adap 0.0.18 → 0.1.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.circleci/config.yml +16 -0
- data/lib/adap/adap.rb +57 -16
- data/lib/adap/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ce5b7ff2ede942bec739521afc2534af9abcadfec9567a376581cce32319e369
|
|
4
|
+
data.tar.gz: c93e837dc275ec25f84740d0cb6b778febf647a36049ea0fab4f6b0cd100ab83
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 58346136755bdafe352d120a3aeda3c379e57d42fe6eefa324aa1d6e7d95a7e111f5eb401599aa641d802684685772362d3d8a75700efb1a009284f3d16cbb53
|
|
7
|
+
data.tar.gz: 5e39f5cdfe969c293ac0b2e080daebde30793c37f566ce16982bc4a2a39fde8702695dcd171e543a916a7bea95df4ba893b3c0b685c397718fe96c064b1214a6
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
version: 2.1
|
|
2
|
+
orbs:
|
|
3
|
+
ruby: circleci/ruby@0.1.2
|
|
4
|
+
|
|
5
|
+
jobs:
|
|
6
|
+
build:
|
|
7
|
+
docker:
|
|
8
|
+
- image: ruby:2.7
|
|
9
|
+
executor: ruby/default
|
|
10
|
+
steps:
|
|
11
|
+
- checkout
|
|
12
|
+
- run: bundle check || bundle install
|
|
13
|
+
- run:
|
|
14
|
+
command: bundle exec rake test
|
|
15
|
+
when: always
|
|
16
|
+
|
data/lib/adap/adap.rb
CHANGED
|
@@ -24,9 +24,20 @@ class Adap
|
|
|
24
24
|
}
|
|
25
25
|
|
|
26
26
|
# List of attributes for user in AD
|
|
27
|
-
@ad_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :unixhomedirectory]
|
|
27
|
+
@ad_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :employeenumber, :unixhomedirectory]
|
|
28
28
|
# List of attributes for user in LDAP
|
|
29
|
-
@ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :homedirectory]
|
|
29
|
+
@ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :employeenumber, :homedirectory]
|
|
30
|
+
|
|
31
|
+
# List of supported hash algorithms keys and string values to operate
|
|
32
|
+
@supported_hash_algorithms_map = {
|
|
33
|
+
:md5 => "{MD5}",
|
|
34
|
+
:sha => "{SHA}",
|
|
35
|
+
:ssha => "{SSHA}",
|
|
36
|
+
:virtual_crypt_sha256 => "virtualCryptSHA256",
|
|
37
|
+
:virtual_crypt_sha512 => "virtualCryptSHA512"
|
|
38
|
+
}
|
|
39
|
+
# List of unsupported hash algorithms in AD but OpenLDAP support
|
|
40
|
+
@unsupported_hash_algorithms_in_ad = [:md5, :sha, :ssha]
|
|
30
41
|
|
|
31
42
|
@ad_host = params[:ad_host]
|
|
32
43
|
@ad_port = (params[:ad_port] ? params[:ad_port] : 389)
|
|
@@ -40,8 +51,17 @@ class Adap
|
|
|
40
51
|
@ldap_basedn = params[:ldap_basedn]
|
|
41
52
|
@ldap_user_basedn = params[:ldap_user_basedn]
|
|
42
53
|
@ldap_auth = (params.has_key?(:ldap_password) ? { :method => :simple, :username => @ldap_binddn, :password => params[:ldap_password] } : nil )
|
|
43
|
-
|
|
44
|
-
|
|
54
|
+
|
|
55
|
+
# A password-hash algorithm to sync to the LDAP.
|
|
56
|
+
# Popular LDAP products like Open LDAP usually supports md5({MD5}), sha1({SHA}) and ssha({SSHA}) algorithms.
|
|
57
|
+
# If you want to use virtualCryptSHA256 or virtualCryptSHA512, you have to set additional configurations to OpenLDAP.
|
|
58
|
+
@password_hash_algorithm = (params[:password_hash_algorithm] ? params[:password_hash_algorithm] : :ssha)
|
|
59
|
+
# TODO: Check a hash algorithm is supported or not
|
|
60
|
+
unless @supported_hash_algorithms_map.has_key?(@password_hash_algorithm) then
|
|
61
|
+
raise "This program only supports :md5, :sha, :ssha(default), :virtual_crypt_sha256 and :virtual_crypt_sha512 " \
|
|
62
|
+
+ "as :password_hash_algorithm. " \
|
|
63
|
+
+ "An algorithm you chose #{@password_hash_algorithm.is_a?(Symbol) ? ":" : ""}#{@password_hash_algorithm} was unsupported."
|
|
64
|
+
end
|
|
45
65
|
|
|
46
66
|
# Phonetics are listed in https://lists.samba.org/archive/samba/2017-March/207308.html
|
|
47
67
|
@map_ad_msds_phonetics = {}
|
|
@@ -112,20 +132,33 @@ class Adap
|
|
|
112
132
|
attributes
|
|
113
133
|
end
|
|
114
134
|
|
|
115
|
-
def
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
135
|
+
def get_password_hash(username, password)
|
|
136
|
+
case @password_hash_algorithm
|
|
137
|
+
when :md5, :sha, :ssha then
|
|
138
|
+
if password.nil? then
|
|
139
|
+
raise "Password must not be nil when you chose the algorithm of password-hash is :md5 or :sha or :ssha. Pass password of #{username} please."
