gitlab_omniauth-ldap 1.0.2

data/.gitignore

@@ -0,0 +1,2 @@
+.project
+coverage

data/.rspec

@@ -0,0 +1 @@
+--colour

data/.travis.yml

@@ -0,0 +1,6 @@
+branches:
+  only:
+    - 'master'
+rvm:
+  - 1.9.2
+script: "bundle exec rspec spec"

data/Gemfile

@@ -0,0 +1,10 @@
+source 'http://rubygems.org'
+
+gemspec
+
+group :development, :test do
+  gem 'rspec'
+  gem 'pry'
+  gem 'rake'
+  gem 'rack-test'
+end

data/Gemfile.lock

@@ -0,0 +1,49 @@
+PATH
+  remote: .
+  specs:
+    gitlab_omniauth-ldap (1.0.2)
+      net-ldap (~> 0.2.2)
+      omniauth (~> 1.0)
+      pyu-ruby-sasl (~> 0.0.3.1)
+      rubyntlm (~> 0.1.1)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    coderay (1.0.8)
+    diff-lcs (1.1.3)
+    hashie (1.2.0)
+    method_source (0.8.1)
+    net-ldap (0.2.2)
+    omniauth (1.1.1)
+      hashie (~> 1.2)
+      rack
+    pry (0.9.10)
+      coderay (~> 1.0.5)
+      method_source (~> 0.8)
+      slop (~> 3.3.1)
+    pyu-ruby-sasl (0.0.3.3)
+    rack (1.4.1)
+    rack-test (0.6.2)
+      rack (>= 1.0)
+    rake (10.0.3)
+    rspec (2.12.0)
+      rspec-core (~> 2.12.0)
+      rspec-expectations (~> 2.12.0)
+      rspec-mocks (~> 2.12.0)
+    rspec-core (2.12.2)
+    rspec-expectations (2.12.1)
+      diff-lcs (~> 1.1.3)
+    rspec-mocks (2.12.1)
+    rubyntlm (0.1.1)
+    slop (3.3.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  gitlab_omniauth-ldap!
+  pry
+  rack-test
+  rake
+  rspec

data/Guardfile

@@ -0,0 +1,11 @@
+guard 'rspec', :version => 2 do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { "spec" }
+end
+
+
+guard 'bundler' do
+  watch('Gemfile')
+  watch(/^.+\.gemspec/)
+end

data/README.md

@@ -0,0 +1,64 @@
+# GitLab fork | OmniAuth LDAP [![build status](https://secure.travis-ci.org/gitlabhq/omniauth-ldap.png)](https://travis-ci.org/gitlabhq/omniauth-ldap)
+
+### LDAP
+
+Use the LDAP strategy as a middleware in your application:
+
+    use OmniAuth::Strategies::LDAP, 
+        :title => "My LDAP", 
+        :host => '10.101.10.1',
+        :port => 389,
+        :method => :plain,
+        :base => 'dc=intridea, dc=com',
+        :uid => 'sAMAccountName',
+        :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')}
+        :bind_dn => 'default_bind_dn'
+        :password => 'password'
+
+All of the listed options are required, with the exception of :title, :name_proc, :bind_dn, and :password.
+Allowed values of :method are: :plain, :ssl, :tls.
+
+:bind_dn and :password is the default credentials to perform user lookup.
+  most LDAP servers require that you supply a complete DN as a binding-credential, along with an authenticator
+  such as a password. But for many applications, you often don’t have a full DN to identify the user. 
+  You usually get a simple identifier like a username or an email address, along with a password. 
+  Since many LDAP servers don't allow anonymous access, search function will require a bound connection, 
+  :bind_dn and :password will be required for searching on the username or email to retrieve the DN attribute 
+  for the user. If the LDAP server allows anonymous access, you don't need to provide these two parameters.
+
+:uid is the LDAP attribute name for the user name in the login form. 
+  typically AD would be 'sAMAccountName' or 'UserPrincipalName', while OpenLDAP is 'uid'.
+
+:name_proc allows you to match the user name entered with the format of the :uid attributes. 
+  For example, value of 'sAMAccountName' in AD contains only the windows user name. If your user prefers using 
+  email to login, a name_proc as above will trim the email string down to just the windows login name. 
+  In summary, use :name_proc to fill the gap between the submitted username and LDAP uid attribute value.
+ 
+:try_sasl and :sasl_mechanisms are optional. :try_sasl [true | false], :sasl_mechanisms ['DIGEST-MD5' | 'GSS-SPNEGO']
+  Use them to initialize a SASL connection to server. If you are not familiar with these authentication methods, 
+  please just avoid them.
+
+Direct users to '/auth/ldap' to have them authenticated via your company's LDAP server.
+
+
+## License
+
+Copyright (C) 2011 by Ping Yu and Intridea, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,9 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+require 'rspec/core/rake_task'
+
+desc 'Default: run specs.'
+task :default => :spec
+
+desc "Run specs"
+RSpec::Core::RakeTask.new

