adap 0.0.16 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 907364c192378f50871a6c1e5248db8382a53c2b876d9f3ff6823c6b2dad2de6
-  data.tar.gz: ff142c11c0b48cb722614a0d850a2a7cd9570577b9f0322f7cd2a40d06e95f70
+  metadata.gz: 3158307760aaffe02f99a06d508783b569321759652824029bf91615cdfea9ea
+  data.tar.gz: 96bf2d0170c919e0a1946d5532c1d9e929dba0003548d6b091ba7d242d3238fd
 SHA512:
-  metadata.gz: bacf1a764a793be1039e58344ede45baad6cd59539f0e9911158f2bfe76489096b134475c174c0e825f1c4645652602defd9ea68d8f4453f9e87d53ba246293e
-  data.tar.gz: e4fad9ea602012095e434959d852e8bd94e360f81cb678cec92b86326c617fdcd80abc0f282dbad3f068e2e4c64cb3b35fcb714b82b536732cb303ce1ccb3524
+  metadata.gz: b22800cef66237c05002282ee1b63cc2e6070d151ef899ed67af75a4069b994aeb2f11987b13ff2882864b237fccc8dca9274dba0a35fa25b8da897618dc998e
+  data.tar.gz: fd5bbdb231aa7c046335c8849af2898c30dd0e564a6b82faab86a4a63a77c8ebd2bd63611c28c8fe5c7ea70bcbad35019ec843497ef54f187051f1034cf2c775

data/Gemfile

@@ -8,3 +8,5 @@ gem "unix-crypt", "~> 1.3"
 gem "net-ldap", "~> 0.16.2"
 
 gem "mocha", "~> 1.10"
+
+gem "rake", "~> 13.0"

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    adap (0.0.15)
+    adap (0.0.16)
 
 GEM
   remote: https://rubygems.org/
@@ -9,7 +9,7 @@ GEM
     minitest (5.14.0)
     mocha (1.11.2)
     net-ldap (0.16.2)
-    rake (10.5.0)
+    rake (13.0.1)
     unix-crypt (1.3.0)
 
 PLATFORMS
@@ -21,7 +21,7 @@ DEPENDENCIES
   minitest (~> 5.0)
   mocha (~> 1.10)
   net-ldap (~> 0.16.2)
-  rake (~> 10.0)
+  rake (~> 13.0)
   unix-crypt (~> 1.3)
 
 BUNDLED WITH

data/lib/adap/adap.rb

@@ -24,9 +24,18 @@ class Adap
     }
 
     # List of attributes for user in AD
-    @ad_user_required_attributes   = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :unixhomedirectory]
+    @ad_user_required_attributes   = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :unixhomedirectory]
     # List of attributes for user in LDAP
-    @ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :homedirectory]
+    @ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :homedirectory]
+
+    # List of supported hash algorithms keys and string values to operate
+    @supported_hash_algorithms_map = {
+      :md5                  => "{MD5}",
+      :sha                  => "{SHA}",
+      :ssha                 => "{SSHA}",
+      :virtual_crypt_sha256 => "virtualCryptSHA256",
+      :virtual_crypt_sha512 => "virtualCryptSHA512"
+    }
 
     @ad_host                  = params[:ad_host]
     @ad_port                  = (params[:ad_port] ? params[:ad_port] : 389)
@@ -40,8 +49,17 @@ class Adap
     @ldap_basedn              = params[:ldap_basedn]
     @ldap_user_basedn         = params[:ldap_user_basedn]
     @ldap_auth                = (params.has_key?(:ldap_password) ? { :method => :simple, :username => @ldap_binddn, :password => params[:ldap_password] } : nil )
-    # This attribute converted in generally ... :'msds-phoneticdisplayname' -> :'displayname;lang-ja;phonetic'
-    @password_hash_algorithm  = (params[:password_hash_algorithm] ? params[:password_hash_algorithm] : 'virtualCryptSHA512')
+
+    # A password-hash algorithm to sync to the LDAP.
+    # Popular LDAP products like Open LDAP usually supports md5({MD5}), sha1({SHA}) and ssha({SSHA}) algorithms.
+    # If you want to use virtualCryptSHA256 or virtualCryptSHA512, you have to set additional configurations to OpenLDAP.
+    @password_hash_algorithm  = (params[:password_hash_algorithm] ? params[:password_hash_algorithm] : :ssha)
+    # TODO: Check a hash algorithm is supported or not
+    unless @supported_hash_algorithms_map.has_key?(@password_hash_algorithm) then
+      raise "This program only supports :md5, :sha, :ssha(default), :virtual_crypt_sha256 and :virtual_crypt_sha512 " \
+            + "as :password_hash_algorithm. " \
+            + "An algorithm you chose #{@password_hash_algorithm.is_a?(Symbol) ? ":" : ""}#{@password_hash_algorithm} was unsupported."
+    end
 
     # Phonetics are listed in https://lists.samba.org/archive/samba/2017-March/207308.html
     @map_ad_msds_phonetics = {}
@@ -112,22 +130,33 @@ class Adap
     attributes
   end
 
