adap 0.1.2 → 0.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +93 -3
- data/lib/adap/adap.rb +2 -2
- data/lib/adap/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5902e0cff391896473b36f3c70291da1f649517ecb9086e0876d795602d961de
|
|
4
|
+
data.tar.gz: f4779fef13ca503c0a1529a6f128e11306202d0e822a4b77038e7738e75624f0
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f70534ab1eb79938881066d121514c9f04f20fd9e9e8fed3852399fcf7d9d746ec678fcb883d878f12b91bc5e77036e62cca836412ea02e15715b37a2cf1b637
|
|
7
|
+
data.tar.gz: 17c77cb0d8748dd3eb0cc07903458bde6cdc66679513f411aedc590b91be2b27df4022853ea67bf77b514d2666e6ff1a6ca910f3548fed0d9958a1af51c962ce
|
data/README.md
CHANGED
|
@@ -42,9 +42,73 @@ adap = Adap.new({
|
|
|
42
42
|
})
|
|
43
43
|
|
|
44
44
|
# This operation will synchronize a user taro-suzuki to LDAP from AD
|
|
45
|
-
adap.sync_user("
|
|
45
|
+
adap.sync_user("john", "secret")
|
|
46
46
|
```
|
|
47
47
|
|
|
48
|
+
## Attributes to be synched by default
|
|
49
|
+
Attributes to be synched by default are like below.
|
|
50
|
+
|
|
51
|
+
| Name of attribute in AD | | Name of attribute in LDAP | Note |
|
|
52
|
+
| ----------------------- | ------- | ------------------------- | ---- |
|
|
53
|
+
| cn | → | cn | |
|
|
54
|
+
| sn | → | sn | |
|
|
55
|
+
| uid | → | uid | |
|
|
56
|
+
| uidNumber | → | uidNumber | |
|
|
57
|
+
| gidNumber | → | gidNumber | |
|
|
58
|
+
| displayName | → | displayName | |
|
|
59
|
+
| loginShell | → | loginShell | |
|
|
60
|
+
| gecos | → | gecos | |
|
|
61
|
+
| givenName | → | givenName | |
|
|
62
|
+
| description | → | description | |
|
|
63
|
+
| mail | → | mail | |
|
|
64
|
+
| employeeNumber | → | employeeNumber | |
|
|
65
|
+
| unixHomeDirectory | → | homeDirectory | Synched by different names of attributes between AD and LDAP |
|
|
66
|
+
| - | → | userPassword | Password of users also will be synched with some limitations |
|
|
67
|
+
|
|
68
|
+
Some attributes will be added as synched parameters if you add some options, for example options of phonetics.
|
|
69
|
+
|
|
70
|
+
## Other options
|
|
71
|
+
### Password hash algorithm
|
|
72
|
+
There are some supported password hash algorithms like `:md5(MD5)`, `:sha(SHA1)`, `:ssha(SSHA)`, `:virtual_crypt_sha256(virtualCryptSHA256)`, `:virtual_crypt_sha512(virtualCryptSHA512)`.
|
|
73
|
+
`:ssha(SSHA)` will be chosen if you didn't specify any method.
|
|
74
|
+
|
|
75
|
+
```ruby
|
|
76
|
+
adap = Adap.new({
|
|
77
|
+
# Abbreviate other necessary attributes...
|
|
78
|
+
:password_hash_algorithm => :sha
|
|
79
|
+
})
|
|
80
|
+
```
|
|
81
|
+
|
|
82
|
+
But please be careful, even if you choose any method, you will encounter some limitations.
|
|
83
|
+
|
|
84
|
+
* [You have to give plain password if you choose password hash algorithm as :md5, :sha or :ssha](https://github.com/TsutomuNakamura/adap/#you-have-to-give-plain-password-if-you-choose-password-hash-algorithm-as-md5-sha-or-ssha)
|
|
85
|
+
* [AD must allow CryptSHA256 or CryptSHA512 to store password and they have to be same as a storing method in LDAP if you chose password hash algorithm as :virtual_crypt_sha256 or :virtual_crypt_sha512](https://github.com/TsutomuNakamura/adap/#ad-must-allow-cryptsha256-or-cryptsha512-to-store-password-and-they-have-to-be-same-as-a-storing-method-in-ldap)
|
|
86
|
+
|
|
87
|
+
### Phonetics
|
|
88
|
+
adap can sync phonetics from AD to LDAP if you specify attribute names.
|
|
89
|
+
|
|
90
|
+
```ruby
|
|
91
|
+
adap = Adap.new({
|
|
92
|
+
# Abbreviate other necessary attributes...
|
|
93
|
+
:map_msds_phonetics => {
|
|
94
|
+
# This will sync the value of :'msds-phoneticdisplayname'(msDS-PhoneticDisplayName) in AD to the value of "displayname;lang-ja;phonetic" in LDAP
|
|
95
|
+
:'msds-phoneticdisplayname' => :'displayname;lang-ja;phonetic'
|
|
96
|
+
}
|
|
97
|
+
})
|
|
98
|
+
```
|
|
99
|
+
|
|
100
|
+
All supported phonetics in AD are like below.
