[web2py] Re: Routing Help

2013-03-05 Thread Kory Prince
Please also note my setup:

https:nginx (load balancer with ssl) -> http:nginx -> uwsgi

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.




[web2py] Routing Help

2013-03-05 Thread Kory Prince
I am trying to get a somewhat complex routing scheme to work, but haven't 
been able to with either of the routing systems.

Assume I have the following applications and domains they should be mapped 
to:

inventory -> inventory.example.com
admin -> monitor.example.com/admin
ipcheck -> monitor.example.com/ipcheck

onlineforms -> forms.example.com

I can make this work with the parameter based system like so:

routers = dict(
    BASE = dict(
        default_application = 'init',
        default_controller = 'default',
        applications = ['admin','ipcheck','init','onlineforms'],
        domains = {
            'inventory.example.com' : 'inventory',
            'forms.example.com' : 'onlineforms'
        }
    )
)

And it works just fine, removing the application name and controller from 
the URL where possible.

Now I want to add another application into the mix:
onlineformsadmin -> forms.example.com/admin

And I have no idea how to do that.

I messed with the pattern based routing, but it just gave me more problems.
For instance a line like:

('.*:https://inventory.example.com:.* .*', 'inventory')

in routes_app wouldn't stop requests to 
https://inventory.example.com/default from trying to go to the 'default' 
application.

In other words, unless I still specified inventory as the application, it 
wouldn't go there.

I know I could just add another subdomain with the parameter based system, 
but I would really like to avoid that and feel like I'm missing something 
here.

Any help would be appreciated. 
Thanks,
Kory





[web2py] Re: ldap login method bug - Allows any user to log in with blank password (AD)

2012-07-12 Thread Kory Prince
Alright, I used the pep8 tool: http://pypi.python.org/pypi/pep8/

to do cleanup on the file. I fixed all the errors given by the tool except 
lines being over 79 characters when it didn't make sense to shorten them.

This was mainly fixing indentation, but I fixed some typos, and a few code 
things (changing None type checking to isinstance for example.)

I'm fairly certain the code all works correctly and I went over it several 
times, but I only have AD to test against.

File attached.

Any idea when the next stable release will come out? It seems to me this 
was a security error, and there may be vulnerable installations out there.

Thanks,
Kory

On Wednesday, July 11, 2012 6:11:48 PM UTC-5, Massimo Di Pierro wrote:
>
> Thanks, in trunk. Any chance you could fix the indentation a little to 
> follow pep8
>
> I did some of it but it needs more work. This is not your fault. The pep8 
> was badly broken in the original file.
>
> Massimo
>
> On Wednesday, 11 July 2012 17:45:04 UTC-5, Kory Prince wrote:
>>
>> I did some digging and turned up this:
>> http://docs.oracle.com/javase/jndi/tutorial/ldap/security/simple.html
>>
>> Which says a blank password causes the protocol to be changed to "none."
>>
>> More specifically http://tools.ietf.org/html/rfc4513#section-5.1.2 tells 
>> us
>>  "Clients SHOULD disallow an empty password input to a Name/Password 
>> Authentication user interface."
>>
>>
>> Therefore I submit this patch that simply performs a check for a blank 
>> password. If you think there is a better way,
>> please let me know, but I think it would be best to follow protocol.
>>
>> Thanks,
>> Kory
>>
>>

# -*- coding: utf-8 -*-
#
# last tinkered with by korylprince at gmail.com on 2012-07-12
#

import sys
import logging
try:
    import ldap
    import ldap.filter
    ldap.set_option(ldap.OPT_REFERRALS, 0)
except Exception, e:
    logging.error('missing ldap, try "easy_install python-ldap"')
    raise e


def ldap_auth(server='ldap', port=None,
  base_dn='ou=users,dc=domain,dc=com',
  mode='uid', secure=False, cert_path=None, cert_file=None,
  bind_dn=None, bind_pw=None, filterstr='objectClass=*',
  username_attrib='uid',
  custom_scope='subtree',
  allowed_groups=None,
  manage_user=False,
  user_firstname_attrib='cn:1',
  user_lastname_attrib='cn:2',
  user_mail_attrib='mail',
  manage_groups=False,
  db=None,
  group_dn=None,
  group_name_attrib='cn',
  group_member_attrib='memberUid',
  group_filterstr='objectClass=*',
  logging_level='error'):

