cs-ruby-ldap 0.1.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 19e574263bc68b0b3eadebc634b65cc0188fd5d4
+  data.tar.gz: 4ca1ff90e220d24d8a4db6cf1f703d48f3b5d1c7
+SHA512:
+  metadata.gz: 8e7bd944ff3e8c3162e04212e241bf239d2ba725af6cd8ef9a28532c25c5c7d0b572619276777107b958036f09904966920f97eda5ae541ea994c43b404f9075
+  data.tar.gz: ca4fa065811f6a649448c5ed5189d63c01e12259fc1391db229f98f536ec028a47038972eabe47b9383566d283ff17a5710570750ccafa2ae93d9371e296e43d

data/lib/cloudscaling/ldap.rb

@@ -0,0 +1,209 @@
+# -*- encoding : utf-8 -*-
+# Utilities for manipulating slapd
+#
+# Author:: Benjamin Staffin <ben@cloudscaling.com>
+#
+# Copyright 2014, The Cloudscaling Group, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'base64'
+require 'digest'
+require 'mixlib/shellout'
+require 'net-ldap'
+require 'openssl'
+require 'stringio'
+
+module Cloudscaling
+  # Tools for manipulating slapd using a ldapi:/// connection
+  class LDAPConfigUtils
+    # Read directly from an on-disk database, even if slapd is not running.
+    def self.slapcat(subtree_dn, filter)
+      scat = Mixlib::ShellOut.new('slapcat', '-o', 'ldif-wrap=no',
+                                  '-H', "ldap:///#{subtree_dn}???#{filter}")
+      scat.run_command
+      scat.error!
+      scat.stdout
+    end
+
+    # Mimic Net::LDAP#search using ldapsearch subprocess so we can use
+    # things like -Y EXTERNAL -H ldapi:///
+    # Returns a Net::LDAP::Dataset object representing the result.
+    def self.ldapsearch(args)
+      cmdargs = %w(ldapsearch -LLLQ -Y EXTERNAL -H ldapi:/// -o ldif-wrap=no)
+      filter = attributes = nil
+      args.each do |arg, val|
+        case arg.to_s
+        when 'base'
+          cmdargs += ['-b', val]
+        when 'scope'
+          unless [:base, :one, :sub, :children].include? val
+            fail "Unrecognized scope: #{val}"
+          end
+          cmdargs += ['-s', String(val)]
+        when 'filter'
+          filter = val
+        when 'attributes'
+          unless val.is_a?(Array)
+            fail("attributes must be an Array, not #{val.class}")
+          end
+          attributes = val
+        else
+          fail "Unrecognized option: #{arg}"
+        end
+      end
+      cmdargs << filter if filter
+      cmdargs += attributes if attributes
+      lsearch = Mixlib::ShellOut.new(*cmdargs, returns: [0, 32])
+      # exit 32 --> noSuchObject
+      lsearch.run_command
+      lsearch.error!
+      Net::LDAP::Dataset.read_ldif(StringIO.new(lsearch.stdout))
+    end
+
+    # Use this to modify anything in cn=config
+    # ldif: String or Array of Strings
+    # op: :modify (default) or :add
+    def self.ldapmodify_ldif(ldif, op = :modify)
+      ldif = ldif.join("\n") if ldif.is_a?(Array)
+      extraargs = []
+      case op
+      when :add
+        extraargs << '-a'
+      end
+      # Chef::Log.info("applying ldif: #{ldif}")
+      lmod = Mixlib::ShellOut.new(
+        'ldapmodify', *extraargs, '-Q', '-Y', 'EXTERNAL', '-H', 'ldapi:///',
+        input: ldif)
+      lmod.run_command
+      lmod.error!
+    end
+
+    # Check for existence of a cn=config entry
+    def self.dn_exists?(dn)
+      true unless ldapsearch(base: dn,
+                             attributes: 'dn',
+                             scope: :base
+                            ).empty?
+    end
+
+    def self.ldapadd(dn, attrs)
+      ldif = ["dn: #{dn}"]
+      attrs.each do |attr, value|
+        ldif << "#{attr}: #{value}"
+      end
+      ldapmodify_ldif(ldif, :add)
+    end
+
+    # Add or update a cn=config entry
+    def self.add_or_update_entry(dn, attrs)
+      unless dn_exists?(dn)
+        ldapadd(dn, attrs)
+        return
+      end
+      ldif = ["dn: #{dn}",
+              'changeType: modify']
+      attrs.each do |attr, value|
+        ldif << "replace: #{attr}"
+        case value
+        when Array
+          value.each { |vvv| ldif << "#{attr}: #{vvv}" }
+        else
