adap 0.0.12

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: ee6e3514fa3c73373536ae3998baa47a70c1a2e528274d7a0b78f49a6a24188d
+  data.tar.gz: 226aed513502e093d6b53bbe3e959ce56b123ac5292643e0497a45d50556694d
+SHA512:
+  metadata.gz: 55950748cc4a1c3fb4fd2c6cea48a432760808b26e42773937beb6786771842c433f2e9f62b5923bc529acc35a98eb1d17c8df5a5ab7ef92a330f9045114f404
+  data.tar.gz: d3254d935e294f91dd803ba4128cdec7e29d0e9fe34cee6dfaaf9895ec819a7b2299d7def2ac23e102bf4fa4850aedefd636e9e63a87fba9d4c9b0c008133b1e

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+adap-*.gem

data/.travis.yml

@@ -0,0 +1,7 @@
+---
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.6.5
+before_install: gem install bundler -v 2.0.2

data/Gemfile

@@ -0,0 +1,10 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in adap.gemspec
+gemspec
+
+gem "unix-crypt", "~> 1.3"
+
+gem "net-ldap", "~> 0.16.2"
+
+gem "mocha", "~> 1.10"

data/Gemfile.lock

@@ -0,0 +1,28 @@
+PATH
+  remote: .
+  specs:
+    adap (0.0.7)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    minitest (5.14.0)
+    mocha (1.11.2)
+    net-ldap (0.16.2)
+    rake (10.5.0)
+    unix-crypt (1.3.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  adap!
+  bundler (~> 2.0)
+  minitest (~> 5.0)
+  mocha (~> 1.10)
+  net-ldap (~> 0.16.2)
+  rake (~> 10.0)
+  unix-crypt (~> 1.3)
+
+BUNDLED WITH
+   2.1.4

data/README.md

@@ -0,0 +1,122 @@
+# Adap
+Adap is a program that synchronize user data on Samba Active Directory (AD) to LDAP.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'adap'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install adap
+
+## Usage
+
+To build this modules, run the command like below.
+
+```
+gem build adap.gemspec
+```
+
+Then include this module and use it like below.
+
+```ruby
+require "adap"
+
+adap = Adap.new({
+  :ad_host   => "localhost",                                                # Host name or IP of your Active Directory(AD)
+  :ad_binddn => "CN=Administrator,CN=Users,DC=mysite,DC=example,DC=com",    # Bind dn of your AD
+  :ad_basedn => "CN=Users,DC=mysite,DC=example,DC=com",                     # Base dn of your AD
+  :ad_password => "ad_secret",                                              # Password of your AD's bind dn
+  :ldap_host   => "ldap_server",                                            # Host name or IP of your LDAP
+  :ldap_binddn => "uid=Administrator,ou=Users,dc=mysite,dc=example,dc=com", # Bind dn of your LDAP
+  :ldap_basedn => "dc=mysite,dc=example,dc=com",                            # Base dn of your LDAP
+  :ldap_password => "ldap_secret"                                           # Password of your LDAP's bind dn
+})
+
+# This operation will synchronize a user taro-suzuki to LDAP from AD
+adap.sync_user("taro-suzuki")
+```
+
+## Requirements and limitations
+
+This program has some requirements and limitations like below.
+
+### Not all attributes are synchronized
+
+Data synchronized to LDAP from AD are limited such as dn, cn uid and uidNumber etc.
+These attributes are enough to authenticate users to login to Unix-like systems that used an LDAP for authenticating users.
+
+### AD must be set not to require strong auth
+
+AD must allow setting `ldap server require strong auth = no` for getting user data.
+
+* smb.conf of your AD
+```
+ldap server require strong auth = no
+```
+
+This program will fail to get user data from AD if you did not allow this setting.
+
+### AD must allow CryptSHA256 or CryptSHA512 to store password and they have to be same as a storing method in LDAP
+
+AD must allow storing password as CryptSHA256 or CryptSHA512 by setting smb.conf like below.
+
+* your AD's smb.conf
+```
+    password hash userPassword schemes = CryptSHA256 CryptSHA512
+```
+
+And LDAP have to be configured to store password as sha256(CryptSHA256) or sha512(CryptSHA512).
+
+For example, you use OpneLDAP, you have to set configuration like below when you store password as sha256.
+
+```
+$ ldapmodify -Y EXTERNAL -H ldapi:/// << 'EOF'
+dn: cn=config
+add: olcPasswordHash
+olcPasswordHash: {CRYPT}
+-
+add: olcPasswordCryptSaltFormat
+olcPasswordCryptSaltFormat: $5$%.16s
+EOF
+```
+
+This instruction allows us to save password as sha256 with a salt that length is 16 characters.
+Or you can store user's password as sha512 with a salt that length is 16 characters like below.
+
+```
+$ ldapmodify -Y EXTERNAL -H ldapi:/// << 'EOF'
+dn: cn=config
+add: olcPasswordHash
+olcPasswordHash: {CRYPT}
+-
+add: olcPasswordCryptSaltFormat
+olcPasswordCryptSaltFormat: $6$%.16s
+EOF
+```
+
+### This program must be located in AD server
+
+This program must be located in AD server because samba-tool on AD only support getting hashed password only from `ldapi://` or `tdb://`.
+
+### This program only supports syncing user data. Syncing group data does not support yet
+
+Syncing group data might be supported and implemented if some people demand it.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/TsutomuNakamura/adap.

