PNG  IHDRX cHRMz&u0`:pQ<bKGD pHYsodtIME MeqIDATxw]Wug^Qd˶ 6`!N:!@xI~)%7%@Bh&`lnjVF29gΨ4E$|>cɚ{gk= %,a KX%,a KX%,a KX%,a KX%,a KX%,a KX%, b` ǟzeאfp]<!SJmɤY޲ڿ,%c ~ع9VH.!Ͳz&QynֺTkRR.BLHi٪:l;@(!MԴ=žI,:o&N'Kù\vRmJ雵֫AWic H@" !: Cé||]k-Ha oݜ:y F())u]aG7*JV@J415p=sZH!=!DRʯvɱh~V\}v/GKY$n]"X"}t@ xS76^[bw4dsce)2dU0 CkMa-U5tvLƀ~mlMwfGE/-]7XAƟ`׮g ewxwC4\[~7@O-Q( a*XGƒ{ ՟}$_y3tĐƤatgvێi|K=uVyrŲlLӪuܿzwk$m87k( `múcE)"@rK( z4$D; 2kW=Xb$V[Ru819קR~qloѱDyįݎ*mxw]y5e4K@ЃI0A D@"BDk_)N\8͜9dz"fK0zɿvM /.:2O{ Nb=M=7>??Zuo32 DLD@D| &+֎C #B8ַ`bOb $D#ͮҪtx]%`ES`Ru[=¾!@Od37LJ0!OIR4m]GZRJu$‡c=%~s@6SKy?CeIh:[vR@Lh | (BhAMy=݃  G"'wzn޺~8ԽSh ~T*A:xR[ܹ?X[uKL_=fDȊ؂p0}7=D$Ekq!/t.*2ʼnDbŞ}DijYaȲ(""6HA;:LzxQ‘(SQQ}*PL*fc\s `/d'QXW, e`#kPGZuŞuO{{wm[&NBTiiI0bukcA9<4@SӊH*؎4U/'2U5.(9JuDfrޱtycU%j(:RUbArLֺN)udA':uGQN"-"Is.*+k@ `Ojs@yU/ H:l;@yyTn}_yw!VkRJ4P)~y#)r,D =ě"Q]ci'%HI4ZL0"MJy 8A{ aN<8D"1#IJi >XjX֔#@>-{vN!8tRݻ^)N_╗FJEk]CT՟ YP:_|H1@ CBk]yKYp|og?*dGvzنzӴzjֺNkC~AbZƷ`.H)=!QͷVTT(| u78y֮}|[8-Vjp%2JPk[}ԉaH8Wpqhwr:vWª<}l77_~{s۴V+RCģ%WRZ\AqHifɤL36: #F:p]Bq/z{0CU6ݳEv_^k7'>sq*+kH%a`0ԣisqにtү04gVgW΂iJiS'3w.w}l6MC2uԯ|>JF5`fV5m`Y**Db1FKNttu]4ccsQNnex/87+}xaUW9y>ͯ骵G{䩓Գ3+vU}~jJ.NFRD7<aJDB1#ҳgSb,+CS?/ VG J?|?,2#M9}B)MiE+G`-wo߫V`fio(}S^4e~V4bHOYb"b#E)dda:'?}׮4繏`{7Z"uny-?ǹ;0MKx{:_pÚmFמ:F " .LFQLG)Q8qN q¯¯3wOvxDb\. BKD9_NN &L:4D{mm o^tֽ:q!ƥ}K+<"m78N< ywsard5+Š²z~mnG)=}lYݧNj'QJS{S :UYS-952?&O-:W}(!6Mk4+>A>j+i|<<|;ر^߉=HE|V#F)Emm#}/"y GII웻Jі94+v뾧xu~5C95~ūH>c@덉pʃ1/4-A2G%7>m;–Y,cyyaln" ?ƻ!ʪ<{~h~i y.zZB̃/,雋SiC/JFMmBH&&FAbϓO^tubbb_hZ{_QZ-sύodFgO(6]TJA˯#`۶ɟ( %$&+V'~hiYy>922 Wp74Zkq+Ovn錄c>8~GqܲcWꂎz@"1A.}T)uiW4="jJ2W7mU/N0gcqܗOO}?9/wìXžΏ0 >֩(V^Rh32!Hj5`;O28؇2#ݕf3 ?sJd8NJ@7O0 b־?lldщ̡&|9C.8RTWwxWy46ah嘦mh٤&l zCy!PY?: CJyв]dm4ǜҐR޻RլhX{FƯanшQI@x' ao(kUUuxW_Ñ줮[w8 FRJ(8˼)_mQ _!RJhm=!cVmm ?sFOnll6Qk}alY}; "baӌ~M0w,Ggw2W:G/k2%R,_=u`WU R.9T"v,<\Ik޽/2110Ӿxc0gyC&Ny޽JҢrV6N ``یeA16"J³+Rj*;BϜkZPJaÍ<Jyw:NP8/D$ 011z֊Ⱳ3ι֘k1V_"h!JPIΣ'ɜ* aEAd:ݺ>y<}Lp&PlRfTb1]o .2EW\ͮ]38؋rTJsǏP@芎sF\> P^+dYJLbJ C-xϐn> ι$nj,;Ǖa FU *择|h ~izť3ᤓ`K'-f tL7JK+vf2)V'-sFuB4i+m+@My=O҈0"|Yxoj,3]:cо3 $#uŘ%Y"y죯LebqtҢVzq¼X)~>4L׶m~[1_k?kxֺQ`\ |ٛY4Ѯr!)N9{56(iNq}O()Em]=F&u?$HypWUeB\k]JɩSع9 Zqg4ZĊo oMcjZBU]B\TUd34ݝ~:7ڶSUsB0Z3srx 7`:5xcx !qZA!;%͚7&P H<WL!džOb5kF)xor^aujƍ7 Ǡ8/p^(L>ὴ-B,{ۇWzֺ^k]3\EE@7>lYBȝR.oHnXO/}sB|.i@ɥDB4tcm,@ӣgdtJ!lH$_vN166L__'Z)y&kH;:,Y7=J 9cG) V\hjiE;gya~%ks_nC~Er er)muuMg2;֫R)Md) ,¶ 2-wr#F7<-BBn~_(o=KO㭇[Xv eN_SMgSҐ BS헃D%g_N:/pe -wkG*9yYSZS.9cREL !k}<4_Xs#FmҶ:7R$i,fi!~' # !6/S6y@kZkZcX)%5V4P]VGYq%H1!;e1MV<!ϐHO021Dp= HMs~~a)ަu7G^];git!Frl]H/L$=AeUvZE4P\.,xi {-~p?2b#amXAHq)MWǾI_r`S Hz&|{ +ʖ_= (YS(_g0a03M`I&'9vl?MM+m~}*xT۲(fY*V4x@29s{DaY"toGNTO+xCAO~4Ϳ;p`Ѫ:>Ҵ7K 3}+0 387x\)a"/E>qpWB=1 ¨"MP(\xp߫́A3+J] n[ʼnӼaTbZUWb={~2ooKױӰp(CS\S筐R*JغV&&"FA}J>G֐p1ٸbk7 ŘH$JoN <8s^yk_[;gy-;߉DV{c B yce% aJhDȶ 2IdйIB/^n0tNtџdcKj4϶v~- CBcgqx9= PJ) dMsjpYB] GD4RDWX +h{y`,3ꊕ$`zj*N^TP4L:Iz9~6s) Ga:?y*J~?OrMwP\](21sZUD ?ܟQ5Q%ggW6QdO+\@ ̪X'GxN @'4=ˋ+*VwN ne_|(/BDfj5(Dq<*tNt1х!MV.C0 32b#?n0pzj#!38}޴o1KovCJ`8ŗ_"]] rDUy޲@ Ȗ-;xџ'^Y`zEd?0„ DAL18IS]VGq\4o !swV7ˣι%4FѮ~}6)OgS[~Q vcYbL!wG3 7띸*E Pql8=jT\꘿I(z<[6OrR8ºC~ډ]=rNl[g|v TMTղb-o}OrP^Q]<98S¤!k)G(Vkwyqyr޽Nv`N/e p/~NAOk \I:G6]4+K;j$R:Mi #*[AȚT,ʰ,;N{HZTGMoּy) ]%dHء9Պ䠬|<45,\=[bƟ8QXeB3- &dҩ^{>/86bXmZ]]yޚN[(WAHL$YAgDKp=5GHjU&99v簪C0vygln*P)9^͞}lMuiH!