dm-ldap-adapter 0.2.0

data/History.txt

@@ -0,0 +1,10 @@
+version 0.2.0
+=============
+
+* switched to Slf4r logger
+
+* the whole thing became a gem
+
+* cleaned up example
+
+* moved the SHA and SSHA calculation into its own helper class (incompatible change to older version)

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2008 Kristian Meier
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Manifest.txt

@@ -0,0 +1,24 @@
+History.txt
+MIT-LICENSE
+Manifest.txt
+README-example.markdown
+README.txt
+Rakefile
+example/identity_map.rb
+example/posix.rb
+ldap-commands.txt
+lib/adapters/ldap_adapter.rb
+lib/adapters/memory_adapter.rb
+lib/adapters/simple_adapter.rb
+lib/dummy_ldap_resource.rb
+lib/ldap/digest.rb
+lib/ldap/ldap_facade.rb
+lib/ldap/ldap_facade_mock.rb
+lib/ldap/version.rb
+lib/ldap_resource.rb
+spec/assiociations_ldap_adapter_spec.rb
+spec/authentication_ldap_adapter_spec.rb
+spec/ldap_adapter_spec.rb
+spec/spec.opts
+spec/spec_helper.rb
+test.ldif

data/README-example.markdown

@@ -0,0 +1,18 @@
+posix accounts/groups example
+=============================
+
+first you need to adjust the configuration for ldap adapter in `example/posix.rb` and then start irb
+
+    $ LDAP_PWD='secret' irb
+
+     require 'example/posix.rb'
+     u = User.create(:login=>'test', :name => "name", :password => "pwd")
+     User.all
+     g = Group.create(:name => "test")
+     Group.all
+     u.groups << g
+     u.groups
+     g.users
+     u.authenticate("wrong-pwd")
+     u.authenticate("pwd")
+

