activesambaldap 0.0.1

data/lib/active_samba_ldap/group.rb

@@ -0,0 +1,182 @@
+require 'English'
+
+require 'active_samba_ldap/entry'
+
+module ActiveSambaLdap
+  class Group < Base
+    include Reloadable::Subclasses
+
+    include Entry
+
+    class << self
+      def ldap_mapping(options={})
+        options = default_options.merge(options)
+        super(extract_ldap_mapping_options(options))
+        init_associations(options)
+      end
+
+      def find_by_name_or_gid_number(key)
+        group = nil
+        begin
+          gid_number = Integer(key)
+          group = find_by_gid_number(gid_number)
+          raise GidNumberDoesNotExist.new(gid_number) if group.nil?
+        rescue ArgumentError
+          raise GroupDoesNotExist.new(key) unless exists?(key)
+          group = find(key)
+        end
+        group
+      end
+
+      def find_by_gid_number(number)
+        attribute = "gidNumber"
+        value = Integer(number).to_s
+        find(:first, :filter => "(#{attribute}=#{value})")
+      end
+
+      private
+      def default_options
+        {
+          :dn_attribute => "cn",
+          :prefix => configuration[:groups_suffix],
+          :classes => default_classes,
+
+          :members_wrap => "memberUid",
+          :users_class => default_user_class,
+          :computers_class => default_computer_class,
+
+          :primary_members_foreign_key => "gidNumber",
+          :primary_members_primary_key => "gidNumber",
+          :primary_users_class => default_user_class,
+          :primary_computers_class => default_computer_class,
+        }
+      end
+
+      def default_classes
+        ["top", "posixGroup"]
+      end
+
+      def default_user_class
+        "User"
+      end
+
+      def default_computer_class
+        "Computer"
+      end
+
+      def init_associations(options)
+        association_options = {}
+        options.each do |key, value|
+          case key.to_s
+          when /^((?:primary_)?(?:(?:user|computer|member)s))_/
+            association_options[$1] ||= {}
+            association_options[$1][$POSTMATCH.to_sym] = value
+          end
+        end
+
+        members_opts = association_options["members"] || {}
+        user_members_opts = association_options["users"] || {}
+        computer_members_opts = association_options["computers"] || {}
+        has_many :users, members_opts.merge(user_members_opts)
+        has_many :computers, members_opts.merge(computer_members_opts)
+
+        primary_members_opts = association_options["primary_members"] || {}
+        primary_user_members_opts =
+          association_options["primary_users"] || {}
+        primary_computer_members_opts =
+          association_options["primary_computers"] || {}
+        has_many :primary_users,
+                 primary_members_opts.merge(primary_user_members_opts)
+        has_many :primary_computers,
+                 primary_members_opts.merge(primary_computer_members_opts)
+      end
+
+      def prepare_create_options(group, options)
+        prepare_create_options_for_number(:gid_number, group, options)
+      end
+    end
+
+    def fill_default_values(options={})
+      gid_number = options[:gid_number]
+      change_gid_number(gid_number) if gid_number
+      self.description ||= options[:description] || cn
+    end
+
+    def members
+      users.to_ary + computers.to_ary
+    end
+
+    def reload_members
+      users.reload
+      computers.reload
+    end
+
+    def primary_members
+      primary_users.to_ary + primary_computers.to_ary
+    end
+
+    def reload_primary_members
+      primary_users.reload
+      primary_computers.reload
+    end
+
+    def change_gid_number(gid, allow_non_unique=false)
+      check_unique_gid_number(gid) unless allow_non_unique
+      self.gid_number = gid.to_s
+    end
+
+    def destroy(options={})
+      if options[:remove_members]
+        if options[:force_change_primary_members]
+          change_primary_members(options)
+        end
+        reload_primary_members
+        unless primary_members.empty?
+          not_destroyed_members = primary_members.collect {|x| x.uid}
+          raise PrimaryGroupCanNotBeDestroyed.new(cn, not_destroyed_members)
+        end
+        self.users = []
+        self.computers = []
+      end
+      super()
+    end
+
+    private
+    def ensure_uid(member_or_uid)
+      if member_or_uid.is_a?(String)
+        member_or_uid
+      else
+        member_or_uid.uid
+      end
+    end
+
+    def check_unique_gid_number(gid_number)
+      ActiveSambaLdap::Base.restart_nscd do
+        if self.class.find_by_gid_number(Integer(gid_number))
+          raise GidNumberAlreadyExists.new(gid_number)
+        end
+      end
+    end
+
+    def change_primary_members(options={})
+      name = cn
+
+      pr_members = primary_members
+      cannot_removed_members = []
+      pr_members.each do |member|
+        if (member.groups.collect {|group| group.cn} - [name]).empty?
+          cannot_removed_members << member.uid
+        end
+      end
+      unless cannot_removed_members.empty?
+        raise CanNotChangePrimaryGroup.new(name, cannot_removed_members)
+      end
+
+      pr_members.each do |member|
+        new_group = member.groups.find {|gr| gr.cn != name}
+        member.primary_group = new_group
+        member.save!
+      end
+    end
+  end
+end

