adap 0.1.2 → 0.1.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +93 -3
- data/lib/adap/adap.rb +2 -2
- data/lib/adap/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 5902e0cff391896473b36f3c70291da1f649517ecb9086e0876d795602d961de
|
4
|
+
data.tar.gz: f4779fef13ca503c0a1529a6f128e11306202d0e822a4b77038e7738e75624f0
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f70534ab1eb79938881066d121514c9f04f20fd9e9e8fed3852399fcf7d9d746ec678fcb883d878f12b91bc5e77036e62cca836412ea02e15715b37a2cf1b637
|
7
|
+
data.tar.gz: 17c77cb0d8748dd3eb0cc07903458bde6cdc66679513f411aedc590b91be2b27df4022853ea67bf77b514d2666e6ff1a6ca910f3548fed0d9958a1af51c962ce
|
data/README.md
CHANGED
@@ -42,9 +42,73 @@ adap = Adap.new({
|
|
42
42
|
})
|
43
43
|
|
44
44
|
# This operation will synchronize a user taro-suzuki to LDAP from AD
|
45
|
-
adap.sync_user("
|
45
|
+
adap.sync_user("john", "secret")
|
46
46
|
```
|
47
47
|
|
48
|
+
## Attributes to be synched by default
|
49
|
+
Attributes to be synched by default are like below.
|
50
|
+
|
51
|
+
| Name of attribute in AD | | Name of attribute in LDAP | Note |
|
52
|
+
| ----------------------- | ------- | ------------------------- | ---- |
|
53
|
+
| cn | → | cn | |
|
54
|
+
| sn | → | sn | |
|
55
|
+
| uid | → | uid | |
|
56
|
+
| uidNumber | → | uidNumber | |
|
57
|
+
| gidNumber | → | gidNumber | |
|
58
|
+
| displayName | → | displayName | |
|
59
|
+
| loginShell | → | loginShell | |
|
60
|
+
| gecos | → | gecos | |
|
61
|
+
| givenName | → | givenName | |
|
62
|
+
| description | → | description | |
|
63
|
+
| mail | → | mail | |
|
64
|
+
| employeeNumber | → | employeeNumber | |
|
65
|
+
| unixHomeDirectory | → | homeDirectory | Synched by different names of attributes between AD and LDAP |
|
66
|
+
| - | → | userPassword | Password of users also will be synched with some limitations |
|
67
|
+
|
68
|
+
Some attributes will be added as synched parameters if you add some options, for example options of phonetics.
|
69
|
+
|
70
|
+
## Other options
|
71
|
+
### Password hash algorithm
|
72
|
+
There are some supported password hash algorithms like `:md5(MD5)`, `:sha(SHA1)`, `:ssha(SSHA)`, `:virtual_crypt_sha256(virtualCryptSHA256)`, `:virtual_crypt_sha512(virtualCryptSHA512)`.
|
73
|
+
`:ssha(SSHA)` will be chosen if you didn't specify any method.
|
74
|
+
|
75
|
+
```ruby
|
76
|
+
adap = Adap.new({
|
77
|
+
# Abbreviate other necessary attributes...
|
78
|
+
:password_hash_algorithm => :sha
|
79
|
+
})
|
80
|
+
```
|
81
|
+
|
82
|
+
But please be careful, even if you choose any method, you will encounter some limitations.
|
83
|
+
|
84
|
+
* [You have to give plain password if you choose password hash algorithm as :md5, :sha or :ssha](https://github.com/TsutomuNakamura/adap/#you-have-to-give-plain-password-if-you-choose-password-hash-algorithm-as-md5-sha-or-ssha)
|
85
|
+
* [AD must allow CryptSHA256 or CryptSHA512 to store password and they have to be same as a storing method in LDAP if you chose password hash algorithm as :virtual_crypt_sha256 or :virtual_crypt_sha512](https://github.com/TsutomuNakamura/adap/#ad-must-allow-cryptsha256-or-cryptsha512-to-store-password-and-they-have-to-be-same-as-a-storing-method-in-ldap)
|
86
|
+
|
87
|
+
### Phonetics
|
88
|
+
adap can sync phonetics from AD to LDAP if you specify attribute names.
|
89
|
+
|
90
|
+
```ruby
|
91
|
+
adap = Adap.new({
|
92
|
+
# Abbreviate other necessary attributes...
|
93
|
+
:map_msds_phonetics => {
|
94
|
+
# This will sync the value of :'msds-phoneticdisplayname'(msDS-PhoneticDisplayName) in AD to the value of "displayname;lang-ja;phonetic" in LDAP
|
95
|
+
:'msds-phoneticdisplayname' => :'displayname;lang-ja;phonetic'
|
96
|
+
}
|
97
|
+
})
|
98
|
+
```
|
99
|
+
|
100
|
+
All supported phonetics in AD are like below.
