[web2py] Re: Routing Help
Please also note my setup: https:nginx (load balancer with ssl) -> http:nginx -> uwsgi

--
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
[web2py] Routing Help
I am trying to get a somewhat complex routing scheme to work, but haven't been able to with either of the routing systems. Assume I have the following applications and the domains they should be mapped to:

inventory -> inventory.example.com
admin -> monitor.example.com/admin
ipcheck -> monitor.example.com/ipcheck
onlineforms -> forms.example.com

I can make this work with the parameter based system like so:

routers = dict(
    BASE = dict(
        default_application = 'init',
        default_controller = 'default',
        applications = ['admin', 'ipcheck', 'init', 'onlineforms'],
        domains = {
            'inventory.example.com' : 'inventory',
            'forms.example.com' : 'onlineforms'
        }
    )
)

And it works just fine, removing the application name and controller from the URL where possible. Now I want to add another application into the mix:

onlineformsadmin -> forms.example.com/admin

And I have no idea how to do that. I messed with the pattern based routing, but it just gave me more problems. For instance a line like:

('.*:https://inventory.example.com:.* .*', 'inventory')

in routes_app wouldn't stop requests to https://inventory.example.com/default from trying to go to the 'default' application. In other words, unless I still specified inventory as the application, it wouldn't go there. I know I could just add another subdomain with the parameter based system, but I would really like to avoid that and feel like I'm missing something here. Any help would be appreciated.

Thanks,
Kory
[web2py] Re: ldap login method bug - Allows any user to log in with blank password (AD)
Alright, I used the pep8 tool: http://pypi.python.org/pypi/pep8/ to do cleanup on the file. I fixed all the errors given by the tool except lines being over 79 characters when it didn't make sense to shorten them. This was mainly fixing indentation, but I fixed some typos, and a few code things (changing None type checking to isinstance, for example). I'm fairly certain the code all works correctly and I went over it several times, but I only have AD to test against. File attached.

Any idea when the next stable release will come out? It seems to me this was a security error, and there may be vulnerable installations out there.

Thanks,
Kory

On Wednesday, July 11, 2012 6:11:48 PM UTC-5, Massimo Di Pierro wrote:
>
> Thanks, in trunk. Any chance you could fix the indentation a little to follow pep8
>
> I did some of it but it needs more work. This is not your fault. The pep8 was badly broken in the original file.
>
> Massimo
>
> On Wednesday, 11 July 2012 17:45:04 UTC-5, Kory Prince wrote:
>>
>> I did some digging and turned up this:
>> http://docs.oracle.com/javase/jndi/tutorial/ldap/security/simple.html
>>
>> Which says a blank password causes the protocol to be changed to "none."
>>
>> More specifically http://tools.ietf.org/html/rfc4513#section-5.1.2 tells us
>> "Clients SHOULD disallow an empty password input to a Name/Password Authentication user interface."
>>
>> Therefore I submit this patch that simply performs a check for a blank password. If you think there is a better way, please let me know, but I think it would be best to follow protocol.
>>
>> Thanks,
>> Kory

# -*- coding: utf-8 -*-
#
# last tinkered with by korylprince at gmail.com on 2012-07-12
#

import sys
import logging
try:
    import ldap
    import ldap.filter
    ldap.set_option(ldap.OPT_REFERRALS, 0)
except Exception, e:
    logging.error('missing ldap, try "easy_install python-ldap"')
    raise e


def ldap_auth(server='ldap', port=None,
              base_dn='ou=users,dc=domain,dc=com',
              mode='uid', secure=False, cert_path=None, cert_file=None,
              bind_dn=None, bind_pw=None, filterstr='objectClass=*',
              username_attrib='uid',
              custom_scope='subtree',
              allowed_groups=None,
              manage_user=False,
              user_firstname_attrib='cn:1',
              user_lastname_attrib='cn:2',
              user_mail_attrib='mail',
              manage_groups=False,
              db=None,
              group_dn=None,
              group_name_attrib='cn',
              group_member_attrib='memberUid',
              group_filterstr='objectClass=*',
              logging_level='error'):
    """
    to use ldap login with MS Active Directory:

        from gluon.contrib.login_methods.ldap_auth import ldap_auth
        auth.settings.login_methods.append(ldap_auth(
            mode='ad', server='my.domain.controller',
            base_dn='ou=Users,dc=domain,dc=com'))

    to use ldap login with Notes Domino:

        auth.settings.login_methods.append(ldap_auth(
            mode='domino',server='my.domino.server'))

    to use ldap login with OpenLDAP:

        auth.settings.login_methods.append(ldap_auth(
            server='my.ldap.server', base_dn='ou=Users,dc=domain,dc=com'))

    to use ldap login with OpenLDAP and subtree search and (optionally)
    multiple DNs:

        auth.settings.login_methods.append(ldap_auth(
            mode='uid_r', server='my.ldap.server',
            base_dn=['ou=Users,dc=domain,dc=com','ou=Staff,dc=domain,dc=com']))

    or (if using CN):

        auth.settings.login_methods.append(ldap_auth(
            mode='cn', server='my.ldap.server',
            base_dn='ou=Users,dc=domain,dc=com'))

    or you can fully customize the search for user:

        auth.settings.login_methods.append(ldap_auth(
            mode='custom', server='my.ldap.server',
            base_dn='ou=Users,dc=domain,dc=com',
            username_attrib='uid',
            custom_scope='subtree'))

    the custom_scope can be: base, onelevel, subtree.

    If using secure ldaps:// pass secure=True and cert_path="..."
    If ldap is using GnuTLS then you need cert_file="..." instead cert_path
    because cert_path isn't implemented in GnuTLS :(

    If you need to bind to the directory with an admin account in order to
    search it then specify bind_dn & bind_pw to use fo
[web2py] Re: ldap login method bug - Allows any user to log in with blank password (AD)
I did some digging and turned up this:
http://docs.oracle.com/javase/jndi/tutorial/ldap/security/simple.html

Which says a blank password causes the protocol to be changed to "none."

More specifically http://tools.ietf.org/html/rfc4513#section-5.1.2 tells us
"Clients SHOULD disallow an empty password input to a Name/Password Authentication user interface."

Therefore I submit this patch that simply performs a check for a blank password. If you think there is a better way, please let me know, but I think it would be best to follow protocol.

Thanks,
Kory

# -*- coding: utf-8 -*-
#
# last tinkered with by korylprince at gmail.com on 2012-07-11
#

import sys
import logging
try:
    import ldap
    import ldap.filter
    ldap.set_option( ldap.OPT_REFERRALS, 0 )
except Exception, e:
    logging.error( 'missing ldap, try "easy_install python-ldap"' )
    raise e


def ldap_auth( server = 'ldap', port = None,
               base_dn = 'ou=users,dc=domain,dc=com',
               mode = 'uid', secure = False, cert_path = None, cert_file = None,
               bind_dn = None, bind_pw = None, filterstr = 'objectClass=*',
               username_attrib = 'uid',
               custom_scope = 'subtree',
               allowed_groups = None,
               manage_user = False,
               user_firstname_attrib = 'cn:1',
               user_lastname_attrib = 'cn:2',
               user_mail_attrib = 'mail',
               manage_groups = False,
               db = None,
               group_dn = None,
               group_name_attrib = 'cn',
               group_member_attrib = 'memberUid',
               group_filterstr = 'objectClass=*',
               logging_level = 'error' ):
    """
    to use ldap login with MS Active Directory:

        from gluon.contrib.login_methods.ldap_auth import ldap_auth
        auth.settings.login_methods.append(ldap_auth(
            mode='ad', server='my.domain.controller',
            base_dn='ou=Users,dc=domain,dc=com'))

    to use ldap login with Notes Domino:

        auth.settings.login_methods.append(ldap_auth(
            mode='domino',server='my.domino.server'))

    to use ldap login with OpenLDAP:

        auth.settings.login_methods.append(ldap_auth(
            server='my.ldap.server', base_dn='ou=Users,dc=domain,dc=com'))

    to use ldap login with OpenLDAP and subtree search and (optionally)
    multiple DNs:

        auth.settings.login_methods.append(ldap_auth(
            mode='uid_r', server='my.ldap.server',
            base_dn=['ou=Users,dc=domain,dc=com','ou=Staff,dc=domain,dc=com']))

    or (if using CN):

        auth.settings.login_methods.append(ldap_auth(
            mode='cn', server='my.ldap.server',
            base_dn='ou=Users,dc=domain,dc=com'))

    or you can fully customize the search for user:

        auth.settings.login_methods.append(ldap_auth(
            mode='custom', server='my.ldap.server',
            base_dn='ou=Users,dc=domain,dc=com',
            username_attrib='uid',
            custom_scope='subtree'))

    the custom_scope can be: base, onelevel, subtree.

    If using secure ldaps:// pass secure=True and cert_path="..."
    If ldap is using GnuTLS then you need cert_file="..." instead cert_path
    because cert_path isn't implemented in GnuTLS :(

    If you need to bind to the directory with an admin account in order to
    search it then specify bind_dn & bind_pw to use for this.
    - currently only implemented for Active Directory

    If you need to restrict the set of allowed users (e.g. to members of a
    department) then specify a rfc4515 search filter string.
    - currently only implemented for mode in ['ad', 'company', 'uid_r']

    You can manage user attribute first name, last name, email from ldap:

        auth.settings.login_methods.append(ldap_auth(...as usual...,
            manage_user = True,
            user_firstname_attrib = 'cn:1',
            user_lastname_attrib = 'cn:2',
            user_mail_attrib = 'mail'
            ))

    Where:
        manage_user - let web2py handle user data from ldap
        user_firstname_attrib - the attribute containing the user's first name
                                optionally you can specify parts.
                                Example: cn: "John Smith" - 'cn:1' = 'John'
        user_lastname_attrib - the attribute containing the user's last name
                               optionally you can specify parts.
                               Example: cn: "John Smith" - 'cn:2' = 'Smith'
        user_mail_attrib - the attribute containing the user's email address

    If you need group control from ldap to web2py app's database feel free
    to set:

        auth.settings.login_methods.append(ldap_auth(...as usual...,
            manage_groups = True,
            db = db,
            group_dn = 'ou=Groups,dc=domain,dc=com',
            group_name_attrib = 'cn',
            group_member_attrib = 'memberUid',
            group_filterstr = 'objectClass=*'
            ))
[web2py] ldap login method bug - Allows any user to log in with blank password (AD)
Hello all. Today I discovered that all my web2py installations are allowing any domain user to log in as long as they don't enter a password. The root of this is that the ldap_auth.py authentication will return True as long as a user is in Active Directory. An incorrect password will not work, but a blank one will.

My setup is the latest stable web2py with ldap_auth.py from web2py trunk on github. Can I get someone to test this and see if it is an issue for them? I will try and fix this tomorrow and submit a patch.

Thanks,
Kory
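The failure mode reported in this thread (a bind with a blank password succeeding as an RFC 4513 section 5.1.2 unauthenticated bind) and the client-side empty-password check Kory's patch adds, modelled in an added example that is not web2py's ldap_auth.py or the patch itself. fake_simple_bind and FAKE_DIRECTORY are constructed stand-ins for an Active Directory simple bind; python-ldap is not used and no server is contacted.

```python
# Constructed directory standing in for Active Directory: DN -> password.
FAKE_DIRECTORY = {
    "cn=kory,ou=users,dc=example,dc=com": "correct horse battery staple",
}


def fake_simple_bind(dn, password):
    """Emulate an LDAP simple bind (constructed; no python-ldap involved).

    RFC 4513 section 5.1.2: a DN with an empty password is an
    *unauthenticated* bind. Servers such as AD answer it with a success
    result while granting only anonymous access, so a client that treats
    "bind did not raise" as "password verified" lets anyone in. A wrong
    password is rejected, as ldap.INVALID_CREDENTIALS would be.
    """
    if dn not in FAKE_DIRECTORY:
        raise ValueError("invalidCredentials")
    if password == "":
        return "unauthenticated"  # success result, authz identity: anonymous
    if FAKE_DIRECTORY[dn] != password:
        raise ValueError("invalidCredentials")
    return "authenticated"


def user_dn(username):
    # Assumed DN layout; real code must escape username (ldap.dn.escape_dn_chars).
    return "cn=%s,ou=users,dc=example,dc=com" % username


def vulnerable_login(username, password, bind=fake_simple_bind):
    """The reported bug: any bind that does not raise counts as a login."""
    try:
        bind(user_dn(username), password)
    except ValueError:
        return False
    return True


def hardened_login(username, password, bind=fake_simple_bind):
    """Kory's fix, plus defence in depth: refuse a blank password before any
    bind is attempted, and accept only a bind that actually authenticated
    (with python-ldap, checking whoami_s() after the bind plays that role)."""
    if not username or not password:
        return False
    try:
        return bind(user_dn(username), password) == "authenticated"
    except ValueError:
        return False
```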
[web2py] Help understanding SQLFORM.accepts/process/validate
Hello all. I am attempting to make a custom field of sorts that is composed of other field types. For example this one field will write html for x number of fields and will be stored in the db as a list of x elements. If there is some better way in web2py to do this please let me know!

So far this is what I have done. First I created a WidgetFactory:

import gluon.sqlhtml as sqlhtml
import gluon.dal as dal
# SQLFORM and CAT are injected into models/controllers by web2py; the explicit
# imports are only needed if this module is used outside that environment.
from gluon.sqlhtml import SQLFORM
from gluon.html import CAT


def MultiWidgetFactory(*fields):
    class MultiWidget(sqlhtml.FormWidget):
        _class = "multi"

        @classmethod
        def widget(cls, field, value, **attributes):
            _id = '%s_%s' % (field._tablename, field.name)
            _name = field.name
            items = []
            for f in fields:
                #required!
                f._tablename = _id
                items.append(SQLFORM.widgets[f.type].widget(
                    f, 'text', requires=dal.sqlhtml_validators(f)))
            return CAT(*items)
    return MultiWidget

(Yes, setting 'text' is just for debugging purposes.)

Next I create a field in a table like so:

Field('schools', 'text',
      widget=MultiWidgetFactory(Field('school_name'),
                                Field('major_minor_fields'),
                                Field('year_graduated')).widget)

Later I call and output the form:

form = SQLFORM(db.table, fields=['schools'])

This works great. The form outputs each of the fields in my multiwidget, and each of them is validated.

Now for the issue: for the life of me I can't figure out how to persuade form.process/accepts/validate to take my form! I always get an error: "" despite the fact that I directly edit request.vars and add a schools key before calling process. I looked through the code of process, accept, and validate in the FORM and SQLFORM objects, but everything I am reading tells me it should just work.

If someone could please help, or suggest an easier alternative, I would appreciate it.

Kory Prince