repoze.who LDAP plugin

Merge lp:~gnarea/repoze.who.plugins.ldap/1.1proposal into lp:repoze.who.plugins.ldap

1.1proposal
Merge into trunk

Proposed by Gustavo Narea on 2010-05-31

Status:	Merged
Approved by:	Gustavo Narea on 2010-05-31
Approved revision:	70
Merge reported by:	Gustavo Narea
Merged at revision:	not available
Proposed branch:	lp:~gnarea/repoze.who.plugins.ldap/1.1proposal
Merge into:	lp:repoze.who.plugins.ldap
Diff against target:	1071 lines (+589/-105) 10 files modified CHANGELOG (+20/-8) LICENSE (+2/-1) demo/ldapauth/controllers/root.py (+3/-3) demo/ldapauth/model/__init__.py (+1/-1) demo/ldapauth/model/identity.py (+5/-5) docs/source/index.rst (+5/-3) repoze/who/plugins/ldap/__init__.py (+6/-3) repoze/who/plugins/ldap/plugins.py (+288/-36) repoze/who/plugins/ldap/tests.py (+255/-43) setup.py (+4/-2)
To merge this branch:	bzr merge lp:~gnarea/repoze.who.plugins.ldap/1.1proposal
Related bugs:	Link a bug report
Related blueprints:	Create the IIdentifier email plugin (High)

Reviewer	Review Type	Date Requested	Status
Gustavo Narea			Pending
Review via email: mp+26455@code.launchpad.net

Commit message

Merged from the branch with the changes proposed by Lorenzo Catucci.

Description of the change

- Provided ``start_tls`` option both for the authenticator and the metadata
   provider.
- Enable both pattern-replacement and subtree searches for the naming
   attribute in ``_get_dn()``.
- Enable configuration of the naming attribute
- Enable the option to bind to the server with privileged credential before
   doing searches
- Add a restrict pattern to pre-authentication DN searches
- Let the user choose whether to return the full DN or the supplied login as
   the user identifier

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Gustavo Narea

 === modified file 'CHANGELOG'
 --- CHANGELOG	2010-01-28 23:42:16 +0000
 +++ CHANGELOG	2010-05-31 22:51:23 +0000
@@ -1,14 +1,26 @@
  repoze.who.plugins.ldap Changelog
  =================================
--2010-01-28
------------
--
--Changed the license to the `Repoze license <http://repoze.org/license.html>`_.
--
--
--1.0 (2008-09-09)
---------------------------------
++1.1 Alpha 1 (unreleased)
++------------------------
++
++
++ - Changed the license to the `Repoze license <http://repoze.org/license.html>`_.
++ - Provided ``start_tls`` option both for the authenticator and the metadata
++   provider.
++ - Enable both pattern-replacement and subtree searches for the naming
++   attribute in ``_get_dn()``.
++ - Enable configuration of the naming attribute
++ - Enable the option to bind to the server with privileged credential before
++   doing searches
++ - Add a restrict pattern to pre-authentication DN searches
++ - Let the user choose whether to return the full DN or the supplied login as
++   the user identifier
++
++
++1.0 (2008-09-11)
++----------------
++
  The initial release.
   - Provided the LDAP authenticator, which is compatible with identifiers that
 === modified file 'LICENSE'
 --- LICENSE	2010-05-19 22:31:15 +0000
 +++ LICENSE	2010-05-31 22:51:23 +0000
@@ -1,4 +1,5 @@
--Copyright (c) 2008-2010, Gustavo Narea.
++Copyright (c) 2008, Gustavo Narea.
++Copyright (c) 2010, Gustavo Narea and Lorenzo M. Catucci.
  All rights reserved.
  Redistribution and use in source and binary forms, with or without modification,
 === modified file 'demo/ldapauth/controllers/root.py'
 --- demo/ldapauth/controllers/root.py	2010-01-28 23:42:16 +0000
 +++ demo/ldapauth/controllers/root.py	2010-05-31 22:51:23 +0000
@@ -14,10 +14,10 @@
      @expose('ldapauth.templates.about')
      def about(self):
--        if request.environ.get('repoze.who.auth') == None:
++        if request.environ.get('repoze.who.identity') == None:
              raise HTTPUnauthorized()
--        user = request.environ['repoze.who.auth']['repoze.who.userid']
++        user = request.environ['repoze.who.identity']['repoze.who.userid']
          flash('Your Distinguished Name (DN) is "%s"' % user)
          # Passing the metadata
--        metadata = request.environ['repoze.who.auth']
++        metadata = request.environ['repoze.who.identity']
          return dict(metadata=metadata.items())
 === modified file 'demo/ldapauth/model/__init__.py'
 --- demo/ldapauth/model/__init__.py	2010-01-28 23:42:16 +0000
 +++ demo/ldapauth/model/__init__.py	2010-05-31 22:51:23 +0000
@@ -53,4 +53,4 @@
      #mapper(Reflected, t_reflected)
  # Import your model modules here.
--from ldapauth.model.auth import User, Group, Permission
++from ldapauth.model.identity import User, Group, Permission
 === modified file 'demo/ldapauth/model/identity.py'
 --- demo/ldapauth/model/identity.py	2010-01-28 23:42:16 +0000
 +++ demo/ldapauth/model/identity.py	2010-05-31 22:51:23 +0000
@@ -29,7 +29,7 @@
          onupdate="CASCADE", ondelete="CASCADE"))
+ )
--# auth model
++# identity model
  class Group(DeclarativeBase):
      """An ultra-simple group definition.
@@ -132,7 +132,7 @@
          #elif "custom" == algorithm:
          #    custom_encryption_path = turbogears.config.get(
--        #        "auth.custom_encryption", None )
++        #        "identity.custom_encryption", None )
+         #
          #    if custom_encryption_path:
          #        custom_encryption = turbogears.util.load_class(
@@ -151,10 +151,10 @@
      def validate_password(self, password):
          """Check the password against existing credentials.
