adap 0.0.18 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.circleci/config.yml +16 -0
- data/lib/adap/adap.rb +57 -16
- data/lib/adap/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ce5b7ff2ede942bec739521afc2534af9abcadfec9567a376581cce32319e369
|
|
4
|
+
data.tar.gz: c93e837dc275ec25f84740d0cb6b778febf647a36049ea0fab4f6b0cd100ab83
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 58346136755bdafe352d120a3aeda3c379e57d42fe6eefa324aa1d6e7d95a7e111f5eb401599aa641d802684685772362d3d8a75700efb1a009284f3d16cbb53
|
|
7
|
+
data.tar.gz: 5e39f5cdfe969c293ac0b2e080daebde30793c37f566ce16982bc4a2a39fde8702695dcd171e543a916a7bea95df4ba893b3c0b685c397718fe96c064b1214a6
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
version: 2.1
|
|
2
|
+
orbs:
|
|
3
|
+
ruby: circleci/ruby@0.1.2
|
|
4
|
+
|
|
5
|
+
jobs:
|
|
6
|
+
build:
|
|
7
|
+
docker:
|
|
8
|
+
- image: ruby:2.7
|
|
9
|
+
executor: ruby/default
|
|
10
|
+
steps:
|
|
11
|
+
- checkout
|
|
12
|
+
- run: bundle check || bundle install
|
|
13
|
+
- run:
|
|
14
|
+
command: bundle exec rake test
|
|
15
|
+
when: always
|
|
16
|
+
|
data/lib/adap/adap.rb
CHANGED
|
@@ -24,9 +24,20 @@ class Adap
|
|
|
24
24
|
}
|
|
25
25
|
|
|
26
26
|
# List of attributes for user in AD
|
|
27
|
-
@ad_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :unixhomedirectory]
|
|
27
|
+
@ad_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :employeenumber, :unixhomedirectory]
|
|
28
28
|
# List of attributes for user in LDAP
|
|
29
|
-
@ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :homedirectory]
|
|
29
|
+
@ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :employeenumber, :homedirectory]
|
|
30
|
+
|
|
31
|
+
# List of supported hash algorithms keys and string values to operate
|
|
32
|
+
@supported_hash_algorithms_map = {
|
|
33
|
+
:md5 => "{MD5}",
|
|
34
|
+
:sha => "{SHA}",
|
|
35
|
+
:ssha => "{SSHA}",
|
|
36
|
+
:virtual_crypt_sha256 => "virtualCryptSHA256",
|
|
37
|
+
:virtual_crypt_sha512 => "virtualCryptSHA512"
|
|
38
|
+
}
|
|
39
|
+
# List of unsupported hash algorithms in AD but OpenLDAP support
|
|
40
|
+
@unsupported_hash_algorithms_in_ad = [:md5, :sha, :ssha]
|
|
30
41
|
|
|
31
42
|
@ad_host = params[:ad_host]
|
|
32
43
|
@ad_port = (params[:ad_port] ? params[:ad_port] : 389)
|
|
@@ -40,8 +51,17 @@ class Adap
|
|
|
40
51
|
@ldap_basedn = params[:ldap_basedn]
|
|
41
52
|
@ldap_user_basedn = params[:ldap_user_basedn]
|
|
42
53
|
@ldap_auth = (params.has_key?(:ldap_password) ? { :method => :simple, :username => @ldap_binddn, :password => params[:ldap_password] } : nil )
|
|
43
|
-
|
|
44
|
-
|
|
54
|
+
|
|
55
|
+
# A password-hash algorithm to sync to the LDAP.
|
|
56
|
+
# Popular LDAP products like Open LDAP usually supports md5({MD5}), sha1({SHA}) and ssha({SSHA}) algorithms.
|
|
57
|
+
# If you want to use virtualCryptSHA256 or virtualCryptSHA512, you have to set additional configurations to OpenLDAP.
|
|
58
|
+
@password_hash_algorithm = (params[:password_hash_algorithm] ? params[:password_hash_algorithm] : :ssha)
|
|
59
|
+
# TODO: Check a hash algorithm is supported or not
|
|
60
|
+
unless @supported_hash_algorithms_map.has_key?(@password_hash_algorithm) then
|
|
61
|
+
raise "This program only supports :md5, :sha, :ssha(default), :virtual_crypt_sha256 and :virtual_crypt_sha512 " \
|
|
62
|
+
+ "as :password_hash_algorithm. " \
|
|
63
|
+
+ "An algorithm you chose #{@password_hash_algorithm.is_a?(Symbol) ? ":" : ""}#{@password_hash_algorithm} was unsupported."
|
|
64
|
+
end
|
|
45
65
|
|
|
46
66
|
# Phonetics are listed in https://lists.samba.org/archive/samba/2017-March/207308.html
|
|
47
67
|
@map_ad_msds_phonetics = {}
|
|
@@ -112,20 +132,33 @@ class Adap
|
|
|
112
132
|
attributes
|
|
113
133
|
end
|
|
114
134
|
|
|
115
|
-
def
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
135
|
+
def get_password_hash(username, password)
|
|
136
|
+
case @password_hash_algorithm
|
|
137
|
+
when :md5, :sha, :ssha then
|
|
138
|
+
if password.nil? then
|
|
139
|
+
raise "Password must not be nil when you chose the algorithm of password-hash is :md5 or :sha or :ssha. Pass password of #{username} please."
