adap 0.0.17 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/adap/adap.rb +59 -16
- data/lib/adap/version.rb +1 -1
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1e4bb42dc06a861a5f1965c45dfa5d4bb0a3cb78b7243c6308b3d00554911b0f
|
|
4
|
+
data.tar.gz: 36bedddcc2deb57b92fa451d9c1ee736095bfc2dd5adf79a9457c887403e5f58
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f07b96cbe81656483463b75f01a582514790d9fa629d7ed7a892baa2f0942008cf3222fea2c72db3673cb08628d6457476350b3a60282047697b4a53caed6830
|
|
7
|
+
data.tar.gz: e11fe0e9c844c0a42bd9d57f90e79b40a99fe76fe9f5e5f0233276542b07f4672e1f7339cab4fea357653765b1d8e5f44cdfd70d379050aa3473c75a33e60849
|
data/lib/adap/adap.rb
CHANGED
|
@@ -24,9 +24,20 @@ class Adap
|
|
|
24
24
|
}
|
|
25
25
|
|
|
26
26
|
# List of attributes for user in AD
|
|
27
|
-
@ad_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :unixhomedirectory]
|
|
27
|
+
@ad_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :unixhomedirectory]
|
|
28
28
|
# List of attributes for user in LDAP
|
|
29
|
-
@ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :homedirectory]
|
|
29
|
+
@ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :homedirectory]
|
|
30
|
+
|
|
31
|
+
# List of supported hash algorithms keys and string values to operate
|
|
32
|
+
@supported_hash_algorithms_map = {
|
|
33
|
+
:md5 => "{MD5}",
|
|
34
|
+
:sha => "{SHA}",
|
|
35
|
+
:ssha => "{SSHA}",
|
|
36
|
+
:virtual_crypt_sha256 => "virtualCryptSHA256",
|
|
37
|
+
:virtual_crypt_sha512 => "virtualCryptSHA512"
|
|
38
|
+
}
|
|
39
|
+
# List of unsupported hash algorithms in AD but OpenLDAP support
|
|
40
|
+
@unsupported_hash_algorithms_in_ad = [:md5, :sha, :ssha]
|
|
30
41
|
|
|
31
42
|
@ad_host = params[:ad_host]
|
|
32
43
|
@ad_port = (params[:ad_port] ? params[:ad_port] : 389)
|
|
@@ -40,8 +51,17 @@ class Adap
|
|
|
40
51
|
@ldap_basedn = params[:ldap_basedn]
|
|
41
52
|
@ldap_user_basedn = params[:ldap_user_basedn]
|
|
42
53
|
@ldap_auth = (params.has_key?(:ldap_password) ? { :method => :simple, :username => @ldap_binddn, :password => params[:ldap_password] } : nil )
|
|
43
|
-
|
|
44
|
-
|
|
54
|
+
|
|
55
|
+
# A password-hash algorithm to sync to the LDAP.
|
|
56
|
+
# Popular LDAP products like Open LDAP usually supports md5({MD5}), sha1({SHA}) and ssha({SSHA}) algorithms.
|
|
57
|
+
# If you want to use virtualCryptSHA256 or virtualCryptSHA512, you have to set additional configurations to OpenLDAP.
|
|
58
|
+
@password_hash_algorithm = (params[:password_hash_algorithm] ? params[:password_hash_algorithm] : :ssha)
|
|
59
|
+
# TODO: Check a hash algorithm is supported or not
|
|
60
|
+
unless @supported_hash_algorithms_map.has_key?(@password_hash_algorithm) then
|
|
61
|
+
raise "This program only supports :md5, :sha, :ssha(default), :virtual_crypt_sha256 and :virtual_crypt_sha512 " \
|
|
62
|
+
+ "as :password_hash_algorithm. " \
|
|
63
|
+
+ "An algorithm you chose #{@password_hash_algorithm.is_a?(Symbol) ? ":" : ""}#{@password_hash_algorithm} was unsupported."
|
|
64
|
+
end
|
|
45
65
|
|
|
46
66
|
# Phonetics are listed in https://lists.samba.org/archive/samba/2017-March/207308.html
|
|
47
67
|
@map_ad_msds_phonetics = {}
|
|
@@ -112,22 +132,33 @@ class Adap
|
|
|
112
132
|
attributes
|
|
113
133
|
end
|
|
114
134
|
|
|
115
|
-
def
|
|
116
|
-
|
|
135
|
+
def get_password_hash(username, password)
|
|
136
|
+
case @password_hash_algorithm
|
|
137
|
+
when :md5, :sha, :ssha then
|
|
138
|
+
if password.nil? then
|
|
139
|
+
raise "Password must not be nil when you chose the algorithm of password-hash is :md5 or :sha or :ssha. Pass password of #{username} please."
|
|
140
|
+
end
|
|
141
|
+
result = Net::LDAP::Password.generate(@password_hash_algorithm, password)
|
|
142
|
+
else
|
|
143
|
+
# Expects :virtual_crypt_sha256(virtualCryptSHA256) or :virtual_crypt_sha512(virtualCryptSHA512)
|
|
144
|
+
result = get_raw_password_from_ad(username, @supported_hash_algorithms_map[@password_hash_algorithm])
|
|
145
|
+
end
|
|
117
146
|
|
|
118
|
-
if
|
|
119
|
-
raise "Failed to get password of #{username}
|
|
147
|
+
if result.nil? or result.empty? then
|
|
148
|
+
raise "Failed to get hashed password with algorithm :#{@password_hash_algorithm} of user #{username}. " +
|
|
149
|
+
"Its result was nil. If you chose hash-algorithm :virtual_crypt_sha256 or :virtual_crypt_sha512, " +
|
|
150
|
+
"did you enabled AD to store passwords as virtualCryptSHA256 and/or virtualCryptSHA512 in your smb.conf? " +
|
|
151
|
+
"This program requires the configuration to get password from AD as virtualCryptSHA256 or virtualCryptSHA512."