          """
--        auth = config.get('auth', None)
--        if auth is None:
++        identity = config.get('identity', None)
++        if identity is None:
              return password
--        algorithm = auth.get('password_encryption_method', None)
++        algorithm = identity.get('password_encryption_method', None)
          return self.password == self.__encrypt_password(algorithm, password)
 === modified file 'docs/source/index.rst'
 --- docs/source/index.rst	2008-09-08 23:20:55 +0000
 +++ docs/source/index.rst	2010-05-31 22:51:23 +0000
@@ -86,14 +86,16 @@
  This plugin was made possible thanks to the people below:
-- - **Chris McDonough**, for his guidance throughout the development of the
--   plugin.
++ - **Lorenzo M. Catucci**, of the `University of Rome "Tor Vergata"
++   <http://www.uniroma2.it/>`_, for implementing all of the new features in v1.1.
++ - **Chris McDonough**, for his guidance throughout the initial development of
++   the plugin.
  Copyright notice for this documentation
  =======================================
--Copyright (c) 2008, by Gustavo Narea.
++Copyright (c) 2008-2010, by Gustavo Narea.
  Permission is granted to copy, distribute and/or modify this document under the
  terms of the `GNU Free Documentation License <http://www.gnu.org/copyleft/fdl.html>`_,
 === modified file 'repoze/who/plugins/ldap/__init__.py'
 --- repoze/who/plugins/ldap/__init__.py	2010-05-19 22:31:15 +0000
 +++ repoze/who/plugins/ldap/__init__.py	2010-05-31 22:51:23 +0000
@@ -1,7 +1,9 @@
  # -*- coding: utf-8 -*-
+ #
  # repoze.who.plugins.ldap, LDAP authentication for WSGI applications.
--# Copyright (C) 2008-2010 by Gustavo Narea <http://gustavonarea.net/>
++# Copyright (C) 2010 by Gustavo Narea  <http://gustavonarea.net/> and
++#                       Lorenzo M. Catucci <http://www.uniroma2.it/>.
++# Copyright (C) 2008 by Gustavo Narea <http://gustavonarea.net/>.
+ #
  # This file is part of repoze.who.plugins.ldap
  # <http://code.gustavonarea.net/repoze.who.plugins.ldap/>
@@ -34,6 +36,7 @@
  import ldap
  from repoze.who.plugins.ldap.plugins import LDAPAuthenticatorPlugin, \
--                                            LDAPAttributesPlugin
++                                            LDAPAttributesPlugin, \
++                                            LDAPSearchAuthenticatorPlugin
--__all__ = ['LDAPAuthenticatorPlugin', 'LDAPAttributesPlugin']
++__all__ = ['LDAPAuthenticatorPlugin', 'LDAPSearchAuthenticatorPlugin', 'LDAPAttributesPlugin']
 === modified file 'repoze/who/plugins/ldap/plugins.py'
 --- repoze/who/plugins/ldap/plugins.py	2010-05-19 22:40:52 +0000
 +++ repoze/who/plugins/ldap/plugins.py	2010-05-31 22:51:23 +0000
@@ -1,7 +1,9 @@
  # -*- coding: utf-8 -*-
+ #
  # repoze.who.plugins.ldap, LDAP authentication for WSGI applications.
--# Copyright (C) 2008-2010 by Gustavo Narea <http://gustavonarea.net/>
++# Copyright (C) 2010 by Gustavo Narea  <http://gustavonarea.net/> and
++#                       Lorenzo M. Catucci <http://www.uniroma2.it/>.
++# Copyright (C) 2008 by Gustavo Narea <http://gustavonarea.net/>.
+ #
  # This file is part of repoze.who.plugins.ldap
  # <http://code.gustavonarea.net/repoze.who.plugins.ldap/>
@@ -12,64 +14,114 @@
  # EXPRESS OR IMPLIED WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO,
  # THE IMPLIED WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND
  # FITNESS FOR A PARTICULAR PURPOSE.
--
  """LDAP plugins for repoze.who."""
--__all__ = ['LDAPAuthenticatorPlugin', 'LDAPAttributesPlugin']
++__all__ = ['LDAPAuthenticatorPlugin', 'LDAPSearchAuthenticatorPlugin',
++           'LDAPAttributesPlugin']
  from zope.interface import implements
  import ldap
  from repoze.who.interfaces import IAuthenticator, IMetadataProvider
++from base64 import b64encode, b64decode
++
++import re
++
  #{ Authenticators
--class LDAPAuthenticatorPlugin(object):
++class LDAPBaseAuthenticatorPlugin(object):
      implements(IAuthenticator)
--    def __init__(self, ldap_connection, base_dn):
++    def __init__(self, ldap_connection, base_dn, returned_id='dn',
++                 start_tls=False, bind_dn='', bind_pass='', **kwargs):
          """Create an LDAP authentication plugin.
          By passing an existing LDAPObject, you're free to use the LDAP
          authentication method you want, the way you want.
--        If the default way to find the DN is not suitable for you, you may want
--        to override L{_get_dn}.
++        If the default way to find the DN is not suitable for you, you must
++        override L{_get_dn}.
          This plugin is compatible with any identifier plugin that defines the
--        C{login} and C{password} items in the I{auth} dictionary.
++        C{login} and C{password} items in the I{identity} dictionary.
          @param ldap_connection: An initialized LDAP connection.
          @type ldap_connection: C{ldap.ldapobject.SimpleLDAPObject}
++
          @param base_dn: The base for the I{Distinguished Name}. Something like
              C{ou=employees,dc=example,dc=org}, to which will be prepended the
              user id: C{uid=jsmith,ou=employees,dc=example,dc=org}.