data/lib/active_samba_ldap/idmap.rb

@@ -0,0 +1,17 @@
+module ActiveSambaLdap
+  class Idmap < Base
+    include Reloadable::Subclasses
+
+    class << self
+      def ldap_mapping(options={})
+        default_options = {
+          :dn_attribute => "sambaSID",
+          :prefix => configuration[:idmap_suffix],
+          :classes => ["top", "sambaIdmapEntry"],
+        }
+        options = default_options.merge(options)
+        super options
+      end
+    end
+  end
+end

data/lib/active_samba_ldap/ou.rb

@@ -0,0 +1,18 @@
+module ActiveSambaLdap
+  class Ou < Base
+    include Reloadable::Subclasses
+
+    class << self
+      def ldap_mapping(options={})
+        default_options = {
+          :dn_attribute => "ou",
+          :prefix => "",
+          :classes => ["top", "organizationalUnit"],
+          :scope => :sub,
+        }
+        options = default_options.merge(options)
+        super(options)
+      end
+    end
+  end
+end

data/lib/active_samba_ldap/populate.rb

@@ -0,0 +1,254 @@
+module ActiveSambaLdap
+  module Populate
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+
+    module ClassMethods
+      def populate(options={})
+        Private.new(self, options).populate
+      end
+
+      def purge(options={})
+        self.delete_all(nil, {:scope => :sub}.merge(options))
+      end
+
+      class Private
+        def initialize(base, options)
+          @base = base
+          @options = options.dup
+        end
+
+        def populate
+          init_classes
+          init_options
+
+          entries = []
+          entries.concat(ensure_base)
+          entries.concat(ensure_group_base)
+          entries.concat(ensure_user_base)
+          entries.concat(ensure_computer_base)
+          entries.concat(ensure_idmap_base)
+          entries.concat(make_groups)
+          entries.concat(make_users)
+          entries.concat(make_pool)
+
+          [entries, @options]
+        end
+
+        def init_classes
+          @options[:user_class] = user_class = Class.new(SambaUser)
+          @options[:group_class] = group_class = Class.new(SambaGroup)
+          @options[:computer_class] = computer_class = Class.new(SambaComputer)
+          @options[:idmap_class] = idmap_class = Class.new(Idmap)
+          @options[:unix_id_pool_class] = id_pool_class = Class.new(UnixIdPool)
+
+          user_class.ldap_mapping
+          group_class.ldap_mapping
+          computer_class.ldap_mapping
+          idmap_class.ldap_mapping
+          id_pool_class.ldap_mapping
+
+          user_class.set_associated_class(:primary_group, group_class)
+          computer_class.set_associated_class(:primary_group, group_class)
+          user_class.set_associated_class(:groups, group_class)
+          computer_class.set_associated_class(:groups, group_class)
+
+          group_class.set_associated_class(:users, user_class)
+          group_class.set_associated_class(:computers, computer_class)
+          group_class.set_associated_class(:primary_users, user_class)
+          group_class.set_associated_class(:primary_computers, computer_class)
+        end
+
+        def user_class
+          @options[:user_class]
+        end
+
+        def group_class
+          @options[:group_class]
+        end
+
+        def computer_class
+          @options[:computer_class]
+        end
+
+        def idmap_class
+          @options[:idmap_class]
+        end
+
+        def init_options
+          config = @base.configuration
+          @options[:start_uid] ||= Integer(config[:start_uid])
+          @options[:start_gid] ||= Integer(config[:start_gid])
+          @options[:administrator] ||= user_class::DOMAIN_ADMIN_NAME
+          @options[:administrator_uid] ||=
+            user_class.rid2uid(user_class::DOMAIN_ADMIN_RID)
+          @options[:administrator_gid] ||=
+            group_class.rid2gid(group_class::DOMAIN_ADMINS_RID)
+          @options[:guest] ||= user_class::DOMAIN_GUEST_NAME
+          @options[:guest_uid] ||=
+            user_class.rid2uid(user_class::DOMAIN_GUEST_RID)
+          @options[:guest_gid] ||=
+            group_class.rid2gid(group_class::DOMAIN_GUESTS_RID)
+          @options[:default_user_gid] ||= config[:default_user_gid]
+          @options[:default_computer_gid] ||= config[:default_computer_gid]
+        end
+
+        def ensure_container_base(dn, target_name, klass, ignore_base=false)
+          entries = []
+          suffixes = []
+          dn.split(/,/).reverse_each do |suffix|
+            name, value = suffix.split(/=/, 2)
+            next unless name == target_name
+            container_class = Class.new(klass)
+            prefix = suffixes.reverse.join(",")
+            suffixes << suffix
+            if ignore_base
+              container_class.ldap_mapping :prefix => "", :scope => :base
+              container_class.base = prefix
+            else