|
|
101
|
+
|
|
102
|
+
| Symbol | Name of attribute | General name of attribute in LDAP(ex:ja) |
|
|
103
|
+
| --------------------------- | ------------------------ | ---------------------------------------- |
|
|
104
|
+
| :'msds-phoneticcompanyname' | msDS-PhoneticCompanyName | companyName;lang-ja;phonetic |
|
|
105
|
+
| :'msds-phoneticdepartment' | msDS-PhoneticDepartment | department;lang-ja;phonetic |
|
|
106
|
+
| :'msds-phoneticfirstname' | msDS-PhoneticFirstName | firstname;lang-ja;phonetic |
|
|
107
|
+
| :'msds-phoneticlastname' | msDS-PhoneticLastName | lastname;lang-ja;phonetic |
|
|
108
|
+
| :'msds-phoneticdisplayname' | msDS-PhoneticDisplayName | displayname;lang-ja;phonetic |
|
|
109
|
+
|
|
110
|
+
Ofcourse, you can change the name of attributes that will be synced in LDAP(General name of attribute in LDAP) depends on your environment.
|
|
111
|
+
|
|
48
112
|
## Requirements and limitations
|
|
49
113
|
|
|
50
114
|
This program has some requirements and limitations like below.
|
|
@@ -65,12 +129,27 @@ ldap server require strong auth = no
|
|
|
65
129
|
|
|
66
130
|
This program will fail to get user data from AD if you did not allow this setting.
|
|
67
131
|
|
|
68
|
-
###
|
|
132
|
+
### You have to give a plain password of the user that will be synched if you choose password hash algorithm as :md5, :sha or :ssha
|
|
133
|
+
AD never be able to have passwords as :md5(MD5), :sha(SHA1) or :ssha(SSHA) that same as LDAP(OpenLDAP).
|
|
134
|
+
So this program can not sync user password from only parameters in AD to LDAP.
|
|
135
|
+
You have to pass the plain password to sync passwords to LDAP.
|
|
136
|
+
|
|
137
|
+
```ruby
|
|
138
|
+
adap = Adap.new({
|
|
139
|
+
# Abbreviate other necessary attributes...
|
|
140
|
+
})
|
|
141
|
+
|
|
142
|
+
adap.sync_user("john", "secret") # You have to give a plain password as a second parameter of the sync_user().
|
|
143
|
+
```
|
|
144
|
+
|
|
145
|
+
### AD must allow CryptSHA256 or CryptSHA512 to store password and they have to be same as a storing method in LDAP if you choose password hash algorithm as :virtual_crypt_sha256 or :virtual_crypt_sha512
|
|
69
146
|
|
|
70
147
|
AD must allow storing password as CryptSHA256 or CryptSHA512 by setting smb.conf like below.
|
|
71
148
|
|
|
72
149
|
* your AD's smb.conf
|
|
73
150
|
```
|
|
151
|
+
[global]
|
|
152
|
+
# ......
|
|
74
153
|
password hash userPassword schemes = CryptSHA256 CryptSHA512
|
|
75
154
|
```
|
|
76
155
|
|
|
@@ -103,7 +182,18 @@ olcPasswordCryptSaltFormat: $6$%.16s
|
|
|
103
182
|
EOF
|
|
104
183
|
```
|
|
105
184
|
|
|
106
|
-
|
|
185
|
+
After you have set them, you can sync a user and password between AD and LDAP like below.
|
|
186
|
+
|
|
187
|
+
```ruby
|
|
188
|
+
adap = Adap.new({
|
|
189
|
+
# Abbreviate other necessary attributes...
|
|
190
|
+
:password_hash_algorithm => :virtual_crypt_sha512
|
|
191
|
+
})
|
|
192
|
+
|
|
193
|
+
adap.sync_user("john") # You don't have to give a plain password.
|
|
194
|
+
```
|
|
195
|
+
|
|
196
|
+
### This program must be located in AD server if you chose a password hash algorithm as :virtual_crypt_sha256 or :virtual_crypt_sha512
|
|
107
197
|
|
|
108
198
|
This program must be located in AD server because samba-tool on AD only support getting hashed password only from `ldapi://` or `tdb://`.
|
|
109
199
|
|
data/lib/adap/adap.rb
CHANGED
|
@@ -24,9 +24,9 @@ class Adap
|
|
|
24
24
|
}
|
|
25
25
|
|
|
26
26
|
# List of attributes for user in AD
|
|
27
|
-
@ad_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :employeenumber, :unixhomedirectory]
|
|
27
|
+
@ad_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :employeenumber, :businesscategory, :employeeType, :unixhomedirectory]
|
|
28
28
|
# List of attributes for user in LDAP
|
|
29
|
-
@ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :employeenumber, :homedirectory]
|
|
29
|
+
@ldap_user_required_attributes = [:cn, :sn, :uid, :uidnumber, :gidnumber, :displayname, :loginshell, :gecos, :givenname, :description, :mail, :employeenumber, :businesscategory, :employeeType, :homedirectory]
|
|
30
30
|
|
|
31
31
|
# List of supported hash algorithms keys and string values to operate
|
|
32
32
|
@supported_hash_algorithms_map = {
|
data/lib/adap/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: adap
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tsutomu Nakamura
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-08-
|
|
11
|
+
date: 2020-08-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -95,7 +95,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
96
|
version: '0'
|
|
97
97
|
requirements: []
|
|
98
|
-
rubygems_version: 3.1.
|
|
98
|
+
rubygems_version: 3.1.4
|
|
99
99
|
signing_key:
|
|
100
100
|
specification_version: 4
|
|
101
101
|
summary: LDAP migration tool from AD to NT schema
|