          @type base_dn: C{unicode}
++        @param returned_id: Should we return the full DN or just the
++            bare naming identifier value on successful authentication?
++        @type returned_id: C{str}, 'dn' or 'login'
++        @attention: While the DN is always unique, if you configure the
++            authenticator plugin to return the bare naming attribute,
++            you have to ensure its uniqueness in the DIT.
++        @param start_tls: Should we negotiate a TLS upgrade on the connection with
++            the directory server?
++        @type start_tls: C{bool}
++        @param bind_dn: Operate as the bind_dn directory entry
++        @type bind_dn: C{str}
++        @param bind_pass: The password for bind_dn directory entry
++        @type bind_pass: C{str}
          @raise ValueError: If at least one of the parameters is not defined.
          """
          if base_dn is None:
              raise ValueError('A base Distinguished Name must be specified')
          self.ldap_connection = make_ldap_connection(ldap_connection)
++
++        if start_tls:
++            try:
++                self.ldap_connection.start_tls_s()
++            except:
++                raise ValueError('Cannot upgrade the connection')
++
++        self.bind_dn = bind_dn
++        self.bind_pass = bind_pass
++
          self.base_dn = base_dn
++        if returned_id.lower() == 'dn':
++            self.ret_style = 'd'
++        elif returned_id.lower() == 'login':
++            self.ret_style = 'l'
++        else:
++            raise ValueError("The return style should be 'dn' or 'login'")
++
++    def _get_dn(self, environ, identity):
++        """
++        Return the user DN based on the environment and the identity.
++
++        Must be implemented in a subclass
++
++        @param environ: The WSGI environment.
++        @param identity: The identity dictionary.
++        @return: The Distinguished Name (DN)
++        @rtype: C{unicode}
++        @raise ValueError: If the C{login} key is not in the I{identity} dict.
++
++        """
++        raise ValueError('Unimplemented')
++
++
      # IAuthenticatorPlugin
--    def authenticate(self, environ, auth):
--        """Return the Distinguished Name of the user to be authenticated.
++    def authenticate(self, environ, identity):
++        """Return the naming identifier of the user to be authenticated.
--        @attention: The uid is not returned because it may not be unique; the
--            DN, on the contrary, is always unique.
--        @return: The Distinguished Name (DN), if the credentials were valid.
++        @return: The naming identifier, if the credentials were valid.
          @rtype: C{unicode} or C{None}
          """
          try:
--            dn = self._get_dn(environ, auth)
--            password = auth['password']
++            dn = self._get_dn(environ, identity)
++            password = identity['password']
          except (KeyError, TypeError, ValueError):
              return None
@@ -80,38 +132,196 @@
          try:
              self.ldap_connection.simple_bind_s(dn, password)
++            userdata = identity.get('userdata', '')
              # The credentials are valid!
--            return dn
++            if self.ret_style == 'd':
++                return dn
++            else:
++                identity['userdata'] = userdata + '<dn:%s>' % b64encode(dn)
++                return identity['login']
          except ldap.LDAPError:
              return None
++
++    def __repr__(self):
++        return '<%s %s>' % (self.__class__.__name__, id(self))
++
++
++class LDAPAuthenticatorPlugin(LDAPBaseAuthenticatorPlugin):
++
++    def __init__(self, ldap_connection, base_dn, naming_attribute='uid',
++                 **kwargs):
++        """Create an LDAP authentication plugin using pattern-determined DNs
++
++        By passing an existing LDAPObject, you're free to use the LDAP
++        authentication method you want, the way you want.
--    def _get_dn(self, environ, auth):
--        """
--        Return the DN based on the environment and the auth.
--
--        It prepends the user id to the base DN given in the constructor:
--
--        If the C{login} item of the auth is C{rms} and the base DN is
++        This plugin is compatible with any identifier plugin that defines the
++        C{login} and C{password} items in the I{identity} dictionary.
++
++        @param ldap_connection: An initialized LDAP connection.
++        @type ldap_connection: C{ldap.ldapobject.SimpleLDAPObject}
++        @param base_dn: The base for the I{Distinguished Name}. Something like
++            C{ou=employees,dc=example,dc=org}, to which will be prepended the
++            user id: C{uid=jsmith,ou=employees,dc=example,dc=org}.
++        @type base_dn: C{unicode}
++        @param naming_attribute: The naming attribute for directory entries,
++            C{uid} by default.
++        @type naming_attribute: C{unicode}
++
++        @raise ValueError: If at least one of the parameters is not defined.
++
++        The following parameters are inherited from
++        L{LDAPBaseAuthenticatorPlugin.__init__}
++        @param base_dn: The base for the I{Distinguished Name}. Something like
++            C{ou=employees,dc=example,dc=org}, to which will be prepended the
++            user id: C{uid=jsmith,ou=employees,dc=example,dc=org}.
++        @param returned_id: Should we return full Directory Names or just the
++            bare naming identifier on successful authentication?
++        @param start_tls: Should we negotiate a TLS upgrade on the connection with
++            the directory server?
++        @param bind_dn: Operate as the bind_dn directory entry
++        @param bind_pass: The password for bind_dn directory entry
++
++
++        """
++        LDAPBaseAuthenticatorPlugin.__init__(self, ldap_connection, base_dn,
++                                             **kwargs)
++        self.naming_pattern = u'%s=%%s,%%s' % naming_attribute
++
++    def _get_dn(self, environ, identity):
++        """
++        Return the user naming identifier based on the environment and the
++        identity.
++
++        If the C{login} item of the identity is C{rms} and the base DN is
          C{ou=developers,dc=gnu,dc=org}, the resulting DN will be:
--        C{uid=rms,ou=developers,dc=gnu,dc=org}.