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+end
+
+task :default => :test

data/adap.gemspec

@@ -0,0 +1,29 @@
+lib = File.expand_path("lib", __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "adap/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "adap"
+  spec.version       = ModAdap::VERSION
+  spec.authors       = ["Tsutomu Nakamura"]
+  spec.email         = ["tsuna.0x00@gmail.com"]
+
+  spec.summary       = %q{LDAP migration tool from AD to NT schema}
+  spec.description   = %q{This tool migrate AD LDAP entries to NT LDAP entries.}
+  spec.homepage      = "https://github.com/TsutomuNakamura/adap"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "minitest", "~> 5.0"
+end

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "adap"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/docker-compose.yml

@@ -0,0 +1,21 @@
+version: '3'
+
+services:
+  ruby:
+    container_name: ad-ruby
+    image: tsutomu/adap:docker_bundle_v2.1.2
+    hostname: ruby
+    depends_on:
+      - nt
+    entrypoint:
+      - /opt/entrypoint.sh
+    volumes:
+      - .:/opt/app
+    privileged: true
+
+  nt:
+    container_name: nt
+    hostname: nt
+    image: tsutomu/docker-samba-nt
+    privileged: true
+

data/dockerfile/Dockerfile

@@ -0,0 +1,13 @@
+FROM tsutomu/docker-samba-ad
+LABEL maintainer "Tsutomu Nakamura<tsuna.0x00@gmail.com>"
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get update \
+    && DEBIAN_FRONTEND=noninteractive apt-get -y install \
+        curl ruby-full ruby-bundler \
+    && gem update --system \
+    && rm -rf /usr/share/rubygems-integration/all/specifications/rake-* \
+    && apt-get clean
+
+ENV LC_ALL=C.UTF-8
+ENV LANG=C.UTF-8
+

data/dockerfile/README.md

@@ -0,0 +1,14 @@
+# For testing
+after the container up, you can test connectivity by executing command like below.
+
+```
+ldapsearch -x -LLL -o 'ldif-wrap=no' -h ad -w "p@ssword0" \
+        -D "CN=Administrator,CN=Users,DC=mysite,DC=example,DC=com" \
+        -b "CN=Users,DC=mysite,DC=example,DC=com" \
+        '(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mysite,DC=example,DC=com)'
+```
+
+```
+samba-tool user getpassword taro-suzuki --attribute virtualCryptSHA512
+```
+

data/lib/adap.rb

@@ -0,0 +1,7 @@
+require "adap/version"
+require "adap/adap.rb"
+
+module ModAdap
+  class Error < StandardError; end
+  # Your code goes here...
+end