̍#DoRBn9l@ xA/_v=ȺT{7Yt2N"4!YN`ae >Q<XMydEB`VU}u]嫇.%e^ánE87Mu\t`cP=AD/G)sI"@MP;)]%fH9'FNsj1pVhY&9=0pfuJ&gޤx+k:!r˭wkl03׼Ku C &ѓYt{.O.zҏ z}/tf_wEp2gvX)GN#I ݭ߽v/ .& и(ZF{e"=V!{zW`, ]+LGz"(UJp|j( #V4, 8B 0 9OkRrlɱl94)'VH9=9W|>PS['G(*I1==C<5"Pg+x'K5EMd؞Af8lG ?D FtoB[je?{k3zQ vZ;%Ɠ,]E>KZ+T/ EJxOZ1i #T<@ I}q9/t'zi(EMqw`mYkU6;[t4DPeckeM;H}_g pMww}k6#H㶏+b8雡Sxp)&C $@'b,fPߑt$RbJ'vznuS ~8='72_`{q纶|Q)Xk}cPz9p7O:'|G~8wx(a 0QCko|0ASD>Ip=4Q, d|F8RcU"/KM opKle M3#i0c%<7׿p&pZq[TR"BpqauIp$ 8~Ĩ!8Սx\ւdT>>Z40ks7 z2IQ}ItԀ<-%S⍤};zIb$I 5K}Q͙D8UguWE$Jh )cu4N tZl+[]M4k8֦Zeq֮M7uIqG 1==tLtR,ƜSrHYt&QP윯Lg' I,3@P'}'R˪e/%-Auv·ñ\> vDJzlӾNv5:|K/Jb6KI9)Zh*ZAi`?S {aiVDԲuy5W7pWeQJk֤#5&V<̺@/GH?^τZL|IJNvI:'P=Ϛt"¨=cud S Q.Ki0 !cJy;LJR;G{BJy޺[^8fK6)=yʊ+(k|&xQ2`L?Ȓ2@Mf 0C`6-%pKpm')c$׻K5[J*U[/#hH!6acB JA _|uMvDyk y)6OPYjœ50VT K}cǻP[ $:]4MEA.y)|B)cf-A?(e|lɉ#P9V)[9t.EiQPDѠ3ϴ;E:+Օ t ȥ~|_N2,ZJLt4! %ա]u {+=p.GhNcŞQI?Nd'yeh n7zi1DB)1S | S#ًZs2|Ɛy$F SxeX{7Vl.Src3E℃Q>b6G ўYCmtկ~=K0f(=LrAS GN'ɹ9<\!a`)֕y[uՍ[09` 9 +57ts6}b4{oqd+J5fa/,97J#6yν99mRWxJyѡyu_TJc`~W>l^q#Ts#2"nD1%fS)FU w{ܯ R{ ˎ󅃏џDsZSQS;LV;7 Od1&1n$ N /.q3~eNɪ]E#oM~}v֯FڦwyZ=<<>Xo稯lfMFV6p02|*=tV!c~]fa5Y^Q_WN|Vs 0ҘދU97OI'N2'8N֭fgg-}V%y]U4 峧p*91#9U kCac_AFңĪy뚇Y_AiuYyTTYЗ-(!JFLt›17uTozc. S;7A&&<ԋ5y;Ro+:' *eYJkWR[@F %SHWP 72k4 qLd'J "zB6{AC0ƁA6U.'F3:Ȅ(9ΜL;D]m8ڥ9}dU "v!;*13Rg^fJyShyy5auA?ɩGHRjo^]׽S)Fm\toy 4WQS@mE#%5ʈfFYDX ~D5Ϡ9tE9So_aU4?Ѽm%&c{n>.KW1Tlb}:j uGi(JgcYj0qn+>) %\!4{LaJso d||u//P_y7iRJ߬nHOy) l+@$($VFIQ9%EeKʈU. ia&FY̒mZ=)+qqoQn >L!qCiDB;Y<%} OgBxB!ØuG)WG9y(Ą{_yesuZmZZey'Wg#C~1Cev@0D $a@˲(.._GimA:uyw֬%;@!JkQVM_Ow:P.s\)ot- ˹"`B,e CRtaEUP<0'}r3[>?G8xU~Nqu;Wm8\RIkբ^5@k+5(By'L&'gBJ3ݶ!/㮻w҅ yqPWUg<e"Qy*167΃sJ\oz]T*UQ<\FԎ`HaNmڜ6DysCask8wP8y9``GJ9lF\G g's Nn͵MLN֪u$| /|7=]O)6s !ĴAKh]q_ap $HH'\1jB^s\|- W1:=6lJBqjY^LsPk""`]w)󭃈,(HC ?䔨Y$Sʣ{4Z+0NvQkhol6C.婧/u]FwiVjZka&%6\F*Ny#8O,22+|Db~d ~Çwc N:FuuCe&oZ(l;@ee-+Wn`44AMK➝2BRՈt7g*1gph9N) *"TF*R(#'88pm=}X]u[i7bEc|\~EMn}P瘊J)K.0i1M6=7'_\kaZ(Th{K*GJyytw"IO-PWJk)..axӝ47"89Cc7ĐBiZx 7m!fy|ϿF9CbȩV 9V-՛^pV̌ɄS#Bv4-@]Vxt-Z, &ֺ*diؠ2^VXbs֔Ìl.jQ]Y[47gj=幽ex)A0ip׳ W2[ᎇhuE^~q흙L} #-b۸oFJ_QP3r6jr+"nfzRJTUqoaۍ /$d8Mx'ݓ= OՃ| )$2mcM*cЙj}f };n YG w0Ia!1Q.oYfr]DyISaP}"dIӗթO67jqR ҊƐƈaɤGG|h;t]䗖oSv|iZqX)oalv;۩meEJ\!8=$4QU4Xo&VEĊ YS^E#d,yX_> ۘ-e\ "Wa6uLĜZi`aD9.% w~mB(02G[6y.773a7 /=o7D)$Z 66 $bY^\CuP. (x'"J60׿Y:Oi;F{w佩b+\Yi`TDWa~|VH)8q/=9!g߆2Y)?ND)%?Ǐ`k/sn:;O299yB=a[Ng 3˲N}vLNy;*?x?~L&=xyӴ~}q{qE*IQ^^ͧvü{Huu=R|>JyUlZV, B~/YF!Y\u_ݼF{_C)LD]m {H 0ihhadd nUkf3oٺCvE\)QJi+֥@tDJkB$1!Đr0XQ|q?d2) Ӣ_}qv-< FŊ߫%roppVBwü~JidY4:}L6M7f٬F "?71<2#?Jyy4뷢<_a7_=Q E=S1И/9{+93֮E{ǂw{))?maÆm(uLE#lïZ  ~d];+]h j?!|$F}*"4(v'8s<ŏUkm7^7no1w2ؗ}TrͿEk>p'8OB7d7R(A 9.*Mi^ͳ; eeUwS+C)uO@ =Sy]` }l8^ZzRXj[^iUɺ$tj))<sbDJfg=Pk_{xaKo1:-uyG0M ԃ\0Lvuy'ȱc2Ji AdyVgVh!{]/&}}ċJ#%d !+87<;qN޼Nفl|1N:8ya  8}k¾+-$4FiZYÔXk*I&'@iI99)HSh4+2G:tGhS^繿 Kتm0 вDk}֚+QT4;sC}rՅE,8CX-e~>G&'9xpW,%Fh,Ry56Y–hW-(v_,? ; qrBk4-V7HQ;ˇ^Gv1JVV%,ik;D_W!))+BoS4QsTM;gt+ndS-~:11Sgv!0qRVh!"Ȋ(̦Yl.]PQWgٳE'`%W1{ndΗBk|Ž7ʒR~,lnoa&:ü$ 3<a[CBݮwt"o\ePJ=Hz"_c^Z.