++        C{uid=rms,ou=developers,dc=gnu,dc=org}
--        @attention: You may want to override this method if the DN generated by
--            default doesn't meet your requirements. If you do so, make sure to
--            raise a C{ValueError} exception if the operation is not successful.
          @param environ: The WSGI environment.
--        @param auth: The auth dictionary.
++        @param identity: The identity dictionary.
          @return: The Distinguished Name (DN)
          @rtype: C{unicode}
--        @raise ValueError: If the C{login} key is not in the I{auth} dict.
++        @raise ValueError: If the C{login} key is not in the I{identity} dict.
          """
++
++        if self.bind_dn:
++            try:
++                self.ldap_connection.bind_s(self.bind_dn, self.bind_password)
++            except ldap.LDAPError:
++                raise ValueError("Couldn't bind with supplied credentials")
          try:
--            return u'uid=%s,%s' % (auth['login'], self.base_dn)
++            return self.naming_pattern % ( identity['login'], self.base_dn)
          except (KeyError, TypeError):
              raise ValueError
--    def __repr__(self):
--        return '<%s %s>' % (self.__class__.__name__, id(self))
++
++class LDAPSearchAuthenticatorPlugin(LDAPBaseAuthenticatorPlugin):
++
++    def __init__(self, ldap_connection, base_dn, naming_attribute='uid',
++                 search_scope='subtree', restrict='', **kwargs):
++        """Create an LDAP authentication plugin determining the DN via LDAP searches.
++
++        By passing an existing LDAPObject, you're free to use the LDAP
++        authentication method you want, the way you want.
++
++        If the default way to find the DN is not suitable for you, you may want
++        to override L{_get_dn}.
++
++        This plugin is compatible with any identifier plugin that defines the
++        C{login} and C{password} items in the I{identity} dictionary.
++
++        @param ldap_connection: An initialized LDAP connection.
++        @type ldap_connection: C{ldap.ldapobject.SimpleLDAPObject}
++        @param base_dn: The base for the I{Distinguished Name}. Something like
++            C{ou=employees,dc=example,dc=org}, to which will be prepended the
++            user id: C{uid=jsmith,ou=employees,dc=example,dc=org}.
++        @type base_dn: C{unicode}
++        @param naming_attribute: The naming attribute for directory entries,
++            C{uid} by default.
++        @type naming_attribute: C{unicode}
++        @param search_scope: Scope for ldap searches
++        @type search_scope: C{str}, 'subtree' or 'onelevel', possibly
++            abbreviated to at least the first three characters
++        @param restrict: An ldap filter which will be ANDed to the search filter
++            while searching for entries matching the naming attribute
++        @type restrict: C{unicode}
++        @attention: restrict will be interpolated into the search string as a
++            bare string like in "(&%s(identifier=login))". It must be correctly
++            parenthesised for such usage as in restrict = "(objectClass=*)".
++
++        @raise ValueError: If at least one of the parameters is not defined.
++
++        The following parameters are inherited from
++        L{LDAPBaseAuthenticatorPlugin.__init__}
++        @param base_dn: The base for the I{Distinguished Name}. Something like
++            C{ou=employees,dc=example,dc=org}, to which will be prepended the
++            user id: C{uid=jsmith,ou=employees,dc=example,dc=org}.
++        @param returned_id: Should we return full Directory Names or just the
++            bare naming identifier on successful authentication?
++        @param start_tls: Should we negotiate a TLS upgrade on the connection
++            with the directory server?
++        @param bind_dn: Operate as the bind_dn directory entry
++        @param bind_pass: The password for bind_dn directory entry
++
++        """
++        LDAPBaseAuthenticatorPlugin.__init__(self, ldap_connection, base_dn,
++                                             **kwargs)
++
++        if search_scope[:3].lower() == 'sub':
++            self.search_scope = ldap.SCOPE_SUBTREE
++        elif search_scope[:3].lower() == 'one':
++            self.search_scope = ldap.SCOPE_ONELEVEL
++        else:
++            raise ValueError("The search scope should be 'one[level]' or 'sub[tree]'")
++
++        if restrict:
++            self.search_pattern = u'(&%s(%s=%%s))' % (restrict,naming_attribute)
++        else:
++            self.search_pattern = u'(%s=%%s)' % naming_attribute
++
++    def _get_dn(self, environ, identity):
++        """
++        Return the DN based on the environment and the identity.
++
++        Searches the directory entry with naming attribute matching the
++        C{login} item of the identity.
++
++        If the C{login} item of the identity is C{rms}, the naming attribute is
++        C{uid} and the base DN is C{dc=gnu,dc=org}, we'll ask the server
++        to search for C{uid = rms} beneath the search base, hopefully
++        finding C{uid=rms,ou=developers,dc=gnu,dc=org}.
++
++        @param environ: The WSGI environment.
++        @param identity: The identity dictionary.
++        @return: The Distinguished Name (DN)
++        @rtype: C{unicode}
++        @raise ValueError: If the C{login} key is not in the I{identity} dict.
++
++        """
++
++        if self.bind_dn:
++            try:
++                self.ldap_connection.bind_s(self.bind_dn, self.bind_password)
++            except ldap.LDAPError:
++                raise ValueError("Couldn't bind with supplied credentials")
++        try:
++            login_name = identity['login'].replace('*',r'\*')
++            srch = self.search_pattern % login_name
++            dn_list = self.ldap_connection.search_s(
++                self.base_dn,
++                self.search_scope,
++                srch,
++                )
++
++            if len(dn_list) == 1:
++                return dn_list[0][0]
++            elif len(dn_list) > 1:
++                raise ValueError('Too many entries found for %s' % srch)
++            else:
++                raise ValueError('No entry found for %s' %srch)
++        except (KeyError, TypeError, ldap.LDAPError):
++            raise # ValueError
  #{ Metadata providers
@@ -121,9 +331,12 @@
      """Loads LDAP attributes of the authenticated user."""
      implements(IMetadataProvider)
++
++    dnrx = re.compile('<dn:(?P<b64dn>[A-Za-z0-9+/]+=*)>')
      def __init__(self, ldap_connection, attributes=None,
--                 filterstr='(objectClass=*)'):
++                 filterstr='(objectClass=*)', start_tls = '',
++                 bind_dn = '', bind_pass =''):
          """
          Fetch LDAP attributes of the authenticated user.