data/gitlab_omniauth-ldap.gemspec

@@ -0,0 +1,22 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/omniauth-ldap/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Ping Yu"]
+  gem.email         = ["ping@intridea.com"]
+  gem.description   = %q{A LDAP strategy for OmniAuth.}
+  gem.summary       = %q{A LDAP strategy for OmniAuth.}
+  gem.homepage      = "https://github.com/gitlabhq/omniauth-ldap"
+
+  gem.add_runtime_dependency     'omniauth', '~> 1.0'
+  gem.add_runtime_dependency     'net-ldap', '~> 0.2.2'
+  gem.add_runtime_dependency     'pyu-ruby-sasl', '~> 0.0.3.1'
+  gem.add_runtime_dependency     'rubyntlm', '~> 0.1.1'
+
+  gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  gem.files         = `git ls-files`.split("\n")
+  gem.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  gem.name          = "gitlab_omniauth-ldap"
+  gem.require_paths = ["lib"]
+  gem.version       = OmniAuth::LDAP::VERSION
+end

data/lib/omniauth/strategies/ldap.rb

@@ -0,0 +1,93 @@
+require 'omniauth'
+
+module OmniAuth
+  module Strategies
+    class LDAP
+      class MissingCredentialsError < StandardError; end
+      include OmniAuth::Strategy
+      @@config = {
+        'name' => 'cn',
+        'first_name' => 'givenName',
+        'last_name' => 'sn',
+        'email' => ['mail', "email", 'userPrincipalName'],
+        'phone' => ['telephoneNumber', 'homePhone', 'facsimileTelephoneNumber'],
+        'mobile' => ['mobile', 'mobileTelephoneNumber'],
+        'nickname' => ['uid', 'userid', 'sAMAccountName'],
+        'title' => 'title',
+        'location' => {"%0, %1, %2, %3 %4" => [['address', 'postalAddress', 'homePostalAddress', 'street', 'streetAddress'], ['l'], ['st'],['co'],['postOfficeBox']]},
+        'uid' => 'dn',
+        'url' => ['wwwhomepage'],
+        'image' => 'jpegPhoto',
+        'description' => 'description'
+      }
+      option :title, "LDAP Authentication" #default title for authentication form
+      option :port, 389
+      option :method, :plain
+      option :uid, 'sAMAccountName'
+      option :name_proc, lambda {|n| n}
+
+      def request_phase
+        OmniAuth::LDAP::Adaptor.validate @options
+        f = OmniAuth::Form.new(:title => (options[:title] || "LDAP Authentication"), :url => callback_path)
+        f.text_field 'Login', 'username'
+        f.password_field 'Password', 'password'
+        f.button "Sign In"
+        f.to_response
+      end
+
+      def callback_phase
+        @adaptor = OmniAuth::LDAP::Adaptor.new @options
+
+        begin
+          # GITLAB security patch
+          # Dont allow blank password for ldap auth
+          if request['username'].nil? || request['username'].empty? || request['password'].nil? || request['password'].empty?
+            raise MissingCredentialsError.new("Missing login credentials")
+          end
+
+          @ldap_user_info = @adaptor.bind_as(:filter => Net::LDAP::Filter.eq(@adaptor.uid, @options[:name_proc].call(request['username'])),:size => 1, :password => request['password'])
+          return fail!(:invalid_credentials) if !@ldap_user_info
+
+          @user_info = self.class.map_user(@@config, @ldap_user_info)
+          super
+        rescue Exception => e
+          return fail!(:ldap_error, e)
+        end
+      end
+
+      uid {
+        @user_info["uid"]
+      }
+      info {
+        @user_info
+      }
+      extra {
+        { :raw_info => @ldap_user_info }
+      }
+
+      def self.map_user(mapper, object)
+        user = {}
+        mapper.each do |key, value|
+          case value
+          when String
+            user[key] = object[value.downcase.to_sym].first if object[value.downcase.to_sym]
+          when Array
+            value.each {|v| (user[key] = object[v.downcase.to_sym].first; break;) if object[v.downcase.to_sym]}
+          when Hash
+            value.map do |key1, value1|
+              pattern = key1.dup
+              value1.each_with_index do |v,i|
+                part = ''; v.collect(&:downcase).collect(&:to_sym).each {|v1| (part = object[v1].first; break;) if object[v1]}
+                pattern.gsub!("%#{i}",part||'')
+              end
+              user[key] = pattern
+            end
+          end
+        end
+        user
+      end
+    end
+  end
+end
+
+OmniAuth.config.add_camelization 'ldap', 'LDAP'