+              container_class.ldap_mapping :prefix => prefix, :scope => :base
+            end
+            next if container_class.exists?(value, :prefix => suffix)
+            container = container_class.new(value)
+            yield(container) if block_given?
+            container.save!
+            entries << container
+          end
+          entries
+        end
+
+        def ensure_base
+          ensure_container_base(@base.base, "dc", Dc, true) do |dc|
+            dc.o = dc.dc
+          end
+        end
+
+        def ensure_ou_base(dn)
+          ensure_container_base(dn, "ou", Ou)
+        end
+
+        def ensure_user_base
+          ensure_ou_base(user_class.prefix)
+        end
+
+        def ensure_group_base
+          ensure_ou_base(group_class.prefix)
+        end
+
+        def ensure_computer_base
+          ensure_ou_base(computer_class.prefix)
+        end
+
+        def ensure_idmap_base
+          ensure_ou_base(idmap_class.prefix)
+        end
+
+        def make_user(user_class, name, uid, group)
+          if user_class.exists?(name)
+            user = user_class.find(name)
+            group = nil
+          else
+            user = user_class.new(name)
+            user.fill_default_values(:uid_number => uid, :group => group)
+            user.save!
+            group.users << user
+          end
+          [user, group]
+        end
+
+        def make_users
+          user_class = @options[:user_class]
+          group_class = @options[:group_class]
+          entries = []
+          [
+           [@options[:administrator], @options[:administrator_uid],
+            @options[:administrator_gid]],
+           [@options[:guest], @options[:guest_uid], @options[:guest_gid]],
+          ].each do |name, uid, gid|
+            user, group = make_user(user_class, name, uid,
+                                    group_class.find_by_gid_number(gid))
+            entries << user
+            if group
+              old_group = entries.find do |entry|
+                entry.is_a?(group_class) and entry.cn == group.cn
+              end
+              index = entries.index(old_group)
+              if index
+                entries[index] = group
+              else
+                entries << group
+              end
+            end
+          end
+          entries
+        end
+
+        def make_group(group_class, name, gid, description=nil, type=nil)
+          if group_class.exists?(name)
+            group = group_class.find(name)
+          else
+            group = group_class.new(name)
+            group.change_type(type || "domain")
+            group.display_name = name
+            group.description = name || description
+            group.change_gid_number(gid)
+
+            group.save!
+          end
+          group
+        end
+
+        def make_groups
+          entries = []
+          [
+           ["Domain Admins", @options[:administrator_gid],
+            "Netbios Domain Administrators"],
+           ["Domain Users", @options[:default_user_gid],
+            "Netbios Domain Users"],
+           ["Domain Guests", @options[:guest_gid],
+            "Netbios Domain Guest Users"],
+           ["Domain Computers", @options[:default_computer_gid],
+            "Netbios Domain Computers"],
+           ["Administrators", nil, nil, "builtin",
+            group_class::LOCAL_ADMINS_RID],
+           ["Users", nil, nil, "builtin", group_class::LOCAL_USERS_RID],
+           ["Guests", nil, nil, "builtin", group_class::LOCAL_GUESTS_RID],
+           ["Power Users", nil, nil, "builtin",
+            group_class::LOCAL_POWER_USERS_RID],
+           ["Account Operators", nil, nil, "builtin",
+            group_class::LOCAL_ACCOUNT_OPERATORS_RID],
+           ["System Operators", nil, nil, "builtin",
+            group_class::LOCAL_SYSTEM_OPERATORS_RID],
+           ["Print Operators", nil, nil, "builtin",
+            group_class::LOCAL_PRINT_OPERATORS_RID],
+           ["Backup Operators", nil, nil, "builtin",
+            group_class::LOCAL_BACKUP_OPERATORS_RID],
+           ["Replicators", nil, nil, "builtin",
+            group_class::LOCAL_REPLICATORS_RID],
+          ].each do |name, gid, description, type, rid|
+            gid ||= group_class.rid2gid(rid)
+            entries << make_group(group_class, name, gid, description, type)
+          end
+          entries
+        end
+
+        def make_pool
+          config = @base.configuration
+          klass = @options[:unix_id_pool_class]
+          name = config[:samba_domain]
+          if klass.exists?(name)
+            pool = klass.find(name)
+          else
+            pool = klass.new(name)
+            pool.samba_sid = config[:sid]
+            pool.uid_number = @options[:start_uid]
+            pool.gid_number = @options[:start_gid]
+            pool.save!
+          end
+          [pool]
+        end
+      end
+    end
+  end
+end