@@ -137,9 +350,28 @@
              <http://www.faqs.org/rfcs/rfc4515.html>}; the results won't be
              filtered unless you define this.
          @type filterstr: C{str}
++        @param start_tls: Should we negotiate a TLS upgrade on the connection with
++            the directory server?
++        @type start_tls: C{str}
++        @param bind_dn: Operate as the bind_dn directory entry
++        @type bind_dn: C{str}
++        @param bind_pass: The password for bind_dn directory entry
++        @type bind_pass: C{str}
          @raise ValueError: If L{make_ldap_connection} could not create a
              connection from C{ldap_connection}, or if C{attributes} is not an
              iterable.
++
++        The following parameters are inherited from
++        L{LDAPBaseAuthenticatorPlugin.__init__}
++        @param base_dn: The base for the I{Distinguished Name}. Something like
++            C{ou=employees,dc=example,dc=org}, to which will be prepended the
++            user id: C{uid=jsmith,ou=employees,dc=example,dc=org}.
++        @param returned_id: Should we return full Directory Names or just the
++            naming attribute value on successful authentication?
++        @param start_tls: Should we negotiate a TLS upgrade on the connection with
++            the directory server?
++        @param bind_dn: Operate as the bind_dn directory entry
++        @param bind_pass: The password for bind_dn directory entry
          """
          if hasattr(attributes, 'split'):
@@ -150,13 +382,21 @@
          elif attributes is not None:
              raise ValueError('The needed LDAP attributes are not valid')
          self.ldap_connection = make_ldap_connection(ldap_connection)
++        if start_tls:
++            try:
++                self.ldap_connection.start_tls_s()
++            except:
++                raise ValueError('Cannot upgrade the connection')
++
++        self.bind_dn   = bind_dn
++        self.bind_pass = bind_pass
          self.attributes = attributes
          self.filterstr = filterstr
      # IMetadataProvider
      def add_metadata(self, environ, identity):
          """
--        Add metadata about the authenticated user to the auth.
++        Add metadata about the authenticated user to the identity.
          It modifies the C{identity} dictionary to add the metadata.
@@ -165,17 +405,29 @@
          """
          # Search arguments:
++        dnmatch = self.dnrx.match(identity.get('userdata',''))
++        if dnmatch:
++            dn = b64decode(dnmatch.group('b64dn'))
++        else:
++            dn = identity.get('repoze.who.userid')
          args = (
--            identity.get('repoze.who.userid'),
++            dn,
              ldap.SCOPE_BASE,
              self.filterstr,
              self.attributes
+         )
++        if self.bind_dn:
++            try:
++                self.ldap_connection.bind_s(self.bind_dn, self.bind_pass)
++            except ldap.LDAPError:
++                raise ValueError("Couldn't bind with supplied credentials")
          try:
              attributes = self.ldap_connection.search_s(*args)
--            identity.update(attributes)
          except ldap.LDAPError, msg:
              environ['repoze.who.logger'].warn('Cannot add metadata: %s' % msg)
++            raise Exception(identity)
++        else:
++            identity.update(attributes[0][1])
  #{ Utilities
 === modified file 'repoze/who/plugins/ldap/tests.py'
 --- repoze/who/plugins/ldap/tests.py	2010-05-19 22:31:15 +0000
 +++ repoze/who/plugins/ldap/tests.py	2010-05-31 22:51:23 +0000
@@ -1,50 +1,53 @@
  # -*- coding: utf-8 -*-
+ #
  # repoze.who.plugins.ldap, LDAP authentication for WSGI applications.
--# Copyright (C) 2008-2010 by Gustavo Narea <http://gustavonarea.net/>
++# Copyright (C) 2010 by Gustavo Narea  <http://gustavonarea.net/> and
++#                       Lorenzo M. Catucci <http://www.uniroma2.it/>.
++# Copyright (C) 2008 by Gustavo Narea <http://gustavonarea.net/>.s
+ #
  # This file is part of repoze.who.plugins.ldap
  # <http://code.gustavonarea.net/repoze.who.plugins.ldap/>
+ #
--# repoze.who.plugins.ldap is freedomware: you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by the
--# Free Software Foundation, either version 3 of the License, or any later
--# version.
--#
--# repoze.who.plugins.ldap is distributed in the hope that it will be useful,
--# but WITHOUT ANY WARRANTY; without even the implied warranty of
--# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
--# Public License for more details.
--#
--# You should have received a copy of the GNU General Public License along with
--# repoze.who.plugins.ldap. If not, see <http://www.gnu.org/licenses/>.
--
++# This software is subject to the provisions of the BSD-like license at
++# http://www.repoze.org/LICENSE.txt.  A copy of the license should accompany
++# this distribution.  THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL
++# EXPRESS OR IMPLIED WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO,
++# THE IMPLIED WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND
++# FITNESS FOR A PARTICULAR PURPOSE.
