adap 0.0.17 → 0.1.1

Files changed (4)
  1. checksums.yaml +4 -4
  2. data/lib/adap/adap.rb +59 -16
  3. data/lib/adap/version.rb +1 -1
  4. metadata +6 -6
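--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: eb2fcdd72d7a4db1b739fc15626ecabe47d7edce0c6334e4d93dfdb761b6e704
- data.tar.gz: 5a39c0f4a148fff4ffd26acabec05bacba6efeb9efa8fe002f9be4cdb1f75e2a
+ metadata.gz: 1e4bb42dc06a861a5f1965c45dfa5d4bb0a3cb78b7243c6308b3d00554911b0f
+ data.tar.gz: 36bedddcc2deb57b92fa451d9c1ee736095bfc2dd5adf79a9457c887403e5f58
  SHA512:
- metadata.gz: 4c63526e952da1c41d38a650554a6fe13b3cf62d69e18998c09e4cbda3ec209b921cae3085c872f2210bc62b1586bc168c48526238fe4f9af97b3353d4f9ab16
- data.tar.gz: cef344d7dbe7097345395d3381c8356015324e503b46e264fa9d727be13b0741e96a00ed6a1133a3195a5c504161e6f016a4211523d3341118df2df9d0f629f9
+ metadata.gz: f07b96cbe81656483463b75f01a582514790d9fa629d7ed7a892baa2f0942008cf3222fea2c72db3673cb08628d6457476350b3a60282047697b4a53caed6830
+ data.tar.gz: e11fe0e9c844c0a42bd9d57f90e79b40a99fe76fe9f5e5f0233276542b07f4672e1f7339cab4fea357653765b1d8e5f44cdfd70d379050aa3473c75a33e60849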
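--- a/data/lib/adap/adap.rb
+++ b/data/lib/adap/adap.rb
@@ -24,9 +24,20 @@ class Adap
  }
 
  # List of attributes for user in AD
- @ad_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :unixhomedirectory]
+ @ad_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :unixhomedirectory]
  # List of attributes for user in LDAP
- @ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :homedirectory]
+ @ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :homedirectory]
+
+ # List of supported hash algorithms keys and string values to operate
+ @supported_hash_algorithms_map = {
+ :md5 => "{MD5}",
+ :sha => "{SHA}",
+ :ssha => "{SSHA}",
+ :virtual_crypt_sha256 => "virtualCryptSHA256",
+ :virtual_crypt_sha512 => "virtualCryptSHA512"
+ }
+ # List of unsupported hash algorithms in AD but OpenLDAP support
+ @unsupported_hash_algorithms_in_ad = [:md5, :sha, :ssha]
 
  @ad_host = params[:ad_host]
  @ad_port = (params[:ad_port] ? params[:ad_port] : 389)
@@ -40,8 +51,17 @@ class Adap
  @ldap_basedn = params[:ldap_basedn]
  @ldap_user_basedn = params[:ldap_user_basedn]
  @ldap_auth = (params.has_key?(:ldap_password) ? { :method => :simple, :username => @ldap_binddn, :password => params[:ldap_password] } : nil )
- # This attribute converted in generally ... :'msds-phoneticdisplayname' -> :'displayname;lang-ja;phonetic'
- @password_hash_algorithm = (params[:password_hash_algorithm] ? params[:password_hash_algorithm] : 'virtualCryptSHA512')
+
+ # A password-hash algorithm to sync to the LDAP.
+ # Popular LDAP products like Open LDAP usually supports md5({MD5}), sha1({SHA}) and ssha({SSHA}) algorithms.
+ # If you want to use virtualCryptSHA256 or virtualCryptSHA512, you have to set additional configurations to OpenLDAP.
+ @password_hash_algorithm = (params[:password_hash_algorithm] ? params[:password_hash_algorithm] : :ssha)
+ # TODO: Check a hash algorithm is supported or not
+ unless @supported_hash_algorithms_map.has_key?(@password_hash_algorithm) then
+ raise "This program only supports :md5, :sha, :ssha(default), :virtual_crypt_sha256 and :virtual_crypt_sha512 " \
+ + "as :password_hash_algorithm. " \
+ + "An algorithm you chose #{@password_hash_algorithm.is_a?(Symbol) ? ":" : ""}#{@password_hash_algorithm} was unsupported."
+ end
 
  # Phonetics are listed in https://lists.samba.org/archive/samba/2017-March/207308.html
  @map_ad_msds_phonetics = {}
@@ -112,22 +132,33 @@ class Adap
  attributes
  end
 
- def get_password(username)
- password = get_raw_password(username, @password_hash_algorithm)
+ def get_password_hash(username, password)
+ case @password_hash_algorithm
+ when :md5, :sha, :ssha then
+ if password.nil? then
+ raise "Password must not be nil when you chose the algorithm of password-hash is :md5 or :sha or :ssha. Pass password of #{username} please."
+ end
+ result = Net::LDAP::Password.generate(@password_hash_algorithm, password)
+ else
+ # Expects :virtual_crypt_sha256(virtualCryptSHA256) or :virtual_crypt_sha512(virtualCryptSHA512)
+ result = get_raw_password_from_ad(username, @supported_hash_algorithms_map[@password_hash_algorithm])
+ end
 
- if password == nil || password.empty?
- raise "Failed to get password of #{username} from AD. Did you enabled AD password option virtualCryptSHA512 and/or virtualCryptSHA256?"
+ if result.nil? or result.empty? then
+ raise "Failed to get hashed password with algorithm :#{@password_hash_algorithm} of user #{username}. " +
+ "Its result was nil. If you chose hash-algorithm :virtual_crypt_sha256 or :virtual_crypt_sha512, " +
+ "did you enabled AD to store passwords as virtualCryptSHA256 and/or virtualCryptSHA512 in your smb.conf? " +
+ "This program requires the configuration to get password from AD as virtualCryptSHA256 or virtualCryptSHA512."
  end
- password = password.chomp
 
- password
+ result.chomp
  end
 
- def get_raw_password(username, algo)
+ def get_raw_password_from_ad(username, algo)
  `samba-tool user getpassword #{username} --attribute #{algo} 2> /dev/null | grep -E '^virtualCrypt' -A 1 | tr -d ' \n' | cut -d ':' -f 2`
  end
 
- def sync_user(uid)
+ def sync_user(uid, password=nil)
  ad_entry = nil
  ldap_entry = nil
  ad_dn = get_ad_dn(uid)
@@ -139,6 +170,7 @@ class Adap
  end
  ret_code = @ad_client.get_operation_result.code
 
+ # Return 32 means that the object does not exist
  return {
  :code => ret_code,
  :operations => nil,
@@ -158,11 +190,16 @@ class Adap
 
  ret = nil
  if !ad_entry.nil? and ldap_entry.nil? then
- ret = add_user(ldap_dn, ad_entry, get_password(uid))
+ ret = add_user(ldap_dn, ad_entry, get_password_hash(uid, password))
  elsif ad_entry.nil? and !ldap_entry.nil? then
  ret = delete_user(ldap_dn)
  elsif !ad_entry.nil? and !ldap_entry.nil? then
- ret = modify_user(ldap_dn, ad_entry, ldap_entry, get_password(uid))
+ ret = modify_user(
+ ldap_dn,
+ ad_entry,
+ ldap_entry,
+ ( password.nil? and (@unsupported_hash_algorithms_in_ad.include?(@password_hash_algorithm)) ) ? nil : get_password_hash(uid, password)
+ )
  else
  # ad_entry.nil? and ldap_entry.nil? then
  return {:code => 0, :operations => nil, :message => "There are not any data of #{uid} to sync."}
@@ -184,6 +221,10 @@ class Adap
  end
 
  def add_user(ldap_user_dn, ad_entry, password)
+ if password == nil || password.empty?
+ raise "add_user() requires password. Set a hashed password of the user #{ad_entry[:cn]} please."
+ end
+
  attributes = create_ldap_attributes(ad_entry)
 
  @ldap_client.add(
@@ -209,7 +250,7 @@ class Adap
  return {
  :code => ret_code,
  :operations => [:add_user],
- :message => "Failed to modify a user #{ldap_user_dn} in add_user() - " + @ldap_client.get_operation_result.error_message
+ :message => "Failed to modify a user #{ldap_user_dn} to add userPassword in add_user() - " + @ldap_client.get_operation_result.error_message
  } if ret_code != 0
 
  return {:code => ret_code, :operations => [:add_user], :message => nil}
@@ -273,7 +314,9 @@ class Adap
 
  # AD does not have password as simple ldap attribute.
  # So password will always be updated for this reason.
- operations.push([:replace, :userpassword, password])
+ if not password.nil? and not password.empty? then
+ operations.push([:replace, :userpassword, password])
+ end
 
  operations
  end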
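Review bot: `get_raw_password_from_ad` (kept as unchanged context in the third hunk, immediately below the new `get_password_hash`) still builds the `samba-tool user getpassword` command line with backtick interpolation of `username` and `algo`, so any shell metacharacters in a uid that reaches the new `sync_user(uid, password)` are executed as commands by the account running the sync; the rename does not change that. Whether a uid can be attacker-influenced depends on callers outside this diff, but the safe form is cheap: pass the command as an argument vector through `Open3.capture2` (`require 'open3'`) and do the `grep`/`tr`/`cut` post-processing in Ruby, as sketched below, keeping the caller's nil/empty check unchanged. Separately, the new `:md5` and `:sha` choices produce unsalted digests and `:ssha` (now the default in place of the previous `virtualCryptSHA512`) is SHA-1 based; the comment block above `@password_hash_algorithm` would be more useful with a line such as `# :md5 and :sha are unsalted and :ssha is SHA-1; prefer :virtual_crypt_sha512 where OpenLDAP permits it.` Note also that callers on 0.0.17 passing the old string value `'virtualCryptSHA512'` now hit the new `raise` in the `unless @supported_hash_algorithms_map.has_key?` check, since the map keys are symbols.
```ruby
def get_raw_password_from_ad(username, algo)
  # Argument-vector form: username and algo are never interpreted by a shell.
  out, _status = Open3.capture2("samba-tool", "user", "getpassword", username,
                                "--attribute", algo, :err => File::NULL)
  lines = out.lines
  start = lines.index { |l| l.start_with?("virtualCrypt") }
  return "" if start.nil?
  # Same post-processing as the former `grep -A 1 | tr -d ' \n' | cut -d ':' -f 2` pipeline.
  lines[start, 2].join.delete(" \n").split(":", 2).last.to_s
end
```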
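--- a/data/lib/adap/version.rb
+++ b/data/lib/adap/version.rb
@@ -1,3 +1,3 @@
  module ModAdap
- VERSION = "0.0.17"
+ VERSION = "0.1.1"
  end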
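--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: adap
  version: !ruby/object:Gem::Version
- version: 0.0.17
+ version: 0.1.1
  platform: ruby
  authors:
  - Tsutomu Nakamura
- autorequire:
+ autorequire:
  bindir: exe
  cert_chain: []
- date: 2020-03-01 00:00:00.000000000 Z
+ date: 2020-08-01 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: bundler
@@ -79,7 +79,7 @@ homepage: https://github.com/TsutomuNakamura/adap
  licenses: []
  metadata:
  homepage_uri: https://github.com/TsutomuNakamura/adap
- post_install_message:
+ post_install_message:
  rdoc_options: []
  require_paths:
  - lib
@@ -94,8 +94,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.1.2
- signing_key:
+ rubygems_version: 3.1.3
+ signing_key:
  specification_version: 4
  summary: LDAP migration tool from AD to NT schema
  test_files: []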