adap 0.0.17 → 0.1.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/adap/adap.rb +59 -16
- data/lib/adap/version.rb +1 -1
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1e4bb42dc06a861a5f1965c45dfa5d4bb0a3cb78b7243c6308b3d00554911b0f
|
|
4
|
+
data.tar.gz: 36bedddcc2deb57b92fa451d9c1ee736095bfc2dd5adf79a9457c887403e5f58
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f07b96cbe81656483463b75f01a582514790d9fa629d7ed7a892baa2f0942008cf3222fea2c72db3673cb08628d6457476350b3a60282047697b4a53caed6830
|
|
7
|
+
data.tar.gz: e11fe0e9c844c0a42bd9d57f90e79b40a99fe76fe9f5e5f0233276542b07f4672e1f7339cab4fea357653765b1d8e5f44cdfd70d379050aa3473c75a33e60849
|
data/lib/adap/adap.rb
CHANGED
|
@@ -24,9 +24,20 @@ class Adap
|
|
|
24
24
|
}
|
|
25
25
|
|
|
26
26
|
# List of attributes for user in AD
|
|
27
|
-
@ad_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :unixhomedirectory]
|
|
27
|
+
@ad_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :unixhomedirectory]
|
|
28
28
|
# List of attributes for user in LDAP
|
|
29
|
-
@ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :homedirectory]
|
|
29
|
+
@ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :homedirectory]
|
|
30
|
+
|
|
31
|
+
# List of supported hash algorithms keys and string values to operate
|
|
32
|
+
@supported_hash_algorithms_map = {
|
|
33
|
+
:md5 => "{MD5}",
|
|
34
|
+
:sha => "{SHA}",
|
|
35
|
+
:ssha => "{SSHA}",
|
|
36
|
+
:virtual_crypt_sha256 => "virtualCryptSHA256",
|
|
37
|
+
:virtual_crypt_sha512 => "virtualCryptSHA512"
|
|
38
|
+
}
|
|
39
|
+
# List of unsupported hash algorithms in AD but OpenLDAP support
|
|
40
|
+
@unsupported_hash_algorithms_in_ad = [:md5, :sha, :ssha]
|
|
30
41
|
|
|
31
42
|
@ad_host = params[:ad_host]
|
|
32
43
|
@ad_port = (params[:ad_port] ? params[:ad_port] : 389)
|
|
@@ -40,8 +51,17 @@ class Adap
|
|
|
40
51
|
@ldap_basedn = params[:ldap_basedn]
|
|
41
52
|
@ldap_user_basedn = params[:ldap_user_basedn]
|
|
42
53
|
@ldap_auth = (params.has_key?(:ldap_password) ? { :method => :simple, :username => @ldap_binddn, :password => params[:ldap_password] } : nil )
|
|
43
|
-
|
|
44
|
-
|
|
54
|
+
|
|
55
|
+
# A password-hash algorithm to sync to the LDAP.
|
|
56
|
+
# Popular LDAP products like Open LDAP usually supports md5({MD5}), sha1({SHA}) and ssha({SSHA}) algorithms.
|
|
57
|
+
# If you want to use virtualCryptSHA256 or virtualCryptSHA512, you have to set additional configurations to OpenLDAP.
|
|
58
|
+
@password_hash_algorithm = (params[:password_hash_algorithm] ? params[:password_hash_algorithm] : :ssha)
|
|
59
|
+
# TODO: Check a hash algorithm is supported or not
|
|
60
|
+
unless @supported_hash_algorithms_map.has_key?(@password_hash_algorithm) then
|
|
61
|
+
raise "This program only supports :md5, :sha, :ssha(default), :virtual_crypt_sha256 and :virtual_crypt_sha512 " \
|
|
62
|
+
+ "as :password_hash_algorithm. " \
|
|
63
|
+
+ "An algorithm you chose #{@password_hash_algorithm.is_a?(Symbol) ? ":" : ""}#{@password_hash_algorithm} was unsupported."
|
|
64
|
+
end
|
|
45
65
|
|
|
46
66
|
# Phonetics are listed in https://lists.samba.org/archive/samba/2017-March/207308.html
|
|
47
67
|
@map_ad_msds_phonetics = {}
|
|
@@ -112,22 +132,33 @@ class Adap
|
|
|
112
132
|
attributes
|
|
113
133
|
end
|
|
114
134
|
|
|
115
|
-
def
|
|
116
|
-
|
|
135
|
+
def get_password_hash(username, password)
|
|
136
|
+
case @password_hash_algorithm
|
|
137
|
+
when :md5, :sha, :ssha then
|
|
138
|
+
if password.nil? then
|
|
139
|
+
raise "Password must not be nil when you chose the algorithm of password-hash is :md5 or :sha or :ssha. Pass password of #{username} please."
|
|
140
|
+
end
|
|
141
|
+
result = Net::LDAP::Password.generate(@password_hash_algorithm, password)
|
|
142
|
+
else
|
|
143
|
+
# Expects :virtual_crypt_sha256(virtualCryptSHA256) or :virtual_crypt_sha512(virtualCryptSHA512)
|
|
144
|
+
result = get_raw_password_from_ad(username, @supported_hash_algorithms_map[@password_hash_algorithm])
|
|
145
|
+
end
|
|
117
146
|
|
|
118
|
-
if
|
|
119
|
-
raise "Failed to get password of #{username}
|
|
147
|
+
if result.nil? or result.empty? then
|
|
148
|
+
raise "Failed to get hashed password with algorithm :#{@password_hash_algorithm} of user #{username}. " +
|
|
149
|
+
"Its result was nil. If you chose hash-algorithm :virtual_crypt_sha256 or :virtual_crypt_sha512, " +
|
|
150
|
+
"did you enabled AD to store passwords as virtualCryptSHA256 and/or virtualCryptSHA512 in your smb.conf? " +
|
|
151
|
+
"This program requires the configuration to get password from AD as virtualCryptSHA256 or virtualCryptSHA512."