|
|
140
|
+
end
|
|
141
|
+
result = Net::LDAP::Password.generate(@password_hash_algorithm, password)
|
|
142
|
+
else
|
|
143
|
+
# Expects :virtual_crypt_sha256(virtualCryptSHA256) or :virtual_crypt_sha512(virtualCryptSHA512)
|
|
144
|
+
result = get_raw_password_from_ad(username, @supported_hash_algorithms_map[@password_hash_algorithm])
|
|
119
145
|
end
|
|
120
146
|
|
|
121
|
-
|
|
147
|
+
if result.nil? or result.empty? then
|
|
148
|
+
raise "Failed to get hashed password with algorithm :#{@password_hash_algorithm} of user #{username}. " +
|
|
149
|
+
"Its result was nil. If you chose hash-algorithm :virtual_crypt_sha256 or :virtual_crypt_sha512, " +
|
|
150
|
+
"did you enabled AD to store passwords as virtualCryptSHA256 and/or virtualCryptSHA512 in your smb.conf? " +
|
|
151
|
+
"This program requires the configuration to get password from AD as virtualCryptSHA256 or virtualCryptSHA512."
|
|
152
|
+
end
|
|
153
|
+
|
|
154
|
+
result.chomp
|
|
122
155
|
end
|
|
123
156
|
|
|
124
|
-
def
|
|
157
|
+
def get_raw_password_from_ad(username, algo)
|
|
125
158
|
`samba-tool user getpassword #{username} --attribute #{algo} 2> /dev/null | grep -E '^virtualCrypt' -A 1 | tr -d ' \n' | cut -d ':' -f 2`
|
|
126
159
|
end
|
|
127
160
|
|
|
128
|
-
def sync_user(uid)
|
|
161
|
+
def sync_user(uid, password=nil)
|
|
129
162
|
ad_entry = nil
|
|
130
163
|
ldap_entry = nil
|
|
131
164
|
ad_dn = get_ad_dn(uid)
|
|
@@ -137,6 +170,7 @@ class Adap
|
|
|
137
170
|
end
|
|
138
171
|
ret_code = @ad_client.get_operation_result.code
|
|
139
172
|
|
|
173
|
+
# Return 32 means that the object does not exist
|
|
140
174
|
return {
|
|
141
175
|
:code => ret_code,
|
|
142
176
|
:operations => nil,
|
|
@@ -156,11 +190,16 @@ class Adap
|
|
|
156
190
|
|
|
157
191
|
ret = nil
|
|
158
192
|
if !ad_entry.nil? and ldap_entry.nil? then
|
|
159
|
-
ret = add_user(ldap_dn, ad_entry,
|
|
193
|
+
ret = add_user(ldap_dn, ad_entry, get_password_hash(uid, password))
|
|
160
194
|
elsif ad_entry.nil? and !ldap_entry.nil? then
|
|
161
195
|
ret = delete_user(ldap_dn)
|
|
162
196
|
elsif !ad_entry.nil? and !ldap_entry.nil? then
|
|
163
|
-
ret = modify_user(
|
|
197
|
+
ret = modify_user(
|
|
198
|
+
ldap_dn,
|
|
199
|
+
ad_entry,
|
|
200
|
+
ldap_entry,
|
|
201
|
+
( password.nil? and (@unsupported_hash_algorithms_in_ad.include?(@password_hash_algorithm)) ) ? nil : get_password_hash(uid, password)
|
|
202
|
+
)
|
|
164
203
|
else
|
|
165
204
|
# ad_entry.nil? and ldap_entry.nil? then
|
|
166
205
|
return {:code => 0, :operations => nil, :message => "There are not any data of #{uid} to sync."}
|
|
@@ -183,7 +222,7 @@ class Adap
|
|
|
183
222
|
|
|
184
223
|
def add_user(ldap_user_dn, ad_entry, password)
|
|
185
224
|
if password == nil || password.empty?
|
|
186
|
-
raise "
|
|
225
|
+
raise "add_user() requires password. Set a hashed password of the user #{ad_entry[:cn]} please."
|
|
187
226
|
end
|
|
188
227
|
|
|
189
228
|
attributes = create_ldap_attributes(ad_entry)
|
|
@@ -211,7 +250,7 @@ class Adap
|
|
|
211
250
|
return {
|
|
212
251
|
:code => ret_code,
|
|
213
252
|
:operations => [:add_user],
|
|
214
|
-
:message => "Failed to modify a user #{ldap_user_dn} in add_user() - " + @ldap_client.get_operation_result.error_message
|
|
253
|
+
:message => "Failed to modify a user #{ldap_user_dn} to add userPassword in add_user() - " + @ldap_client.get_operation_result.error_message
|
|
215
254
|
} if ret_code != 0
|
|
216
255
|
|
|
217
256
|
return {:code => ret_code, :operations => [:add_user], :message => nil}
|
|
@@ -275,7 +314,9 @@ class Adap
|
|
|
275
314
|
|
|
276
315
|
# AD does not have password as simple ldap attribute.
|
|
277
316
|
# So password will always be updated for this reason.
|
|
278
|
-
|
|
317
|
+
if not password.nil? and not password.empty? then
|
|
318
|
+
operations.push([:replace, :userpassword, password])
|
|
319
|
+
end
|
|
279
320
|
|
|
280
321
|
operations
|
|
281
322
|
end
|
data/lib/adap/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: adap
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.1.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tsutomu Nakamura
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-08-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -59,6 +59,7 @@ executables: []
|
|
|
59
59
|
extensions: []
|
|
60
60
|
extra_rdoc_files: []
|
|
61
61
|
files:
|
|
62
|
+
- ".circleci/config.yml"
|
|
62
63
|
- ".gitignore"
|
|
63
64
|
- ".travis.yml"
|
|
64
65
|
- Gemfile
|