data/lib/adap/adap.rb

@@ -0,0 +1,471 @@
+require 'net-ldap'
+
+class Adap
+
+  # :unixhomedirectory and :homedirectory are the attributes that has same meaning between AD and LDAP.
+  USER_REQUIRED_ATTRIBUTES = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :unixhomedirectory, :homedirectory]
+  #USER_REQUIRED_ATTRIBUTES = ['cn', 'sn', 'uid', 'uidNumber', 'gidNumber', 'homeDirectory', 'loginShell', 'gecos', 'givenName']
+  GROUP_OF_USER_REQUIRED_ATTRIBUTES = [:objectclass, :gidnumber, :cn, :description, :memberuid]
+
+  #
+  # params {
+  #   :ad_host     required                                     IP or hostname of AD.
+  #   :ad_port     optional (default:389)                       Port of AD host.
+  #   :ad_binddn   required                                     Binddn of AD.
+  #   :ad_basedn   required                                     Basedn of AD users.
+  #   :ad_password optional (default:(empty))                   Password of AD with :ad_binddn.
+  #   :ldap_host     required                                   IP or hostname of NT.
+  #   :ldap_port     optional (default:389)                     Port of NT host.
+  #   :ldap_binddn   required                                   Binddn of NT.
+  #   :ldap_basedn   required                                   Basedn of NT users.
+  #   :ldap_password optional (default:(same as :ad_password))  Password of NT with :ldap_binddn
+  #   :password_hash_algorithm (default:virtualCryptSHA512)     Password hash algorithm. It must be same between AD and LDAP, and only support virtualCryptSHA512 or virtualCryptSHA256 now.
+  # }
+  #
+  def initialize(params)
+    raise "Initialize Adap was failed. params must not be nil" if params == nil
+    #raise 'Adap requires keys of parameter "ad_host" "ad_binddn" "ad_basedn"' \
+    [:ad_host, :ad_binddn, :ad_basedn, :ldap_host, :ldap_binddn, :ldap_basedn].each { |k|
+      raise 'Adap requires keys in params ":ad_host", ":ad_binddn", ":ad_basedn", ":ldap_host", ":ldap_binddn", ":ldap_basedn"' if !params.key?(k)
+    }
+
+    @ad_host                  = params[:ad_host]
+    @ad_port                  = (params[:ad_port] ? params[:ad_port] : 389)
+    @ad_binddn                = params[:ad_binddn]
+    @ad_basedn                = params[:ad_basedn]
+    @ad_auth                  = (params.has_key?(:ad_password) ? { :method => :simple, :username => @ad_binddn, :password => params[:ad_password] } : nil)
+    @ldap_host                = params[:ldap_host]
+    @ldap_port                = (params[:ldap_port] ? params[:ldap_port] : 389)
+    @ldap_binddn              = params[:ldap_binddn]
+    @ldap_basedn              = params[:ldap_basedn]
+    @ldap_user_basedn         = params[:ldap_user_basedn]
+    @ldap_auth                = (params.has_key?(:ldap_password) ? { :method => :simple, :username => @ldap_binddn, :password => params[:ldap_password] } : nil )
+    @password_hash_algorithm  = (params[:password_hash_algorithm] ? params[:password_hash_algorithm] : 'virtualCryptSHA512')
+
+    @ad_client    = Adap::get_ad_client_instance(@ad_host, @ad_port, @ad_auth)
+    @ldap_client  = Adap::get_ldap_client_instance(@ldap_host, @ldap_port, @ldap_auth)
+  end
+
+  def self.get_ad_client_instance(ad_host, ad_port, ad_auth)
+    Net::LDAP.new(:host => ad_host, :port => ad_port, :auth => ad_auth)
+  end
+
+  def self.get_ldap_client_instance(ldap_host, ldap_port, ldap_auth)
+    Net::LDAP.new(:host => ldap_host, :port => ldap_port, :auth => ldap_auth)
+  end
+
+  def get_ad_dn(username)
+    "CN=#{username},CN=Users,#{@ad_basedn}"
+  end
+
+  def get_ldap_dn(username)
+    "uid=#{username},ou=Users,#{@ldap_basedn}"
+  end
+
+  def create_ldap_attributes(entry)
+    attributes = {
