adap 0.0.19 → 0.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 79f0099367a12ae334622a2de2da08349595a29295bdbab740df1436a5049c3e
-  data.tar.gz: b1038603bd55124f3d2179736755e72e26d4015da212b7866942ced393335022
+  metadata.gz: 5902e0cff391896473b36f3c70291da1f649517ecb9086e0876d795602d961de
+  data.tar.gz: f4779fef13ca503c0a1529a6f128e11306202d0e822a4b77038e7738e75624f0
 SHA512:
-  metadata.gz: 54ffe5f02ce54bbdc962c176452091e37d6bad1ee56e73b0447b462535d2e09d356843e61f5d5ae6e30408ee6731ac76ad054d80b1ba69e781e748f63a322362
-  data.tar.gz: 9c519f4d69255a9d9bc58012d0181f35b1ccbf4427956b10bcf8d35cfb5906047e3bed4457bdd7a704fc7c1f2bfa7aec154d71e3d149285f15976cb86a0700bb
+  metadata.gz: f70534ab1eb79938881066d121514c9f04f20fd9e9e8fed3852399fcf7d9d746ec678fcb883d878f12b91bc5e77036e62cca836412ea02e15715b37a2cf1b637
+  data.tar.gz: 17c77cb0d8748dd3eb0cc07903458bde6cdc66679513f411aedc590b91be2b27df4022853ea67bf77b514d2666e6ff1a6ca910f3548fed0d9958a1af51c962ce

data/.circleci/config.yml

@@ -0,0 +1,16 @@
+version: 2.1
+orbs:
+  ruby: circleci/ruby@0.1.2 
+
+jobs:
+  build:
+    docker:
+      - image: ruby:2.7
+    executor: ruby/default
+    steps:
+      - checkout
+      - run: bundle check || bundle install
+      - run:
+          command: bundle exec rake test
+          when: always
+

data/README.md

@@ -42,9 +42,73 @@ adap = Adap.new({
 })
 
