charanya-devise_ldap_authenticatable 0.4.6

data/lib/generators/devise_ldap_authenticatable/templates/ldap.yml

@@ -0,0 +1,75 @@
+## Authorizations
+# Uncomment out the merging for each enviornment that you'd like to include.
+# You can also just copy and paste the tree (do not include the "authorizations") to each
+# enviornment if you need something different per enviornment.
+authorizations: &AUTHORIZATIONS
+  group_base: ou=groups,dc=test,dc=com
+  ## Requires config.ldap_check_group_membership in devise.rb be true
+  # Can have multiple values, must match all to be authorized
+  required_groups:
+    # If only a group name is given, membership will be checked against "uniqueMember"
+    - cn=admins,ou=groups,dc=test,dc=com
+    - cn=users,ou=groups,dc=test,dc=com
+    # If an array is given, the first element will be the attribute to check against, the second the group name
+    - ["moreMembers", "cn=users,ou=groups,dc=test,dc=com"]
+  ## Requires config.ldap_check_attributes in devise.rb to be true
+  ## Can have multiple attributes and values, must match all to be authorized
+  require_attribute:
+    objectClass: inetOrgPerson
+    authorizationRole: postsAdmin
+
+# Application specific attributes and changes.
+
+    #attribute: => attribute of the ldap
+    #attribute_to_compare => attribute of the ldap with which the knome specific field should be compared.
+    #attributes_to_persist => attributes that need to be fed to the user table from ldap
+
+## Enviornments
+
+development:
+  host: localhost
+  port: 389
+  attribute: cn
+  base: ou=people,dc=test,dc=com
+  #admin_user: cn=admin,dc=test,dc=com
+  #admin_password: admin_password
+  #attribute: mail
+  #attribute_to_compare: mail
+  #attributes_to_persist:
+       #- ["mail", "email"]
+       #- ["givenName", "first_name"]
+       #- ["sn", "last_name"]
+  ssl: false
+  # <<: *AUTHORIZATIONS
+
+test:
+  host: localhost
+  port: 3389
+  attribute: cn
+  base: ou=people,dc=test,dc=com
+  #admin_user: cn=admin,dc=test,dc=com
+  #admin_password: admin_password
+  #attribute: mail
+  #attribute_to_compare: mail
+  #attributes_to_persist:
+       #- ["mail", "email"]
+       #- ["givenName", "first_name"]
+       #- ["sn", "last_name"]
+  ssl: false
+  # <<: *AUTHORIZATIONS
+
+production:
+  host: localhost
+  port: 636
+  attribute: cn
+  base: ou=people,dc=test,dc=com
+  #admin_user: cn=admin,dc=test,dc=com
+  #admin_password: admin_password
+  #attribute: mail
+  #attribute_to_compare: mail
+  #attributes_to_persist:
+       #- ["mail", "email"]
+       #- ["givenName", "first_name"]
+       #- ["sn", "last_name"]
+  ssl: true
+  # <<: *AUTHORIZATIONS

data/rails/init.rb

@@ -0,0 +1,2 @@
+# Include hook code here
+require 'devise_ldap_authenticatable'

data/test/devise_ldap_authenticatable_test.rb

@@ -0,0 +1,8 @@
+require 'test_helper'
+
+class DeviseLdapAuthenticatableTest < ActiveSupport::TestCase
+  # Replace this with your real tests.
+  test "the truth" do
+    assert true
+  end
+end

