  1. Jun 18, 2015
  2. Jun 17, 2015
  3. Jun 16, 2015
      remove unused file · 9e8b883a
      ziirish authored
      9e8b883a
      Merge branch 'master' into 'master' · d6af10c6
      ziirish authored
      Use RESTARTABLE client_strategy for persistent Connections
      
      Fixes for #64 for AD. Changes the Connection used for doing ldap searches (i.e. fetch()) to attempt to re-connect if the server has closed the socket. Note that Connections used for binding (i.e. check()) use the default SYNC strategy.
      
      String representations of the Connection are incredibly useful.
      
      ```
      2015-06-16 10:24:52 [21634] [DEBUG] POST /login
      filter: (&(sAMAccountName=wade.fitzpatrick)(|(userAccountControl=512)(userAccountControl=66048))) | base: OU=Systems,OU=Employees,DC=corp,DC=net,DC=au
      LDAP Connection = ldaps://corp.net.au:636 - ssl - user: CN=LDAP Read,CN=Users,DC=corp,DC=net,DC=au - bound - open - <local: 10.137.1.140:60119 - remote: 10.137.1.193:636> - tls not started - listening - RestartableStrategy
      Found DN: CN=Wade Fitzpatrick,OU=Systems,OU=Employees,DC=corp,DC=net,DC=au
      filter: (&(sAMAccountName=wade.fitzpatrick)(|(userAccountControl=512)(userAccountControl=66048))) | base: OU=Systems,OU=Employees,DC=corp,DC=net,DC=au
      LDAP Connection = ldaps://corp.net.au:636 - ssl - user: CN=LDAP Read,CN=Users,DC=corp,DC=net,DC=au - bound - open - <local: 10.137.1.140:60119 - remote: 10.137.1.193:636> - tls not started - listening - RestartableStrategy
      Found DN: CN=Wade Fitzpatrick,OU=Systems,OU=Employees,DC=corp,DC=net,DC=au
      LDAP Connection = ldaps://corp.net.au:636 - ssl - user: CN=Wade Fitzpatrick,OU=Systems,OU=Employees,DC=corp,DC=net,DC=au - bound - open - <local: 10.137.1.140:60417 - remote: 10.137.1.193:636> - tls not started - listening - SyncStrategy
      Bound as user: CN=Wade Fitzpatrick,OU=Systems,OU=Employees,DC=corp,DC=net,DC=au
      2015-06-16 10:24:53 [21634] [DEBUG] Closing connection.
      2015-06-16 10:24:53 [21634] [DEBUG] GET /
      2015-06-16 10:24:53 [21634] [DEBUG] Closing connection.
      ```
      
      And below, running 5 worker threads under gunicorn, we can see the number of connections decrease then reconnect as needed:
      ```
      root@rubicon:~# netstat -anp |grep  :636
      tcp        0      0 10.137.1.140:60119       10.137.1.193:636         ESTABLISHED 21634/python
      tcp        0      0 10.137.1.140:60117       10.137.1.193:636         ESTABLISHED 21625/python
      tcp        0      0 10.137.1.140:60116       10.137.1.193:636         ESTABLISHED 21627/python
      tcp        0      0 10.137.1.140:60120       10.137.1.193:636         ESTABLISHED 21636/python
      tcp        0      0 10.137.1.140:60118       10.137.1.193:636         ESTABLISHED 21626/python
      tcp6       0      0 10.137.1.140:52366       10.137.1.193:636         ESTABLISHED 12140/java
      root@rubicon:~# netstat -anp |grep  :636
      tcp6       0      0 10.137.1.140:52366       10.137.1.193:636         ESTABLISHED 12140/java
      root@rubicon:~# netstat -anp |grep  :636
      tcp        0      0 10.137.1.140:36869       10.137.1.193:636         ESTABLISHED 21634/python
      tcp6       0      0 10.137.1.140:52366       10.137.1.193:636         ESTABLISHED 12140/java
      ```
      
      See merge request !2
      
      fixes #64
      d6af10c6
      a few fixes for !2 · 66915e9e
      ziirish authored
      66915e9e
    • Wade Fitzpatrick's avatar
  4. Jun 15, 2015
  5. Jun 14, 2015
  6. Jun 12, 2015
  7. Jun 11, 2015
      fix: more parser error handling + pep8 · 7e2f9629
      ziirish authored
      7e2f9629
      Merge branch 'master' into 'master' · 0f1247af
      ziirish authored
      Improved ldap handling & docs; binds against AD
      
      == New config options
      - adds port and encryption options for binding over SSL/TLS
      - adds 'searchattr' option, the LDAP attribute to search on, defaults to 'uid'
      
      == LdapLoader.fetch() changes:
      - uses python format() to render the search attribute and search value into the search filter
      - if search filter is not specified, uses a simple attr=value search filter
      - returns DN and CN of the object if found
      
      == LdapLoader.check() changes:
      - binds to the LDAP server using the DN found in fetch(). Previously it was trying to bind using 'uid' and the search base which would not work for non-POSIX accounts or objects found in sub-trees.
      
      == LdapUser.__init__() changes:
      - records the DN of the user in order to re-bind as that object
      
      == LdapUser.login() changes:
      - searches for the user again to prevent binding as a disabled user. In AD, a user may still be able to bind even though their userAccountControl attribute prevents them from logging in to a host. This check overrides the cached result in case the account was disabled since last login.
      - disables the user if it can no longer be found in LDAP.
      
      == Overall improvements
      - better documentation of the classes and functions
      
      = TODO
      - add better user documentation explaining the new config options and how search filter should be used properly.
      
      See merge request !1
      Closes #63
      0f1247af
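      An added example (not code from the project or from either merge request) of the two parts of !1's description that are easiest to get wrong: rendering the search filter from the 'searchattr' option and the search value with format(), with the value escaped per RFC 4515 so that filter metacharacters in a supplied username stay literal, and testing userAccountControl for the ACCOUNTDISABLE bit rather than matching only the exact values 512 and 66048 seen in the log of !2. The {0}/{1} template convention and all function names are assumptions of this example.

```python
import re
from typing import Optional

# Active Directory userAccountControl bits used here (constants chosen for
# this example; 512 + 65536 = 66048, the two exact values matched in the log).
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000
# Extensible-match rule OID for a bitwise AND on integer attributes.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so that
    '*', '(', ')', '\\' and NUL in the value are literal characters rather
    than filter syntax."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def render_filter(searchattr: str, value: str,
                  search_filter: Optional[str] = None) -> str:
    """Render the configured search filter with format(): {0} is the
    'searchattr' option and {1} the escaped search value (the {0}/{1}
    placeholder convention is an assumption of this example).  With no
    filter configured, fall back to a simple attr=value filter."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", searchattr):
        raise ValueError("invalid LDAP attribute name: %r" % searchattr)
    template = search_filter or "({0}={1})"
    return template.format(searchattr, escape_filter_value(value))


def is_disabled(user_account_control: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set (e.g. 514 or 66050); the exact
    values 512 and 66048 from the log never have it set."""
    return bool(user_account_control & UAC_ACCOUNTDISABLE)


def enabled_user_filter(searchattr: str, value: str) -> str:
    """Combine the user filter with a bitwise test that excludes disabled
    accounts, instead of enumerating exact userAccountControl values as the
    filter in the log does (each extra flag combination would otherwise
    need its own OR branch)."""
    return "(&{0}(!(userAccountControl:{1}:={2})))".format(
        render_filter(searchattr, value), LDAP_MATCHING_RULE_BIT_AND,
        UAC_ACCOUNTDISABLE)


if __name__ == "__main__":
    print(render_filter("sAMAccountName", "wade.fitzpatrick"))
    print(enabled_user_filter("sAMAccountName", "wade.fitzpatrick"))
```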
      fix: confusion between attribute and option · 046c7ed4
      ziirish authored
      046c7ed4
    • Wade Fitzpatrick's avatar
      dd328b93