github-ldap 1.0.16 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1fe44b5c68117c2b0d616f164f8b40901d2ad2dd
-  data.tar.gz: a61c80ebbaabb8ff06793f13910440d403209a7b
+  metadata.gz: 5094836df33821281e971a9d3f1028df7cba6d71
+  data.tar.gz: f681bea4b0ae307888cd037db8b232e4e08af462
 SHA512:
-  metadata.gz: 060534d71ad7bfcbd1682699cfa81cebb3552366bd661b94127df79542f97b9c640ebf4414785055ad88923931588bd89ac274a03fc635cb757353c1a717a133
-  data.tar.gz: b20400377b5b2d508a910ba6acc3ffeec0a18e5aae7918290c2622be7536a5f625c74a06a31fc2f3d73c0a65cf425ce89e3de4c037a993c2f343c0c1a2bd82d4
+  metadata.gz: a6464449256546e16d1962bba8b3c6599a5eb3e6f41d965225c540a98c2d1f19313e90da62c3ca84a09ae374fdde525d68089da73c251681b28053c09e23e9b6
+  data.tar.gz: 6830909544c79613b8ea4626032303b6ef8a3aa8d25ea95fe6347257bae7ca9c2e3ca881c6711a3cd27836d866ae8e3bdfe18d7035053b78f7628a2760ad776c

data/README.md

@@ -60,7 +60,26 @@ When we have the domain, we can check if a user can log in with a given password
 Or whether a user is member of the given groups:
 
 ```ruby
-  domain.is_member? 'uid=calavera,dc=github,dc=com', %w(Enterprise)
+  entry = ldap.domain('uid=calavera,dc=github,dc=com').bind
+  domain.is_member? entry, %w(Enterprise)
+```
+
+### Virtual Attributes
+
+Some LDAP servers have support for virtual attributes, or overlays. These allow to perform queries more efficiently on the server.
+
+To enable virtual attributes you can set the option `virtual_attributes` initializing the ldap connection.
+We use our default set of virtual names if this option is just set to `true`.
+
+```ruby
+  ldap = GitHub::Ldap.new {virtual_attributes: true}
+```
+
+You can also override our defaults by providing your server mappings into a Hash.
+The only mapping supported for now is to check virtual membership of individuals in groups.
+
+```ruby
+  ldap = GitHub::Ldap.new {virtual_attributes: {virtual_membership: 'memberOf'}}
 ```
 
 ### Testing support

data/github-ldap.gemspec

@@ -2,7 +2,7 @@
 
 Gem::Specification.new do |spec|
   spec.name          = "github-ldap"
-  spec.version       = "1.0.16"
+  spec.version       = "1.1.0"
   spec.authors       = ["David Calavera"]
   spec.email         = ["david.calavera@gmail.com"]
   spec.description   = %q{Ldap authentication for humans}

data/lib/github/ldap.rb

@@ -5,12 +5,14 @@ module GitHub
     require 'github/ldap/filter'
     require 'github/ldap/domain'
     require 'github/ldap/group'
+    require 'github/ldap/virtual_group'
+    require 'github/ldap/virtual_attributes'
 
     extend Forwardable
 
     # Utility method to perform searches against the ldap server.
     #
-    # It takes the same arguments than Net:::LDAP#search.
+    # It takes the same arguments than Net::LDAP::Connection#search.
     # Returns an Array with the entries that match the search.
     # Returns nil if there are no entries that match the search.
     def_delegator :@connection, :search
@@ -21,6 +23,13 @@ module GitHub
     # If `code` is 0, the operation succeeded and there is no message.
     def_delegator :@connection, :get_operation_result, :last_operation_result
 
+    # Utility method to bind entries in the ldap server.
+    #
+    # It takes the same arguments than Net::LDAP::Connection#bind.
+    # Returns a Net::LDAP::Entry if the operation succeeded.
+    def_delegator :@connection, :bind
+
+    attr_reader :virtual_attributes
 
     def initialize(options = {})
       @uid = options[:uid] || "sAMAccountName"
@@ -34,6 +43,8 @@ module GitHub
       if encryption = check_encryption(options[:encryption])
         @connection.encryption(encryption)
       end
+
+      configure_virtual_attributes(options[:virtual_attributes])
     end
 