  """Test suite for repoze.who.plugins.ldap"""
  import unittest
  from dataflake.ldapconnection.tests import fakeldap
--from ldap import modlist
++import ldap
++from ldap import modlist, dn
  from ldap.ldapobject import SimpleLDAPObject
  from zope.interface.verify import verifyClass
  from repoze.who.interfaces import IAuthenticator, IMetadataProvider
  from repoze.who.plugins.ldap import LDAPAuthenticatorPlugin, \
--                                    LDAPAttributesPlugin
++                                    LDAPAttributesPlugin, \
++                                    LDAPSearchAuthenticatorPlugin
  from repoze.who.plugins.ldap.plugins import make_ldap_connection
++from base64 import b64encode
++
  class Base(unittest.TestCase):
      """Base test case for the plugins"""
      def setUp(self):
          # Connecting to a fake server with a fake account:
--        conn = fakeldap.initialize('ldap://example.org')
++        conn = fakeldap.FakeLDAPConnection()
          conn.simple_bind_s('Manager', 'some password')
++        # We must explicitly create the base_dn DIT components
++        fakeldap.addTreeItems(base_dn)
          # Adding a fake user, which is used in the tests
          person_attr = {'cn': [fakeuser['cn']],
                         'uid': fakeuser['uid'],
--                       'userPassword': [fakeuser['hashedPassword']]}
++                       'userPassword': [fakeuser['hashedPassword']],
++                       'telephone': [fakeuser['telephone']],
++                       'mail':[fakeuser['mail']]}
          conn.add_s(fakeuser['dn'], modlist.addModlist(person_attr))
          self.connection = conn
          # Creating a fake environment:
@@ -75,13 +78,14 @@
      def test_without_connection(self):
          self.assertRaises(ValueError, LDAPAuthenticatorPlugin, None,
                            'dc=example,dc=org')
++
      def test_without_base_dn(self):
--        conn = fakeldap.initialize('ldap://example.org')
++        conn = fakeldap.FakeLDAPConnection()
          self.assertRaises(TypeError, LDAPAuthenticatorPlugin, conn)
          self.assertRaises(ValueError, LDAPAuthenticatorPlugin, conn, None)
      def test_with_connection(self):
--        conn = fakeldap.initialize('ldap://example.org')
++        conn = fakeldap.FakeLDAPConnection()
          LDAPAuthenticatorPlugin(conn, 'dc=example,dc=org')
      def test_connection_is_url(self):
@@ -104,40 +108,167 @@
          self.assertEqual(result, None)
      def test_authenticate_incomplete_credentials(self):
--        auth1 = {'login': fakeuser['uid']}
--        auth2 = {'password': fakeuser['password']}
--        result1 = self.plugin.authenticate(self.env, auth1)
--        result2 = self.plugin.authenticate(self.env, auth2)
++        identity1 = {'login': fakeuser['uid']}
++        identity2 = {'password': fakeuser['password']}
++        result1 = self.plugin.authenticate(self.env, identity1)
++        result2 = self.plugin.authenticate(self.env, identity2)
          self.assertEqual(result1, None)
          self.assertEqual(result2, None)
      def test_authenticate_noresults(self):
--        auth = {'login': 'i_dont_exist',
++        identity = {'login': 'i_dont_exist',
                      'password': 'super secure password'}
--        result = self.plugin.authenticate(self.env, auth)
++        result = self.plugin.authenticate(self.env, identity)
          self.assertEqual(result, None)
      def test_authenticate_comparefail(self):
--        auth = {'login': fakeuser['uid'],
++        identity = {'login': fakeuser['uid'],
                      'password': 'wrong password'}
--        result = self.plugin.authenticate(self.env, auth)
++        result = self.plugin.authenticate(self.env, identity)
          self.assertEqual(result, None)
      def test_authenticate_comparesuccess(self):
--        auth = {'login': fakeuser['uid'],
++        identity = {'login': fakeuser['uid'],
                      'password': fakeuser['password']}
--        result = self.plugin.authenticate(self.env, auth)
++        result = self.plugin.authenticate(self.env, identity)
          self.assertEqual(result, fakeuser['dn'])
      def test_custom_authenticator(self):
          """L{LDAPAuthenticatorPlugin._get_dn} should be overriden with no
          problems"""
          plugin = CustomLDAPAuthenticatorPlugin(self.connection, base_dn)
--        auth = {'login': fakeuser['uid'],
++        identity = {'login': fakeuser['uid'],
                      'password': fakeuser['password']}
--        result = plugin.authenticate(self.env, auth)
--        expected = 'uid=%s,ou=admins,%s' % (fakeuser['uid'], base_dn)
++        result = plugin.authenticate(self.env, identity)
++        expected = 'uid=%s,%s' % (fakeuser['uid'], base_dn)
          self.assertEqual(result, expected)
++        self.assertTrue(plugin.called)
++
++class TestLDAPSearchAuthenticatorPluginNaming(Base):
++    """Tests for the L{LDAPSearchAuthenticatorPlugin} IAuthenticator plugin"""
++
++    def setUp(self):
++        super(TestLDAPSearchAuthenticatorPluginNaming, self).setUp()
++        # Loading the plugin:
++        self.plugin = LDAPSearchAuthenticatorPlugin(
++            self.connection,
++            base_dn,
++            naming_attribute='telephone',
++            )
++
++    def test_authenticate_noresults(self):
++        identity = {'login': 'i_dont_exist',
++                    'password': 'super secure password'}
++        result = self.plugin.authenticate(self.env, identity)
++        self.assertEqual(result, None)
++
++    def test_authenticate_comparefail(self):
++        identity = {'login': fakeuser['telephone'],
++                    'password': 'wrong password'}
++        result = self.plugin.authenticate(self.env, identity)
++        self.assertEqual(result, None)
++
++    def test_authenticate_comparesuccess(self):
++        identity = {'login': fakeuser['telephone'],
++                    'password': fakeuser['password']}
++        result = self.plugin.authenticate(self.env, identity)
++        self.assertEqual(result, fakeuser['dn'])
++
++class TestLDAPAuthenticatorReturnLogin(Base):
++    """
++    Tests the L{LDAPAuthenticatorPlugin} IAuthenticator plugin returning
++    login.