#ˆ*x z̝grY]tdkP*:97YľXyBkD4N.C_[;F9`8& !AMO c `@BA& Ost\-\NX+Xp < !bj3C&QL+*&kAQ=04}cC!9~820G'PC9xa!w&bo_1 Sw"ܱ V )Yl3+ס2KoXOx]"`^WOy :3GO0g;%Yv㐫(R/r (s } u B &FeYZh0y> =2<Ϟc/ -u= c&׭,.0"g"7 6T!vl#sc>{u/Oh Bᾈ)۴74]x7 gMӒ"d]U)}" v4co[ ɡs 5Gg=XR14?5A}D "b{0$L .\4y{_fe:kVS\\O]c^W52LSBDM! C3Dhr̦RtArx4&agaN3Cf<Ԉp4~ B'"1@.b_/xQ} _߃҉/gٓ2Qkqp0շpZ2fԫYz< 4L.Cyυι1t@鎫Fe sYfsF}^ V}N<_`p)alٶ "(XEAVZ<)2},:Ir*#m_YӼ R%a||EƼIJ,,+f"96r/}0jE/)s)cjW#w'Sʯ5<66lj$a~3Kʛy 2:cZ:Yh))+a߭K::N,Q F'qB]={.]h85C9cr=}*rk?vwV렵ٸW Rs%}rNAkDv|uFLBkWY YkX מ|)1!$#3%y?pF<@<Rr0}: }\J [5FRxY<9"SQdE(Q*Qʻ)q1E0B_O24[U'],lOb ]~WjHޏTQ5Syu wq)xnw8~)c 쫬gٲߠ H% k5dƝk> kEj,0% b"vi2Wس_CuK)K{n|>t{P1򨾜j>'kEkƗBg*H%'_aY6Bn!TL&ɌOb{c`'d^{t\i^[uɐ[}q0lM˕G:‚4kb祔c^:?bpg… +37stH:0}en6x˟%/<]BL&* 5&fK9Mq)/iyqtA%kUe[ڛKN]Ě^,"`/ s[EQQm?|XJ߅92m]G.E΃ח U*Cn.j_)Tѧj̿30ڇ!A0=͜ar I3$C^-9#|pk!)?7.x9 @OO;WƝZBFU keZ75F6Tc6"ZȚs2y/1 ʵ:u4xa`C>6Rb/Yм)^=+~uRd`/|_8xbB0?Ft||Z\##|K 0>>zxv8۴吅q 8ĥ)"6>~\8:qM}#͚'ĉ#p\׶ l#bA?)|g g9|8jP(cr,BwV (WliVxxᡁ@0Okn;ɥh$_ckCgriv}>=wGzβ KkBɛ[˪ !J)h&k2%07δt}!d<9;I&0wV/ v 0<H}L&8ob%Hi|޶o&h1L|u֦y~󛱢8fٲUsւ)0oiFx2}X[zVYr_;N(w]_4B@OanC?gĦx>мgx>ΛToZoOMp>40>V Oy V9iq!4 LN,ˢu{jsz]|"R޻&'ƚ{53ўFu(<٪9:΋]B;)B>1::8;~)Yt|0(pw2N%&X,URBK)3\zz&}ax4;ǟ(tLNg{N|Ǽ\G#C9g$^\}p?556]/RP.90 k,U8/u776s ʪ_01چ|\N 0VV*3H鴃J7iI!wG_^ypl}r*jɤSR 5QN@ iZ#1ٰy;_\3\BQQ x:WJv츟ٯ$"@6 S#qe딇(/P( Dy~TOϻ<4:-+F`0||;Xl-"uw$Цi󼕝mKʩorz"mϺ$F:~E'ҐvD\y?Rr8_He@ e~O,T.(ފR*cY^m|cVR[8 JҡSm!ΆԨb)RHG{?MpqrmN>߶Y)\p,d#xۆWY*,l6]v0h15M˙MS8+EdI='LBJIH7_9{Caз*Lq,dt >+~ّeʏ?xԕ4bBAŚjﵫ!'\Ը$WNvKO}ӽmSşذqsOy?\[,d@'73'j%kOe`1.g2"e =YIzS2|zŐƄa\U,dP;jhhhaxǶ?КZ՚.q SE+XrbOu%\GتX(H,N^~]JyEZQKceTQ]VGYqnah;y$cQahT&QPZ*iZ8UQQM.qo/T\7X"u?Mttl2Xq(IoW{R^ ux*SYJ! 4S.Jy~ BROS[V|žKNɛP(L6V^|cR7i7nZW1Fd@ Ara{詑|(T*dN]Ko?s=@ |_EvF]׍kR)eBJc" MUUbY6`~V޴dJKß&~'d3i WWWWWW

F1l3 Manager

Current Directory: /opt/saltstack/salt/lib/python3.10/site-packages/salt/auth
/opt/saltstack/salt/lib/python3.10/site-packages/salt/auth/
Viewing File: /opt/saltstack/salt/lib/python3.10/site-packages/salt/auth/ldap.py
""" Provide authentication using simple LDAP binds :depends: - ldap Python module """ import itertools import logging from jinja2 import Environment import salt.utils.data import salt.utils.stringutils from salt.exceptions import CommandExecutionError, SaltInvocationError log = logging.getLogger(__name__) try: # pylint: disable=no-name-in-module import ldap import ldap.filter import ldap.modlist HAS_LDAP = True # pylint: enable=no-name-in-module except ImportError: HAS_LDAP = False # Defaults, override in master config __defopts__ = { "auth.ldap.basedn": "", "auth.ldap.uri": "", "auth.ldap.server": "localhost", "auth.ldap.port": "389", "auth.ldap.starttls": False, "auth.ldap.tls": False, "auth.ldap.no_verify": False, "auth.ldap.anonymous": False, "auth.ldap.scope": 2, "auth.ldap.groupou": "Groups", "auth.ldap.accountattributename": "memberUid", "auth.ldap.groupattribute": "memberOf", "auth.ldap.persontype": "person", "auth.ldap.groupclass": "posixGroup", "auth.ldap.activedirectory": False, "auth.ldap.freeipa": False, "auth.ldap.minion_stripdomains": [], } def _config(key, mandatory=True, opts=None): """ Return a value for 'name' from master config file options or defaults. """ try: if opts: value = opts[f"auth.ldap.