data/lib/active_samba_ldap/samba_account.rb

@@ -0,0 +1,200 @@
+module ActiveSambaLdap
+  module SambaAccount
+    def self.included(base)
+      super
+      base.extend(ClassMethods)
+    end
+
+    # from source/include/rpc_misc.c in Samba
+    DOMAIN_ADMIN_RID = 0x000001F4
+    DOMAIN_GUEST_RID = 0x000001F5
+
+    # from source/rpc_server/srv_util.c in Samba
+    DOMAIN_ADMIN_NAME = "Administrator"
+    DOMAIN_GUEST_NAME = "Guest"
+
+    WELL_KNOWN_RIDS = []
+    WELL_KNOWN_NAMES = []
+    constants.each do |name|
+      case name
+      when /_RID$/
+        WELL_KNOWN_RIDS << const_get(name)
+      when /_NAME$/
+        WELL_KNOWN_NAMES << const_get(name)
+      end
+    end
+
+    FAR_FUTURE_TIME = Time.parse("2050/01/01").to_i.to_s
+    ACCOUNT_FLAGS_RE = /\A\[([NDHTUMWSLXI ]+)\]\z/
+
+    module ClassMethods
+      def uid2rid(uid)
+        uid = Integer(uid)
+        if WELL_KNOWN_RIDS.include?(uid)
+          uid
+        else
+          2 * uid + 1000
+        end
+      end
+
+      def rid2uid(rid)
+        rid = Integer(rid)
+        if WELL_KNOWN_RIDS.include?(rid)
+          rid
+        else
+          (Integer(rid) - 1000) / 2
+        end
+      end
+
+      def start_rid
+        uid2rid(start_uid)
+      end
+
+      private
+      def default_classes
+        super + ["sambaSamAccount"]
+      end
+
+      def primary_group_options(options)
+        super.merge(:extend => PrimaryGroupProxy)
+      end
+
+      module PrimaryGroupProxy
+        def replace(entry)
+          super
+          if @target
+            if @target.samba_sid.to_s.empty?
+              raise GroupDoesNotHaveSambaSID.new(@target.gid_number)
+            end
+            @owner.samba_primary_group_sid = @target.samba_sid
+          else
+            @owner.samba_primary_group_sid = nil
+          end
+          entry
+        end
+      end
+    end
+
+    def fill_default_values(options={})
+      super
+
+      self.samba_logon_time ||= "0"
+      self.samba_logoff_time ||= FAR_FUTURE_TIME
+      self.samba_kickoff_time ||= nil
+
+      password = options[:password]
+      change_samba_password(password) if password
+      self.samba_lm_password ||= "XXX"
+      self.samba_nt_password ||= "XXX"
+      self.samba_pwd_last_set ||= "0"
+
+      account_flags_is_not_set = samba_acct_flags.nil?
+      self.samba_acct_flags ||= default_account_flags
+
+      can_change_password = options[:can_change_password]
+      if can_change_password
+        self.enable_password_change
+      elsif account_flags_is_not_set or can_change_password == false
+        self.disable_password_change
+      end
+
+      must_change_password = options[:must_change_password]
+      if must_change_password
+        self.enable_forcing_password_change
+      elsif account_flags_is_not_set or must_change_password == false
+        self.disable_forcing_password_change
