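#! /usr/bin/python
import __init__
import ldap
import ldap.filter


class new(__init__.Auth):
    """LDAP-backed authenticator: resolve the user's DN, then bind as it."""

    def init(self, config):
        """Read the LDAP settings from the ``[LDAP]`` section of *config*.

        Reads ``host``, ``base_dn`` and ``search_template``; the template is
        a %-format string that receives a single ``username`` key.
        """
        self.ldap_host = config.get('LDAP', 'host')
        self.ldap_base_dn = config.get('LDAP', 'base_dn')
        self.ldap_search_template = config.get('LDAP', 'search_template')

    def auth(self, username, password):
        """Return True if *password* binds successfully as the user's DN.

        Returns False when username or password is empty, when the search
        does not yield exactly one real entry, or when the bind is rejected
        with INVALID_CREDENTIALS. Any other LDAP error (unreachable server,
        size-limit exceeded, ...) propagates to the caller.
        """
        # An empty password must never reach bind_s: a bind with a DN and an
        # empty credential is an *unauthenticated* bind, which many servers
        # accept, so it would report success for any existing user.
        if not username or not password:
            return False

        # The username is untrusted input; escape filter metacharacters
        # before splicing it into the search filter (LDAP injection).
        search_filter = self.ldap_search_template % {
            'username': ldap.filter.escape_filter_chars(username),
        }

        # NOTE(review): ldap.open speaks plain ldap://, so the bind password
        # travels in clear text unless the deployment upgrades the
        # connection (ldaps/STARTTLS) — confirm against the config.
        conn = ldap.open(self.ldap_host)
        try:
            # Only the DN is needed, so request as little as possible and
            # cap the result set at a single entry.
            result = conn.search_s(self.ldap_base_dn, ldap.SCOPE_SUBTREE,
                                   search_filter, ['objectclass'], 1)
            # Each result is a (dn, attrs) pair; search_s may also hand back
            # referral entries whose dn is None, which cannot be bound to.
            # The old asserts here were stripped under -O and raised
            # AssertionError on an unknown user; an auth failure is now
            # reported as False instead.
            dns = [dn for dn, _attrs in result if dn is not None]
            if len(dns) != 1:
                return False
            user_dn = dns[0]

            # Bind as the user's DN with the supplied password.
            try:
                conn.bind_s(user_dn, password, ldap.AUTH_SIMPLE)
                return True
            except ldap.INVALID_CREDENTIALS:
                return False
        finally:
            # Always release the connection, whether the bind succeeded,
            # failed, or an unexpected LDAP error escaped.
            conn.unbind_s()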