     # Determine whether to use encryption or not.
@@ -68,7 +79,7 @@ module GitHub
     #
     # Returns a new Domain object.
     def domain(base_name)
-      Domain.new(base_name, @connection, @uid)
+      Domain.new(self, base_name, @uid)
     end
 
     # Creates a new group object to perform operations
@@ -77,7 +88,28 @@ module GitHub
     #
     # Returns a new Group object.
     def group(base_name)
-      Group.new(self, domain(base_name).bind)
+      if @virtual_attributes.enabled?
+        VirtualGroup.new(self, domain(base_name).bind)
+      else
+        Group.new(self, domain(base_name).bind)
+      end
+    end
+
+    # Configure virtual attributes for this server.
+    # If the option is `true`, we'll use the default virual attributes.
+    # If it's a Hash we'll map the attributes in the hash.
+    #
+    # attributes: is the option set when Ldap is initialized.
+    #
+    # Returns a VirtualAttributes.
+    def configure_virtual_attributes(attributes)
+      @virtual_attributes = if attributes == true
+        VirtualAttributes.new(true)
+      elsif attributes.is_a?(Hash)
+        VirtualAttributes.new(true, attributes)
+      else
+        VirtualAttributes.new(false)
+      end
     end
   end
 end

data/lib/github/ldap/domain.rb

@@ -14,8 +14,8 @@ module GitHub
     class Domain
       include Filter
 
-      def initialize(base_name, connection, uid)
-        @base_name, @connection, @uid = base_name, connection, uid
+      def initialize(ldap, base_name, uid)
+        @ldap, @base_name, @uid = ldap, base_name, uid
       end
 
       # List all groups under this tree, including subgroups.
@@ -43,26 +43,36 @@ module GitHub
 
       # List the groups that a user is member of.
       #
-      # user_dn: is the dn for the user ldap entry.
+      # user_entry: is the entry for the user in the server.
       # group_names: is an array of group CNs.
       #
       # Return an Array with the groups that the given user is member of that belong to the given group list.
-      def membership(user_dn, group_names)
-        search(filter: group_filter(group_names, user_dn))
+      def membership(user_entry, group_names)
+        all_groups = search(filter: group_filter(group_names))
+        groups_map = all_groups.each_with_object({}) {|entry, hash| hash[entry.dn] = entry}
+
+        if @ldap.virtual_attributes.enabled?
+          member_of = groups_map.keys & user_entry[@ldap.virtual_attributes.user_membership]
+          member_of.map {|dn| group_map[dn]}
+        else
+          groups_map.each_with_object([]) do |(dn, group), acc|
+            acc << group if Group.new(@ldap, group).is_member?(user_entry.dn)
+          end
+        end
       end
 
       # Check if the user is include in any of the configured groups.
       #
-      # user_dn: is the dn for the user ldap entry.
+      # user_entry: is the entry for the user in the server.
       # group_names: is an array of group CNs.
       #
       # Returns true if the user belongs to any of the groups.
       # Returns false otherwise.
-      def is_member?(user_dn, group_names)
+      def is_member?(user_entry, group_names)
         return true if group_names.nil?
         return true if group_names.empty?
 
-        user_membership = membership(user_dn, group_names)
+        user_membership = membership(user_entry, group_names)
 
         !user_membership.empty?
       end
@@ -97,7 +107,7 @@ module GitHub
       #
       # Returns true if the user can be bound.
       def auth(user, password)
-        @connection.bind(method: :simple, username: user.dn, password: password)
+        @ldap.bind(method: :simple, username: user.dn, password: password)
       end
 
       # Authenticate a user with the ldap server.
@@ -112,7 +122,7 @@ module GitHub
       def authenticate!(login, password, group_names = nil)
         user = valid_login?(login, password)
 
-        return user if user && is_member?(user.dn, group_names)
+        return user if user && is_member?(user, group_names)
       end
 
       # Search entries using this domain as base.
@@ -127,7 +137,7 @@ module GitHub
         options[:ignore_server_caps] ||= true
         options[:paged_searches_supported] ||= true
 
-        Array(@connection.search(options))
+        Array(@ldap.search(options))
       end
 
       # Provide a meaningful result after a protocol operation (for example,
@@ -137,7 +147,7 @@ module GitHub
       # human-readable string.
       # See http://tools.ietf.org/html/rfc4511#appendix-A
       def get_operation_result
-        @connection.get_operation_result
+        @ldap.get_operation_result
       end
 