-  def get_password(username)
-    password = get_raw_password(username, @password_hash_algorithm)
+  def get_password_hash(username, password)
+    case @password_hash_algorithm
+    when :md5, :sha, :ssha then
+      if password.nil? then
+        raise "Password must not be nil when you chose the algorithm of password-hash is :md5 or :sha or :ssha. Pass password of #{username} please."
+      end
+      result = Net::LDAP::Password.generate(@password_hash_algorithm, password)
+    else
+      # Expects :virtual_crypt_sha256(virtualCryptSHA256) or :virtual_crypt_sha512(virtualCryptSHA512)
+      result = get_raw_password_from_ad(username, @supported_hash_algorithms_map[@password_hash_algorithm])
+    end
 
-    if password == nil || password.empty?
-      raise "Failed to get password of #{username} from AD. Did you enabled AD password option virtualCryptSHA512 and/or virtualCryptSHA256?"
+    if result.nil? or result.empty? then
+      raise "Failed to get hashed password with algorithm :#{@password_hash_algorithm} of user #{username}. " +
+        "Its result was nil. If you chose hash-algorithm :virtual_crypt_sha256 or :virtual_crypt_sha512, " +
+        "did you enabled AD to store passwords as virtualCryptSHA256 and/or virtualCryptSHA512 in your smb.conf? " +
+        "This program requires the configuration to get password from AD as virtualCryptSHA256 or virtualCryptSHA512."
     end
-    password = password.chomp
 
-    password
+    result.chomp
   end
 
-  def get_raw_password(username, algo)
+  def get_raw_password_from_ad(username, algo)
     `samba-tool user getpassword #{username} --attribute #{algo} 2> /dev/null | grep -E '^virtualCrypt' -A 1 | tr -d ' \n' | cut -d ':' -f 2`
   end
 
-  def sync_user(uid)
+  def sync_user(uid, password=nil)
     ad_entry    = nil
     ldap_entry  = nil
     ad_dn       = get_ad_dn(uid)
@@ -139,6 +168,7 @@ class Adap
     end
     ret_code = @ad_client.get_operation_result.code
 
+    # Return 32 means that the object does not exist
     return {
       :code => ret_code,
       :operations => nil,
@@ -158,11 +188,11 @@ class Adap
 
     ret = nil
     if !ad_entry.nil? and ldap_entry.nil? then
-      ret = add_user(ldap_dn, ad_entry, get_password(uid))
+      ret = add_user(ldap_dn, ad_entry, get_password_hash(uid, password))
     elsif ad_entry.nil? and !ldap_entry.nil? then
       ret = delete_user(ldap_dn)
     elsif !ad_entry.nil? and !ldap_entry.nil? then
-      ret = modify_user(ldap_dn, ad_entry, ldap_entry, get_password(uid))
+      ret = modify_user(ldap_dn, ad_entry, ldap_entry, get_password_hash(uid, password))
     else
       # ad_entry.nil? and ldap_entry.nil? then
       return {:code => 0, :operations => nil, :message => "There are not any data of #{uid} to sync."}
@@ -184,6 +214,10 @@ class Adap
   end
 
   def add_user(ldap_user_dn, ad_entry, password)
+    if password == nil || password.empty?
+      raise "add_user() requires password. Set a hashed password of the user #{ad_entry[:cn]} please."
+    end
+
     attributes = create_ldap_attributes(ad_entry)
 
     @ldap_client.add(
@@ -209,7 +243,7 @@ class Adap
     return {
       :code => ret_code,
       :operations => [:add_user],
-      :message => "Failed to modify a user #{ldap_user_dn} in add_user() - " + @ldap_client.get_operation_result.error_message
+      :message => "Failed to modify a user #{ldap_user_dn} to add userPassword in add_user() - " + @ldap_client.get_operation_result.error_message
     } if ret_code != 0
 
     return {:code => ret_code, :operations => [:add_user], :message => nil}
@@ -273,7 +307,9 @@ class Adap
 
     # AD does not have password as simple ldap attribute.
     # So password will always be updated for this reason.
-    operations.push([:replace, :userpassword, password])
+    if not password.nil? and not password.empty? then
+      operations.push([:replace, :userpassword, password])
+    end
 
     operations
   end
@@ -502,12 +538,13 @@ class Adap
 
   def get_primary_gidnumber_from_ad(uid)
     return nil if uid ==nil
+    primary_gid = nil
 
     @ad_client.search(:base => "CN=#{uid},CN=Users,#{@ad_basedn}") do |entry|
       primary_gid = entry[:gidnumber].first
     end
 
-    return primary_gid
+    primary_gid
   end
 
 end

data/lib/adap/version.rb

@@ -1,3 +1,3 @@
 module ModAdap
-  VERSION = "0.0.16"
+  VERSION = "0.1.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: adap
 version: !ruby/object:Gem::Version
-  version: 0.0.16
+  version: 0.1.0
 platform: ruby
 authors:
 - Tsutomu Nakamura
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-02-22 00:00:00.000000000 Z
+date: 2020-08-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -79,7 +79,7 @@ homepage: https://github.com/TsutomuNakamura/adap
 licenses: []
 metadata:
   homepage_uri: https://github.com/TsutomuNakamura/adap
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -94,8 +94,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.1.3
+signing_key:
 specification_version: 4
 summary: LDAP migration tool from AD to NT schema
 test_files: []