{key}"] else: value = __opts__[f"auth.ldap.{key}"] except KeyError: try: value = __defopts__[f"auth.ldap.{key}"] except KeyError: if mandatory: msg = f"missing auth.ldap.{key} in master config" raise SaltInvocationError(msg) return False return value def _render_template(param, username): """ Render config template, substituting username where found. """ env = Environment() template = env.from_string(param) variables = {"username": username} return template.render(variables) class _LDAPConnection: """ Setup an LDAP connection. """ def __init__( self, uri, server, port, starttls, tls, no_verify, binddn, bindpw, anonymous, accountattributename, activedirectory=False, ): """ Bind to an LDAP directory using passed credentials. """ self.uri = uri self.server = server self.port = port self.starttls = starttls self.tls = tls self.binddn = binddn self.bindpw = bindpw if not HAS_LDAP: raise CommandExecutionError( "LDAP connection could not be made, the python-ldap module is " "not installed. Install python-ldap to use LDAP external auth." ) if self.starttls and self.tls: raise CommandExecutionError( "Cannot bind with both starttls and tls enabled." "Please enable only one of the protocols" ) schema = "ldaps" if tls else "ldap" if self.uri == "": self.uri = f"{schema}://{self.server}:{self.port}" try: if no_verify: ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER) self.ldap = ldap.initialize(f"{self.uri}") self.ldap.protocol_version = 3 # ldap.VERSION3 self.ldap.set_option(ldap.OPT_REFERRALS, 0) # Needed for AD if not anonymous: if not self.bindpw: raise CommandExecutionError( "LDAP bind password is not set: password cannot be empty if auth.ldap.anonymous is False" ) if self.starttls: self.ldap.start_tls_s() self.ldap.simple_bind_s(self.binddn, self.bindpw) except Exception as ldap_error: # pylint: disable=broad-except raise CommandExecutionError( "Failed to bind to LDAP server {} as {}: {}".format( self.uri, self.binddn, ldap_error ) ) def _bind_for_search(anonymous=False, opts=None): """ Bind with binddn and bindpw only for searching LDAP :param anonymous: Try binding anonymously :param opts: Pass in when __opts__ is not available :return: LDAPConnection object """ # Get config params; create connection dictionary connargs = {} # config params (auth.ldap.*) params = { "mandatory": [ "uri", "server", "port", "starttls", "tls", "no_verify", "anonymous", "accountattributename", "activedirectory", ], "additional": [ "binddn", "bindpw", "filter", "groupclass", "auth_by_group_membership_only", ], } paramvalues = {} for param in params["mandatory"]: paramvalues[param] = _config(param, opts=opts) for param in params["additional"]: paramvalues[param] = _config(param, mandatory=False, opts=opts) paramvalues["anonymous"] = anonymous # Only add binddn/bindpw to the connargs when they're set, as they're not # mandatory for initializing the LDAP object, but if they're provided # initially, a bind attempt will be done during the initialization to # validate them if paramvalues["binddn"]: connargs["binddn"] = paramvalues["binddn"] if paramvalues["bindpw"]: params["mandatory"].append("bindpw") for