data/test/ldap/base.ldif

@@ -0,0 +1,73 @@
+# ldapadd -x -h localhost -p 3389 -D "cn=admin,dc=test,dc=com" -w secret -f base.ldif
+
+dn: dc=test,dc=com
+objectClass: dcObject
+objectClass: organizationalUnit
+dc: test
+ou: Test
+
+dn: ou=people,dc=test,dc=com
+objectClass: organizationalUnit
+ou: people
+
+dn: ou=others,dc=test,dc=com
+objectClass: organizationalUnit
+ou: others
+
+dn: ou=groups,dc=test,dc=com
+objectClass: organizationalUnit
+ou: groups
+
+# example.user@test.com, people, test.com
+dn: cn=example.user@test.com,ou=people,dc=test,dc=com
+objectClass: inetOrgPerson
+objectClass: authorizations
+sn: User
+uid: example_user
+mail: example.user@test.com
+cn: example.user@test.com
+authorizationRole: blogUser
+userPassword:: e1NTSEF9ZXRYaE9NcjRjOGFiTjlqYUxyczZKSll5MFlaZUF1NURCVWhhY0E9PQ=
+ =
+
+# other.user@test.com
+dn: cn=other.user@test.com,ou=others,dc=test,dc=com
+objectClass: inetOrgPerson
+objectClass: authorizations
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+sn: Other
+uid: other_user
+cn: other.user@test.com
+authorizationRole: blogUser
+userPassword:: e1NIQX1IQXdtdk13RGF1ZUpyZDhwakxXMzZ6Yi9jTUU9
+
+# example.admin@test.com, people, test.com
+dn: cn=example.admin@test.com,ou=people,dc=test,dc=com
+objectClass: inetOrgPerson
+objectClass: authorizations
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+sn: Admin
+uid: example_admin
+cn: example.admin@test.com
+authorizationRole: blogAdmin
+userPassword:: e1NIQX0wcUNXaERISGFwWmc3ekJxZWRRanBzNW1EUDA9
+
+# users, groups, test.com
+dn: cn=users,ou=groups,dc=test,dc=com
+objectClass: authorizations
+objectClass: groupOfUniqueNames
+objectClass: top
+uniqueMember: cn=example.user@test.com,ou=people,dc=test,dc=com
+authorizationRole: cn=example.admin@test.com,ou=people,dc=test,dc=com
+cn: users
+
+# users, groups, test.com
+dn: cn=admins,ou=groups,dc=test,dc=com
+objectClass: groupOfUniqueNames
+objectClass: top
+uniqueMember: cn=example.admin@test.com,ou=people,dc=test,dc=com
+cn: admins

data/test/ldap/clear.ldif

@@ -0,0 +1,26 @@
+dn: cn=admins,ou=groups,dc=test,dc=com
+changetype: delete
+
+dn: cn=users,ou=groups,dc=test,dc=com
+changetype: delete
+
+dn: cn=example.admin@test.com,ou=people,dc=test,dc=com
+changetype: delete
+
+dn: cn=example.user@test.com,ou=people,dc=test,dc=com
+changetype: delete
+
+dn: cn=other.user@test.com,ou=others,dc=test,dc=com
+changetype: delete
+
+dn: ou=groups,dc=test,dc=com
+changetype: delete
+
+dn: ou=people,dc=test,dc=com
+changetype: delete
+
+dn: ou=others,dc=test,dc=com
+changetype: delete
+
+dn: dc=test,dc=com
+changetype: delete

data/test/ldap/local.schema

@@ -0,0 +1,6 @@
+attributetype ( 1.1.2.2.5 NAME  'authorizationRole' SUP name )
+
+objectclass ( 1.1.2.2.1 NAME 'authorizations'
+        DESC 'mixin authorizations'
+        AUXILIARY
+        MAY authorizationRole )

data/test/ldap/run-server.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+## For OSX:
+PATH=$PATH:/usr/libexec
+
+if [[ $1 == "--ssl" ]]; then
+    slapd -d 1 -f slapd-ssl-test.conf -h ldaps://localhost:3389
+  else
+    slapd -d 1 -f slapd-test.conf -h ldap://localhost:3389 
+fi