 # This operation will synchronize a user taro-suzuki to LDAP from AD
-adap.sync_user("taro-suzuki")
+adap.sync_user("john", "secret")
 ```
 
+## Attributes to be synched by default
+Attributes to be synched by default are like below.
+
+| Name of attribute in AD |         | Name of attribute in LDAP | Note |
+| ----------------------- | ------- | ------------------------- | ---- |
+| cn                      | → | cn                        |      |
+| sn                      | → | sn                        |      |
+| uid                     | → | uid                       |      |
+| uidNumber               | → | uidNumber                 |      |
+| gidNumber               | → | gidNumber                 |      |
+| displayName             | → | displayName               |      |
+| loginShell              | → | loginShell                |      |
+| gecos                   | → | gecos                     |      |
+| givenName               | → | givenName                 |      |
+| description             | → | description               |      |
+| mail                    | → | mail                      |      |
+| employeeNumber          | → | employeeNumber            |      |
+| unixHomeDirectory       | → | homeDirectory             | Synched by different names of attributes between AD and LDAP |
+| -                       | → | userPassword              | Password of users also will be synched with some limitations |
+
+Some attributes will be added as synched parameters if you add some options, for example options of phonetics.
+
+## Other options
+### Password hash algorithm
+There are some supported password hash algorithms like `:md5(MD5)`, `:sha(SHA1)`, `:ssha(SSHA)`, `:virtual_crypt_sha256(virtualCryptSHA256)`, `:virtual_crypt_sha512(virtualCryptSHA512)`.
+`:ssha(SSHA)` will be chosen if you didn't specify any method.
+
+```ruby
+adap = Adap.new({
+  # Abbreviate other necessary attributes...
+  :password_hash_algorithm => :sha
+})
+```
+
+But please be careful, even if you choose any method, you will encounter some limitations.
+
+* [You have to give plain password if you choose password hash algorithm as :md5, :sha or :ssha](https://github.com/TsutomuNakamura/adap/#you-have-to-give-plain-password-if-you-choose-password-hash-algorithm-as-md5-sha-or-ssha)
+* [AD must allow CryptSHA256 or CryptSHA512 to store password and they have to be same as a storing method in LDAP if you chose password hash algorithm as :virtual_crypt_sha256 or :virtual_crypt_sha512](https://github.com/TsutomuNakamura/adap/#ad-must-allow-cryptsha256-or-cryptsha512-to-store-password-and-they-have-to-be-same-as-a-storing-method-in-ldap)
+
+### Phonetics
+adap can sync phonetics from AD to LDAP if you specify attribute names.
+
+```ruby
+adap = Adap.new({
+  # Abbreviate other necessary attributes...
+  :map_msds_phonetics => {
+    # This will sync the value of :'msds-phoneticdisplayname'(msDS-PhoneticDisplayName) in AD to the value of "displayname;lang-ja;phonetic" in LDAP
+    :'msds-phoneticdisplayname' => :'displayname;lang-ja;phonetic'
+  }
+})
+```
+
+All supported phonetics in AD are like below.
+
+| Symbol                      | Name of attribute        | General name of attribute in LDAP(ex:ja) |
+| --------------------------- | ------------------------ | ---------------------------------------- |
+| :'msds-phoneticcompanyname' | msDS-PhoneticCompanyName | companyName;lang-ja;phonetic             |
+| :'msds-phoneticdepartment'  | msDS-PhoneticDepartment  | department;lang-ja;phonetic              |
+| :'msds-phoneticfirstname'   | msDS-PhoneticFirstName   | firstname;lang-ja;phonetic               |
+| :'msds-phoneticlastname'    | msDS-PhoneticLastName    | lastname;lang-ja;phonetic                |
+| :'msds-phoneticdisplayname' | msDS-PhoneticDisplayName | displayname;lang-ja;phonetic             |
+
+Ofcourse, you can change the name of attributes that will be synced in LDAP(General name of attribute in LDAP) depends on your environment.
+
 ## Requirements and limitations
 
 This program has some requirements and limitations like below.
@@ -65,12 +129,27 @@ ldap server require strong auth = no
 
 This program will fail to get user data from AD if you did not allow this setting.
 
-### AD must allow CryptSHA256 or CryptSHA512 to store password and they have to be same as a storing method in LDAP
+### You have to give a plain password of the user that will be synched if you choose password hash algorithm as :md5, :sha or :ssha
+AD never be able to have passwords as :md5(MD5), :sha(SHA1) or :ssha(SSHA) that same as LDAP(OpenLDAP).
+So this program can not sync user password from only parameters in AD to LDAP.
+You have to pass the plain password to sync passwords to LDAP.
+
+```ruby
+adap = Adap.new({
+  # Abbreviate other necessary attributes...
+})
+
+adap.sync_user("john", "secret")    # You have to give a plain password as a second parameter of the sync_user().
+```
+
+### AD must allow CryptSHA256 or CryptSHA512 to store password and they have to be same as a storing method in LDAP if you choose password hash algorithm as :virtual_crypt_sha256 or :virtual_crypt_sha512
 
 AD must allow storing password as CryptSHA256 or CryptSHA512 by setting smb.conf like below.
 
 * your AD's smb.conf
 ```
+[global]
+    # ......
     password hash userPassword schemes = CryptSHA256 CryptSHA512
 ```
 
@@ -103,7 +182,18 @@ olcPasswordCryptSaltFormat: $6$%.16s
 EOF
 ```
 
-### This program must be located in AD server
+After you have set them, you can sync a user and password between AD and LDAP like below.
+
+```ruby
+adap = Adap.new({
+  # Abbreviate other necessary attributes...
+  :password_hash_algorithm => :virtual_crypt_sha512
+})
+
+adap.sync_user("john")    # You don't have to give a plain password.
+```
+
+### This program must be located in AD server if you chose a password hash algorithm as :virtual_crypt_sha256 or :virtual_crypt_sha512
 