data/lib/omniauth-ldap/adaptor.rb

@@ -0,0 +1,149 @@
+#this code borrowed pieces from activeldap and net-ldap
+
+require 'rack'
+require 'net/ldap'
+require 'net/ntlm'
+require 'uri'
+require 'sasl'
+require 'kconv'
+module OmniAuth
+  module LDAP
+    class Adaptor
+      class LdapError < StandardError; end
+      class ConfigurationError < StandardError; end
+      class AuthenticationError < StandardError; end
+      class ConnectionError < StandardError; end
+
+      VALID_ADAPTER_CONFIGURATION_KEYS = [:host, :port, :method, :bind_dn, :password, :try_sasl, :sasl_mechanisms, :uid, :base, :allow_anonymous]
+
+      MUST_HAVE_KEYS = [:host, :port, :method, :uid, :base]
+
+      METHOD = {
+        :ssl => :simple_tls,
+        :tls => :start_tls,
+        :plain => nil,
+      }
+
+      attr_accessor :bind_dn, :password
+      attr_reader :connection, :uid, :base, :auth
+      def self.validate(configuration={})
+        message = []
+        MUST_HAVE_KEYS.each do |name|
+           message << name if configuration[name].nil?
+        end
+        raise ArgumentError.new(message.join(",") +" MUST be provided") unless message.empty?
+      end
+      def initialize(configuration={})
+        Adaptor.validate(configuration)
+        @configuration = configuration.dup
+        @configuration[:allow_anonymous] ||= false
+        @logger = @configuration.delete(:logger)
+        VALID_ADAPTER_CONFIGURATION_KEYS.each do |name|
+          instance_variable_set("@#{name}", @configuration[name])
+        end
+        method = ensure_method(@method)
+        config = {
+          :host => @host,
+          :port => @port,
+          :encryption => method,
+          :base => @base
+        }
+        @uri = construct_uri(@host, @port, @method != :plain)
+
+        @bind_method = @try_sasl ? :sasl : (@allow_anonymous||!@bind_dn||!@password ? :anonymous : :simple)
+
+
+        @auth = sasl_auths({:username => @bind_dn, :password => @password}).first if @bind_method == :sasl
+        @auth ||= { :method => @bind_method,
+                    :username => @bind_dn,
+                    :password => @password
+                  }
+        config[:auth] = @auth
+        @connection = Net::LDAP.new(config)
+      end
+
+      #:base => "dc=yourcompany, dc=com",
+      # :filter => "(mail=#{user})",
+      # :password => psw
+      def bind_as(args = {})
+        result = false
+        @connection.open do |me|
+          rs = me.search args
+          if rs and rs.first and dn = rs.first.dn
+            password = args[:password]
+            method = args[:method] || @method
+            password = password.call if password.respond_to?(:call)
+            if method == 'sasl'
+            result = rs.first if me.bind(sasl_auths({:username => dn, :password => password}).first)
+            else
+            result = rs.first if me.bind(:method => :simple, :username => dn,
+                                :password => password)
+            end
+          end
+        end
+        result
+      end
+
+      private
+      def ensure_method(method)
+          method ||= "plain"
+          normalized_method = method.to_s.downcase.to_sym
+          return METHOD[normalized_method] if METHOD.has_key?(normalized_method)
+
+          available_methods = METHOD.keys.collect {|m| m.inspect}.join(", ")
+          format = "%s is not one of the available connect methods: %s"
+          raise ConfigurationError, format % [method.inspect, available_methods]
+      end
+
+      def sasl_auths(options={})
+        auths = []
+        sasl_mechanisms = options[:sasl_mechanisms] || @sasl_mechanisms
+        sasl_mechanisms.each do |mechanism|
+          normalized_mechanism = mechanism.downcase.gsub(/-/, '_')
+          sasl_bind_setup = "sasl_bind_setup_#{normalized_mechanism}"
+          next unless respond_to?(sasl_bind_setup, true)
+          initial_credential, challenge_response = send(sasl_bind_setup, options)
+          auths << {
+            :method => :sasl,
+            :initial_credential => initial_credential,
+            :mechanism => mechanism,
+            :challenge_response => challenge_response
+          }
+        end
+        auths
+      end
+
+      def sasl_bind_setup_digest_md5(options)
+        bind_dn = options[:username]
+        initial_credential = ""
+        challenge_response = Proc.new do |cred|
+          pref = SASL::Preferences.new :digest_uri => "ldap/#{@host}", :username => bind_dn, :has_password? => true, :password => options[:password]
+          sasl = SASL.new("DIGEST-MD5", pref)
+          response = sasl.receive("challenge", cred)
+          response[1]
+        end
+        [initial_credential, challenge_response]
+      end
+
+      def sasl_bind_setup_gss_spnego(options)
+        bind_dn = options[:username]
+        psw = options[:password]
+        raise LdapError.new( "invalid binding information" ) unless (bind_dn && psw)
+
+        nego = proc {|challenge|
+          t2_msg = Net::NTLM::Message.parse( challenge )
+          bind_dn, domain = bind_dn.split('\\').reverse
+          t2_msg.target_name = Net::NTLM::encode_utf16le(domain) if domain
+          t3_msg = t2_msg.response( {:user => bind_dn, :password => psw}, {:ntlmv2 => true} )
+          t3_msg.serialize
+        }
+        [Net::NTLM::Message::Type1.new.serialize, nego]
+      end
+
+      def construct_uri(host, port, ssl)
+        protocol = ssl ? "ldaps" : "ldap"
+        URI.parse("#{protocol}://#{host}:#{port}").to_s
+      end
+    end
+  end
+end