++
++    """
++
++    def setUp(self):
++        super(TestLDAPAuthenticatorReturnLogin, self).setUp()
++        # Loading the plugin:
++        self.plugin = LDAPAuthenticatorPlugin(
++            self.connection,
++            base_dn,
++            returned_id='login',
++            )
++
++    def test_authenticate_noresults(self):
++        identity = {'login': 'i_dont_exist',
++                    'password': 'super secure password'}
++        result = self.plugin.authenticate(self.env, identity)
++        self.assertEqual(result, None)
++
++    def test_authenticate_comparefail(self):
++        identity = {'login': fakeuser['uid'],
++                    'password': 'wrong password'}
++        result = self.plugin.authenticate(self.env, identity)
++        self.assertEqual(result, None)
++
++    def test_authenticate_comparesuccess(self):
++        identity = {'login': fakeuser['uid'],
++                    'password': fakeuser['password']}
++        result = self.plugin.authenticate(self.env, identity)
++        self.assertEqual(result, fakeuser['uid'])
++
++    def test_authenticate_dn_in_userdata(self):
++        identity = {'login': fakeuser['uid'],
++                    'password': fakeuser['password']}
++        expected_dn = '<dn:%s>' % b64encode(fakeuser['dn'])
++        result = self.plugin.authenticate(self.env, identity)
++        self.assertEqual(identity['userdata'], expected_dn)
++
++
++class TestLDAPSearchAuthenticatorReturnLogin(Base):
++    """
++    Tests the L{LDAPSearchAuthenticatorPlugin} IAuthenticator plugin returning
++    login.
++
++    """
++
++    def setUp(self):
++        super(TestLDAPSearchAuthenticatorReturnLogin, self).setUp()
++        # Loading the plugin:
++        self.plugin = LDAPSearchAuthenticatorPlugin(
++            self.connection,
++            base_dn,
++            returned_id='login',
++            )
++
++    def test_authenticate_noresults(self):
++        identity = {'login': 'i_dont_exist',
++                    'password': 'super secure password'}
++        result = self.plugin.authenticate(self.env, identity)
++        self.assertEqual(result, None)
++
++    def test_authenticate_comparefail(self):
++        identity = {'login': fakeuser['uid'],
++                    'password': 'wrong password'}
++        result = self.plugin.authenticate(self.env, identity)
++        self.assertEqual(result, None)
++
++    def test_authenticate_comparesuccess(self):
++        identity = {'login': fakeuser['uid'],
++                    'password': fakeuser['password']}
++        result = self.plugin.authenticate(self.env, identity)
++        self.assertEqual(result, fakeuser['uid'])
++
++    def test_authenticate_dn_in_userdata(self):
++        identity = {'login': fakeuser['uid'],
++                    'password': fakeuser['password']}
++        expected_dn = '<dn:%s>' % b64encode(fakeuser['dn'])
++        result = self.plugin.authenticate(self.env, identity)
++        self.assertEqual(identity['userdata'], expected_dn)
++
++
++class TestLDAPAuthenticatorPluginStartTls(Base):
++    """Tests for the L{LDAPAuthenticatorPlugin} IAuthenticator plugin"""
++
++    def setUp(self):
++        super(TestLDAPAuthenticatorPluginStartTls, self).setUp()
++        # Loading the plugin:
++        self.plugin = LDAPAuthenticatorPlugin(self.connection, base_dn,
++                                              start_tls=True)
++
++    def test_implements(self):
++        verifyClass(IAuthenticator, LDAPAuthenticatorPlugin, tentative=True)
  class TestMakeLDAPAttributesPlugin(unittest.TestCase):
@@ -192,25 +323,26 @@
      def test_add_metadata(self):
          plugin = LDAPAttributesPlugin(self.connection)
          environ = {}
--        auth = {'repoze.who.userid': fakeuser['dn']}
--        expected_auth = {
++        identity = {'repoze.who.userid': fakeuser['dn']}
++        expected_identity = {
              'repoze.who.userid': fakeuser['dn'],
              'cn': [fakeuser['cn']],
              'userPassword': [fakeuser['hashedPassword']],
--            'uid': fakeuser['uid']
++            'uid': fakeuser['uid'],
++            'telephone': [ fakeuser['telephone']],
++            'mail': [fakeuser['mail']]
+         }
--        plugin.add_metadata(environ, auth)
--        self.assertEqual(auth, expected_auth)
++        plugin.add_metadata(environ, identity)
++        self.assertEqual(identity, expected_identity)
  # Test cases for plugin utilities
--
  class TestLDAPConnectionFactory(unittest.TestCase):
      """Tests for L{make_ldap_connection}"""
      def test_connection_is_object(self):
--        conn = fakeldap.initialize('ldap://example.org')
++        conn = fakeldap.FakeLDAPConnection()
          self.assertEqual(make_ldap_connection(conn), conn)
      def test_connection_is_str(self):
@@ -225,6 +357,74 @@
          self.assertRaises(ValueError, make_ldap_connection, None)
++# Test cases for the fakeldap connection itself
++
++class TestLDAPConnection(unittest.TestCase):
++    """Connection use tests"""
++
++    def setUp(self):
++        # Connecting to a fake server with a fake account:
++        conn = fakeldap.FakeLDAPConnection()
++        conn.simple_bind_s('Manager', 'some password')