 This program must be located in AD server because samba-tool on AD only support getting hashed password only from `ldapi://` or `tdb://`.
 

data/lib/adap/adap.rb

@@ -24,9 +24,20 @@ class Adap
     }
 
     # List of attributes for user in AD
-    @ad_user_required_attributes   = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :unixhomedirectory]
+    @ad_user_required_attributes   = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :employeenumber, :businesscategory, :employeeType, :unixhomedirectory]
     # List of attributes for user in LDAP
-    @ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :homedirectory]
+    @ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :employeenumber, :businesscategory, :employeeType, :homedirectory]
+
+    # List of supported hash algorithms keys and string values to operate
+    @supported_hash_algorithms_map = {
+      :md5                  => "{MD5}",
+      :sha                  => "{SHA}",
+      :ssha                 => "{SSHA}",
+      :virtual_crypt_sha256 => "virtualCryptSHA256",
+      :virtual_crypt_sha512 => "virtualCryptSHA512"
+    }
+    # List of unsupported hash algorithms in AD but OpenLDAP support
+    @unsupported_hash_algorithms_in_ad = [:md5, :sha, :ssha]
 
     @ad_host                  = params[:ad_host]
     @ad_port                  = (params[:ad_port] ? params[:ad_port] : 389)
@@ -40,8 +51,17 @@ class Adap
     @ldap_basedn              = params[:ldap_basedn]
     @ldap_user_basedn         = params[:ldap_user_basedn]
     @ldap_auth                = (params.has_key?(:ldap_password) ? { :method => :simple, :username => @ldap_binddn, :password => params[:ldap_password] } : nil )
-    # This attribute converted in generally ... :'msds-phoneticdisplayname' -> :'displayname;lang-ja;phonetic'
-    @password_hash_algorithm  = (params[:password_hash_algorithm] ? params[:password_hash_algorithm] : 'virtualCryptSHA512')
+
+    # A password-hash algorithm to sync to the LDAP.
+    # Popular LDAP products like Open LDAP usually supports md5({MD5}), sha1({SHA}) and ssha({SSHA}) algorithms.
+    # If you want to use virtualCryptSHA256 or virtualCryptSHA512, you have to set additional configurations to OpenLDAP.
+    @password_hash_algorithm  = (params[:password_hash_algorithm] ? params[:password_hash_algorithm] : :ssha)
+    # TODO: Check a hash algorithm is supported or not
+    unless @supported_hash_algorithms_map.has_key?(@password_hash_algorithm) then
+      raise "This program only supports :md5, :sha, :ssha(default), :virtual_crypt_sha256 and :virtual_crypt_sha512 " \
+            + "as :password_hash_algorithm. " \
+            + "An algorithm you chose #{@password_hash_algorithm.is_a?(Symbol) ? ":" : ""}#{@password_hash_algorithm} was unsupported."
+    end
 
     # Phonetics are listed in https://lists.samba.org/archive/samba/2017-March/207308.html
     @map_ad_msds_phonetics = {}
@@ -112,20 +132,33 @@ class Adap
     attributes
   end
 
-  def get_password(username)
-    result = get_raw_password(username, @password_hash_algorithm)
-    if not result.nil? then
-      result = result.chomp
+  def get_password_hash(username, password)
+    case @password_hash_algorithm
+    when :md5, :sha, :ssha then
+      if password.nil? then
+        raise "Password must not be nil when you chose the algorithm of password-hash is :md5 or :sha or :ssha. Pass password of #{username} please."
+      end
+      result = Net::LDAP::Password.generate(@password_hash_algorithm, password)
+    else
+      # Expects :virtual_crypt_sha256(virtualCryptSHA256) or :virtual_crypt_sha512(virtualCryptSHA512)
+      result = get_raw_password_from_ad(username, @supported_hash_algorithms_map[@password_hash_algorithm])
+    end
+
+    if result.nil? or result.empty? then
+      raise "Failed to get hashed password with algorithm :#{@password_hash_algorithm} of user #{username}. " +
+        "Its result was nil. If you chose hash-algorithm :virtual_crypt_sha256 or :virtual_crypt_sha512, " +
+        "did you enabled AD to store passwords as virtualCryptSHA256 and/or virtualCryptSHA512 in your smb.conf? " +
+        "This program requires the configuration to get password from AD as virtualCryptSHA256 or virtualCryptSHA512."
     end
 
