salt/auth/ldap.py
# -*- coding: utf-8 -*-
'''
Provide authentication using simple LDAP binds
:depends: - ldap Python module
'''
# Import python libs
from __future__ import absolute_import, print_function, unicode_literals
import logging
import itertools
from salt.ext import six
# Import salt libs
from salt.exceptions import CommandExecutionError, SaltInvocationError
import salt.utils.stringutils
import salt.utils.data
log = logging.getLogger(__name__)
# Import third party libs
from jinja2 import Environment
try:
import ldap
import ldap.modlist
import ldap.filter
HAS_LDAP = True
except ImportError:
HAS_LDAP = False
# Defaults, override in master config
__defopts__ = {'auth.ldap.basedn': '',
'auth.ldap.uri': '',
'auth.ldap.server': 'localhost',
'auth.ldap.port': '389',
'auth.ldap.starttls': False,
'auth.ldap.tls': False,
'auth.ldap.no_verify': False,
'auth.ldap.anonymous': False,
'auth.ldap.scope': 2,
'auth.ldap.groupou': 'Groups',
'auth.ldap.accountattributename': 'memberUid',
'auth.ldap.groupattribute': 'memberOf',
'auth.ldap.persontype': 'person',
'auth.ldap.groupclass': 'posixGroup',
'auth.ldap.activedirectory': False,
'auth.ldap.freeipa': False,
'auth.ldap.minion_stripdomains': [],
}
def _config(key, mandatory=True, opts=None):
'''
Return a value for 'name' from master config file options or defaults.
'''
try:
if opts:
value = opts['auth.ldap.{0}'.format(key)]
else:
value = __opts__['auth.ldap.{0}'.format(key)]
except KeyError:
try:
value = __defopts__['auth.ldap.{0}'.format(key)]
except KeyError:
if mandatory:
msg = 'missing auth.ldap.{0} in master config'.format(key)
raise SaltInvocationError(msg)
return False
return value
def _render_template(param, username):
'''
Render config template, substituting username where found.
'''
env = Environment()
template = env.from_string(param)
variables = {'username': username}
return template.render(variables)
class _LDAPConnection(object):
'''
Setup an LDAP connection.
'''
def __init__(self, uri, server, port,
starttls, tls, no_verify,
binddn, bindpw,
anonymous, accountattributename, activedirectory=False):
'''
Bind to an LDAP directory using passed credentials.
'''
self.uri = uri
self.server = server
self.port = port
self.starttls = starttls
self.tls = tls
self.binddn = binddn
self.bindpw = bindpw
if not HAS_LDAP:
raise CommandExecutionError(
'LDAP connection could not be made, the python-ldap module is '
'not installed. Install python-ldap to use LDAP external auth.'
)
if self.starttls and self.tls:
raise CommandExecutionError(
'Cannot bind with both starttls and tls enabled.'
'Please enable only one of the protocols'
)
schema = 'ldaps' if tls else 'ldap'
if self.uri == '':
self.uri = '{0}://{1}:{2}'.format(schema, self.server, self.port)
try:
if no_verify:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,
ldap.OPT_X_TLS_NEVER)
self.ldap = ldap.initialize('{0}'.format(self.uri))
self.ldap.protocol_version = 3 # ldap.VERSION3
self.ldap.set_option(ldap.OPT_REFERRALS, 0) # Needed for AD
if not anonymous:
if not self.bindpw:
raise CommandExecutionError(
'LDAP bind password is not set: password cannot be empty if auth.ldap.anonymous is False'
)
if self.starttls:
self.ldap.start_tls_s()
self.ldap.simple_bind_s(self.binddn, self.bindpw)
except Exception as ldap_error:
raise CommandExecutionError(
'Failed to bind to LDAP server {0} as {1}: {2}'.format(
self.uri, self.binddn, ldap_error
)
)
def _bind_for_search(anonymous=False, opts=None):
'''
Bind with binddn and bindpw only for searching LDAP