|
|
120
152
|
end
|
|
121
|
-
password = password.chomp
|
|
122
153
|
|
|
123
|
-
|
|
154
|
+
result.chomp
|
|
124
155
|
end
|
|
125
156
|
|
|
126
|
-
def
|
|
157
|
+
def get_raw_password_from_ad(username, algo)
|
|
127
158
|
`samba-tool user getpassword #{username} --attribute #{algo} 2> /dev/null | grep -E '^virtualCrypt' -A 1 | tr -d ' \n' | cut -d ':' -f 2`
|
|
128
159
|
end
|
|
129
160
|
|
|
130
|
-
def sync_user(uid)
|
|
161
|
+
def sync_user(uid, password=nil)
|
|
131
162
|
ad_entry = nil
|
|
132
163
|
ldap_entry = nil
|
|
133
164
|
ad_dn = get_ad_dn(uid)
|
|
@@ -139,6 +170,7 @@ class Adap
|
|
|
139
170
|
end
|
|
140
171
|
ret_code = @ad_client.get_operation_result.code
|
|
141
172
|
|
|
173
|
+
# Return 32 means that the object does not exist
|
|
142
174
|
return {
|
|
143
175
|
:code => ret_code,
|
|
144
176
|
:operations => nil,
|
|
@@ -158,11 +190,16 @@ class Adap
|
|
|
158
190
|
|
|
159
191
|
ret = nil
|
|
160
192
|
if !ad_entry.nil? and ldap_entry.nil? then
|
|
161
|
-
ret = add_user(ldap_dn, ad_entry,
|
|
193
|
+
ret = add_user(ldap_dn, ad_entry, get_password_hash(uid, password))
|
|
162
194
|
elsif ad_entry.nil? and !ldap_entry.nil? then
|
|
163
195
|
ret = delete_user(ldap_dn)
|
|
164
196
|
elsif !ad_entry.nil? and !ldap_entry.nil? then
|
|
165
|
-
ret = modify_user(
|
|
197
|
+
ret = modify_user(
|
|
198
|
+
ldap_dn,
|
|
199
|
+
ad_entry,
|
|
200
|
+
ldap_entry,
|
|
201
|
+
( password.nil? and (@unsupported_hash_algorithms_in_ad.include?(@password_hash_algorithm)) ) ? nil : get_password_hash(uid, password)
|
|
202
|
+
)
|
|
166
203
|
else
|
|
167
204
|
# ad_entry.nil? and ldap_entry.nil? then
|
|
168
205
|
return {:code => 0, :operations => nil, :message => "There are not any data of #{uid} to sync."}
|
|
@@ -184,6 +221,10 @@ class Adap
|
|
|
184
221
|
end
|
|
185
222
|
|
|
186
223
|
def add_user(ldap_user_dn, ad_entry, password)
|
|
224
|
+
if password == nil || password.empty?
|
|
225
|
+
raise "add_user() requires password. Set a hashed password of the user #{ad_entry[:cn]} please."
|
|
226
|
+
end
|
|
227
|
+
|
|
187
228
|
attributes = create_ldap_attributes(ad_entry)
|
|
188
229
|
|
|
189
230
|
@ldap_client.add(
|
|
@@ -209,7 +250,7 @@ class Adap
|
|
|
209
250
|
return {
|
|
210
251
|
:code => ret_code,
|
|
211
252
|
:operations => [:add_user],
|
|
212
|
-
:message => "Failed to modify a user #{ldap_user_dn} in add_user() - " + @ldap_client.get_operation_result.error_message
|
|
253
|
+
:message => "Failed to modify a user #{ldap_user_dn} to add userPassword in add_user() - " + @ldap_client.get_operation_result.error_message
|
|
213
254
|
} if ret_code != 0
|
|
214
255
|
|
|
215
256
|
return {:code => ret_code, :operations => [:add_user], :message => nil}
|
|
@@ -273,7 +314,9 @@ class Adap
|
|
|
273
314
|
|
|
274
315
|
# AD does not have password as simple ldap attribute.
|
|
275
316
|
# So password will always be updated for this reason.
|
|
276
|
-
|
|
317
|
+
if not password.nil? and not password.empty? then
|
|
318
|
+
operations.push([:replace, :userpassword, password])
|
|
319
|
+
end
|
|
277
320
|
|
|
278
321
|
operations
|
|
279
322
|
end
|
data/lib/adap/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: adap
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.1.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tsutomu Nakamura
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-08-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -79,7 +79,7 @@ homepage: https://github.com/TsutomuNakamura/adap
|
|
|
79
79
|
licenses: []
|
|
80
80
|
metadata:
|
|
81
81
|
homepage_uri: https://github.com/TsutomuNakamura/adap
|
|
82
|
-
post_install_message:
|
|
82
|
+
post_install_message:
|
|
83
83
|
rdoc_options: []
|
|
84
84
|
require_paths:
|
|
85
85
|
- lib
|
|
@@ -94,8 +94,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
94
94
|
- !ruby/object:Gem::Version
|
|
95
95
|
version: '0'
|
|
96
96
|
requirements: []
|
|
97
|
-
rubygems_version: 3.1.
|
|
98
|
-
signing_key:
|
|
97
|
+
rubygems_version: 3.1.3
|
|
98
|
+
signing_key:
|
|
99
99
|
specification_version: 4
|
|
100
100
|
summary: LDAP migration tool from AD to NT schema
|
|
101
101
|
test_files: []
|