data/test/ldap/server.pem

@@ -0,0 +1,38 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC/hxFetCTh++3sEwchxuscH5TID0Wj2S/heBjY6RuK5rPrAcUg
+rA7jFEFilEQYpfGe3LIMBkr5pP4aR1NrLuvKZaHuBvRLwOcU7SbuFQ3FQLaJA3UK
+E2IOH9wMg1BMcG1WbzB1nKc650omKo7KqOAIYFFVq3gzlDRUmHF6dCAnvwIDAQAB
+AoGAcOBJfGbu1cCEF/2e1mlFZu214bIeeNInRdphynSXpuUQZBBG/Vpp66qkXlTD
+TUN/gwDObgfHaBm1KAehQioFC9ys1Iymlt8IeRYXH9Tkl7URe30QGAGjdIPohWpZ
+xl/aMrpQVvQukaStRNoJXA32j+tuR2KbxAK6bu9iLzXvCQECQQD6AOzHVDB06ZjF
+iJYB1/CyZBg0Q2aIOwGXwle1t1O7q6nJ6UWkurQF/inBdJdE5SWNEzYsI1tEP0n2
+1ZBIWQxtAkEAxB8WgFjRqYdmUYGQ1k8yxMUTLbZFd6t2UZyB/LAw9CtjH9lrU0z9
+81UK/ywVHkoDDPHbFyvd1jludqbz+suRWwJBAPEL9UCXfwUquf8zm5b5cv09n0y8
+895ELlv5qQHvWg+oC1Q/08NptOvWTMJXPQbTfepQ7LmP+Y6LCzCwZ6YqHd0CQFiW
+flB9Tj9YhNQ+RVE4twMAzhfw5FIY5joZCvI8F/DDBGRnjj4zYeafPHdkzyk+X0Bi
+owdFblAM4yO/aCeZ+k8CQQDdBi+WnpaaSL0NXmAb6+7aQRZ/Gc2O9S2JL/Fxw4EQ
+i7KTRdH/d6Db9SeQEc/uCbJW7fM4KbZcjFdncHFytakt
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDwjCCAyugAwIBAgIJAP+plC/uCHKkMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
+VQQGEwJVUzERMA8GA1UECBMIVmlyZ2luaWExEzARBgNVBAcTCkFsZXhhbmRyaWEx
+DTALBgNVBAoTBFRlc3QxDTALBgNVBAsTBFRlc3QxJDAiBgNVBAMUG2RldmlzZV9s
+ZGFwX2F1dGhlbnRpY2F0YWJsZTEiMCAGCSqGSIb3DQEJARYTZHBtY25ldmluQGdt
+YWlsLmNvbTAeFw0xMDA4MDUyMTU1MDVaFw0xMTA4MDUyMTU1MDVaMIGdMQswCQYD
+VQQGEwJVUzERMA8GA1UECBMIVmlyZ2luaWExEzARBgNVBAcTCkFsZXhhbmRyaWEx
+DTALBgNVBAoTBFRlc3QxDTALBgNVBAsTBFRlc3QxJDAiBgNVBAMUG2RldmlzZV9s
+ZGFwX2F1dGhlbnRpY2F0YWJsZTEiMCAGCSqGSIb3DQEJARYTZHBtY25ldmluQGdt
+YWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAv4cRXrQk4fvt7BMH
+IcbrHB+UyA9Fo9kv4XgY2Okbiuaz6wHFIKwO4xRBYpREGKXxntyyDAZK+aT+GkdT
+ay7rymWh7gb0S8DnFO0m7hUNxUC2iQN1ChNiDh/cDINQTHBtVm8wdZynOudKJiqO
+yqjgCGBRVat4M5Q0VJhxenQgJ78CAwEAAaOCAQYwggECMB0GA1UdDgQWBBRcCNxq
+0PNXgMfYN2RQ2uIrBY03ADCB0gYDVR0jBIHKMIHHgBRcCNxq0PNXgMfYN2RQ2uIr
+BY03AKGBo6SBoDCBnTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCFZpcmdpbmlhMRMw
+EQYDVQQHEwpBbGV4YW5kcmlhMQ0wCwYDVQQKEwRUZXN0MQ0wCwYDVQQLEwRUZXN0
+MSQwIgYDVQQDFBtkZXZpc2VfbGRhcF9hdXRoZW50aWNhdGFibGUxIjAgBgkqhkiG
+9w0BCQEWE2RwbWNuZXZpbkBnbWFpbC5jb22CCQD/qZQv7ghypDAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4GBABjztpAgr6QxVCNxhgklrILH+RLxww3dgdra
+J6C6pXl9lbM+XIWiUtzD3Y8z2+tkJtjWCCN7peM2OYFvdChIvRz8XoxHqNB9W8wj
+xZOqBHN8MdI1g6PCD5Z8lK1TDvchTeskqCulE6tMHKaslByhfZS94uWY+NG5JY/Z
+traWmtWh
+-----END CERTIFICATE-----