:param anonymous: Try binding anonymously
:param opts: Pass in when __opts__ is not available
:return: LDAPConnection object
'''
# Get config params; create connection dictionary
connargs = {}
# config params (auth.ldap.*)
params = {
'mandatory': ['uri', 'server', 'port', 'starttls', 'tls',
'no_verify', 'anonymous',
'accountattributename', 'activedirectory'],
'additional': ['binddn', 'bindpw', 'filter', 'groupclass',
'auth_by_group_membership_only'],
}
paramvalues = {}
for param in params['mandatory']:
paramvalues[param] = _config(param, opts=opts)
for param in params['additional']:
paramvalues[param] = _config(param, mandatory=False, opts=opts)
paramvalues['anonymous'] = anonymous
# Only add binddn/bindpw to the connargs when they're set, as they're not
# mandatory for initializing the LDAP object, but if they're provided
# initially, a bind attempt will be done during the initialization to
# validate them
if paramvalues['binddn']:
connargs['binddn'] = paramvalues['binddn']
if paramvalues['bindpw']:
params['mandatory'].append('bindpw')
for name in params['mandatory']:
connargs[name] = paramvalues[name]
if not paramvalues['anonymous']:
if paramvalues['binddn'] and paramvalues['bindpw']:
# search for the user's DN to be used for the actual authentication
return _LDAPConnection(**connargs).ldap
def _bind(username, password, anonymous=False, opts=None):
'''
Authenticate via an LDAP bind
'''
# Get config params; create connection dictionary
basedn = _config('basedn', opts=opts)
scope = _config('scope', opts=opts)
connargs = {}
# config params (auth.ldap.*)
params = {
'mandatory': ['uri', 'server', 'port', 'starttls', 'tls',
'no_verify', 'anonymous',
'accountattributename', 'activedirectory'],
'additional': ['binddn', 'bindpw', 'filter', 'groupclass',
'auth_by_group_membership_only'],
}
paramvalues = {}
for param in params['mandatory']:
paramvalues[param] = _config(param, opts=opts)
for param in params['additional']:
paramvalues[param] = _config(param, mandatory=False, opts=opts)
paramvalues['anonymous'] = anonymous
if paramvalues['binddn']:
# the binddn can also be composited, e.g.
# - {{ username }}@domain.com
# - cn={{ username }},ou=users,dc=company,dc=tld
# so make sure to render it first before using it
paramvalues['binddn'] = _render_template(paramvalues['binddn'], username)
paramvalues['binddn'] = ldap.filter.escape_filter_chars(paramvalues['binddn'])
if paramvalues['filter']:
escaped_username = ldap.filter.escape_filter_chars(username)
paramvalues['filter'] = _render_template(paramvalues['filter'], escaped_username)
# Only add binddn/bindpw to the connargs when they're set, as they're not
# mandatory for initializing the LDAP object, but if they're provided
# initially, a bind attempt will be done during the initialization to
# validate them
if paramvalues['binddn']:
connargs['binddn'] = paramvalues['binddn']
if paramvalues['bindpw']:
params['mandatory'].append('bindpw')
for name in params['mandatory']:
connargs[name] = paramvalues[name]
if not paramvalues['anonymous']:
if paramvalues['binddn'] and paramvalues['bindpw']:
# search for the user's DN to be used for the actual authentication
_ldap = _LDAPConnection(**connargs).ldap
log.debug(
'Running LDAP user dn search with filter:%s, dn:%s, '
'scope:%s', paramvalues['filter'], basedn, scope
)
result = _ldap.search_s(basedn, int(scope), paramvalues['filter'])
if not result:
log.warning('Unable to find user %s', username)
return False
elif len(result) > 1:
# Active Directory returns something odd. Though we do not
# chase referrals (ldap.set_option(ldap.OPT_REFERRALS, 0) above)
# it still appears to return several entries for other potential
# sources for a match. All these sources have None for the
# CN (ldap array return items are tuples: (cn, ldap entry))
# But the actual CNs are at the front of the list.
# So with some list comprehension magic, extract the first tuple
# entry from all the results, create a list from those,
# and count the ones that are not None. If that total is more than one
# we need to error out because the ldap filter isn't narrow enough.
cns = [tup[0] for tup in result]
total_not_none = sum(1 for c in cns if c is not None)
if total_not_none > 1:
log.error('LDAP lookup found multiple results for user %s', username)
return False
elif total_not_none == 0:
log.error('LDAP lookup--unable to find CN matching user %s', username)
return False
connargs['binddn'] = result[0][0]
if paramvalues['binddn'] and not paramvalues['bindpw']:
connargs['binddn'] = paramvalues['binddn']
elif paramvalues['binddn'] and not paramvalues['bindpw']:
connargs['binddn'] = paramvalues['binddn']
# Update connection dictionary with the user's password
connargs['bindpw'] = password
# Attempt bind with user dn and password
if paramvalues['anonymous']:
log.debug('Attempting anonymous LDAP bind')
else:
log.debug('Attempting LDAP bind with user dn: %s', connargs['binddn'])
try:
ldap_conn = _LDAPConnection(**connargs).ldap
except Exception:
connargs.pop('bindpw', None) # Don't log the password
log.error('Failed to authenticate user dn via LDAP: %s', connargs)
log.debug('Error authenticating user dn via LDAP:', exc_info=True)
return False
log.debug('Successfully authenticated user dn via LDAP: %s', connargs['binddn'])
return ldap_conn
def auth(username, password):
'''
Simple LDAP auth
'''
if not HAS_LDAP:
log.error('LDAP authentication requires python-ldap module')
return False
bind = None
# If bind credentials are configured, verify that we receive a valid bind
if _config('binddn', mandatory=False) and _config('bindpw', mandatory=False):
search_bind = _bind_for_search(anonymous=_config('anonymous', mandatory=False))
# If username & password are not None, attempt to verify they are valid
if search_bind and username and password:
bind = _bind(username, password,
anonymous=_config('auth_by_group_membership_only', mandatory=False)
and _config('anonymous', mandatory=False))
else:
bind = _bind(username, password,
anonymous=_config('auth_by_group_membership_only', mandatory=False)
and _config('anonymous', mandatory=False))
if bind:
log.debug('LDAP authentication successful')
return bind
log.error('LDAP _bind authentication FAILED')
return False
def groups(username, **kwargs):
'''
Authenticate against an LDAP group
Behavior is highly dependent on if Active Directory is in use.
AD handles group membership very differently than OpenLDAP.
See the :ref:`External Authentication <acl-eauth>` documentation for a thorough
discussion of available parameters for customizing the search.
OpenLDAP allows you to search for all groups in the directory
and returns members of those groups. Then we check against
the username entered.
'''
group_list = []
# If bind credentials are configured, use them instead of user's
if _config('binddn', mandatory=False) and _config('bindpw', mandatory=False):
bind = _bind_for_search(anonymous=_config('anonymous', mandatory=False))
else:
bind = _bind(username, kwargs.get('password', ''),
anonymous=_config('auth_by_group_membership_only', mandatory=False)
and _config('anonymous', mandatory=False))
if bind:
log.debug('ldap bind to determine group membership succeeded!')
if _config('activedirectory'):
try:
get_user_dn_search = '(&({0}={1})(objectClass={2}))'.format(_config('accountattributename'),
username,
_config('persontype'))
user_dn_results = bind.search_s(_config('basedn'),
ldap.SCOPE_SUBTREE,
get_user_dn_search, [str('distinguishedName')]) # future lint: disable=blacklisted-function
except Exception as e:
log.error('Exception thrown while looking up user DN in AD: %s', e)
return group_list
if not user_dn_results:
log.error('Could not get distinguished name for user %s', username)
return group_list
# LDAP results are always tuples. First entry in the tuple is the DN
dn = ldap.filter.escape_filter_chars(user_dn_results[0][0])
ldap_search_string = '(&(member={0})(objectClass={1}))'.format(dn, _config('groupclass'))
log.debug('Running LDAP group membership search: %s', ldap_search_string)
try:
search_results = bind.search_s(_config('basedn'),
ldap.SCOPE_SUBTREE,
ldap_search_string,
[salt.utils.stringutils.to_str(_config('accountattributename')), str('cn')]) # future lint: disable=blacklisted-function
except Exception as e:
log.error('Exception thrown while retrieving group membership in AD: %s', e)
return group_list
for _, entry in search_results:
if 'cn' in entry:
group_list.append(salt.utils.stringutils.to_unicode(entry['cn'][0]))
log.debug('User %s is a member of groups: %s', username, group_list)
elif _config('freeipa'):
escaped_username = ldap.filter.escape_filter_chars(username)
search_base = _config('group_basedn')
search_string = _render_template(_config('group_filter'), escaped_username)
search_results = bind.search_s(search_base,
ldap.SCOPE_SUBTREE,
search_string,
[salt.utils.stringutils.to_str(_config('accountattributename')), salt.utils.stringutils.to_str(_config('groupattribute')), str('cn')]) # future lint: disable=blacklisted-function
for entry, result in search_results:
for user in itertools.chain(result.get(_config('accountattributename'), []),
result.get(_config('groupattribute'), [])):
if username == salt.utils.stringutils.to_unicode(user).split(',')[0].split('=')[-1]:
group_list.append(entry.split(',')[0].split('=')[-1])
log.debug('User %s is a member of groups: %s', username, group_list)
if not auth(username, kwargs['password']):
log.error('LDAP username and password do not match')
return []
else:
if _config('groupou'):
search_base = 'ou={0},{1}'.format(_config('groupou'), _config('basedn'))
else:
search_base = '{0}'.format(_config('basedn'))
search_string = '(&({0}={1})(objectClass={2}))'.format(_config('accountattributename'),
username, _config('groupclass'))
search_results = bind.search_s(search_base,
ldap.SCOPE_SUBTREE,
search_string,
[salt.utils.stringutils.to_str(_config('accountattributename')),
str('cn'), # future lint: disable=blacklisted-function
salt.utils.stringutils.to_str(_config('groupattribute'))])
for _, entry in search_results:
if username in salt.utils.data.decode(entry[_config('accountattributename')]):
group_list.append(salt.utils.stringutils.to_unicode(entry['cn'][0]))
for user, entry in search_results:
if username == salt.utils.stringutils.to_unicode(user).split(',')[0].split('=')[-1]:
for group in salt.utils.data.decode(entry[_config('groupattribute')]):
group_list.append(salt.utils.stringutils.to_unicode(group).split(',')[0].split('=')[-1])
log.debug('User %s is a member of groups: %s', username, group_list)