|
|
120
152
|
end
|
|
121
|
-
password = password.chomp
|
|
122
153
|
|
|
123
|
-
|
|
154
|
+
result.chomp
|
|
124
155
|
end
|
|
125
156
|
|
|
126
|
-
def
|
|
157
|
+
def get_raw_password_from_ad(username, algo)
|
|
127
158
|
`samba-tool user getpassword #{username} --attribute #{algo} 2> /dev/null | grep -E '^virtualCrypt' -A 1 | tr -d ' \n' | cut -d ':' -f 2`
|
|
128
159
|
end
|
|
129
160
|
|
|
130
|
-
def sync_user(uid)
|
|
161
|
+
def sync_user(uid, password=nil)
|
|
131
162
|
ad_entry = nil
|
|
132
163
|
ldap_entry = nil
|
|
133
164
|
ad_dn = get_ad_dn(uid)
|
|
@@ -139,6 +170,7 @@ class Adap
|
|
|
139
170
|
end
|
|
140
171
|
ret_code = @ad_client.get_operation_result.code
|
|
141
172
|
|
|
173
|
+
# Return 32 means that the object does not exist
|
|
142
174
|
return {
|
|
143
175
|
:code => ret_code,
|
|
144
176
|
:operations => nil,
|
|
@@ -158,11 +190,16 @@ class Adap
|
|
|
158
190
|
|
|
159
191
|
ret = nil
|
|
160
192
|
if !ad_entry.nil? and ldap_entry.nil? then
|
|
161
|
-
ret = add_user(ldap_dn, ad_entry,
|
|
193
|
+
ret = add_user(ldap_dn, ad_entry, get_password_hash(uid, password))
|
|
162
194
|
elsif ad_entry.nil? and !ldap_entry.nil? then
|
|
163
195
|
ret = delete_user(ldap_dn)
|
|
164
196
|
elsif !ad_entry.nil? and !ldap_entry.nil? then
|
|
165
|
-
ret = modify_user(
|
|
197
|
+
ret = modify_user(
|
|
198
|
+
ldap_dn,
|
|
199
|
+
ad_entry,
|
|
200
|
+
ldap_entry,
|
|
201
|
+
( password.nil? and (@unsupported_hash_algorithms_in_ad.include?(@password_hash_algorithm)) ) ? nil : get_password_hash(uid, password)
|
|
202
|
+
)
|
|
166
203
|
else
|
|
167
204
|
# ad_entry.nil? and ldap_entry.nil? then
|
|
168
205
|
return {:code => 0, :operations => nil, :message => "There are not any data of #{uid} to sync."}
|
|
@@ -184,6 +221,10 @@ class Adap
|
|
|
184
221
|
end
|
|
185
222
|
|
|
186
223
|
def add_user(ldap_user_dn, ad_entry, password)
|
|
224
|
+
if password == nil || password.empty?
|
|
225
|
+
raise "add_user() requires password. Set a hashed password of the user #{ad_entry[:cn]} please."
|
|
226
|
+
end
|
|
227
|
+
|
|
187
228
|
attributes = create_ldap_attributes(ad_entry)
|
|
188
229
|
|
|
189
230
|
@ldap_client.add(
|
|
@@ -209,7 +250,7 @@ class Adap
|
|
|
209
250
|
return {
|
|
210
251
|
:code => ret_code,
|
|
211
252
|
:operations => [:add_user],
|
|
212
|
-
:message => "Failed to modify a user #{ldap_user_dn} in add_user() - " + @ldap_client.get_operation_result.error_message
|
|
253
|
+
:message => "Failed to modify a user #{ldap_user_dn} to add userPassword in add_user() - " + @ldap_client.get_operation_result.error_message
|
|
213
254
|
} if ret_code != 0
|
|
214
255
|
|
|
215
256
|
return {:code => ret_code, :operations => [:add_user], :message => nil}
|
|
@@ -273,7 +314,9 @@ class Adap
|
|
|
273
314
|
|
|
274
315
|
# AD does not have password as simple ldap attribute.
|
|
275
316
|
# So password will always be updated for this reason.
|
|
276
|
-
|
|
317
|
+
if not password.nil? and not password.empty? then
|
|
318
|
+
operations.push([:replace, :userpassword, password])
|
|
319
|
+
end
|
|
277
320
|
|
|
278
321
|
operations
|
|
279
322
|
end
|
data/lib/adap/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: adap
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.1.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tsutomu Nakamura
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-08-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -79,7 +79,7 @@ homepage: https://github.com/TsutomuNakamura/adap
|
|
|
79
79
|
licenses: []
|
|
80
80
|
metadata:
|
|
81
81
|
homepage_uri: https://github.com/TsutomuNakamura/adap
|
|
82
|
-
post_install_message:
|
|
82
|
+
post_install_message:
|
|
83
83
|
rdoc_options: []
|
|
84
84
|
require_paths:
|
|
85
85
|
- lib
|
|
@@ -94,8 +94,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
94
94
|
- !ruby/object:Gem::Version
|
|
95
95
|
version: '0'
|
|
96
96
|
requirements: []
|
|
97
|
-
rubygems_version: 3.1.
|
|
98
|
-
signing_key:
|
|
97
|
+
rubygems_version: 3.1.3
|
|
98
|
+
signing_key:
|
|
99
99
|
specification_version: 4
|
|
100
100
|
summary: LDAP migration tool from AD to NT schema
|
|
101
101
|
test_files: []
|