    """
    to use ldap login with MS Active Directory:

        from gluon.contrib.login_methods.ldap_auth import ldap_auth
        auth.settings.login_methods.append(ldap_auth(
            mode='ad', server='my.domain.controller',
            base_dn='ou=Users,dc=domain,dc=com'))

    to use ldap login with Notes Domino:

        auth.settings.login_methods.append(ldap_auth(
            mode='domino', server='my.domino.server'))

    to use ldap login with OpenLDAP:

        auth.settings.login_methods.append(ldap_auth(
            server='my.ldap.server', base_dn='ou=Users,dc=domain,dc=com'))

    to use ldap login with OpenLDAP and subtree search and (optionally)
    multiple DNs:

        auth.settings.login_methods.append(ldap_auth(
            mode='uid_r', server='my.ldap.server',
            base_dn=['ou=Users,dc=domain,dc=com', 'ou=Staff,dc=domain,dc=com']))

    or (if using CN):

        auth.settings.login_methods.append(ldap_auth(
            mode='cn', server='my.ldap.server',
            base_dn='ou=Users,dc=domain,dc=com'))

    or you can fully customize the search for the user:

        auth.settings.login_methods.append(ldap_auth(
            mode='custom', server='my.ldap.server',
            base_dn='ou=Users,dc=domain,dc=com',
            username_attrib='uid',
            custom_scope='subtree'))

    the custom_scope can be: base, onelevel, subtree.

    If using secure ldaps:// pass secure=True and cert_path="..."
    If ldap is using GnuTLS then you need cert_file="..." instead of cert_path
    because cert_path isn't implemented in GnuTLS :(

    If you need to bind to the directory with an admin account in order to
    search it then specify bind_dn & bind_pw to use fo

[web2py] Re: ldap login method bug - Allows any user to log in with blank password (AD)

2012-07-11 Thread Kory Prince
I did some digging and turned up this:
http://docs.oracle.com/javase/jndi/tutorial/ldap/security/simple.html

Which says a blank password causes the protocol to be changed to "none."

More specifically http://tools.ietf.org/html/rfc4513#section-5.1.2 tells us
"Clients SHOULD disallow an empty password input to a Name/Password
Authentication user interface."

Therefore I submit this patch that simply performs a check for a blank 
password. If you think there is a better way, please let me know, but I think 
it would be best to follow protocol.

Thanks,
Kory

# -*- coding: utf-8 -*-
#
# last tinkered with by korylprince at gmail.com on 2012-07-11
#

import sys
import logging
try:
    import ldap
    import ldap.filter
    ldap.set_option( ldap.OPT_REFERRALS, 0 )
except Exception, e:
    logging.error( 'missing ldap, try "easy_install python-ldap"' )
    raise e

def ldap_auth( server = 'ldap', port = None,
base_dn = 'ou=users,dc=domain,dc=com',
mode = 'uid', secure = False, cert_path = None, cert_file = None,
bind_dn = None, bind_pw = None, filterstr = 'objectClass=*',
username_attrib = 'uid',
custom_scope = 'subtree',
allowed_groups = None,
manage_user = False,
user_firstname_attrib = 'cn:1',
user_lastname_attrib = 'cn:2',
user_mail_attrib = 'mail',
manage_groups = False,
db = None,
group_dn = None,
group_name_attrib = 'cn',
group_member_attrib = 'memberUid',
group_filterstr = 'objectClass=*',
logging_level = 'error' ):

    """
    to use ldap login with MS Active Directory:

        from gluon.contrib.login_methods.ldap_auth import ldap_auth
        auth.settings.login_methods.append(ldap_auth(
            mode='ad', server='my.domain.controller',
            base_dn='ou=Users,dc=domain,dc=com'))

    to use ldap login with Notes Domino:

        auth.settings.login_methods.append(ldap_auth(
            mode='domino', server='my.domino.server'))

    to use ldap login with OpenLDAP:

        auth.settings.login_methods.append(ldap_auth(
            server='my.ldap.server', base_dn='ou=Users,dc=domain,dc=com'))

    to use ldap login with OpenLDAP and subtree search and (optionally)
    multiple DNs:

        auth.settings.login_methods.append(ldap_auth(
            mode='uid_r', server='my.ldap.server',
            base_dn=['ou=Users,dc=domain,dc=com', 'ou=Staff,dc=domain,dc=com']))

    or (if using CN):

        auth.settings.login_methods.append(ldap_auth(
            mode='cn', server='my.ldap.server',
            base_dn='ou=Users,dc=domain,dc=com'))

    or you can fully customize the search for the user:

        auth.settings.login_methods.append(ldap_auth(
            mode='custom', server='my.ldap.server',
            base_dn='ou=Users,dc=domain,dc=com',
            username_attrib='uid',
            custom_scope='subtree'))

    the custom_scope can be: base, onelevel, subtree.