# Only test user auth on first call for job.
# 'show_jid' only exists on first payload so we can use that for the conditional.
if 'show_jid' in kwargs and not _bind(username, kwargs.get('password'),
anonymous=_config('auth_by_group_membership_only', mandatory=False) and
_config('anonymous', mandatory=False)):
log.error('LDAP username and password do not match')
return []
else:
log.error('ldap bind to determine group membership FAILED!')
return group_list
def __expand_ldap_entries(entries, opts=None):
'''
:param entries: ldap subtree in external_auth config option
:param opts: Opts to use when __opts__ not defined
:return: Dictionary with all allowed operations
Takes the ldap subtree in the external_auth config option and expands it
with actual minion names
webadmins%: <all users in the AD 'webadmins' group>
- server1
- .*
- ldap(OU=webservers,dc=int,dc=bigcompany,dc=com)
- test.ping
- service.restart
- ldap(OU=Domain Controllers,dc=int,dc=bigcompany,dc=com)
- allowed_fn_list_attribute^
This function only gets called if auth.ldap.activedirectory = True
'''
bind = _bind_for_search(opts=opts)
acl_tree = []
for user_or_group_dict in entries:
if not isinstance(user_or_group_dict, dict):
acl_tree.append(user_or_group_dict)
continue
for minion_or_ou, matchers in six.iteritems(user_or_group_dict):
permissions = matchers
retrieved_minion_ids = []
if minion_or_ou.startswith('ldap('):
search_base = minion_or_ou.lstrip('ldap(').rstrip(')')
search_string = '(objectClass=computer)'
try:
search_results = bind.search_s(search_base,
ldap.SCOPE_SUBTREE,
search_string,
[str('cn')]) # future lint: disable=blacklisted-function
for ldap_match in search_results:
try:
minion_id = ldap_match[1]['cn'][0].lower()
# Some LDAP/AD trees only have the FQDN of machines
# in their computer lists. auth.minion_stripdomains
# lets a user strip off configured domain names
# and arrive at the basic minion_id
if opts.get('auth.ldap.minion_stripdomains', None):
for domain in opts['auth.ldap.minion_stripdomains']:
if minion_id.endswith(domain):
minion_id = minion_id[:-len(domain)]
break
retrieved_minion_ids.append(minion_id)
except TypeError:
# TypeError here just means that one of the returned
# entries didn't match the format we expected
# from LDAP.
pass
for minion_id in retrieved_minion_ids:
acl_tree.append({minion_id: permissions})
log.trace('Expanded acl_tree is: %s', acl_tree)
except ldap.NO_SUCH_OBJECT:
pass
else:
acl_tree.append({minion_or_ou: matchers})
log.trace('__expand_ldap_entries: %s', acl_tree)
return acl_tree
def process_acl(auth_list, opts=None):
'''
Query LDAP, retrieve list of minion_ids from an OU or other search.
For each minion_id returned from the LDAP search, copy the perms
matchers into the auth dictionary
:param auth_list:
:param opts: __opts__ for when __opts__ is not injected
:return: Modified auth list.
'''
ou_names = []
for item in auth_list:
if isinstance(item, six.string_types):
continue
ou_names.extend([potential_ou for potential_ou in item.keys() if potential_ou.startswith('ldap(')])
if ou_names:
auth_list = __expand_ldap_entries(auth_list, opts)
return auth_list