldap_server(env)
|
|
|
|
auto_bind=ldap3.AUTO_BIND_NO_TLS
|
|
if env.LDAP_SERVER_STARTTLS=="yes":
|
|
auto_bind=ldap3.AUTO_BIND_TLS_BEFORE_BIND
|
|
|
|
conn = LdapConnection(
|
|
server,
|
|
env.LDAP_MANAGEMENT_DN,
|
|
env.LDAP_MANAGEMENT_PASSWORD,
|
|
auto_bind=auto_bind,
|
|
lazy=False,
|
|
#client_strategy=ldap3.ASYNC, # ldap3.REUSABLE,
|
|
client_strategy=ldap3.SYNC,
|
|
#pool_name="default",
|
|
#pool_size=5,
|
|
#pool_lifetime=20*60, # 20 minutes
|
|
#pool_keepalive=60,
|
|
raise_exceptions=True)
|
|
|
|
#conn.bind()
|
|
return conn
|
|
|
|
|
|
|
|
|