-    return result
+    result.chomp
   end
 
-  def get_raw_password(username, algo)
+  def get_raw_password_from_ad(username, algo)
     `samba-tool user getpassword #{username} --attribute #{algo} 2> /dev/null | grep -E '^virtualCrypt' -A 1 | tr -d ' \n' | cut -d ':' -f 2`
   end
 
-  def sync_user(uid)
+  def sync_user(uid, password=nil)
     ad_entry    = nil
     ldap_entry  = nil
     ad_dn       = get_ad_dn(uid)
@@ -137,6 +170,7 @@ class Adap
     end
     ret_code = @ad_client.get_operation_result.code
 
+    # Return 32 means that the object does not exist
     return {
       :code => ret_code,
       :operations => nil,
@@ -156,11 +190,16 @@ class Adap
 
     ret = nil
     if !ad_entry.nil? and ldap_entry.nil? then
-      ret = add_user(ldap_dn, ad_entry, get_password(uid))
+      ret = add_user(ldap_dn, ad_entry, get_password_hash(uid, password))
     elsif ad_entry.nil? and !ldap_entry.nil? then
       ret = delete_user(ldap_dn)
     elsif !ad_entry.nil? and !ldap_entry.nil? then
-      ret = modify_user(ldap_dn, ad_entry, ldap_entry, get_password(uid))
+      ret = modify_user(
+        ldap_dn,
+        ad_entry,
+        ldap_entry,
+        ( password.nil? and (@unsupported_hash_algorithms_in_ad.include?(@password_hash_algorithm)) ) ? nil : get_password_hash(uid, password)
+      )
     else
       # ad_entry.nil? and ldap_entry.nil? then
       return {:code => 0, :operations => nil, :message => "There are not any data of #{uid} to sync."}
@@ -183,7 +222,7 @@ class Adap
 
   def add_user(ldap_user_dn, ad_entry, password)
     if password == nil || password.empty?
-      raise "Password of #{ldap_user_dn} from AD in add_user is empty or nil. Did you enabled AD password option virtualCryptSHA512 and/or virtualCryptSHA256?"
+      raise "add_user() requires password. Set a hashed password of the user #{ad_entry[:cn]} please."
     end
 
     attributes = create_ldap_attributes(ad_entry)
@@ -211,7 +250,7 @@ class Adap
     return {
       :code => ret_code,
       :operations => [:add_user],
-      :message => "Failed to modify a user #{ldap_user_dn} in add_user() - " + @ldap_client.get_operation_result.error_message
+      :message => "Failed to modify a user #{ldap_user_dn} to add userPassword in add_user() - " + @ldap_client.get_operation_result.error_message
     } if ret_code != 0
 
     return {:code => ret_code, :operations => [:add_user], :message => nil}

data/lib/adap/version.rb

@@ -1,3 +1,3 @@
 module ModAdap
-  VERSION = "0.0.19"
+  VERSION = "0.1.3"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: adap
 version: !ruby/object:Gem::Version
-  version: 0.0.19
+  version: 0.1.3
 platform: ruby
 authors:
 - Tsutomu Nakamura
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-07-26 00:00:00.000000000 Z
+date: 2020-08-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -59,6 +59,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".circleci/config.yml"
 - ".gitignore"
 - ".travis.yml"
 - Gemfile
@@ -94,7 +95,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.3
+rubygems_version: 3.1.4
 signing_key:
 specification_version: 4
 summary: LDAP migration tool from AD to NT schema