+          ldif << "#{attr}: #{value}"
+        end
+        ldif << '-'
+      end
+      ldapmodify_ldif(ldif)
+    end
+  end
+
+  # Tools for interacting with LDAP using a TCP connection
+  class LDAPUtils
+    def initialize(server, port = 389, auth_dn = nil, password = nil,
+                   tls_enable = true)
+      args = { host: server,
+               port: port }
+      auth_dn && args.update(auth: { method: :simple,
+                                     username: auth_dn,
+                                     password: password })
+      tls_enable && args.update(encryption: { method: :start_tls })
+      @ldap = Net::LDAP.new(args)
+      @ldap.bind || fail("LDAP bind failed: #{@ldap.get_operation_result}")
+    end
+
+    def self.openssl_extract_cert(rawcert)
+      OpenSSL::X509::Certificate.new(rawcert).to_s
+    end
+
+    def self.openssl_extract_key(rawcert, passphrase = nil)
+      OpenSSL::PKey.read(rawcert, passphrase).to_s
+    end
+
+    # Generate a rfc2307 SSHA-hashed password in the format that slapd likes
+    # http://www.openldap.org/faq/data/cache/347.html
+    def self.ssha_password(clear_password, salt = nil)
+      unless salt
+        len = 16
+        base = 16
+        # rubocop:disable Style/SingleLineBlockParams
+        salt = len.times.reduce('') { |a| a << rand(base).to_s(base) }
+      end
+      digest = Digest::SHA1.digest("#{clear_password}#{salt}")
+      hash = Base64.encode64("#{digest}#{salt}").chomp
+      "{SSHA}#{hash}"
+    end
+
+    def self.first_item(dn)
+      m = dn.match(/^([^=]+)=([^,]+)/)
+      { m[1] => m[2] }
+    end
+
+    def dn_exists?(dn)
+      @ldap.search(base: dn,
+                   scope: Net::LDAP::SearchScope_BaseObject,
+                   return_result: false)
+    end
+
+    # Add an entry to the directory
+    # dn: Distinguished name of the new entry
+    # attrs: hash of entry attributes
+    def add_entry(dn, attrs)
+      # Chef::Log.info "Add LDAP entry: #{dn} #{attrs}"
+      @ldap.add(dn: dn, attributes: attrs) ||
+        fail("LDAP add failure: #{@ldap.get_operation_result}")
+    end
+
+    # Add or update a directory entry.
+    # If the entry exists, any attributes provided to this function will be
+    # updated with a "replace" operation, which will add the attributes if
+    # necessary, and replace all values of the attribute otherwise.
+    def add_or_update_entry(dn, attrs)
+      ret = @ldap.search(base: dn,
+                         scope: Net::LAP::SearchScope_BaseObject,
+                         return_result: true)
+      entries && entries.size > 1 && fail("#{dn} matches more than one entry")
+      if ret.nil?
+        add_entry(dn, attrs)
+      else
+        entry = ret.first
+        ops = attrs.each_with_object(Array.new) do |(k, v), acc|
+          acc << [:replace, k, v] unless entry[k] == [v].flatten
+        end
+        # Chef::Log.info("Update LDAP entry: dn=#{dn}")
+        @ldap.modify(dn: dn, operations: ops) ||
+          fail("LDAP update failure: #{@ldap.get_operation_result}")
+      end
+    end
+  end
+end

data/lib/cs_ruby_ldap.rb

@@ -0,0 +1,2 @@
+# -*- ruby encoding: utf-8 -*-
+require 'cloudscaling/ldap'

metadata

@@ -0,0 +1,74 @@
+--- !ruby/object:Gem::Specification
+name: cs-ruby-ldap
+version: !ruby/object:Gem::Version
+  version: 0.1.2
+platform: ruby
+authors:
+- Benjamin Staffin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-07-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+- !ruby/object:Gem::Dependency
+  name: mixlib-shellout
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+description: Cloudscaling LDAP tools and helpers
+email: ben@cloudscaling.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.rdoc
+- lib/cloudscaling/ldap.rb
+- lib/cs_ruby_ldap.rb
+homepage: http://pd.cloudscaling.com
+licenses:
+- Apache 2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Cloudscaling LDAP tools and helpers
+test_files: []