data/README.txt

@@ -0,0 +1,188 @@
+= dm-ldap-adapter
+
+*Homepage*:  [http://dm-ldap-adapter.rubyforge.org]
+
+*Git*:       [http://github.com/mkristian/dm-ldap-adapter]
+
+*Author*:    Kristian Meier  
+
+*Copyright*: 2008-2009
+
+== DESCRIPTION:
+
+=== usecase
+
+the usecase for that implementation was using an ldap server for user authentication and authorization. the ldap server is configured to have posixAccounts and posixGroups. on the datamapper side these accounts/groups are modeled with many-to-many relationship. further more the model classes should be in such a way that they can be used with another repository as well, i.e. they carry some ldap related configuration but this is only relevant for the ldap-adapter.
+
+=== low level ldap library
+
+the ldap library which does the actual ldap protocol stuff is [http://rubyforge.org/projects/net-ldap] and it is hidden behind a facade, so one could replace it with a different library or make it pluggable.
+
+=== examples
+
+see 'example/posix.rb' for user/group setup works with default installation of openldap on ubuntu (just change your password as needed in the code)
+
+the 'example/identity_maps.rb' shows the usage of identity maps, see also below.
+
+== FEATURES/PROBLEMS:
+
+* the net-ldap has some issues with not closing the connections when an exception/error got raised
+
+* error from the ldap server are only logged and do not raise any exceptions (to be changed in next release)
+
+== SYNOPSIS:
+
+=== distinguished name (DN) of a model
+
+there are three parts which makes the DN of a model, the base from the ldap conncetion, the `treebase` of the model and `dn_prefix` of an instance.
+
+    class User
+      include DataMapper::Resource
+      property :id, Serial, :field => "uidnumber"
+      dn_prefix { |user| "uid=#{user.login}"}
+      treebase "ou=people"
+    end
+
+with a base `dc=example,dc=com` we get a DN like the user 'admin'
+
+    uid=admin,ou=people,dc=example,dc=com
+
+=== ldap entities are bigger than the model
+
+for example the ldap posixGroup has more attributes than the model class, it needs the `objectclass` attribute set to `posixGroup`.
+
+    class Group
+      include DataMapper::Resource
+      property :id, Serial, :field => "gidnumber"
+      property :name,     String, :field => "cn"
+      dn_prefix { |group| "cn=#{group.name}" }
+      treebase "ou=groups"
+      ldap_properties {{ :objectclass => "posixGroup"}}
+    end
+
+so with the help of the `ldap_properties` you can define a block which returns an hash with extra attributes. with such block you can make some calculations if needed, i.e. :homedirectory => "/home/#{login}" for the posixAccount.
+
+=== authentication
+
+this uses the underlying bind of a ldap connection. so on any model where you have the `dn_prefix` and the `treebase` configured, you can call the method `authenticate(password)`. this will forward the request to the ldap server.
+
+=== queries
+
+conditions in ldap depend on the attributes definition in the ldap schema. here is the list of what is working with that ldap adapter side and the usual AND between the conditions:  
+                                                               
+* :eql
+* :not
+* :like
+* :in
+* Range
+
+not working are `:lt, :lte, :gt, :gte`
+
+*note*: sql handles `NULL` different from values, i.e.
+
+     select * from users where name = 'sd';
+
+and
+
+     select * from users where name != 'sd';
+
+gives the same result when *all* names are `NULL` !!!
+
+=== multiple repositories
+
+most probably you have to work with ldap as one repository and a database as a second repository. for me it worked best to define the `default_repository` for each model in the model itself:
+
+    class User
+      . . .     
+      def self.default_repository_name
+        :ldap
+      end
+    end
+
+    class Config
+      . . .   
+      def self.default_repository_name
+        :db
+      end
+    end
+
+if you want to benefit from the advantages of the identidy maps you need to wrap your actions for *merb* see http://www.datamapper.org/doku.php?id=docs:identity_map or for *rails* put an `around_filter` inside application.rb
+
+     around_filter :repositories
+     
+     def repositories
+       DataMapper.repository(:ldap) do
+         DataMapper.repository(:db) do
+           yield
+         end 
+       end 
+     end
+
+and to let the ldap resources use the ldap respository it is best to bind it to that repository like this
+
+  class User
+    . . .
+    def self.repository_name
+      :ldap
+    end
+  end
+   
+=== transactions
+
+the adapter offers a noop transaction, i.e. you can wrap everything into a transaction but the ldap part has no functionality.
+
+*note*: the ldap protocol does not know transactions
+
+=== many-to-many associations
+
+staying with posix example there the groups has a memberuid attribute BUT unlike with relational databases it can have multiple values. to achieve a relationship with these values the underlying adapter needs to know that this specific attribute needs to be handled differently. for this `multivalue_field` comes into play. the ldap adapter clones the model and places the each memberuid in its own clone.
+
+    class GroupUser
+      include DataMapper::Resource    
+      property :memberuid, String, :key => true
+      property :gidnumber, Integer, :key => true
+      dn_prefix { |group_user| "cn=#{group_user.group.name}" }
+      treebase "ou=groups"
+      ldap_properties do |group_user|
+        {:cn=>"#{group_user.group.name}",  :objectclass => "posixGroup"}
+      end
+    
+      multivalue_field :memberuid
+          
+    end
+
+== REQUIREMENTS:
+
+* slf4r the logging facade
+* net-ldap pure ruby ldap library
+* logging (optional) if logging via logging is desired
+* log4r (optional) if logging via log4r is desired
+
+== INSTALL:
+
+* sudo gem install dm-ldap-adapter
+
+== LICENSE:
+
+(The MIT License)
+
+Copyright (c) 2009 Kristian Meier
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,35 @@
+# -*- ruby -*-
+
+require 'rubygems'
+require 'hoe'
+require './lib/ldap/version.rb'
+
+require 'spec'
+require 'spec/rake/spectask'
+require 'pathname'
+
+Hoe.new('dm-ldap-adapter', Ldap::VERSION) do |p|
+  p.developer('mkristian', 'm.kristian@web.de')
+  p.extra_deps = ['ruby-net-ldap','slf4r']
+  p.remote_rdoc_dir = '' # Release to root
+end
+
+desc 'Install the package as a gem.'
+task :install => [:clean, :package] do
+  gem = Dir['pkg/*.gem'].first
+  sh "gem install --local #{gem} --no-ri --no-rdoc"
+end
+
+desc 'Run specifications'
+Spec::Rake::SpecTask.new(:spec) do |t|
+  if File.exists?('spec/spec.opts')
+    t.spec_opts << '--options' << 'spec/spec.opts'
+  end
+  t.spec_files = Pathname.glob('./spec/**/*_spec.rb')
+end
+
+require 'yard'
+
+YARD::Rake::YardocTask.new
+
+# vim: syntax=Ruby