data/lib/omniauth-ldap/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module LDAP
+    VERSION = "1.0.2"
+  end
+end

data/lib/omniauth-ldap.rb

@@ -0,0 +1,4 @@
+require "omniauth-ldap/version"
+require "omniauth-ldap/adaptor"
+require 'omniauth/strategies/ldap'
+

data/spec/omniauth/strategies/ldap_spec.rb

@@ -0,0 +1,112 @@
+require 'spec_helper'
+
+describe "OmniAuth::Strategies::LDAP" do
+  # :title => "My LDAP",
+  # :host => '10.101.10.1',
+  # :port => 389,
+  # :method => :plain,
+  # :base => 'dc=intridea, dc=com',
+  # :uid => 'sAMAccountName',
+  # :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')}
+  # :bind_dn => 'default_bind_dn'
+  # :password => 'password'
+  class MyLdapProvider < OmniAuth::Strategies::LDAP; end
+
+  def app
+    Rack::Builder.new {
+      use OmniAuth::Test::PhonySession
+      use MyLdapProvider, :name => 'ldap', :title => 'MyLdap Form', :host => '192.168.1.145', :base => 'dc=score, dc=local', :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')}
+      run lambda { |env| [404, {'Content-Type' => 'text/plain'}, [env.key?('omniauth.auth').to_s]] }
+    }.to_app
+  end
+
+  def session
+    last_request.env['rack.session']
+  end
+
+  it 'should add a camelization for itself' do
+    OmniAuth::Utils.camelize('ldap').should == 'LDAP'
+  end
+
+  describe '/auth/ldap' do
+    before(:each){ get '/auth/ldap' }
+
+    it 'should display a form' do
+      last_response.status.should == 200
+      last_response.body.should be_include("<form")
+    end
+
+    it 'should have the callback as the action for the form' do
+      last_response.body.should be_include("action='/auth/ldap/callback'")
+    end
+
+    it 'should have a text field for each of the fields' do
+      last_response.body.scan('<input').size.should == 2
+    end
+    it 'should have a label of the form title' do
+      last_response.body.scan('MyLdap Form').size.should > 1
+    end
+
+  end
+
+  describe 'post /auth/ldap/callback' do
+    before(:each) do
+      @adaptor = mock(OmniAuth::LDAP::Adaptor, {:uid => 'ping'})
+      OmniAuth::LDAP::Adaptor.stub(:new).and_return(@adaptor)
+    end
+
+    context 'failure' do
+      before(:each) do
+        @adaptor.stub(:bind_as).and_return(false)
+      end
+
+      it 'should raise MissingCredentialsError' do
+        post('/auth/ldap/callback', {})
+        last_response.should be_redirect
+        last_response.headers['Location'].should =~ %r{ldap_error}
+      end
+
+      it 'should redirect to error page' do
+        post('/auth/ldap/callback', {:username => 'ping', :password => 'password'})
+        last_response.should be_redirect
+        last_response.headers['Location'].should =~ %r{invalid_credentials}
+      end
+
+      it 'should redirect to error page when there is exception' do
+        @adaptor.stub(:bind_as).and_throw(Exception.new('connection_error'))
+        post('/auth/ldap/callback', {:username => 'ping', :password => 'password'})
+        last_response.should be_redirect
+        last_response.headers['Location'].should =~ %r{ldap_error}
+      end
+    end
+
+    context 'success' do
+      let(:auth_hash){ last_request.env['omniauth.auth'] }
+      before(:each) do
+        @adaptor.stub(:bind_as).and_return({:dn => ['cn=ping, dc=intridea, dc=com'], :mail => ['ping@intridea.com'], :givenname => ['Ping'], :sn => ['Yu'],
+                                           :telephonenumber => ['555-555-5555'], :mobile => ['444-444-4444'], :uid => ['ping'], :title => ['dev'], :address =>[ 'k street'],
+                                           :l => ['Washington'], :st => ['DC'], :co => ["U.S.A"], :postofficebox => ['20001'], :wwwhomepage => ['www.intridea.com'],
+                                           :jpegphoto => ['http://www.intridea.com/ping.jpg'], :description => ['omniauth-ldap']})
+        post('/auth/ldap/callback', {:username => 'ping', :password => 'password'})
+      end
+
+      it 'should raise MissingCredentialsError' do
+        should_not raise_error OmniAuth::Strategies::LDAP::MissingCredentialsError
+      end
+      it 'should map user info' do
+        auth_hash.uid.should == 'cn=ping, dc=intridea, dc=com'
+        auth_hash.info.email.should == 'ping@intridea.com'
+        auth_hash.info.first_name.should == 'Ping'
+        auth_hash.info.last_name.should == 'Yu'
+        auth_hash.info.phone.should == '555-555-5555'
+        auth_hash.info.mobile.should == '444-444-4444'
+        auth_hash.info.nickname.should == 'ping'
+        auth_hash.info.title.should == 'dev'
+        auth_hash.info.location.should == 'k street, Washington, DC, U.S.A 20001'
+        auth_hash.info.url.should == 'www.intridea.com'
+        auth_hash.info.image.should == 'http://www.intridea.com/ping.jpg'
+        auth_hash.info.description.should == 'omniauth-ldap'
+      end
+    end
+  end
+end