+      :objectclass => ["top", "person", "organizationalPerson", "inetOrgPerson", "posixAccount", "shadowAccount"]
+    }
+
+   entry.each do |attribute, values|
+      # Change string to lower case symbols to compare each attributes correctly
+      attribute = attribute.downcase.to_sym
+
+      if USER_REQUIRED_ATTRIBUTES.include?(attribute) then
+        if attribute == :unixhomedirectory then
+          attributes[:homedirectory] = values
+        else
+          attributes[attribute] = values
+        end
+      end
+    end
+
+    attributes
+  end
+
+  def get_password(username)
+    password = get_raw_password(username, @password_hash_algorithm)
+
+    if password == nil || password.empty?
+      raise "Failed to get password of #{username} from AD. Did you enabled AD password option virtualCryptSHA512 and/or virtualCryptSHA256?"
+    end
+    password = password.chomp
+
+    password
+  end
+
+  def get_raw_password(username, algo)
+    `samba-tool user getpassword #{username} --attribute #{algo} 2> /dev/null | grep -E '^virtualCrypt' -A 1 | tr -d ' \n' | cut -d ':' -f 2`
+  end
+
+  def sync_user(uid)
+    ad_entry    = nil
+    ldap_entry  = nil
+    ad_dn       = get_ad_dn(uid)
+    ldap_dn     = get_ldap_dn(uid)
+
+    # dn: CN=user-name,CN=Users,DC=mysite,DC=example,DC=com
+    @ad_client.search(:base => ad_dn) do |entry|
+      ad_entry = entry
+    end
+    ret_code = @ad_client.get_operation_result.code
+
+    return {
+      :code => ret_code,
+      :operations => nil,
+      :message => "Failed to get a user #{ad_dn} from AD - " + @ad_client.get_operation_result.error_message
+    } if ret_code != 0 && ret_code != 32
+
+    @ldap_client.search(:base => ldap_dn) do |entry|
+      ldap_entry = entry
+    end
+    ret_code = @ldap_client.get_operation_result.code
+
+    return {
+      :code => ret_code,
+      :operations => nil,
+      :message => "Failed to get a user #{ldap_dn} from LDAP - " + @ldap_client.get_operation_result.error_message
+    } if ret_code != 0 && ret_code != 32
+
+    ret = nil
+    if !ad_entry.nil? and ldap_entry.nil? then
+      ret = add_user(ldap_dn, ad_entry, get_password(uid))
+    elsif ad_entry.nil? and !ldap_entry.nil? then
+      ret = delete_user(ldap_dn)
+    elsif !ad_entry.nil? and !ldap_entry.nil? then
+      ret = modify_user(ldap_dn, ad_entry, ldap_entry, get_password(uid))
+    else
+      # ad_entry.nil? and ldap_entry.nil? then
+      return {:code => 0, :operations => nil, :message => "There are not any data of #{uid} to sync."}
+    end
+
+    return ret if ret[:code] != 0
+
+    # Sync groups belonging the user next if syncing data of the user has succeeded.
+    ret_sync_group = sync_group_of_user(uid, get_primary_gidnumber(ad_entry))
+
+    return {
+      :code => ret_sync_group[:code],
+      :operations => ret[:operations].concat(ret_sync_group[:operations]),
+      :message => (
+        ret_sync_group[:code] == 0 ?
+          nil : "Syncing a user #{uid} has succeeded but syncing its groups have failed. Message: " + ret_sync_group[:message]
+      )
+    }
+  end
+
+  def add_user(ldap_user_dn, ad_entry, password)
+    attributes = create_ldap_attributes(ad_entry)
+
+    @ldap_client.add(
+      :dn => ldap_user_dn,
+      :attributes => attributes
+    )
+    ret_code = @ldap_client.get_operation_result.code
+
+    return {
+      :code => ret_code,
+      :operations => [:add_user],
+      :message => "Failed to add a user #{ldap_user_dn} in add_user() - " + @ldap_client.get_operation_result.error_message
+    } if ret_code != 0
+
+    @ldap_client.modify(
+      :dn => ldap_user_dn,
+      :operations => [
+        [:add, :userPassword, password]
+      ]
+    )