++        # We must explicitly create the base_dn DIT components
++        fakeldap.addTreeItems(base_dn)
++        # Adding a fake user, which is used in the tests
++        self.person_attr = {'cn': [fakeuser['cn']],
++                       'uid': fakeuser['uid'],
++                       'userPassword': [fakeuser['hashedPassword']],
++                       'telephone':[fakeuser['telephone']],
++                       'objectClass': ['top']}
++        conn.add_s(fakeuser['dn'], modlist.addModlist(self.person_attr))
++        self.connection = conn
++
++    def tearDown(self):
++        self.connection.delete_s(fakeuser['dn'])
++
++    def test_simple_search_result(self):
++        rs = self.connection.search_s(
++            base_dn,
++            ldap.SCOPE_SUBTREE,
++            '(uid=%s)' % fakeuser['uid'],
++            )
++        self.assertEqual(rs[0][0], fakeuser['dn'])
++        self.assertEqual(rs[0][1], self.person_attr )
++
++    def unimplemented_test_and_search_result(self):
++        rs = self.connection.search_s(
++            base_dn,
++            ldap.SCOPE_SUBTREE,
++            '(&(objectclass=*)(uid=%s))' % fakeuser['uid'],
++            )
++        self.assertEqual(rs[0][0], fakeuser['dn'])
++        self.assertEqual(rs[0][1], self.person_attr )
++
++    def unimplemented_test_bare_search_result(self):
++        rs = self.connection.search_s(
++            base_dn,
++            ldap.SCOPE_SUBTREE,
++            'uid=%s' % fakeuser['uid'],
++            )
++        self.assertEqual(rs[0][0], fakeuser['dn'])
++        self.assertEqual(rs[0][1], self.person_attr )
++
++    def error_test_email_address_search(self):
++        rs = self.connection.search_s(
++            base_dn,
++            ldap.SCOPE_SUBTREE,
++            '(mail=%s)' % fakeuser['mail'],
++            )
++        self.assertEqual(rs[0][0], fakeuser['dn'])
++        self.assertEqual(rs[0][1], self.person_attr )
++
++    def error_test_plus_in_search(self):
++        rs = self.connection.search_s(
++            base_dn,
++            ldap.SCOPE_SUBTREE,
++            '(telephone=+%s)' % fakeuser['telephone'],
++            )
++        self.assertEqual(rs[0][0], fakeuser['dn'])
++        self.assertEqual(rs[0][1], self.person_attr )
++
  #{ Fixtures
  base_dn = 'ou=people,dc=example,dc=org'
@@ -234,18 +434,22 @@
      'uid': 'carla',
      'cn': 'Carla Paola',
      'mail': 'carla@example.org',
++    'telephone': '39 123 456 789',
      'password': 'hello',
      'hashedPassword': '{SHA}qvTGHdzF6KLavt4PO0gs2a6pQ00='
+ }
++
  class CustomLDAPAuthenticatorPlugin(LDAPAuthenticatorPlugin):
      """Fake class to test that L{LDAPAuthenticatorPlugin._get_dn} can be
      overriden with no problems"""
--    def _get_dn(self, environ, auth):
++
++    def _get_dn(self, environ, identity):
++        self.called = True
          try:
--            return u'uid=%s,ou=admins,%s' % (auth['login'], self.base_dn)
++            return u'uid=%s,%s' % (identity['login'], self.base_dn)
          except (KeyError, TypeError):
--            raise ValueError, ('Could not find the DN from the auth and '
++            raise ValueError, ('Could not find the DN from the identity and '
                                 'environment')
@@ -261,11 +465,19 @@
      """
      suite = unittest.TestSuite()
++    suite.addTest(unittest.makeSuite(TestLDAPConnection, "test"))
      suite.addTest(unittest.makeSuite(TestMakeLDAPAuthenticatorPlugin, "test"))
      suite.addTest(unittest.makeSuite(TestLDAPAuthenticatorPlugin, "test"))
      suite.addTest(unittest.makeSuite(TestMakeLDAPAttributesPlugin, "test"))
      suite.addTest(unittest.makeSuite(TestLDAPAttributesPlugin, "test"))
      suite.addTest(unittest.makeSuite(TestLDAPConnectionFactory, "test"))
++    suite.addTest(unittest.makeSuite(TestLDAPSearchAuthenticatorPluginNaming,
++                                     "test"))
++    suite.addTest(unittest.makeSuite(TestLDAPAuthenticatorReturnLogin, "test"))
++    suite.addTest(unittest.makeSuite(TestLDAPSearchAuthenticatorReturnLogin,
++                                     "test"))
++    suite.addTest(unittest.makeSuite(TestLDAPAuthenticatorPluginStartTls,
++                                     "test"))
      return suite
 === modified file 'setup.py'
 --- setup.py	2010-05-19 22:31:15 +0000
 +++ setup.py	2010-05-31 22:51:23 +0000
@@ -1,7 +1,9 @@
  # -*- coding: utf-8 -*-
+ #
  # repoze.who.plugins.ldap, LDAP authentication for WSGI applications.
--# Copyright (C) 2008-2010 by Gustavo Narea <http://gustavonarea.net/>
++# Copyright (C) 2010 by Gustavo Narea  <http://gustavonarea.net/> and
++#                       Lorenzo M. Catucci <http://www.uniroma2.it/>.
++# Copyright (C) 2008 by Gustavo Narea <http://gustavonarea.net/>.
+ #
  # This file is part of repoze.who.plugins.ldap
  # <http://code.gustavonarea.net/repoze.who.plugins.ldap/>
@@ -46,7 +48,7 @@
      packages=find_packages(exclude=["*.tests", "demo", "demo.*"]),
      namespace_packages=['repoze', 'repoze.who', 'repoze.who.plugins'],
      zip_safe=False,
--    tests_require = ['dataflake.ldapconnection==0.3'],
++    tests_require = ['dataflake.ldapconnection < 1.1dev'],
      install_requires=[
          'repoze.who >= 1.0.6, < 2.0dev',
          'python-ldap>=2.3.5',