data/test/ldap/slapd-ssl-test.conf

@@ -0,0 +1,107 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include		/etc/openldap/schema/core.schema
+include		/etc/openldap/schema/cosine.schema
+include		/etc/openldap/schema/inetorgperson.schema
+include		/etc/openldap/schema/nis.schema
+
+## Local definitions
+# include		/etc/openldap/schema/local.schema
+include   local.schema
+
+# Allow LDAPv2 client connections.  This is NOT the default.
+allow bind_v2
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral	ldap://root.openldap.org
+
+pidfile         openldap-data/run/slapd.pid
+argsfile        openldap-data/run/slapd.args
+
+# Load dynamic backend modules:
+modulepath	/usr/lib/openldap
+
+# modules available in openldap-servers-overlays RPM package:
+# moduleload accesslog.la
+# moduleload auditlog.la
+# moduleload denyop.la
+# moduleload dyngroup.la
+# moduleload dynlist.la
+# moduleload lastmod.la
+# moduleload pcache.la
+# moduleload ppolicy.la
+# moduleload refint.la
+# moduleload retcode.la
+# moduleload rwm.la
+# moduleload smbk5pwd.la
+# moduleload syncprov.la
+# moduleload translucent.la
+# moduleload unique.la
+# moduleload valsort.la
+
+# modules available in openldap-servers-sql RPM package:
+# moduleload back_sql.la
+
+# The next three lines allow use of TLS for encrypting connections using a
+# dummy test certificate which you can generate by changing to
+# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
+# slapd.pem so that the ldap user or group can read it.  Your client software
+# may balk at self-signed certificates, however.
+
+## For LDAPS
+TLSCACertificateFile server.pem
+TLSCertificateFile server.pem
+TLSCertificateKeyFile server.pem
+
+# TLSVerifyClient never
+
+# Sample security restrictions
+#	Require integrity protection (prevent hijacking)
+#	Require 112-bit (3DES or better) encryption for updates
+#	Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+#	Root DSE: allow anyone to read it
+#	Subschema (sub)entry DSE: allow anyone to read it
+#	Other DSEs:
+#		Allow self write access
+#		Allow authenticated users read access
+#		Allow anonymous users to authenticate
+#	Directives needed to implement policy:
+
+# access to dn.base="dc=esc" by * read
+# access to dn.base="cn=Subschema" by * read
+access to *
+	by self write
+	by * read
+	by anonymous auth
+
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn.  (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+#######################################################################
+# ldbm and/or bdb database definitions
+#######################################################################
+
+database	bdb
+
+suffix          "dc=test,dc=com"
+directory       openldap-data
+rootdn          "cn=admin,dc=test,dc=com"
+## rootpw = secret
+rootpw          {SSHA}fFjKcZb4cfOAcwSjJer8nCGOEVRUnwCC
+
+# Indices to maintain for this database
+index objectClass                       eq,pres
+index ou,cn,mail,surname,givenname      eq,pres,sub
+index uidNumber,gidNumber,loginShell    eq,pres
+index uid,memberUid                     eq,pres,sub
+index nisMapName,nisMapEntry            eq,pres,sub

data/test/ldap/slapd-test.conf

@@ -0,0 +1,107 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include		/etc/openldap/schema/core.schema
+include		/etc/openldap/schema/cosine.schema
+include		/etc/openldap/schema/inetorgperson.schema
+include		/etc/openldap/schema/nis.schema
+
+## Local definitions
+# include		/etc/openldap/schema/local.schema
+include   local.schema
+
+# Allow LDAPv2 client connections.  This is NOT the default.
+allow bind_v2
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral	ldap://root.openldap.org
+
+pidfile         openldap-data/run/slapd.pid
+argsfile        openldap-data/run/slapd.args
+
+# Load dynamic backend modules:
+modulepath	/usr/lib/openldap
+
+# modules available in openldap-servers-overlays RPM package:
+# moduleload accesslog.la
+# moduleload auditlog.la
+# moduleload denyop.la
+# moduleload dyngroup.la
+# moduleload dynlist.la
+# moduleload lastmod.la
+# moduleload pcache.la
+# moduleload ppolicy.la
+# moduleload refint.la
+# moduleload retcode.la
+# moduleload rwm.la
+# moduleload smbk5pwd.la
+# moduleload syncprov.la
+# moduleload translucent.la
+# moduleload unique.la
+# moduleload valsort.la
+
+# modules available in openldap-servers-sql RPM package:
+# moduleload back_sql.la
+
+# The next three lines allow use of TLS for encrypting connections using a
+# dummy test certificate which you can generate by changing to
+# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
+# slapd.pem so that the ldap user or group can read it.  Your client software
+# may balk at self-signed certificates, however.
+
+# ## For LDAPS
+# TLSCACertificateFile server.pem
+# TLSCertificateFile server.pem
+# TLSCertificateKeyFile server.pem
+# 
+# TLSVerifyClient demand
+
+# Sample security restrictions
+#	Require integrity protection (prevent hijacking)
+#	Require 112-bit (3DES or better) encryption for updates
+#	Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+#	Root DSE: allow anyone to read it
+#	Subschema (sub)entry DSE: allow anyone to read it
+#	Other DSEs:
+#		Allow self write access
+#		Allow authenticated users read access
+#		Allow anonymous users to authenticate
+#	Directives needed to implement policy:
+
+# access to dn.base="dc=esc" by * read
+# access to dn.base="cn=Subschema" by * read
+access to *
+	by self write
+	by * read
+	by anonymous auth
+
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn.  (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+#######################################################################
+# ldbm and/or bdb database definitions
+#######################################################################
+
+database	bdb
+
+suffix          "dc=test,dc=com"
+directory       openldap-data
+rootdn          "cn=admin,dc=test,dc=com"
+## rootpw = secret
+rootpw          {SSHA}fFjKcZb4cfOAcwSjJer8nCGOEVRUnwCC
+
+# Indices to maintain for this database
+index objectClass                       eq,pres
+index ou,cn,mail,surname,givenname      eq,pres,sub
+index uidNumber,gidNumber,loginShell    eq,pres
+index uid,memberUid                     eq,pres,sub
+index nisMapName,nisMapEntry            eq,pres,sub