
radicale-auth-ldap's People

Contributors

bu3tt1, marcoh00, naominitel


radicale-auth-ldap's Issues

LDAP3 version

Is there any specific reason why versions of LDAP3 >= 2.4 are not supported or is this just because they are untested?

I'd assume that newer 2.X versions would stay backwards-compatible. Supporting them would allow me to more easily package this module for my distribution.

[SECURITY] ldap3 removed utils.dn.escape_attribute_value

This is used while generating the to-be-searched-for DN out of arbitrary user input. This seems pretty important and has to be resolved before anyone should use this in production again. The temporary fix is to import the function from older ldap3 versions and just use it.

  • Don't use utils.dn.escape_attribute_value anymore as it is not inside ldap3 anymore
  • Re-import it into the source tree
  • Use imported version

Review LDAP query escaping

Since utils.dn.escape_attribute_value was re-imported into this project from ldap3, basic query string escaping is present again.

However, I don't feel too safe with this. I'm pretty sure there was a reason why ldap3 deprecated this and as I don't have a very deep understanding of ldap query strings, I just need to document that I can't guarantee this code will not kill your kittens or burn your house...

Seriously, this module parses more or less unfiltered queries from the web against an authentication backend and it would be very nice if someone with some LDAP skills could look after this again and make sure we do some proper query string escaping here!

Radicale 3 support

Hi,

We at Cloudron are in the process of updating our app package to Radicale v3 and thus were hoping to use this plugin for user integration. However, it appears the Radicale auth plugin interface has slightly changed. I have created a custom plugin within our app package repo at https://git.cloudron.io/cloudron/radicale-app/-/tree/master/radicale_cloudron_ldap_auth

It would be great if we could somehow merge ours into this plugin to join forces.
Is there any interest within this project to support Radicale 3 and thus would a pull request with the fixes have any chances?

Thanks!

Refactoring and SSL hardening

Hi,

I have done some work on this plugin and added some smaller features:

  • switch to ldap3.utils.conv.escape_filter_chars instead of outdated escape_attribute_value
  • add some basic exception handling
  • move bind operations to a single method
  • add ability to harden SSL connections (cert verify, CA cert, SSL protocol)
  • set some defaults for config options

I need to do some work on test coverage and maybe add missing SSL options (like ciphers), but for now I think it is good to go. If you would like to merge it back, I will create a pull request.
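
The issues above move from a DN-value escaping helper to a filter escaping helper. The following added example (not code from this plugin or from ldap3) shows why the two are not interchangeable: it implements RFC 4514 DN-value escaping and RFC 4515 filter-value escaping with the standard library only, and builds the `(&(...)X)` filter form described in the plugin configuration on this page. The function names are hypothetical, and `attribute` and `extra_filter` are assumed to come from trusted configuration.

```python
import re

# RFC 4515 section 3: characters that must be written as \XX inside a filter value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# RFC 4514 section 2.4: characters that must be backslash-escaped inside a DN value.
DN_SPECIALS = '"+,;<>\\'


def escape_filter_value(value):
    """Escape a string for use as an assertion value in a search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape a string for use as an attribute value inside a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in DN_SPECIALS or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(attribute, extra_filter, login):
    """Build (&(attribute=login)X), X being the configured ldap_filter."""
    return "(&({}={}){})".format(attribute, escape_filter_value(login), extra_filter)


def unescaped_metachars(fragment):
    """List filter metacharacters that are not part of a \\XX escape."""
    stripped = re.sub(r"\\[0-9a-fA-F]{2}", "", fragment)
    return [ch for ch in stripped if ch in "*()\\"]


if __name__ == "__main__":
    login = "a*(b)\\c"  # constructed input containing filter metacharacters
    # DN escaping leaves '*', '(' and ')' untouched, so it is unsafe in a filter.
    print(escape_dn_value(login), unescaped_metachars(escape_dn_value(login)))
    # Filter escaping encodes every metacharacter, so the filter structure is fixed.
    print(build_user_filter("uid", "(objectClass=person)", login))
```

A login value must be escaped for the context it is placed in: the DN rules when it becomes part of a bind DN, the filter rules when it becomes part of a search filter.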

Failed to load authentication module 'radicale_auth_ldap': invalid syntax (connection.py, line 55)

I tried to add the plugin radicale_auth_ldap extending the Dockerfile of Kozea.

my Dockerfile

FROM alpine:latest

# Version of Radicale (e.g. 2.0.0)
ARG VERSION_RADICALE=2.1.11
ARG VERSION_RADICALE_AUTH_LDAP=c399db0c2990ca79f1113f7a6834502e90201149

# Install dependencies
RUN apk add --no-cache \
      python3 \
      python3-dev \
      build-base \
      libffi-dev \
      ca-certificates \
      openssl \
      git
# Install Radicale
RUN wget --quiet https://github.com/Kozea/Radicale/archive/${VERSION_RADICALE}.tar.gz --output-document=radicale.tar.gz && \
    tar xzf radicale.tar.gz && \
    pip3 install ./Radicale-${VERSION_RADICALE}[md5,bcrypt]
# Install LDAP
RUN git clone -v git://github.com/marcoh00/radicale-auth-ldap.git Radicale-${VERSION_RADICALE}/radicale-auth-ldap && \
    cd Radicale-${VERSION_RADICALE}/radicale-auth-ldap && \
    git checkout $VERSION_RADICALE_AUTH_LDAP && \
    pip3 install --upgrade .
# Remove artifacts
RUN rm -r radicale.tar.gz Radicale-${VERSION_RADICALE}
# Remove build dependencies
RUN apk del \
      python3-dev \
      build-base \
      libffi-dev \
      git
# Persistent storage for data (Mount it somewhere on the host!)
VOLUME /var/lib/radicale
# Configuration data (Put the "config" file here!)
VOLUME /etc/radicale
# TCP port of Radicale (Publish it on a host interface!)
EXPOSE 5232
# Run Radicale (Configure it here or provide a "config" file!)
CMD ["radicale", "--hosts", "0.0.0.0:5232"]

docker-compose.yml

version: "3.5"
services:
    radicale:
        build: .
        container_name: radicale
        ports:
          - "5232:5232"
        volumes:
          - ./volumes:/var/lib/radicale/collections
          - ./configs:/etc/radicale

config

[auth]
type = radicale_auth_ldap

# LDAP server URL, with protocol and port
ldap_url = ldap://ldap:389

# LDAP base path
ldap_base = ou=Users,dc=TESTDOMAIN

# LDAP login attribute
ldap_attribute = uid

# LDAP filter string
# placed as X in a query of the form (&(...)X)
# example: (objectCategory=Person)(objectClass=User)(memberOf=cn=calenderusers,ou=users,dc=example,dc=org)
ldap_filter = (objectClass=person)

# LDAP dn for initial login, used if LDAP server does not allow anonymous searches
# Leave empty if searches are anonymous
ldap_binddn = cn=admin,dc=TESTDOMAIN

# LDAP password for initial login, used with ldap_binddn
ldap_password = verysecurepassword

# LDAP scope of the search
ldap_scope = LEVEL

I get this error

radicale        | [7fe1390b3d48] INFO: Starting Radicale
radicale        | [7fe1390b3d48] ERROR: An exception occurred during server startup: Failed to load authentication module 'radicale_auth_ldap': invalid syntax (connection.py, line 55)
radicale        | Traceback (most recent call last):
radicale        |   File "/usr/lib/python3.8/site-packages/radicale/auth.py", line 80, in load
radicale        |     class_ = import_module(auth_type).Auth
radicale        |   File "/usr/lib/python3.8/importlib/__init__.py", line 127, in import_module
radicale        |     return _bootstrap._gcd_import(name[level:], package, level)
radicale        |   File "<frozen importlib._bootstrap>", line 1014, in _gcd_import
radicale        |   File "<frozen importlib._bootstrap>", line 991, in _find_and_load
radicale        |   File "<frozen importlib._bootstrap>", line 975, in _find_and_load_unlocked
radicale        |   File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
radicale        |   File "<frozen importlib._bootstrap_external>", line 783, in exec_module
radicale        |   File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
radicale        |   File "/usr/lib/python3.8/site-packages/radicale_auth_ldap/__init__.py", line 29, in <module>
radicale        |     import ldap3
radicale        |   File "/usr/lib/python3.8/site-packages/ldap3/__init__.py", line 132, in <module>
radicale        |     from .core.connection import Connection
radicale        |   File "/usr/lib/python3.8/site-packages/ldap3/core/connection.py", line 55
radicale        |     from ..strategy.async import AsyncStrategy
radicale        |                     ^
radicale        | SyntaxError: invalid syntax
radicale        | 
radicale        | The above exception was the direct cause of the following exception:
radicale        | 
radicale        | Traceback (most recent call last):
radicale        |   File "/usr/lib/python3.8/site-packages/radicale/__main__.py", line 138, in run
radicale        |     serve(configuration, logger)
radicale        |   File "/usr/lib/python3.8/site-packages/radicale/__main__.py", line 229, in serve
radicale        |     application = Application(configuration, logger)
radicale        |   File "/usr/lib/python3.8/site-packages/radicale/__init__.py", line 251, in __init__
radicale        |     self.Auth = auth.load(configuration, logger)
radicale        |   File "/usr/lib/python3.8/site-packages/radicale/auth.py", line 82, in load
radicale        |     raise RuntimeError("Failed to load authentication module %r: %s" %
radicale        | RuntimeError: Failed to load authentication module 'radicale_auth_ldap': invalid syntax (connection.py, line 55)
radicale exited with code 1

I tried with Python 3.6 and 3.7 too.