|
|
140
|
+
end
|
|
141
|
+
result = Net::LDAP::Password.generate(@password_hash_algorithm, password)
|
|
142
|
+
else
|
|
143
|
+
# Expects :virtual_crypt_sha256(virtualCryptSHA256) or :virtual_crypt_sha512(virtualCryptSHA512)
|
|
144
|
+
result = get_raw_password_from_ad(username, @supported_hash_algorithms_map[@password_hash_algorithm])
|
|
119
145
|
end
|
|
120
146
|
|
|
121
|
-
|
|
147
|
+
if result.nil? or result.empty? then
|
|
148
|
+
raise "Failed to get hashed password with algorithm :#{@password_hash_algorithm} of user #{username}. " +
|
|
149
|
+
"Its result was nil. If you chose hash-algorithm :virtual_crypt_sha256 or :virtual_crypt_sha512, " +
|
|
150
|
+
"did you enabled AD to store passwords as virtualCryptSHA256 and/or virtualCryptSHA512 in your smb.conf? " +
|
|
151
|
+
"This program requires the configuration to get password from AD as virtualCryptSHA256 or virtualCryptSHA512."
|
|
152
|
+
end
|
|
153
|
+
|
|
154
|
+
result.chomp
|
|
122
155
|
end
|
|
123
156
|
|
|
124
|
-
def
|
|
157
|
+
def get_raw_password_from_ad(username, algo)
|
|
125
158
|
`samba-tool user getpassword #{username} --attribute #{algo} 2> /dev/null | grep -E '^virtualCrypt' -A 1 | tr -d ' \n' | cut -d ':' -f 2`
|
|
126
159
|
end
|
|
127
160
|
|
|
128
|
-
def sync_user(uid)
|
|
161
|
+
def sync_user(uid, password=nil)
|
|
129
162
|
ad_entry = nil
|
|
130
163
|
ldap_entry = nil
|
|
131
164
|
ad_dn = get_ad_dn(uid)
|
|
@@ -137,6 +170,7 @@ class Adap
|
|
|
137
170
|
end
|
|
138
171
|
ret_code = @ad_client.get_operation_result.code
|
|
139
172
|
|
|
173
|
+
# Return 32 means that the object does not exist
|
|
140
174
|
return {
|
|
141
175
|
:code => ret_code,
|
|
142
176
|
:operations => nil,
|
|
@@ -156,11 +190,16 @@ class Adap
|
|
|
156
190
|
|
|
157
191
|
ret = nil
|
|
158
192
|
if !ad_entry.nil? and ldap_entry.nil? then
|
|
159
|
-
ret = add_user(ldap_dn, ad_entry,
|
|
193
|
+
ret = add_user(ldap_dn, ad_entry, get_password_hash(uid, password))
|
|
160
194
|
elsif ad_entry.nil? and !ldap_entry.nil? then
|
|
161
195
|
ret = delete_user(ldap_dn)
|
|
162
196
|
elsif !ad_entry.nil? and !ldap_entry.nil? then
|
|
163
|
-
ret = modify_user(
|
|
197
|
+
ret = modify_user(
|
|
198
|
+
ldap_dn,
|
|
199
|
+
ad_entry,
|
|
200
|
+
ldap_entry,
|
|
201
|
+
( password.nil? and (@unsupported_hash_algorithms_in_ad.include?(@password_hash_algorithm)) ) ? nil : get_password_hash(uid, password)
|
|
202
|
+
)
|
|
164
203
|
else
|
|
165
204
|
# ad_entry.nil? and ldap_entry.nil? then
|
|
166
205
|
return {:code => 0, :operations => nil, :message => "There are not any data of #{uid} to sync."}
|
|
@@ -183,7 +222,7 @@ class Adap
|
|
|
183
222
|
|
|
184
223
|
def add_user(ldap_user_dn, ad_entry, password)
|
|
185
224
|
if password == nil || password.empty?
|
|
186
|
-
raise "
|
|
225
|
+
raise "add_user() requires password. Set a hashed password of the user #{ad_entry[:cn]} please."
|
|
187
226
|
end
|
|
188
227
|
|
|
189
228
|
attributes = create_ldap_attributes(ad_entry)
|
|
@@ -211,7 +250,7 @@ class Adap
|
|
|
211
250
|
return {
|
|
212
251
|
:code => ret_code,
|
|
213
252
|
:operations => [:add_user],
|
|
214
|
-
:message => "Failed to modify a user #{ldap_user_dn} in add_user() - " + @ldap_client.get_operation_result.error_message
|
|
253
|
+
:message => "Failed to modify a user #{ldap_user_dn} to add userPassword in add_user() - " + @ldap_client.get_operation_result.error_message
|
|
215
254
|
} if ret_code != 0
|
|
216
255
|
|
|
217
256
|
return {:code => ret_code, :operations => [:add_user], :message => nil}
|
|
@@ -275,7 +314,9 @@ class Adap
|
|
|
275
314
|
|
|
276
315
|
# AD does not have password as simple ldap attribute.
|
|
277
316
|
# So password will always be updated for this reason.
|
|
278
|
-
|
|
317
|
+
if not password.nil? and not password.empty? then
|
|
318
|
+
operations.push([:replace, :userpassword, password])
|
|
319
|
+
end
|
|
279
320
|
|
|
280
321
|
operations
|
|
281
322
|
end
|
data/lib/adap/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: adap
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.1.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tsutomu Nakamura
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-08-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -59,6 +59,7 @@ executables: []
|
|
|
59
59
|
extensions: []
|
|
60
60
|
extra_rdoc_files: []
|
|
61
61
|
files:
|
|
62
|
+
- ".circleci/config.yml"
|
|
62
63
|
- ".gitignore"
|
|
63
64
|
- ".travis.yml"
|
|
64
65
|
- Gemfile
|