       # Get the entry for this domain.

data/lib/github/ldap/filter.rb

@@ -49,6 +49,26 @@ module GitHub
       def group_contains_filter(query)
         Net::LDAP::Filter.contains("cn", query) & ALL_GROUPS_FILTER
       end
+
+      # Filter to get all the members of a group using the virtual attribute `memberOf`.
+      #
+      # group_dn: is the group dn to look members for.
+      # attr: is the membership attribute.
+      #
+      # Returns a Net::LDAP::Filter
+      def members_of_group(group_dn, attr = 'memberOf')
+        Net::LDAP::Filter.eq(attr, group_dn)
+      end
+
+      # Filter to get all the members of a group that are groups using the virtual attribute `memberOf`.
+      #
+      # group_dn: is the group dn to look members for.
+      # attr: is the membership attribute.
+      #
+      # Returns a Net::LDAP::Filter
+      def subgroups_of_group(group_dn, attr = 'memberOf')
+        Net::LDAP::Filter.eq(attr, group_dn) & ALL_GROUPS_FILTER
+      end
     end
   end
 end

data/lib/github/ldap/group.rb

@@ -16,36 +16,50 @@ module GitHub
         @ldap, @entry = ldap, entry
       end
 
-      # Get all members that belong to a group.
+      # Public - Get all members that belong to a group.
       # This list also includes the members of subgroups.
       #
       # Returns an array with all the member entries.
       def members
-        groups, members = member_entries.partition {|e| group?(e[:objectclass])}
+        groups, members = groups_and_members
         results = members
 
-        groups.each do |result|
-          results.concat @ldap.group(result.dn).members
+        cache = load_cache(groups)
+
+        loop_cached_groups(groups, cache) do |_, users|
+          results.concat users
         end
 
         results.uniq {|m| m.dn }
       end
 
-      # Get all the subgroups from a group recursively.
+      # Public - Get all the subgroups from a group recursively.
       #
       # Returns an array with all the subgroup entries.
       def subgroups
-        groups, _ = member_entries.partition {|e| group?(e[:objectclass])}
+        groups, _ = groups_and_members
         results = groups
 
-        groups.each do |result|
-          results.concat @ldap.group(result.dn).subgroups
+        cache = load_cache(groups)
+
+        loop_cached_groups(groups, cache) do |subgroups, _|
+          results.concat subgroups
         end
 
         results
       end
 
-      # Get all the member entries for a group.
+      # Public - Check if a user dn is included in the members of this group and its subgroups.
+      #
+      # user_dn: is the dn to check.
+      #
+      # Returns true if the dn is in the list of members.
+      def is_member?(user_dn)
+        members.detect {|entry| entry.dn == user_dn}
+      end
+
+
+      # Internal - Get all the member entries for a group.
       #
       # Returns an array of Net::LDAP::Entry.
       def member_entries
@@ -54,20 +68,56 @@ module GitHub
         end
       end
 
-      # Get all the names under `member` and `uniqueMember`.
+      # Internal - Get all the names under `member` and `uniqueMember`.
       #
       # Returns an array with all the DN members.
       def member_names
         @entry[:member] + @entry[:uniqueMember]
       end
 
-      # Check if an object class includes the member names
+      # Internal - Check if an object class includes the member names
       # Use `&` rathen than `include?` because both are arrays.
       #
       # Returns true if the object class includes one of the group class names.
       def group?(object_class)
         !(GROUP_CLASS_NAMES & object_class).empty?
       end
+
+      # Internal - Generate a hash with all the group DNs for caching purposes.
+      #
+      # groups: is an array of group entries.
+      #
+      # Returns a hash with the cache groups.
+      def load_cache(groups)
+        groups.each_with_object({}) {|entry, h| h[entry.dn] = true }
+      end
+
+      # Internal - Iterate over a collection of groups recursively.
+      # Remove groups already inspected before iterating over subgroups.
+      #
+      # groups: is an array of group entries.
+      # cache: is a hash where the keys are group dns.
+      # block: is a block to call with the groups and members of subgroups.
+      #
+      # Returns nothing.
+      def loop_cached_groups(groups, cache, &block)
+        groups.each do |result|
+          subgroups, members = @ldap.group(result.dn).groups_and_members
+
+          subgroups.delete_if {|entry| cache[entry.dn]}
+          subgroups.each {|entry| cache[entry.dn] = true}
+
+          block.call(subgroups, members)
+          loop_cached_groups(subgroups, cache, &block)
+        end
+      end
+
+      # Internal - Divide members of a group in user and subgroups.
+      #
+      # Returns two arrays, the first one with subgroups and the second one with users.
+      def groups_and_members
+        member_entries.partition {|e| group?(e[:objectclass])}
+      end
     end
   end
 end

