Hack for implementing LDAP auth.

Might be useful to use as a basis for a more complete solution.

Author: Richard Jones

patches/20020205.alternate_auth

@@ -0,0 +1,254 @@
+From [email protected] Wed Feb  6 04:27:15 2002
+X-Sieve: cmu-sieve 2.0
+Return-Path: <[email protected]>
+Received: (from uucp@localhost)
+	by crown.off.ekorp.com (8.9.3/8.9.3) id RAA12435
+	for [email protected]; Tue, 5 Feb 2002 17:30:24 GMT
+Received: from usw-sf-fw2.sourceforge.net(216.136.171.252), claiming to be "usw-sf-list1.sourceforge.net"
+ via SMTP by mx3.ekorp.com, id smtpdAAALJaWqy; Tue Feb  5 17:30:22 2002
+Received: from localhost ([127.0.0.1] helo=usw-sf-list1.sourceforge.net)
+	by usw-sf-list1.sourceforge.net with esmtp (Exim 3.31-VA-mm2 #1 (Debian))
+	id 16Y9Q6-0002kj-00; Tue, 05 Feb 2002 09:30:14 -0800
+Received: from lotus2.lotus.com ([129.42.241.42])
+	by usw-sf-list1.sourceforge.net with esmtp (Exim 3.31-VA-mm2 #1 (Debian))
+	id 16Y9Ps-0002ee-00
+	for <[email protected]>; Tue, 05 Feb 2002 09:30:00 -0800
+Received: from internet2.lotus.com (internet2 [172.16.131.236])
+	by lotus2.lotus.com (8.12.1/8.12.1) with ESMTP id g15HUnTQ013140
+	for <[email protected]>; Tue, 5 Feb 2002 12:30:54 -0500 (EST)
+Received: from a3mail.lotus.com (a3mail.lotus.com [9.95.5.66])
+	by internet2.lotus.com (8.12.1/8.12.1) with ESMTP id g15HTHS0005917
+	for <[email protected]>; Tue, 5 Feb 2002 12:29:17 -0500 (EST)
+To: [email protected]
+X-Mailer: Lotus Notes Release 5.0.8  June 18, 2001
+Message-ID: <[email protected]>
+From: "Daniel Clark/CAM/Lotus" <[email protected]>
+X-MIMETrack: Serialize by Router on A3MAIL/CAM/H/Lotus(Build V5010_01222002 |January 22, 2002) at
+ 02/05/2002 12:25:48 PM
+MIME-Version: 1.0
+Content-type: text/plain;
+  charset=iso-8859-1
+Content-transfer-encoding: quoted-printable
+Subject: [Roundup-devel] Alternative authentication for roundup
+Sender: [email protected]
+Errors-To: [email protected]
+X-BeenThere: [email protected]
+X-Mailman-Version: 2.0.5
+Precedence: bulk
+List-Help: <mailto:[email protected]?subject=help>
+List-Post: <mailto:[email protected]>
+List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/roundup-devel>,
+	<mailto:[email protected]?subject=subscribe>
+List-Id: <roundup-devel.lists.sourceforge.net>
+List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/roundup-devel>,
+	<mailto:[email protected]?subject=unsubscribe>
+List-Archive: <http://www.geocrawler.com/redir-sf.php3?list=roundup-devel>
+X-Original-Date: Tue, 5 Feb 2002 12:27:15 -0500
+Date: Tue, 5 Feb 2002 12:27:15 -0500
+Status: R 
+X-Status: N
+
+I'm trying to get roundup to work with an alternative method of
+authentication (due to a corporate requirement of using a common intran=
+et
+password). I've created an "altauth" module to abstract the details of =
+the
+authentication. Since the hyperdb usernames and passwords seem to be
+referenced in a lot of places in the code, I am just creating hyperdb
+entries for the users if they exist and enter their correct passwords
+against the alternate authentication source. For the most part this eff=
+ects
+the login_action function in cgi_client.py. I've completed some changes=
+
+that make this work for the web interface, but as I am new to roundup a=
+nd
+relatively new to python I thought I'd post the changes for review. If
+others would find this functionality useful I would be happy if these
+changes (probably reworked) could make it into future releases.
+
+The main things I think I still need to do are add equivalent changes t=
+o
+mailgw.py and handle messages from the alternative authentication sourc=
+e
+better.
+
+--- cgi_client.py Tue Feb  5 21:56:30 2002
++++ cgi_client.py-altauth     Tue Feb  5 21:56:30 2002
+@@ -27,6 +27,13 @@
+ import roundupdb, htmltemplate, date, hyperdb, password
+ from roundup.i18n import _
+
++try:
++    from altauth import altauth
++    import password as password_module
++    altauth_exists =3D 1
++except:
++    altauth_exists =3D 0
++
+ class Unauthorised(ValueError):
+     pass
+
+@@ -807,7 +814,24 @@
+             password =3D self.form['__login_password'].value
+         else:
+             password =3D ''
++        # if using alternate authentication, perform it.
++        if altauth_exists:
++            auth =3D altauth(self.user, password)
+         # make sure the user exists
++        if altauth_exists:
++            if auth.exists:
++                try:
++                    uid =3D self.db.user.lookup(self.user)
++                except KeyError:
++                    username =3D str(self.user)
++                    self.db =3D self.instance.open('admin')
++                    cl =3D self.db.user
++                    props =3D {'username':username, 'realname':auth.re=
+alname,
++                             'organisation':auth.org, 'address':auth.e=
+mail,
