adtools 0.0.1pre

data/lib/adtools/field_type/timestamp.rb

@@ -0,0 +1,45 @@
+#-- license
+#
+#  Based on original code by Justin Mecham and James Hunt
+#  at http://rubyforge.org/projects/activedirectory
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#++ license
+
+module Adtools
+	module FieldType
+		class Timestamp
+			AD_DIVISOR = 10_000_000     #:nodoc:
+			AD_OFFSET  = 11_644_473_600 #:nodoc:
+
+			#
+			# Encodes a local Time object (or the number of seconds since January
+			# 1, 1970) into a timestamp that the Active Directory server can
+			# understand (number of 100 nanosecond time units since January 1, 1600)
+			# 
+			def self.encode(local_time)
+				(local_time.to_i + AD_OFFSET) * AD_DIVISOR
+			end
+
+			#
+			# Decodes an Active Directory timestamp (the number of 100 nanosecond time
+			# units since January 1, 1600) into a Ruby Time object.
+			#
+			def self.decode(remote_time)
+				Time.at( (remote_time.to_i / AD_DIVISOR) - AD_OFFSET )
+			end
+		end
+	end
+end

data/lib/adtools/field_type/user_dn_array.rb

@@ -0,0 +1,40 @@
+#-- license
+#
+#  Based on original code by Justin Mecham and James Hunt
+#  at http://rubyforge.org/projects/activedirectory
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#++ license
+
+module Adtools
+	module FieldType
+		class UserDnArray
+			#
+			# Encodes an array of objects into a list of dns
+			# 
+			def self.encode(obj_array)
+				obj_array.collect { |obj| obj.dn }
+			end
+
+			#
+			# Decodes a list of DNs into the objects that they are
+			#
+			def self.decode(dn_array)
+				# How to do user or group?
+				User.find(:all, :distinguishedname => dn_array)
+			end
+		end
+	end
+end

data/lib/adtools/group.rb

@@ -0,0 +1,137 @@
+#-- license
+#
+#  Based on original code by Justin Mecham and James Hunt
+#  at http://rubyforge.org/projects/activedirectory
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#++ license
+
+module Adtools
+	class Group < Base
+		include Member
+
+		def self.filter # :nodoc:
+			Net::LDAP::Filter.eq(:objectClass,'group')
+		end
+
+		def self.required_attributes # :nodoc:
+			{ :objectClass => [ 'top', 'group' ] }
+		end
+
+		def reload # :nodoc:
+			@member_users_non_r  = nil
+			@member_users_r      = nil
+			@member_groups_non_r = nil
+			@member_groups_r     = nil
+			@groups              = nil
+			super
+		end
+
+		#
+		# Returns true if the passed User or Group object belongs to
+		# this group. For performance reasons, the check is handled
+		# by the User or Group object passed.
+		#
+		def has_member?(user)
+			user.member_of?(self)
+		end
+
+		#
+		# Add the passed User or Group object to this Group. Returns true if
+		# the User or Group is already a member of the group, or if the operation
+		# to add them succeeds.
+		#
+		def add(new_member)
+			return false unless new_member.is_a?(User) || new_member.is_a?(Group)
+			if @@ldap.modify(:dn => distinguishedName, :operations => [
+				[ :add, :member, new_member.distinguishedName ]
+			])
+				return true
+			else
+				return has_member?(new_member)
+			end
+		end
+
+		#
+		# Remove a User or Group from this Group. Returns true if the User or
+		# Group does not belong to this Group, or if the oepration to remove them
+		# succeeds.
+		#
+		def remove(member)
+			return false unless member.is_a?(User) || member.is_a?(Group)
+			if @@ldap.modify(:dn => distinguishedName, :operations => [
+				[ :delete, :member, member.distinguishedName ]
+			])
+				return true
+			else
+				return !has_member?(member)
+			end
+		end
+
+		def has_members?
+			begin
+				return (@entry.member.nil? || @entry.member.empty?) ? false : true
+			rescue NoMethodError
+				return false
+			end
+		end
+
+		#
+		# Returns an array of all User objects that belong to this group.
+		#
+		# If the recursive argument is passed as false, then only Users who
+		# belong explicitly to this Group are returned.
+		#
+		# If the recursive argument is passed as true, then all Users who
+		# belong to this Group, or any of its subgroups, are returned.
+		# 
+		def member_users(recursive = false)
+                        @member_users = User.find(:all, :distinguishedname => @entry.member).delete_if { |u| u.nil? }
+                        if recursive then
+                          self.member_groups.each do |group|
+                            @member_users.concat(group.member_users(true))
+                          end
+                        end
+                        return @member_users
+		end
+
+		#
+		# Returns an array of all Group objects that belong to this group.
+		#
+		# If the recursive argument is passed as false, then only Groups that
+		# belong explicitly to this Group are returned.
+		#
+		# If the recursive argument is passed as true, then all Groups that
+		# belong to this Group, or any of its subgroups, are returned.
+		# 
+		def member_groups(recursive = false)
+                        @member_groups ||= Group.find(:all, :distinguishedname => @entry.member).delete_if { |g| g.nil? }
+                        if recursive then
+                          self.member_groups.each do |group|
+                            @member_groups.concat(group.member_groups(true))
+                          end
+                        end
+                        return @member_groups
+		end
+
+		#
+		# Returns an array of Group objects that this Group belongs to.
+		#
+		def groups
+			return [] if memberOf.nil?
+			@groups ||= Group.find(:all, :distinguishedname => @entry.memberOf).delete_if { |g| g.nil? }
+		end
+	end
+end