data/lib/github/ldap/virtual_attributes.rb

@@ -0,0 +1,18 @@
+module GitHub
+  class Ldap
+    class VirtualAttributes
+      def initialize(enabled, attributes = {})
+        @enabled = enabled
+        @attributes = attributes
+      end
+
+      def enabled?
+        @enabled
+      end
+
+      def virtual_membership
+        @attributes.fetch(:virtual_membership, "memberOf")
+      end
+    end
+  end
+end

data/lib/github/ldap/virtual_group.rb

@@ -0,0 +1,24 @@
+module GitHub
+  class Ldap
+    class VirtualGroup < Group
+      def members
+        @ldap.search(filter: members_of_group(@entry.dn, membership_attribute))
+      end
+
+      def subgroups
+        @ldap.search(filter: subgroups_of_group(@entry.dn, membership_attribute))
+      end
+
+      def is_member(user_dn)
+        @ldap.search(filter: is_member_of_group(user_dn, @entry.dn, membership_attribute))
+      end
+
+      # Internal - Get the attribute to use for membership filtering.
+      #
+      # Returns a string.
+      def membership_attribute
+        @ldap.virual_attributes.virtual_membership
+      end
+    end
+  end
+end

data/test/domain_test.rb

@@ -2,7 +2,8 @@ require 'test_helper'
 
 module GitHubLdapDomainTestCases
   def setup
-    @domain = GitHub::Ldap.new(options).domain("dc=github,dc=com")
+    @ldap   = GitHub::Ldap.new(options)
+    @domain = @ldap.domain("dc=github,dc=com")
   end
 
   def test_user_valid_login
@@ -27,22 +28,22 @@ module GitHubLdapDomainTestCases
   def test_user_in_group
     user = @domain.valid_login?('calavera', 'passworD1')
 
-    assert @domain.is_member?(user.dn, %w(Enterprise People)),
+    assert @domain.is_member?(user, %w(Enterprise People)),
       "Expected `Enterprise` or `Poeple` to include the member `#{user.dn}`"
   end
 
   def test_user_not_in_different_group
     user = @domain.valid_login?('calavera', 'passworD1')
 
-    assert !@domain.is_member?(user.dn, %w(People)),
+    assert !@domain.is_member?(user, %w(People)),
       "Expected `Poeple` not to include the member `#{user.dn}`"
   end
 
   def test_user_without_group
     user = @domain.valid_login?('ldaptest', 'secret')
 
-    assert !@domain.is_member?(user.dn, %w(People)),
-      "Expected `Poeple` not to include the member `#{user.dn}`"
+    assert !@domain.is_member?(user, %w(People)),
+      "Expected `People` not to include the member `#{user.dn}`"
   end
 
   def test_authenticate_doesnt_return_invalid_users
@@ -67,12 +68,26 @@ module GitHubLdapDomainTestCases
   end
 
   def test_membership_empty_for_non_members
-    assert @domain.membership('uid=calavera,dc=github,dc=com', %w(People)).empty?,
+    user = @ldap.domain('uid=calavera,dc=github,dc=com').bind
+
+    assert @domain.membership(user, %w(People)).empty?,
       "Expected `calavera` not to be a member of `People`."
   end
 
   def test_membership_groups_for_members
-    groups = @domain.membership('uid=calavera,dc=github,dc=com', %w(Enterprise People))
+    user = @ldap.domain('uid=calavera,dc=github,dc=com').bind
+    groups = @domain.membership(user, %w(Enterprise People))
+
+    assert_equal 1, groups.size
+    assert_equal 'cn=Enterprise,ou=Group,dc=github,dc=com', groups.first.dn
+  end
+
+  def test_membership_with_virtual_attributes
+    ldap = GitHub::Ldap.new(options.merge(virtual_attributes: true))
+    user = @ldap.domain('uid=calavera,dc=github,dc=com').bind
+    user[:memberof] = 'cn=Enterprise,ou=Group,dc=github,dc=com'
+
+    groups = @domain.membership(user, %w(Enterprise People))
 