++                             'phone':auth.phone}
++                    uid =3D cl.create(**props)
++                    self.user =3D cl.get(uid, 'username')
++                    self.db.commit()
+         try:
+             uid =3D self.db.user.lookup(self.user)
+         except KeyError:
+@@ -819,6 +843,20 @@
+             return 0
+
+         # and that the password is correct
++        if altauth_exists:
++            if auth.success:
++                name =3D str(self.user)
++                self.db =3D self.instance.open(name)
++                value =3D password_module.Password(password.strip())
++                password_dict =3D {'password':value}
++                user =3D self.db.user
++                user.set(uid, **password_dict)
++                self.db.commit()
++            else:
++                self.make_user_anonymous()o
++                action =3D self.form['__destination_url'].value
++                self.login(message=3D_(auth.message), action=3Daction)=
+
++                return 0
+         pw =3D self.db.user.get(uid, 'password')
+         if password !=3D pw:
+             self.make_user_anonymous()
+
+
+example altauth.py:
+
+__doc__ =3D """
+Alternative authentication for roundup
+"""
+
+import pipes, os, string
+
+class altauth:
+    """
+    Arguments:
+        username : username
+        password : password in plaintext
+
+    Instance variables:
+        realname : username's real name
+        org      : username's organization
+        email    : username's email address
+        phone    : username's phone number
+
+        code     : return code from alternate authentication
+        message  : message from alternate authentication
+        exists   : does user exist in alternate autentication source?
+        success  : did user enter a valid user / password combo?
+    """
+    def __init__(self, username=3DNone, password=3DNone):
+        # Make sure user and password have values - else java cwauthcmd=
+ hangs.
+        if username is None:
+            username =3D "test"
+        if password is None:
+            password =3D "test"
+
+        # In Bluepages, your username is your email address, but this m=
+ight not
+        # be true for other authentication sources.
+        self.email =3D username
+
+        # Get realname, phone and org from Bluepages
+        cmd =3D "phone ldap emailaddress=3D%s format givenname sn telep=
+honenumber dept" % self.email
+        s =3D os.popen(cmd).readlines()[0].strip().split()
+        self.realname =3D string.join(s[:-2])
+        self.phone =3D s[-2]
+        self.org =3D s[-1]
+
+        # Open a pipeline to java cwauth stuff. The most secure option =
+I could think of
+        # besides JPE (Java Python Extension), which I couldn't get to =
+work.
+        os.umask(077)
+        t=3Dpipes.Template()
+        t.append('java cwauthcmd', '--')
+        tmpfile =3D os.tmpnam()
+        f=3Dt.open(tmpfile, 'w')
+        f.write(username + " " + password)
+        f.close()
+        self.code =3D int(open(tmpfile).read().strip())
+        os.remove(tmpfile)
+
+        if self.code =3D=3D 0:
+            self.message =3D "Success. The authentication was successfu=
+l."
+            self.exists =3D 1
+            self.success =3D 1
+        elif self.code =3D=3D 2:
+            self.message =3D "Not registered. Visit http://w3.ibm.com/p=
+assword/"
+            self.exists =3D 0
+            self.success =3D 0
+        elif self.code =3D=3D 3:
+            self.message =3D "LDAP Error. There was an error communicat=
+ing with Bluepages."
+            self.exists =3D 0
+            self.success =3D 0
+        elif self.code =3D=3D 4:
+            self.message  =3D "No Record Found. No user was found havin=
+g that e-mail address."
+            self.exists =3D 0
+            self.success =3D 0
+        elif self.code =3D=3D 5:
+            self.message =3D "Multiple Records Found. More than one ent=
+ry exists for that e-mail address."
+            self.exists =3D 1
+            self.success =3D 0
+        elif self.code =3D=3D 6:
+            self.message =3D "Incorrect password. Try again or visit ht=
+tp://w3.ibm.com/password"
+            self.exists =3D 1
+            self.success =3D 0
+        else:
+            self.message =3D "Unknown result code. Contact daniel_clark=
+@us.ibm.com"
+            self.exists =3D 0
+            self.success =3D 0
+
+
+--
+Daniel Clark =A7 Sys Admin & Assistant Release Engineer
+IBM =BB Lotus =BB Messaging Technology Group =A7 http://w3.mtg.lotus.co=
+m
+Tieline 693-7353 =A7 External 617-693-7353 =A7 Mobile 617-877-0702
+AIM as djbclark =A7 Sametime as Daniel Clark/CAM/Lotus
+=
+
+
+
+_______________________________________________
+Roundup-devel mailing list
+[email protected]
+https://lists.sourceforge.net/lists/listinfo/roundup-devel
+
+