+      end
+
+      enable_account = options[:enable]
+      if enable_account
+        self.enable
+      elsif account_flags_is_not_set or enable_account == false
+        self.disable
+      end
+
+      self
+    end
+
+    def change_uid_number(uid, allow_non_unique=false)
+      super
+      rid = self.class.uid2rid(uid_number.to_s)
+      change_sid(rid, allow_non_unique)
+    end
+
+    def change_uid_number_by_rid(rid, allow_non_unique=false)
+      change_uid_number(self.class.rid2uid(rid), allow_non_unique)
+    end
+
+    def change_sid(rid, allow_non_unique=false)
+      sid = "#{self.class.configuration[:sid]}-#{rid}"
+      # check_unique_sid_number(sid) unless allow_non_unique
+      self.samba_sid = sid
+    end
+
+    def rid
+      Integer(samba_sid.split(/-/).last)
+    end
+
+    def change_samba_password(password)
+      self.samba_lm_password = Samba::Encrypt.lm_hash(password)
+      self.samba_nt_password = Samba::Encrypt.ntlm_hash(password)
+      self.samba_pwd_last_set = Time.now.to_i.to_s
+    end
+
+    def enable_password_change
+      self.samba_pwd_can_change = "0"
+    end
+
+    def disable_password_change
+      self.samba_pwd_can_change = FAR_FUTURE_TIME
+    end
+
+    def can_change_password?
+      samba_pwd_can_change.nil? or
+        Time.at(samba_pwd_can_change.to_i) <= Time.now
+    end
+
+    def enable_forcing_password_change
+      self.samba_pwd_must_change = "0"
+      if /X/ =~ samba_acct_flags.to_s
+        self.samba_acct_flags = samba_acct_flags.sub(/X/, '')
+      end
+      if samba_pwd_last_set.to_i.zero?
+        self.samba_pwd_last_set = FAR_FUTURE_TIME
+      end
+    end
+
+    def disable_forcing_password_change
+      self.samba_pwd_must_change = FAR_FUTURE_TIME
+    end
+
+    def must_change_password?
+      !(/X/ =~ samba_acct_flags.to_s or
+        samba_pwd_must_change.nil? or
+        Time.at(samba_pwd_must_change.to_i) > Time.now)
+    end
+
+    def enable
+      if /D/ =~ samba_acct_flags.to_s
+        self.samba_acct_flags = samba_acct_flags.gsub(/D/, '')
+      end
+    end
+
+    def disable
+      flags = ""
+      if ACCOUNT_FLAGS_RE =~ samba_acct_flags.to_s
+        flags = $1
+        return if /D/ =~ flags
+      end
+      self.samba_acct_flags = "[D#{flags}]"
+    end
+
+    def enabled?
+      !disabled?
+    end
+
+    def disabled?
+      (/D/ =~ samba_acct_flags.to_s) ? true : false
+    end
+  end
+end

data/lib/active_samba_ldap/samba_computer.rb

@@ -0,0 +1,20 @@
+require 'active_samba_ldap/account'
+require 'active_samba_ldap/user_account'
+require 'active_samba_ldap/samba_account'
+
+module ActiveSambaLdap
+  class SambaComputer < Base
+    include Reloadable::Subclasses
+
+    include Entry
+
+    include Account
+    include ComputerAccount
+    include SambaAccount
+
+    private
+    def default_account_flags
+      "[W]"
+    end
+  end
+end