    If using secure ldaps:// pass secure=True and cert_path="..."
    If ldap is using GnuTLS then you need cert_file="..." instead of cert_path
    because cert_path isn't implemented in GnuTLS :(

    If you need to bind to the directory with an admin account in order to
    search it then specify bind_dn & bind_pw to use for this.
    - currently only implemented for Active Directory

    If you need to restrict the set of allowed users (e.g. to members of a
    department) then specify an rfc4515 search filter string.
    - currently only implemented for mode in ['ad', 'company', 'uid_r']

    You can manage the user attributes first name, last name and email from
    ldap:

        auth.settings.login_methods.append(ldap_auth(...as usual...,
            manage_user = True,
            user_firstname_attrib = 'cn:1',
            user_lastname_attrib = 'cn:2',
            user_mail_attrib = 'mail'
        ))

    Where:
        manage_user - let web2py handle user data from ldap
        user_firstname_attrib - the attribute containing the user's first name
            optionally you can specify parts.
            Example: cn: "John Smith" - 'cn:1' = 'John'
        user_lastname_attrib - the attribute containing the user's last name
            optionally you can specify parts.
            Example: cn: "John Smith" - 'cn:2' = 'Smith'
        user_mail_attrib - the attribute containing the user's email address

    If you need group control from ldap to the web2py app's database feel free
    to set:

        auth.settings.login_methods.append(ldap_auth(...as usual...,
            manage_groups = True,
            db = db,
            group_dn = 'ou=Groups,dc=domain,dc=com',
            group_name_attrib = 'cn',
            group_member_attrib = 'memberUid',
            group_filterstr = 'objectClass=*'
        ))

[web2py] ldap login method bug - Allows any user to log in with blank password (AD)

2012-07-11 Thread Kory Prince
Hello all. Today I discovered that all my web2py installations are allowing 
any domain user to login as long as they don't enter a password. The root 
of this is that the ldap_auth.py authentication will return True as long as 
a user is in Active Directory. An incorrect password will not work, but a 
blank one will.

My setup is the latest stable web2py with ldap_auth.py from web2py trunk on 
github.

Can I get someone to test this and see if it is an issue for them? I will 
try and fix this tomorrow and submit a patch.

Thanks,
Kory


[web2py] Help understanding SQLFORM.accepts/process/validate

2012-06-19 Thread Kory Prince
Hello all.

I am attempting to make a custom field of sorts that is composed of other 
field types. For example this one field will write html for x number of 
fields and will be stored in the db as list of x elements.

If there is some better way in web2py to do this please let me know!

So far this is what I have done. First I created a WidgetFactory:

import gluon.sqlhtml as sqlhtml
import gluon.dal as dal
from gluon.html import CAT
from gluon.sqlhtml import SQLFORM


def MultiWidgetFactory(*fields):
    class MultiWidget(sqlhtml.FormWidget):
        _class = "multi"

        @classmethod
        def widget(cls, field, value, **attributes):
            _id = '%s_%s' % (field._tablename, field.name)
            _name = field.name
            items = []
            for f in fields:
                # required! each sub-field takes the parent field's id as its table name
                f._tablename = _id
                items.append(SQLFORM.widgets[f.type].widget(f, 'text',
                             requires=dal.sqlhtml_validators(f)))
            return CAT(*items)

    return MultiWidget

(Yes, setting 'text' is just for debugging purposes.)

next I create a field in a table like so:

Field('schools', 'text',
      widget=MultiWidgetFactory(Field('school_name'),
                                Field('major_minor_fields'),
                                Field('year_graduated')).widget)

Later I call and output form:
form = SQLFORM(db.table, fields=['schools'])


This works great. The form outputs each of the fields in my multiwidget, 
and each of them is validated.

Now for the issue: for the life of me I can't figure out how to persuade 
form.process/accepts/validate to take my form!

I always get an error: "" despite the fact 
that I directly edit request.vars and add a schools key before calling 
process.
I looked through the code of process, accept, and validate in the FORM and 
SQLFORM objects, but everything I am reading tells me it should just work.

If someone could please help, or suggest an easier alternative, I would 
appreciate it.
Kory Prince