name in params["mandatory"]: connargs[name] = paramvalues[name] if not paramvalues["anonymous"]: if paramvalues["binddn"] and paramvalues["bindpw"]: # search for the user's DN to be used for the actual authentication return _LDAPConnection(**connargs).ldap def _bind(username, password, anonymous=False, opts=None): """ Authenticate via an LDAP bind """ # Get config params; create connection dictionary basedn = _config("basedn", opts=opts) scope = _config("scope", opts=opts) connargs = {} # config params (auth.ldap.*) params = { "mandatory": [ "uri", "server", "port", "starttls", "tls", "no_verify", "anonymous", "accountattributename", "activedirectory", ], "additional": [ "binddn", "bindpw", "filter", "groupclass", "auth_by_group_membership_only", ], } paramvalues = {} for param in params["mandatory"]: paramvalues[param] = _config(param, opts=opts) for param in params["additional"]: paramvalues[param] = _config(param, mandatory=False, opts=opts) paramvalues["anonymous"] = anonymous if paramvalues["binddn"]: # the binddn can also be composited, e.g. # - {{ username }}@domain.com # - cn={{ username }},ou=users,dc=company,dc=tld # so make sure to render it first before using it paramvalues["binddn"] = _render_template(paramvalues["binddn"], username) paramvalues["binddn"] = ldap.filter.escape_filter_chars(paramvalues["binddn"]) if paramvalues["filter"]: escaped_username = ldap.filter.escape_filter_chars(username) paramvalues["filter"] = _render_template( paramvalues["filter"], escaped_username ) # Only add binddn/bindpw to the connargs when they're set, as they're not # mandatory for initializing the LDAP object, but if they're provided # initially, a bind attempt will be done during the initialization to # validate them if paramvalues["binddn"]: connargs["binddn"] = paramvalues["binddn"] if paramvalues["bindpw"]: params["mandatory"].append("bindpw") for name in params["mandatory"]: connargs[name] = paramvalues[name] if not paramvalues["anonymous"]: if paramvalues["binddn"] and paramvalues["bindpw"]: # search for the user's DN to be used for the actual authentication _ldap = _LDAPConnection(**connargs).ldap log.debug( "Running LDAP user dn search with filter:%s, dn:%s, scope:%s", paramvalues["filter"], basedn, scope, ) result = _ldap.search_s(basedn, int(scope), paramvalues["filter"]) if not result: log.warning("Unable to find user %s", username) return False elif len(result) > 1: # Active Directory returns something odd. Though we do not # chase referrals (ldap.set_option(ldap.OPT_REFERRALS, 0) above) # it still appears to return several entries for other potential # sources for a match. All these sources have None for the # CN (ldap array return items are tuples: (cn, ldap entry)) # But the actual CNs are at the front of the list. # So with some list comprehension magic, extract the first tuple # entry from all the results, create a list from those, # and count the ones that are not None. If that total is more than one # we need to error out because the ldap filter isn't narrow enough. cns = [tup[0] for tup in result] total_not_none = sum(1 for c in cns if c