data/example/identity_map.rb

@@ -0,0 +1,76 @@
+require 'example/posix.rb'
+
+USER_REPO = :default
+
+class User
+  
+  def self.ddefault_repository_name
+    USER_REPO
+  end
+  
+  def self.repository_name
+    USER_REPO
+  end
+
+  def authenticate(pwd)
+    require 'base64'
+    Base64.encode64(Digest::SHA1.digest(pwd)).gsub(/\n/, '') == attribute_get(:hashed_password)[5,1000]
+  end
+end
+
+class GroupUser
+  
+  def self.ddefault_repository_name
+    USER_REPO
+  end
+  
+  def self.repository_name
+    USER_REPO
+  end
+
+end
+
+class Group
+  
+  def self.ddefault_repository_name
+    USER_REPO
+  end
+  
+  def self.repository_name
+    USER_REPO
+  end
+
+end
+
+require 'adapters/memory_adapter'
+DATA_REPO=:store
+DataMapper.setup(DATA_REPO, {:adapter  => 'memory'})
+
+class Item
+  include DataMapper::Resource
+  property :id, Serial
+end
+
+
+DataMapper.repository(USER_REPO) do |repository|
+  repository.adapter.open_ldap_connection do
+    DataMapper.repository(DATA_REPO) do
+        
+      root = User.create(:id => 0, :login => :root, :name => 'root', :password => 'none')
+      admin = Group.create(:name => :admin)
+      root.groups << admin
+
+      p DataMapper.repository(USER_REPO).identity_map(User)
+      
+      p DataMapper.repository(USER_REPO).identity_map(Group)
+      
+      p root.authenticate('none')
+      
+      p root.groups
+      
+      (1..10).each {Item.create}
+
+      p DataMapper.repository(DATA_REPO).identity_map(Item)
+    end
+  end
+end