|
101
|
+
|
102
|
+
| Symbol | Name of attribute | General name of attribute in LDAP(ex:ja) |
|
103
|
+
| --------------------------- | ------------------------ | ---------------------------------------- |
|
104
|
+
| :'msds-phoneticcompanyname' | msDS-PhoneticCompanyName | companyName;lang-ja;phonetic |
|
105
|
+
| :'msds-phoneticdepartment' | msDS-PhoneticDepartment | department;lang-ja;phonetic |
|
106
|
+
| :'msds-phoneticfirstname' | msDS-PhoneticFirstName | firstname;lang-ja;phonetic |
|
107
|
+
| :'msds-phoneticlastname' | msDS-PhoneticLastName | lastname;lang-ja;phonetic |
|
108
|
+
| :'msds-phoneticdisplayname' | msDS-PhoneticDisplayName | displayname;lang-ja;phonetic |
|
109
|
+
|
110
|
+
Ofcourse, you can change the name of attributes that will be synced in LDAP(General name of attribute in LDAP) depends on your environment.
|
111
|
+
|
48
112
|
## Requirements and limitations
|
49
113
|
|
50
114
|
This program has some requirements and limitations like below.
|
@@ -65,12 +129,27 @@ ldap server require strong auth = no
|
|
65
129
|
|
66
130
|
This program will fail to get user data from AD if you did not allow this setting.
|
67
131
|
|
68
|
-
###
|
132
|
+
### You have to give a plain password of the user that will be synched if you choose password hash algorithm as :md5, :sha or :ssha
|
133
|
+
AD never be able to have passwords as :md5(MD5), :sha(SHA1) or :ssha(SSHA) that same as LDAP(OpenLDAP).
|
134
|
+
So this program can not sync user password from only parameters in AD to LDAP.
|
135
|
+
You have to pass the plain password to sync passwords to LDAP.
|
136
|
+
|
137
|
+
```ruby
|
138
|
+
adap = Adap.new({
|
139
|
+
# Abbreviate other necessary attributes...
|
140
|
+
})
|
141
|
+
|
142
|
+
adap.sync_user("john", "secret") # You have to give a plain password as a second parameter of the sync_user().
|
143
|
+
```
|
144
|
+
|
145
|
+
### AD must allow CryptSHA256 or CryptSHA512 to store password and they have to be same as a storing method in LDAP if you choose password hash algorithm as :virtual_crypt_sha256 or :virtual_crypt_sha512
|
69
146
|
|
70
147
|
AD must allow storing password as CryptSHA256 or CryptSHA512 by setting smb.conf like below.
|
71
148
|
|
72
149
|
* your AD's smb.conf
|
73
150
|
```
|
151
|
+
[global]
|
152
|
+
# ......
|
74
153
|
password hash userPassword schemes = CryptSHA256 CryptSHA512
|
75
154
|
```
|
76
155
|
|
@@ -103,7 +182,18 @@ olcPasswordCryptSaltFormat: $6$%.16s
|
|
103
182
|
EOF
|
104
183
|
```
|
105
184
|
|
106
|
-
|
185
|
+
After you have set them, you can sync a user and password between AD and LDAP like below.
|
186
|
+
|
187
|
+
```ruby
|
188
|
+
adap = Adap.new({
|
189
|
+
# Abbreviate other necessary attributes...
|
190
|
+
:password_hash_algorithm => :virtual_crypt_sha512
|
191
|
+
})
|
192
|
+
|
193
|
+
adap.sync_user("john") # You don't have to give a plain password.
|
194
|
+
```
|
195
|
+
|
196
|
+
### This program must be located in AD server if you chose a password hash algorithm as :virtual_crypt_sha256 or :virtual_crypt_sha512
|
107
197
|
|
108
198
|
This program must be located in AD server because samba-tool on AD only support getting hashed password only from `ldapi://` or `tdb://`.
|
109
199
|
|
data/lib/adap/adap.rb
CHANGED
@@ -24,9 +24,9 @@ class Adap
|
|
24
24
|
}
|
25
25
|
|
26
26
|
# List of attributes for user in AD
|
27
|
-
@ad_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :employeenumber, :unixhomedirectory]
|
27
|
+
@ad_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :employeenumber, :businesscategory, :employeeType, :unixhomedirectory]
|
28
28
|
# List of attributes for user in LDAP
|
29
|
-
@ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :employeenumber, :homedirectory]
|
29
|
+
@ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :employeenumber, :businesscategory, :employeeType, :homedirectory]
|
30
30
|
|
31
31
|
# List of supported hash algorithms keys and string values to operate
|
32
32
|
@supported_hash_algorithms_map = {
|
data/lib/adap/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: adap
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Tsutomu Nakamura
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-08-
|
11
|
+
date: 2020-08-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -95,7 +95,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
95
95
|
- !ruby/object:Gem::Version
|
96
96
|
version: '0'
|
97
97
|
requirements: []
|
98
|
-
rubygems_version: 3.1.
|
98
|
+
rubygems_version: 3.1.4
|
99
99
|
signing_key:
|
100
100
|
specification_version: 4
|
101
101
|
summary: LDAP migration tool from AD to NT schema
|