is not None) if total_not_none > 1: log.error( "LDAP lookup found multiple results for user %s", username ) return False elif total_not_none == 0: log.error( "LDAP lookup--unable to find CN matching user %s", username ) return False connargs["binddn"] = result[0][0] if paramvalues["binddn"] and not paramvalues["bindpw"]: connargs["binddn"] = paramvalues["binddn"] elif paramvalues["binddn"] and not paramvalues["bindpw"]: connargs["binddn"] = paramvalues["binddn"] # Update connection dictionary with the user's password connargs["bindpw"] = password # Attempt bind with user dn and password if paramvalues["anonymous"]: log.debug("Attempting anonymous LDAP bind") else: log.debug("Attempting LDAP bind with user dn: %s", connargs["binddn"]) try: ldap_conn = _LDAPConnection(**connargs).ldap except Exception: # pylint: disable=broad-except connargs.pop("bindpw", None) # Don't log the password log.error("Failed to authenticate user dn via LDAP: %s", connargs) log.debug("Error authenticating user dn via LDAP:", exc_info=True) return False log.debug("Successfully authenticated user dn via LDAP: %s", connargs["binddn"]) return ldap_conn def auth(username, password): """ Simple LDAP auth """ if not HAS_LDAP: log.error("LDAP authentication requires python-ldap module") return False bind = None # If bind credentials are configured, verify that we receive a valid bind if _config("binddn", mandatory=False) and _config("bindpw", mandatory=False): search_bind = _bind_for_search(anonymous=_config("anonymous", mandatory=False)) # If username & password are not None, attempt to verify they are valid if search_bind and username and password: bind = _bind( username, password, anonymous=_config("auth_by_group_membership_only", mandatory=False) and _config("anonymous", mandatory=False), ) else: bind = _bind( username, password, anonymous=_config("auth_by_group_membership_only", mandatory=False) and _config("anonymous", mandatory=False), ) if bind: log.debug("LDAP authentication successful") return bind log.error("LDAP _bind authentication FAILED") return False def groups(username, **kwargs): """ Authenticate against an LDAP group Behavior is highly dependent on if Active Directory is in use. AD handles group membership very differently than OpenLDAP. See the :ref:`External Authentication <acl-eauth>` documentation for a thorough discussion of available parameters for customizing the search. OpenLDAP allows you to search for all groups in the directory and returns members of those groups. Then we check against the username entered. """ group_list = [] # If bind credentials are configured, use them instead of user's if _config("binddn", mandatory=False) and _config("bindpw", mandatory=False): bind = _bind_for_search(anonymous=_config("anonymous", mandatory=False)) else: bind = _bind( username, kwargs.get("password", ""), anonymous=_config("auth_by_group_membership_only", mandatory=False) and _config("anonymous", mandatory=False), ) if bind: log.debug("ldap bind to determine group membership succeeded!") if _config("activedirectory"): try: get_user_dn_search = "(&({}={})(objectClass={}))".format( _config("accountattributename"), username, _config("persontype") ) user_dn_results = bind.search_s( _config("basedn"), ldap.SCOPE_SUBTREE, get_user_dn_search, ["distinguishedName"], ) except Exception as e: # pylint: disable=broad-except log.error("Exception thrown while looking up user DN in AD: %s", e) return group_list if not user_dn_results: log.error("Could not get distinguished name for user %s", username) return group_list # LDAP results are always tuples. First entry in the tuple is the DN dn = ldap.filter.escape_filter_chars(user_dn_results[0][0]) ldap_search_string = "(&(member={})(objectClass={}))".format( dn, _config("groupclass") ) log.debug("Running LDAP group membership search: %s", ldap_search_string) try: search_results = bind.search_s( _config("basedn"), ldap.SCOPE_SUBTREE, ldap_search_string, [ salt.utils.stringutils.to_str(_config("accountattributename")), "cn", ], ) except Exception as e: # pylint: disable=broad-except log.error( "Exception thrown while retrieving group membership in AD: %s", e ) return group_list for _, entry in search_results: if "cn" in entry: group_list.append(salt.utils.stringutils.to_unicode(entry["cn"][0])) log.debug("User %s is a member of groups: %s", username, group_list) elif _config("freeipa"): escaped_username = ldap.filter.escape_filter_chars(username) search_base = _config("group_basedn") search_string = _render_template(_config("group_filter"), escaped_username) search_results = bind.search_s( search_base, ldap.SCOPE_SUBTREE, search_string, [ salt.utils.stringutils.to_str(_config("accountattributename")), salt.utils.stringutils.to_str(_config("groupattribute")), "cn", ], ) for entry, result in search_results: for user in itertools.chain( result.get(_config("accountattributename"), []), result.get(_config("groupattribute"), []), ): if ( username == salt.utils.stringutils.to_unicode(user) .split(",")[0] .split("=")[-1] ): group_list.append(entry.split(",")[0].split("=")[-1]) log.debug("User %s is a member of groups: %s", username, group_list) if not auth(username, kwargs["password"]): log.error("LDAP username and password do not match") return [] else: if _config("groupou"): search_base = "ou={},{}".format(_config("groupou"), _config("basedn")) else: search_base = "{}".format(_config("basedn")) search_string = "(&({}={})(objectClass={}))".format( _config("accountattributename"), username, _config("groupclass") ) search_results = bind.search_s( search_base, ldap.SCOPE_SUBTREE, search_string, [ salt.utils.stringutils.to_str(_config("accountattributename")), "cn", salt.utils.stringutils.to_str(_config("groupattribute")), ], ) for _, entry in search_results: if username in salt.utils.data.decode( entry[_config("accountattributename")] ): group_list.append(salt.utils.stringutils.to_unicode(entry["cn"][0])) for user, entry in search_results: if ( username == salt.utils.stringutils.to_unicode(user) .split(",")[0] .split("=")[-1] ): for group in salt.utils.data.decode( entry[_config("groupattribute")] ): group_list.append( salt.utils.stringutils.to_unicode(group) .split(",")[0] .split("=")[-1] ) log.debug("User %s is a