data/example/posix.rb

@@ -0,0 +1,166 @@
+require 'pathname'
+require 'rubygems'
+require 'slf4r/logging_logger'
+gem 'data_objects' , "0.9.11"
+require 'dm-core'
+
+$LOAD_PATH << Pathname(__FILE__).dirname.parent.expand_path + 'lib'
+
+Logging.init :debug, :info, :warn, :error
+
+appender = Logging::Appender.stdout
+appender.layout = Logging::Layouts::Pattern.new(:pattern => "%d [%-l] (%c) %m\n")
+logger = Logging::Logger.new(:root)
+logger.add_appenders(appender)
+logger.level = :debug
+logger.info "initialized logger . . ."
+
+dummy = true  #uncomment this to use dummy, i.e. a database instead of ldap
+dummy = false # uncomment this to use ldap
+unless dummy
+  require 'ldap_resource'
+  require 'adapters/ldap_adapter'
+
+  DataMapper.setup(:default, {
+                     :adapter  => 'ldap',
+                     :host => 'localhost',
+                     :port => '389',
+                     :base => ENV['LDAP_BASE'] || "dc=example,dc=com",
+                     :bind_name => "cn=admin," + (ENV['LDAP_BASE'] || "dc=example,dc=com"),
+                     :password => ENV['LDAP_PWD'] || "behappy"   
+                   })
+else
+  require 'dummy_ldap_resource'
+  DataMapper.setup(:default, 'sqlite3::memory:')
+  adapter = DataMapper.repository.adapter
+  def adapter.ldap_connection
+    con = Object.new
+    def con.open
+      yield
+    end
+    con
+  end
+end
+
+class User
+  include DataMapper::Resource
+
+  property :id,     Serial, :field => "uidnumber"
+  property :login,     String, :field => "uid"
+  property :hashed_password,  String, :field => "userpassword", :access => :private
+  property :name,      String, :field => "cn"
+
+  has n, :group_users, :child_key => [:memberuid]
+
+  def groups
+    groups = GroupUser.all(:memberuid => login).collect{ |gu| gu.group }
+    def groups.user=(user)
+      @user = user
+    end
+    groups.user = self
+    def groups.<<(group)
+      unless member? group
+        GroupUser.create(:memberuid => @user.login, :gidnumber => group.id)
+        super
+      end
+      self
+    end
+    def groups.delete(group)
+      gu = GroupUser.first(:memberuid => @user.login, :gidnumber => group.id)
+      if gu
+        gu.destroy
+        super
+      end
+    end
+    groups
+  end
+
+  dn_prefix { |user| "uid=#{user.login}"}
+
+  treebase "ou=people"
+
+  ldap_properties do |user|
+    properties = { :objectclass => ["inetOrgPerson", "posixAccount", "shadowAccount"], :loginshell => "/bin/bash", :gidnumber => "10000" }
+    properties[:sn] = "#{user.name.sub(/.*\ /, "")}"
+    properties[:givenname] = "#{user.name.sub(/\ .*/, "")}"
+    properties[:homedirectory] = "/home/#{user.login}"
+    properties
+  end
+
+  def password=(password)
+    attribute_set(:hashed_password, Ldap::Digest.sha(password)) if password
+  end
+end
+
+class Group
+  include DataMapper::Resource
+  include Slf4r::Logger
+  property :id,       Integer, :serial => true, :field => "gidnumber"
+  property :name,     String, :field => "cn"
+  
+  dn_prefix { |group| "cn=#{group.name}" }
+  
+  treebase "ou=groups"
+  
+  ldap_properties {{ :objectclass => "posixGroup"}}
+
+  def users
+    users = GroupUser.all(:gidnumber => id).collect{ |gu| gu.user }
+    def users.group=(group)
+      @group = group
+    end
+    users.group = self
+    def users.<<(user)
+      unless member? user
+        GroupUser.create(:memberuid => user.login, :gidnumber => @group.id)
+        super
+      end
+      self
+    end
+    def users.delete(user)
+      gu = GroupUser.first(:memberuid => user.login, :gidnumber => @group.id)
+      if gu
+        gu.destroy
+        super
+      end
+    end
+    users
+  end
+end
+ 
+class GroupUser
+  include DataMapper::Resource
+  include Slf4r::Logger
+ 
+  dn_prefix { |group_user| "cn=#{group_user.group.name}" }
+  
+  treebase "ou=groups"
+  
+  multivalue_field :memberuid
+  
+  ldap_properties do |group_user|
+    {:cn=>"#{group_user.group.name}",  :objectclass => "posixGroup"}
+  end
+  property :memberuid, String, :key => true#, :field => "memberuid"
+  property :gidnumber, Integer, :key => true#, :field => "gidnumber"
+
+  def group
+    Group.get!(gidnumber)
+  end
+
+  def group=(group)
+    gidnumber = group.id
+  end
+
+  def user
+    User.first(:login => memberuid)
+  end
+
+  def user=(user)
+    memberuid = user.login
+  end
+end
+
+if dummy
+  DataMapper.auto_migrate!
+end