     assert_equal 1, groups.size
     assert_equal 'cn=Enterprise,ou=Group,dc=github,dc=com', groups.first.dn
@@ -125,3 +140,21 @@ end
 class GitHubLdapDomainUnauthenticatedTest < GitHub::Ldap::UnauthenticatedTest
   include GitHubLdapDomainTestCases
 end
+
+class GitHubLdapDomainNestedGroupsTest < GitHub::Ldap::Test
+  def self.test_server_options
+    {user_fixtures: FIXTURES.join('github-with-subgroups.ldif').to_s}
+  end
+
+  def setup
+    @ldap = GitHub::Ldap.new(options)
+    @domain = @ldap.domain("dc=github,dc=com")
+  end
+
+  def test_membership_in_subgroups
+    user = @ldap.domain('uid=rubiojr,ou=users,dc=github,dc=com').bind
+
+    assert @domain.is_member?(user, %w(enterprise-ops)),
+      "Expected `enterprise-ops` to include the member `#{user.dn}`"
+  end
+end

data/test/filter_test.rb

@@ -25,4 +25,20 @@ class FilterTest < Minitest::Test
     assert_equal "(&(|(member=#{@me})(uniqueMember=#{@me}))(|(cn=Enterprise)(cn=People)))",
       @subject.group_filter(%w(Enterprise People), @me).to_s
   end
+
+  def test_members_of_group
+    assert_equal "(memberOf=cn=group,dc=github,dc=com)",
+      @subject.members_of_group('cn=group,dc=github,dc=com').to_s
+
+    assert_equal "(isMemberOf=cn=group,dc=github,dc=com)",
+      @subject.members_of_group('cn=group,dc=github,dc=com', 'isMemberOf').to_s
+  end
+
+  def test_subgroups_of_group
+    assert_equal "(&(memberOf=cn=group,dc=github,dc=com)#{Subject::ALL_GROUPS_FILTER})",
+      @subject.subgroups_of_group('cn=group,dc=github,dc=com').to_s
+
+    assert_equal "(&(isMemberOf=cn=group,dc=github,dc=com)#{Subject::ALL_GROUPS_FILTER})",
+      @subject.subgroups_of_group('cn=group,dc=github,dc=com', 'isMemberOf').to_s
+  end
 end

data/test/fixtures/github-with-looped-subgroups.ldif

@@ -0,0 +1,91 @@
+version: 1
+
+# Organizations
+
+dn: dc=github,dc=com
+cn: github
+objectClass: dcObject
+objectClass: organization
+dc: github
+o: GitHub Inc.
+
+# Admin user
+
+dn: uid=admin,dc=github,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: system administrator
+sn: administrator
+displayName: Directory Superuser
+uid: admin
+userPassword: secret
+
+# Groups
+
+dn: ou=groups,dc=github,dc=com
+objectclass: organizationalUnit
+
+dn: cn=enterprise,ou=groups,dc=github,dc=com
+cn: Enterprise
+objectClass: groupOfNames
+member: uid=calavera,ou=users,dc=github,dc=com
+member: cn=enterprise-devs,ou=groups,dc=github,dc=com
+member: cn=enterprise-ops,ou=groups,dc=github,dc=com
+
+dn: cn=enterprise-devs,ou=groups,dc=github,dc=com
+cn: enterprise-devs
+objectClass: groupOfNames
+member: uid=benburkert,ou=users,dc=github,dc=com
+member: cn=enterprise,ou=groups,dc=github,dc=com
+
+dn: cn=enterprise-ops,ou=groups,dc=github,dc=com
+cn: enterprise-ops
+objectClass: groupOfNames
+member: uid=sbryant,ou=users,dc=github,dc=com
+member: cn=spaniards,ou=groups,dc=github,dc=com
+
+dn: cn=spaniards,ou=groups,dc=github,dc=com
+cn: spaniards
+objectClass: groupOfNames
+member: uid=calavera,ou=users,dc=github,dc=com
+member: uid=rubiojr,ou=users,dc=github,dc=com
+
+# Users
+
+dn: ou=users,dc=github,dc=com
+objectclass: organizationalUnit
+
+dn: uid=calavera,ou=users,dc=github,dc=com
+cn: David Calavera
+cn: David
+sn: Calavera
+uid: calavera
+userPassword: passworD1
+mail: calavera@github.com
+objectClass: inetOrgPerson
+
+dn: uid=benburkert,ou=users,dc=github,dc=com
+cn: benburkert
+sn: benburkert
+uid: benburkert
+userPassword: passworD1
+mail: benburkert@github.com
+objectClass: inetOrgPerson
+
+dn: uid=sbryant,ou=users,dc=github,dc=com
+cn: sbryant
+sn: sbryant
+uid: sbryant
+userPassword: passworD1
+mail: sbryant@github.com
+objectClass: inetOrgPerson
+
+dn: uid=rubiojr,ou=users,dc=github,dc=com
+cn: rubiojr
+sn: rubiojr
+uid: rubiojr
+userPassword: passworD1
+mail: rubiojr@github.com
+objectClass: inetOrgPerson