data/spec/omniauth-ldap/adaptor_spec.rb

@@ -0,0 +1,72 @@
+require 'spec_helper'
+describe "OmniAuth::LDAP::Adaptor" do
+
+  describe 'initialize' do
+
+    it 'should throw exception when must have field is not set' do
+      #[:host, :port, :method, :bind_dn]
+      lambda { OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain'})}.should raise_error(ArgumentError)      
+    end
+    it 'should throw exception when method is not supported' do
+      lambda { OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'myplain', uid: 'uid', port: 389, base: 'dc=com'})}.should raise_error(OmniAuth::LDAP::Adaptor::ConfigurationError)      
+    end
+
+    it 'should setup ldap connection with anonymous' do
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
+      adaptor.connection.should_not == nil
+      adaptor.connection.host.should == '192.168.1.145'
+      adaptor.connection.port.should == 389
+      adaptor.connection.base.should == 'dc=intridea, dc=com'
+      adaptor.connection.instance_variable_get('@auth').should == {:method => :anonymous, :username => nil, :password => nil}      
+    end
+    it 'should setup ldap connection with simple' do
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password'})
+      adaptor.connection.should_not == nil
+      adaptor.connection.host.should == '192.168.1.145'
+      adaptor.connection.port.should == 389
+      adaptor.connection.base.should == 'dc=intridea, dc=com'
+      adaptor.connection.instance_variable_get('@auth').should == {:method => :simple, :username => 'bind_dn', :password => 'password'}      
+    end    
+    it 'should setup ldap connection with sasl-md5' do
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["DIGEST-MD5"], bind_dn: 'bind_dn', password: 'password'})
+      adaptor.connection.should_not == nil
+      adaptor.connection.host.should == '192.168.1.145'
+      adaptor.connection.port.should == 389
+      adaptor.connection.base.should == 'dc=intridea, dc=com'
+      adaptor.connection.instance_variable_get('@auth')[:method].should == :sasl      
+      adaptor.connection.instance_variable_get('@auth')[:mechanism].should == 'DIGEST-MD5'      
+      adaptor.connection.instance_variable_get('@auth')[:initial_credential].should == ''      
+      adaptor.connection.instance_variable_get('@auth')[:challenge_response].should_not be_nil      
+    end
+    it 'should setup ldap connection with sasl-gss' do
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["GSS-SPNEGO"], bind_dn: 'bind_dn', password: 'password'})
+      adaptor.connection.should_not == nil
+      adaptor.connection.host.should == '192.168.1.145'
+      adaptor.connection.port.should == 389
+      adaptor.connection.base.should == 'dc=intridea, dc=com'
+      adaptor.connection.instance_variable_get('@auth')[:method].should == :sasl      
+      adaptor.connection.instance_variable_get('@auth')[:mechanism].should == 'GSS-SPNEGO'      
