From: Michael Tremer
Date: Wed, 28 Jun 2023 10:26:29 +0000 (+0000)
Subject: accounts: Authenticate against Kerberos rather than LDAP
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=da8538e5deb6cfcc1f2ad6cec16fa613d284b94d;p=ipfire.org.git

accounts: Authenticate against Kerberos rather than LDAP

Signed-off-by: Michael Tremer
---

diff --git a/src/backend/accounts.py b/src/backend/accounts.py
index 1c5a577c..d6e2d749 100644
--- a/src/backend/accounts.py
+++ b/src/backend/accounts.py
@@ -8,12 +8,14 @@ import hashlib
 import hmac
 import iso3166
 import json
+import kerberos
 import ldap
 import ldap.modlist
 import logging
 import os
 import phonenumbers
 import re
+import socket
 import sys
 import time
 import tornado.httpclient
@@ -29,6 +31,8 @@ from .misc import Object
 # Set the client keytab name
 os.environ["KRB5_CLIENT_KTNAME"] = "/etc/ipfire.org/ldap.keytab"
 
+FQDN = socket.gethostname()
+
 class LDAPObject(Object):
 	def init(self, dn, attrs=None):
 		self.dn = dn
@@ -765,19 +769,21 @@ class Account(LDAPObject):
 
 		logging.debug("Checking credentials for %s" % self.dn)
 
-		# Create a new LDAP connection
-		ldap_uri = self.backend.settings.get("ldap_uri")
-		conn = ldap.initialize(ldap_uri)
-
+		# Check the credentials against the Kerberos database
 		try:
-			conn.simple_bind_s(self.dn, password.encode("utf-8"))
-		except ldap.INVALID_CREDENTIALS:
-			logging.debug("Account credentials are invalid for %s" % self)
+			kerberos.checkPassword(self.uid, password, "host/%s" % FQDN, "IPFIRE.ORG")
+
+		# Catch any authentication errors
+		except kerberos.BasicAuthError as e:
+			logging.debug("Could not authenticate %s: %s" % (self.uid, e))
+
 			return False
 
-		logging.info("Successfully authenticated %s" % self)
+		# Otherwise return True
+		else:
+			logging.info("Successfully authenticated %s" % self)
 
-		return True
+			return True
 
 	def check_password_quality(self, password):
 		"""
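Review bot: `FQDN = socket.gethostname()` does not necessarily yield a fully qualified name; `gethostname()` returns whatever the kernel hostname is set to, which on many hosts is the short name, so the service principal built from it in `check_password` (`"host/%s" % FQDN`) may not match the `host/` entry in the keytab. `socket.getfqdn()` is the call that resolves to the canonical name, i.e. `FQDN = socket.getfqdn()`. If the deployment guarantees a fully qualified kernel hostname this is fine, but a comment stating that assumption would help, e.g. `# The host/ service principal below must match the keytab entry; assumes the kernel hostname is fully qualified`. The surrounding `KRB5_CLIENT_KTNAME` comment could also be extended to say that this keytab is what the password check verifies the obtained ticket against, as far as the library honours it.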
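Review bot: Only `kerberos.BasicAuthError` is caught around `kerberos.checkPassword(...)`, so any other failure the library raises (a `kerberos.KrbError` for an unreachable KDC or a missing/unreadable keytab during ticket verification, as far as I recall the library's behaviour) propagates out of `check_password` instead of returning `False`. That is the fail-closed outcome a credential check should have, but callers that previously only saw `True`/`False` from the LDAP bind now need to expect an exception, and this should be stated in the method's docstring, which starts outside the hunk and presumably still describes an LDAP bind. I would add a comment above the `try`, `# Non-auth Kerberos errors (KDC/keytab problems) deliberately propagate: fail closed rather than return False`, and update the docstring to say the method verifies the password with the KDC and returns True/False. The realm `"IPFIRE.ORG"` is now hard-coded where the removed code read `ldap_uri` from `self.backend.settings`; reading it from settings in the same way would keep the backend configurable and consistent with the rest of the file.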