+    ret_code = @ldap_client.get_operation_result.code
+
+    return {
+      :code => ret_code,
+      :operations => [:add_user],
+      :message => "Failed to modify a user #{ldap_user_dn} in add_user() - " + @ldap_client.get_operation_result.error_message
+    } if ret_code != 0
+
+    return {:code => ret_code, :operations => [:add_user], :message => nil}
+  end
+
+  def modify_user(ldap_user_dn, ad_entry, ldap_entry, password)
+    # An attribute objectClass will not be sync because it assumed already added by add_user() function or another method in LDAP.
+    operations = create_modify_operations(ad_entry, ldap_entry, password)
+
+    @ldap_client.modify(
+      :dn => ldap_user_dn,
+      :operations => operations
+    )
+    ret_code = @ldap_client.get_operation_result.code
+
+    return {
+      :code => ret_code,
+      :operations => [:modify_user],
+      :message => "Failed to modify a user #{ldap_user_dn} in modify_user() - " + @ldap_client.get_operation_result.error_message
+    } if ret_code != 0
+
+    return {:code => ret_code, :operations => [:modify_user], :message => nil}
+  end
+
+  def create_modify_operations(ad_entry, ldap_entry, password)
+    operations = []
+
+    ad_entry.each do |key, value|
+      ad_key_sym    = key.downcase.to_sym
+      ldap_key      = (key != :unixhomedirectory ? key : :homedirectory)
+      ldap_key_sym  = ldap_key.downcase.to_sym
+
+      if USER_REQUIRED_ATTRIBUTES.include?(ad_key_sym)
+        next if value == ldap_entry[ldap_key]
+        operations.push((ldap_entry[ldap_key] != nil ? [:replace, ldap_key_sym, value] : [:add, ldap_key_sym, value]))
+      end
+    end
+
+    ldap_entry.each do |key, value|
+      ldap_key_sym  = key.downcase.to_sym
+      ad_key        = (key != :homedirectory ? key : :unixhomedirectory)
+
+      if USER_REQUIRED_ATTRIBUTES.include?(ldap_key_sym)
+        operations.push([:delete, ldap_key_sym, nil]) if ad_entry[ad_key] == nil
+      end
+    end
+
+    # AD does not have password as simple ldap attribute.
+    # So password will always be updated for this reason.
+    operations.push([:replace, :userpassword, password])
+
+    operations
+  end
+
+  def delete_user(ldap_user_dn)
+    @ldap_client.delete(:dn => ldap_user_dn)
+    ret_code = @ldap_client.get_operation_result.code
+
+    return {
+      :code => ret_code,
+      :operations => [:delete_user],
+      :message => "Failed to delete a user #{ldap_user_dn} in delete_user() - " + @ldap_client.get_operation_result.error_message
+    } if ret_code != 0
+
+    return {:code => ret_code, :operations => [:delete_user], :message => nil}
+  end
+
+  def sync_group_of_user(uid, primary_gid_number)
+    ad_group_map = {}
+    ldap_group_map = {}
+
+    # Creating AD ldapsearch filter
+
+    ad_filter = if primary_gid_number == nil then
+      Net::LDAP::Filter.construct(
+          "(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,#{@ad_basedn})(member=CN=#{uid},CN=Users,#{@ad_basedn}))")
+    else
+      Net::LDAP::Filter.construct(
+          "(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,#{@ad_basedn})(|(member=CN=#{uid},CN=Users,#{@ad_basedn})(gidNumber=#{primary_gid_number})))")
+    end
+
+    # Get groups from AD
+    # entry = {
+    #   :gidnumber => xxx,
+    # }
+    #
+    @ad_client.search(:base => @ad_basedn, :filter => ad_filter) do |entry|
+      ad_group_map[entry[:name].first] = {:gidnumber => entry[:gidnumber]}
+      #ad_group_map[entry[:name]] = nil
+    end
+    ret_code = @ad_client.get_operation_result.code
+
+    return {
+      :code => ret_code,
+      :operations => [:search_groups_from_ad],
+      :message => "Failed to get groups of a user #{uid} from AD to sync them. " + @ad_client.get_operation_result.error_message