data/lib/adtools/member.rb

@@ -0,0 +1,53 @@
+#-- license
+#
+#  Based on original code by Justin Mecham and James Hunt
+#  at http://rubyforge.org/projects/activedirectory
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#++ license
+
+module Adtools
+	module Member
+		#
+		# Returns true if this member (User or Group) is a member of
+		# the passed Group object.
+		#
+		def member_of?(usergroup)
+			group_dns = memberOf
+			return false if group_dns.nil? || group_dns.empty?
+			#group_dns = [group_dns] unless group_dns.is_a?(Array)
+			group_dns.include?(usergroup.dn)
+		end
+
+		#
+		# Add the member to the passed Group object. Returns true if this object
+		# is already a member of the Group, or if the operation to add it succeeded.
+		#
+		def join(group)
+			return false unless group.is_a?(Group)
+			group.add(self)
+		end
+
+		#
+		# Remove the member from the passed Group object. Returns true if this
+		# object is not a member of the Group, or if the operation to remove it
+		# succeeded.
+		#
+		def unjoin(group)
+			return false unless group.is_a?(Group)
+			group.remove(self)
+		end
+	end
+end

data/lib/adtools/ou.rb

@@ -0,0 +1,11 @@
+module Adtools
+	class Ou < Base
+		def self.filter
+			Net::LDAP::Filter.eq(:objectClass,'organizationalUnit')
+		end
+
+		def self.required_attributes
+			{ :objectClass => [ 'top', 'organizationalUnit' ] }
+		end
+	end
+end

data/lib/adtools/user.rb

@@ -0,0 +1,152 @@
+#-- license
+#
+#  Based on original code by Justin Mecham and James Hunt
+#  at http://rubyforge.org/projects/activedirectory
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#++ license
+
+module Adtools
+	class User < Base
+		include Member
+
+		UAC_ACCOUNT_DISABLED = 0x0002
+		UAC_NORMAL_ACCOUNT   = 0x0200 # 512
+
+		def self.filter # :nodoc:
+			Net::LDAP::Filter.eq(:objectClass,'user') & ~Net::LDAP::Filter.eq(:objectClass,'computer')
+		end
+
+		def self.required_attributes #:nodoc:
+			{ :objectClass => ['top', 'organizationalPerson', 'person', 'user'] }
+		end
+
+		#
+		# Try to authenticate the current User against Active Directory
+		# using the supplied password. Returns false upon failure.
+		#
+		# Authenticate can fail for a variety of reasons, primarily:
+		#
+		# * The password is wrong
+		# * The account is locked
+		# * The account is disabled
+		#
+		# User#locked? and User#disabled? can be used to identify the
+		# latter two cases, and if the account is enabled and unlocked,
+		# Athe password is probably invalid.
+		#
+		def authenticate(password)
+			return false if password.to_s.empty?
+
+			auth_ldap = @@ldap.dup.bind_as(
+				:filter => "(sAMAccountName=#{sAMAccountName})",
+				:password => password
+			)
+		end
+
+		#
+		# Return the User's manager (another User object), depending on
+		# what is stored in the manager attribute.
+		#
+		# Returns nil if the schema does not include the manager attribute
+		# or if no manager has been configured.
+		#
+		def manager
+			return nil if @entry.manager.nil?
+			User.find_by_distinguishedName(@entry.manager.to_s)
+		end
+
+		#
+		# Returns an array of Group objects that this User belongs to.
+		# Only the immediate parent groups are returned, so if the user
+		# Sally is in a group called Sales, and Sales is in a group
+		# called Marketting, this method would only return the Sales group.
+		#
+		def groups
+			@groups ||= Group.find(:all, :distinguishedname => @entry.memberOf)
+		end
+
+		#
+		# Returns an array of User objects that have this
+		# User as their manager.
+		#
+		def direct_reports
+			return [] if @entry.directReports.nil?
+			@direct_reports ||= User.find(:all, @entry.directReports)
+		end
+
+		#
+		# Returns true if this account has been locked out
+		# (usually because of too many invalid authentication attempts).
+		#
+		# Locked accounts can be unlocked with the User#unlock! method.
+		#
+		def locked?
+			!lockoutTime.nil? && lockoutTime.to_i != 0
+		end
+
+		#
+		# Returns true if this account has been disabled.
+		#
+		def disabled?
+			userAccountControl.to_i & UAC_ACCOUNT_DISABLED != 0
+		end
+
+		#
+		# Returns true if the user should be able to log in with a correct
+		# password (essentially, their account is not disabled or locked
+		# out).
+		#
+		def can_login?
+			!disabled? && !locked?
+		end
+
+		#
+		# Change the password for this account.
+		#
+		# This operation requires that the bind user specified in
+		# Base.setup have heightened privileges. It also requires an
+		# SSL connection.
+		#
+		# If the force_change argument is passed as true, the password will
+		# be marked as 'expired', forcing the user to change it the next
+		# time they successfully log into the domain.
+		#
+		def change_password(new_password, force_change = false)
+			settings = @@settings.dup.merge({
+				:port => 636,
+				:encryption => { :method => :simple_tls }
+			})
+
+			ldap = Net::LDAP.new(settings)
+			ldap.modify(
+				:dn => distinguishedName,
+				:operations => [
+					[ :replace, :lockoutTime, [ '0' ] ],
+					[ :replace, :unicodePwd, [ FieldType::Password.encode(new_password) ] ],
+					[ :replace, :userAccountControl, [ UAC_NORMAL_ACCOUNT.to_s ] ],
+					[ :replace, :pwdLastSet, [ (force_change ? '0' : '-1') ] ]
+				]
+			)
+		end
+
+		#
+		# Unlocks this account.
+		#
+		def unlock!
+			@@ldap.replace_attribute(distinguishedName, :lockoutTime, ['0'])
+		end
+	end
+end

data/lib/adtools/version.rb

@@ -0,0 +1,3 @@
+module Adtools
+    Version = '0.0.1pre'
+end