data/test/group_test.rb

@@ -31,3 +31,17 @@ class GitHubLdapGroupTest < GitHub::Ldap::Test
     assert_equal 1, groups.size
   end
 end
+
+class GitHubLdapLoopedGroupTest < GitHub::Ldap::Test
+  def self.test_server_options
+    {user_fixtures: FIXTURES.join('github-with-looped-subgroups.ldif').to_s}
+  end
+
+  def setup
+    @group = GitHub::Ldap.new(options).group("cn=enterprise,ou=groups,dc=github,dc=com")
+  end
+
+  def test_members_from_subgroups
+    assert_equal 4, @group.members.size
+  end
+end

data/test/ldap_test.rb

@@ -31,6 +31,31 @@ module GitHubLdapTestCases
 
     assert_equal 'calavera', result.first[:uid].first
   end
+
+  def test_virtual_attributes_defaults
+    @ldap = GitHub::Ldap.new(options.merge(virtual_attributes: true))
+
+    assert @ldap.virtual_attributes.enabled?, "Expected to have virtual attributes enabled with defaults"
+    assert_equal 'memberOf', @ldap.virtual_attributes.virtual_membership
+  end
+
+  def test_virtual_attributes_defaults
+    ldap = GitHub::Ldap.new(options.merge(virtual_attributes: true))
+
+    assert ldap.virtual_attributes.enabled?, "Expected to have virtual attributes enabled with defaults"
+    assert_equal 'memberOf', ldap.virtual_attributes.virtual_membership
+  end
+
+  def test_virtual_attributes_hash
+    ldap = GitHub::Ldap.new(options.merge(virtual_attributes: {virtual_membership: "isMemberOf"}))
+
+    assert ldap.virtual_attributes.enabled?, "Expected to have virtual attributes enabled with defaults"
+    assert_equal 'isMemberOf', ldap.virtual_attributes.virtual_membership
+  end
+
+  def test_virtual_attributes_disabled
+    refute @ldap.virtual_attributes.enabled?, "Expected to have virtual attributes disabled"
+  end
 end
 
 class GitHubLdapTest < GitHub::Ldap::Test

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: github-ldap
 version: !ruby/object:Gem::Version
-  version: 1.0.16
+  version: 1.1.0
 platform: ruby
 authors:
 - David Calavera
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-02-20 00:00:00.000000000 Z
+date: 2014-02-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: net-ldap
@@ -100,8 +100,11 @@ files:
 - lib/github/ldap/fixtures.ldif
 - lib/github/ldap/group.rb
 - lib/github/ldap/server.rb
+- lib/github/ldap/virtual_attributes.rb
+- lib/github/ldap/virtual_group.rb
 - test/domain_test.rb
 - test/filter_test.rb
+- test/fixtures/github-with-looped-subgroups.ldif
 - test/fixtures/github-with-subgroups.ldif
 - test/group_test.rb
 - test/ldap_test.rb
@@ -133,6 +136,7 @@ summary: Ldap client authentication wrapper without all the boilerplate
 test_files:
 - test/domain_test.rb
 - test/filter_test.rb
+- test/fixtures/github-with-looped-subgroups.ldif
 - test/fixtures/github-with-subgroups.ldif
 - test/group_test.rb
 - test/ldap_test.rb