member of groups: %s", username, group_list) # Only test user auth on first call for job. # 'show_jid' only exists on first payload so we can use that for the conditional. if "show_jid" in kwargs and not _bind( username, kwargs.get("password"), anonymous=_config("auth_by_group_membership_only", mandatory=False) and _config("anonymous", mandatory=False), ): log.error("LDAP username and password do not match") return [] else: log.error("ldap bind to determine group membership FAILED!") return group_list def __expand_ldap_entries(entries, opts=None): """ :param entries: ldap subtree in external_auth config option :param opts: Opts to use when __opts__ not defined :return: Dictionary with all allowed operations Takes the ldap subtree in the external_auth config option and expands it with actual minion names webadmins%: <all users in the AD 'webadmins' group> - server1 - .* - ldap(OU=webservers,dc=int,dc=bigcompany,dc=com) - test.ping - service.restart - ldap(OU=Domain Controllers,dc=int,dc=bigcompany,dc=com) - allowed_fn_list_attribute^ This function only gets called if auth.ldap.activedirectory = True """ bind = _bind_for_search(opts=opts) acl_tree = [] for user_or_group_dict in entries: if not isinstance(user_or_group_dict, dict): acl_tree.append(user_or_group_dict) continue for minion_or_ou, matchers in user_or_group_dict.items(): permissions = matchers retrieved_minion_ids = [] if minion_or_ou.startswith("ldap("): search_base = minion_or_ou.lstrip("ldap(").rstrip(")") search_string = "(objectClass=computer)" try: search_results = bind.search_s( search_base, ldap.SCOPE_SUBTREE, search_string, ["cn"] ) for ldap_match in search_results: try: minion_id = ldap_match[1]["cn"][0].lower() # Some LDAP/AD trees only have the FQDN of machines # in their computer lists. auth.minion_stripdomains # lets a user strip off configured domain names # and arrive at the basic minion_id if opts.get("auth.ldap.minion_stripdomains", None): for domain in opts["auth.ldap.minion_stripdomains"]: if minion_id.endswith(domain): minion_id = minion_id[: -len(domain)] break retrieved_minion_ids.append(minion_id) except TypeError: # TypeError here just means that one of the returned # entries didn't match the format we expected # from LDAP. pass for minion_id in retrieved_minion_ids: acl_tree.append({minion_id: permissions}) log.trace("Expanded acl_tree is: %s", acl_tree) except ldap.NO_SUCH_OBJECT: pass else: acl_tree.append({minion_or_ou: matchers}) log.trace("__expand_ldap_entries: %s", acl_tree) return acl_tree def process_acl(auth_list, opts=None): """ Query LDAP, retrieve list of minion_ids from an OU or other search. For each minion_id returned from the LDAP search, copy the perms matchers into the auth dictionary :param auth_list: :param opts: __opts__ for when __opts__ is not injected :return: Modified auth list. """ ou_names = [] for item in auth_list: if isinstance(item, str): continue ou_names.extend( [ potential_ou for potential_ou in item.keys() if potential_ou.startswith("ldap(") ] ) if ou_names: auth_list = __expand_ldap_entries(auth_list, opts) return auth_list
webs 1.0 - Enhanced UI