+    } if ret_code != 0 && ret_code != 32
+
+    # Create LDAP ldapsearch filter
+    ldap_filter = Net::LDAP::Filter.construct("(memberUid=#{uid})")
+
+    # Get groups from LDAP
+    @ldap_client.search(:base => "ou=Groups," + @ldap_basedn, :filter => ldap_filter) do |entry|
+      # gidnumber is not necessary for LDAP entry
+      ldap_group_map[entry[:cn].first] = nil
+    end
+    ret_code = @ldap_client.get_operation_result.code
+
+    return {
+      :code => ret_code,
+      :operations => [:search_groups_from_ldap],
+      :message => "Failed to get groups of a user #{uid} from LDAP to sync them. " + @ldap_client.get_operation_result.error_message
+    } if ret_code != 0
+
+    # Comparing name of AD's entry and cn of LDAP's entry
+    operation_pool = create_sync_group_of_user_operation(ad_group_map, ldap_group_map, uid)
+    ret = do_sync_group_of_user_operation(operation_pool)
+
+    return {
+      :code => ret[:code],
+      :operations => [:modify_group_of_user],
+      :message => (ret[:code] == 0 ? nil: ret[:message])
+    }
+  end
+
+  # {
+  #   "cn=foo,ou=Groups,dc=mysite,dc=example,dc=com": {
+  #     :cn => "foo",
+  #     :gidnumber => xxx,
+  #     :operations => [[:add, :memberuid, uid]]
+  #   }
+  #   "cn=bar,ou=Groups,dc=mysite,dc=example,dc=com": {
+  #     :cn => "bar",
+  #     :gidnumber => yyy,
+  #     :operations => [[:delete, :memberuid, uid]]
+  #   }
+  # }
+  def create_sync_group_of_user_operation(ad_group_map, ldap_group_map, uid)
+    operation_pool = {}
+
+    ad_group_map.each_key do |key|
+      dn = "cn=#{key},ou=Groups,#{@ldap_basedn}"
+      # Convert AD entries to LDAP entries to create operation to update LDAP data.
+      operation_pool[dn] = {
+        :cn => key,
+        :gidnumber => ad_group_map[key][:gidnumber],
+        :operations => [[:add, :memberuid, uid]]
+      } if !ldap_group_map.has_key?(key)
+    end
+
+    ldap_group_map.each_key do |key|
+      operation_pool["cn=#{key},ou=Groups,#{@ldap_basedn}"] = {
+        # :cn and :gidnumber are not necessary
+        :operations => [[:delete, :memberuid, uid]]
+      } if !ad_group_map.has_key?(key)
+    end
+
+    operation_pool
+  end
+
+  def do_sync_group_of_user_operation(operation_pool)
+    return {
+      :code => 0,
+      :operations => nil,
+      :message => "There are not any groups of user to sync"
+    } if operation_pool.length == 0
+
+    # ex)
+    #   entry_key = "cn=bar,ou=Groups,dc=mysite,dc=example,dc=com"
+    operation_pool.each_key do |entry_key|
+
+      # ex)
+      #   entry = {
+      #     :cn => "bar",
+      #     :gidnumber => 1000,
+      #     :operations => [[:add, :memberuid, uid]]  # or [[:delete, :memberuid, uid]]
+      #   }
+      entry = operation_pool[entry_key]
+
+      if entry[:operations].first.first == :add then
+        ret = add_group_if_not_existed(entry_key, entry)
+        return ret if ret[:code] != 0
+      end
+      # The operation will be like...
+      # [[:add, :memberuid, "username"]] or [[:delete, :memberuid, "username"]]
+
+      @ldap_client.modify({
+        :dn => entry_key,
+        :operations => entry[:operations]
+      })
+      ret_code = @ldap_client.get_operation_result.code
+
+      return {
+        :code => ret_code,
+        :operations => [:modify_group_of_user],
+        :message => "Failed to modify group \"#{entry_key}\" of user #{entry[:cn]}. " + @ldap_client.get_operation_result.error_message
+      } if ret_code != 0
+
+      if entry[:operations].first.first == :delete then
+        ret = delete_group_if_existed_as_empty(entry_key)
+        return ret if ret[:code] != 0
+      end
+    end
+