+      adaptor.connection.instance_variable_get('@auth')[:initial_credential].should =~ /^NTLMSSP/      
+      adaptor.connection.instance_variable_get('@auth')[:challenge_response].should_not be_nil      
+    end
+  end
+  
+  describe 'bind_as' do
+    let(:args) { {:filter => Net::LDAP::Filter.eq('sAMAccountName', 'username'), :password => 'password', :size => 1} }
+    let(:rs) { Struct.new(:dn).new('new dn') }
+    it 'should bind simple' do
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.126", method: 'plain', base: 'dc=score, dc=local', port: 389, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password'})
+      adaptor.connection.should_receive(:open).and_yield(adaptor.connection)
+      adaptor.connection.should_receive(:search).with(args).and_return([rs])      
+      adaptor.connection.should_receive(:bind).with({:username => 'new dn', :password => args[:password], :method => :simple}).and_return(true)
+      adaptor.bind_as(args).should == rs
+    end
+    it 'should bind sasl' do
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["GSS-SPNEGO"], bind_dn: 'bind_dn', password: 'password'})
+      adaptor.connection.should_receive(:open).and_yield(adaptor.connection)
+      adaptor.connection.should_receive(:search).with(args).and_return([rs])      
+      adaptor.connection.should_receive(:bind).and_return(true)
+      adaptor.bind_as(args).should == rs
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,12 @@
+$:.unshift File.expand_path('..', __FILE__)
+$:.unshift File.expand_path('../../lib', __FILE__)
+require 'rspec'
+require 'rack/test'
+require 'omniauth'
+require 'omniauth-ldap'
+
+RSpec.configure do |config|
+  config.include Rack::Test::Methods
+  config.extend  OmniAuth::Test::StrategyMacros, :type => :strategy
+end
+

metadata

@@ -0,0 +1,125 @@
+--- !ruby/object:Gem::Specification
+name: gitlab_omniauth-ldap
+version: !ruby/object:Gem::Version
+  version: 1.0.2
+  prerelease: 
+platform: ruby
+authors:
+- Ping Yu
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-12-30 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.2.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.2.2
+- !ruby/object:Gem::Dependency
+  name: pyu-ruby-sasl
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.3.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.3.1
+- !ruby/object:Gem::Dependency
+  name: rubyntlm
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+description: A LDAP strategy for OmniAuth.
+email:
+- ping@intridea.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- .travis.yml
+- Gemfile
+- Gemfile.lock
+- Guardfile
+- README.md
+- Rakefile
+- gitlab_omniauth-ldap.gemspec
+- lib/omniauth-ldap.rb
+- lib/omniauth-ldap/adaptor.rb
+- lib/omniauth-ldap/version.rb
+- lib/omniauth/strategies/ldap.rb
+- spec/omniauth-ldap/adaptor_spec.rb
+- spec/omniauth/strategies/ldap_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/gitlabhq/omniauth-ldap
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: A LDAP strategy for OmniAuth.
+test_files: []