Initial LDAP support

cps/ub.py

@@ -14,6 +14,7 @@ import json
 import datetime
 from binascii import hexlify
 import cli
+import ldap
 
 engine = create_engine('sqlite:///{0}'.format(cli.settingspath), echo=False)
 Base = declarative_base()
@@ -46,6 +47,8 @@ SIDEBAR_PUBLISHER = 4096
 DEFAULT_PASS = "admin123"
 DEFAULT_PORT = int(os.environ.get("CALIBRE_PORT", 8083))
 
+LDAP_PROVIDER_URL = 'ldap://localhost:389/'
+LDAP_PROTOCOL_VERSION = 3
 
 class UserBase:
 
@@ -152,6 +155,13 @@ class UserBase:
     def __repr__(self):
         return '<User %r>' % self.nickname
 
+    @staticmethod
+    def try_login(username, password):
+        conn = get_ldap_connection()
+        conn.simple_bind_s(
+             'uid={},ou=users,dc=yunohost,dc=org'.format(username),
+             password
+        )
 
 # Baseclass for Users in Calibre-Web, settings which are depending on certain users are stored here. It is derived from
 # User Base (all access methods are declared there)
@@ -778,6 +788,11 @@ else:
     migrate_Database()
     clean_database()
 
+#get LDAP connection
+def get_ldap_connection():
+    conn = ldap.initialize(LDAP_PROVIDER_URL)
+    return conn
+
 # Generate global Settings Object accessible from every file
 config = Config()
 searched_ids = {}

cps/web.py

@@ -57,6 +57,7 @@ from redirect import redirect_back
 import time
 import server
 from reverseproxy import ReverseProxied
+import ldap
 
 try:
     from googleapiclient.errors import HttpError
@@ -2342,7 +2343,16 @@ def login():
     if request.method == "POST":
         form = request.form.to_dict()
         user = ub.session.query(ub.User).filter(func.lower(ub.User.nickname) == form['username'].strip().lower()).first()
-        if user and check_password_hash(user.password, form['password']) and user.nickname is not "Guest":
+        try:
+            app.logger.info("Tryong LDAP connexion")
+            ub.User.try_login(form['username'], form['password'])
+            login_user(user, remember=True)
+            flash(_(u"you are now logged in as: '%(nickname)s'", nickname=user.nickname), category="success")
+            return redirect_back(url_for("index"))
+        except ldap.INVALID_CREDENTIALS:
+            ipAdress = request.headers.get('X-Forwarded-For', request.remote_addr)
+            app.logger.info('LDAP Login failed for user "' + form['username'] + '" IP-adress: ' + ipAdress)
+        if user and check_password_hash(user.password, form['password']) and user.nickname is not "Guest" and not user.is_authenticated:
             login_user(user, remember=True)
             flash(_(u"you are now logged in as: '%(nickname)s'", nickname=user.nickname), category="success")
             return redirect_back(url_for("index"))