+    return {:code => 0, :operations => [:modify_group_of_user], :message => nil}
+  end
+
+  def add_group_if_not_existed(group_dn, entry)
+    @ldap_client.search(:base => group_dn)
+    ret_code = @ldap_client.get_operation_result.code
+
+    # The group already existed
+    return {:code => 0, :operations => nil, :message => nil} if ret_code == 0
+
+    # Failed to query ldapsearch for some reason
+    return {
+      :code => ret_code,
+      :operations => nil,
+      :message => "Failed to search LDAP in add_group_if_not_existed(). " + @ldap_client.get_operation_result.error_message
+    } if ret_code != 32
+
+    attributes = {:objectclass => ["top", "posixGroup"]}
+    attributes[:gidnumber] = entry[:gidnumber] if entry[:gidnumber] != nil
+    attributes[:cn] = entry[:cn] if entry[:cn] != nil
+
+    @ldap_client.add(
+      :dn => group_dn,
+      :attributes => attributes
+    )
+    ret_code = @ldap_client.get_operation_result.code
+
+    return {
+      :code => ret_code,
+      :operations => [:add_group],
+      :message => (ret_code == 0 ? nil : "Failed to add a group in add_group_if_not_existed(). " + @ldap_client.get_operation_result.error_message)
+    }
+  end
+
+  def delete_group_if_existed_as_empty(group_dn)
+    is_no_memberuid = false
+    # Check whether the group has memberuid
+    @ldap_client.search(:base => group_dn, :filter => "(!(memberUid=*))") do |e|
+      is_no_memberuid = true
+    end
+
+    ret_code = @ldap_client.get_operation_result.code
+    return {:code => 0, :operations => nil, :message => nil} \
+      if (ret_code == 0 && is_no_memberuid == false) || ret_code == 32
+
+    return {
+      :code => ret_code,
+      :operations => nil,
+      :message => "Failed to search group in delete_group_if_existed_as_empty(). " + @ldap_client.get_operation_result.error_message
+    } if ret_code != 0
+
+    @ldap_client.delete(:dn => group_dn)
+    ret_code = @ldap_client.get_operation_result.code
+
+    return {
+      :code => ret_code,
+      :operations => [:delete_group],
+      :message => (ret_code == 0 ? nil: "Failed to delete a group in delete_group_if_existed_as_empty(). " + @ldap_client.get_operation_result.error_message)
+    }
+  end
+
+  def get_primary_gidnumber(entry)
+    return nil if entry == nil
+
+    if entry[:primarygroupid] == nil then
+      ad_result = get_primary_gidnumber_from_ad(entry[:uid].first)
+      return ad_result
+    end
+
+    return entry[:primarygroupid].first
+  end
+
+  def get_primary_gidnumber_from_ad(uid)
+    return nil if uid ==nil
+
+    @ad_client.search(:base => "CN=#{uid},CN=Users,#{@ad_basedn}") do |entry|
+      primary_gid = entry[:gidnumber].first
+    end
+
+    return primary_gid
+  end
+
+end
+

data/lib/adap/version.rb

@@ -0,0 +1,3 @@
+module ModAdap
+  VERSION = "0.0.12"
+end

metadata

@@ -0,0 +1,101 @@
+--- !ruby/object:Gem::Specification
+name: adap
+version: !ruby/object:Gem::Version
+  version: 0.0.12
+platform: ruby
+authors:
+- Tsutomu Nakamura
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2020-01-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+description: This tool migrate AD LDAP entries to NT LDAP entries.
+email:
+- tsuna.0x00@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- adap.gemspec
+- bin/console
+- bin/setup
+- docker-compose.yml
+- dockerfile/Dockerfile
+- dockerfile/README.md
+- dockerfile/entrypoint.sh
+- lib/adap.rb
+- lib/adap/adap.rb
+- lib/adap/version.rb
+homepage: https://github.com/TsutomuNakamura/adap
+licenses: []
+metadata:
+  homepage_uri: https://github.com/TsutomuNakamura/adap
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key: 
+specification_version: 4
+summary: LDAP migration tool from AD to NT schema
+test_files: []