ldap_fluff 0.3.1 → 0.3.2
- checksums.yaml +4 -4
- data/LICENSE +10 -0
- data/README.rdoc +90 -0
- data/lib/ldap_fluff/freeipa_member_service.rb +3 -2
- data/test/ipa_member_services_test.rb +3 -1
- data/test/lib/ldap_test_helper.rb +7 -1
- metadata +7 -3
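--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1813d6a8c6305c63861d7b7c4f63abb99944dc4a
+data.tar.gz: b4743486823c086e543ff1dae906f2e51184b3f2
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5c920b7e19001983a61243cab1046e5a0098f74755a1744ccaed723f659182eb35aa85a261944994f66907fda1f778fc18b19d6f75da2fbe235d530ee9a67215
+data.tar.gz: 3299e24f284c3645167ac8ad1ff1f8072f91ca06d032dbf37e7495a5ace7fbbf51f129e1ad5aa41c6ff56fa3f5dc35b036b929b8d664aee496c4e4cbb98c8a6f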
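--- a/data/LICENSE
+++ b/data/LICENSE
@@ -0,0 +1,10 @@
+Copyright 2012 Red Hat, Inc.
+
+This software is licensed to you under the GNU General Public
+License as published by the Free Software Foundation; either version
+2 of the License (GPLv2) or (at your option) any later version.
+There is NO WARRANTY for this software, express or implied,
+including the implied warranties of MERCHANTABILITY,
+NON-INFRINGEMENT, or FITNESS FOR A PARTICULAR PURPOSE. You should
+have received a copy of GPLv2 along with this software; if not, see
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.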
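--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -0,0 +1,90 @@
+= LDAP Fluff
+
+Provides multiple implementations of LDAP queries for various backends
+
+Supports Active Directory, FreeIPA and posix-style LDAP
+
+== Installation
+
+Now available in the rubygems.org repo, https://rubygems.org/gems/ldap_fluff
+
+$ gem install ldap_fluff
+
+== Rails Application Configuration
+
+You'll have to configure the gem a little bit to get it hooked into your LDAP
+server.
+
+It exposes these methods:
+authenticate?(username, password)
+returns true if the username & password combo bind correctly
+
+group_list(uid)
+returns the set of LDAP groups a user belongs to in a string list
+
+user_list(gid)
+returns the set of users that belong to an LDAP group
+
+is_in_groups?(uid, grouplist)
+returns true if the user provided is in all of the groups listed in grouplist
+
+valid_user?(uid)
+returns true if the user provided exists
+
+valid_group?(uid)
+returns true if the group provided exists
+
+find_user(uid)
+returns the LDAP entry of the user if found, nil if not found
+
+find_group(gid)
+returns the LDAP entry of the group if found, nil if not found
+
+These methods are handy for using LDAP for both authentication and authorization.
+
+This gem integrates with warden/devise quite nicely.
+
+Your global configuration must provide information about your LDAP host to function properly.
+
+host: # ip address or hostname
+port: # port
+encryption: # blank, :simple_tls, or :start_tls
+base_dn: # base DN for LDAP auth, eg dc=redhat,dc=com
+group_base: # base DN for your LDAP groups, eg ou=Groups,dc=redhat,dc=com
+server_type: # type of server. default == posix. :active_directory, :posix, :free_ipa
+ad_domain: # domain for your users if using active directory, eg redhat.com
+service_user: # service account for authenticating LDAP calls. required unless you enable anon
+service_pass: # service password for authenticating LDAP calls. required unless you enable anon
+anon_queries: # false by default, true if you don't want to use the service user
+
+You can pass these arguments as a hash to LdapFluff to get a valid LdapFluff object.
+
+ldap_config = { :host => "freeipa.localdomain", :port => 389, :encryption => nil, :base_dn => "DC=mydomain,DC=com",
+:group_base => "DC=groups,DC=mydomain,DC=com", :attr_login => "uid", :server_type => :freeipa,
+:service_user => "admin", :search_filter => "(objectClass=*)", :service_pass => "mypass",
+:anon_queries => false }
+
+fluff = LdapFluff.new(ldap_config)
+fluff.valid_user?("admin") # returns true
+
+=== TLS support
+
+ldap_fluff fully supports simple_tls and start_tls encryption, but most likely you'll need to add your
+server's CAs to the local bundle. on a Red Hat style system, it's probably something like this:
+
+$ cat ldap_server_ca.crt >> /etc/pki/tls/certs/ca-bundle.crt
+
+=== A note on ActiveDirectory
+
+ldap_fluff does not support searching/binding global catalogs
+
+service_user (formatted as "ad_domain/username") and service_pass OR anon_queries are required for AD support
+
+=== A note on FreeIPA
+
+ldap_fluff appends cn=groups,cn=accounts to the beginning of all BIND calls. You do not need to
+include this in your base_dn string
+
+=== License
+
+ldap_fluff is licensed under the GPLv2. Please read LICENSE for more information.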
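--- a/data/lib/ldap_fluff/freeipa_member_service.rb
+++ b/data/lib/ldap_fluff/freeipa_member_service.rb
@@ -14,8 +14,9 @@ class LdapFluff::FreeIPA::MemberService < LdapFluff::GenericMemberService
 user = find_user(uid)
 # if group data is missing, they aren't querying with a user
 # with enough privileges
-
-
+user.delete_if { |u| u.nil? || !u.respond_to?(:attribute_names) || !u.attribute_names.include?(:memberof) }
+raise InsufficientQueryPrivilegesException if user.size < 1
+get_groups(user[0][:memberof])
 end
 
 class UIDNotFoundException < LdapFluff::Error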
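Review bot: `user.delete_if { ... }` on the new line 17 mutates the array returned by `find_user` in place, so any caller or fixture that still holds that array (for instance a memoised test payload handed to a stubbed `search`) sees its entries removed as a side effect of a group lookup. A non-mutating filter gives the same result without the aliasing hazard: `user = user.reject { |u| u.nil? || !u.respond_to?(:attribute_names) || !u.attribute_names.include?(:memberof) }`. If `find_user` can return nil rather than an empty array — its definition is not in this hunk — line 17 raises NoMethodError before the InsufficientQueryPrivilegesException guard on line 18 is reached, so `Array(user)` in that filter would make the guard cover the nil case as well. The enclosing method starts before line 14, outside the hunk, and the two removed lines are rendered empty on this page.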
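--- a/data/test/ipa_member_services_test.rb
+++ b/data/test/ipa_member_services_test.rb
@@ -33,7 +33,9 @@ class TestIPAMemberService < MiniTest::Test
 end
 
 def test_no_groups
-
+entry = Net::LDAP::Entry.new
+entry['memberof'] = []
+@ldap.expect(:search, [ Net::LDAP::Entry.new, entry ], [:filter => ipa_name_filter("john")])
 @ipams.ldap = @ldap
 assert_equal([], @ipams.find_user_groups('john'))
 @ldap.verify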
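Review bot: The new expectation on line 38 only covers the "memberof present but empty" path; the raise that the production change introduces (InsufficientQueryPrivilegesException when no returned entry carries `memberof`) gets no test in this commit, even though that is exactly the case the attribute-less `Net::LDAP::Entry.new` in the stubbed result models. A companion test that stubs `search` with only attribute-less entries and wraps `@ipams.find_user_groups('john')` in `assert_raises` with that exception class (its namespace is not visible in this hunk) would pin the behaviour, and would also catch the NoMethodError that the nil-entry guard in the filter is meant to prevent. `test_no_groups` continues past line 41, outside the hunk.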
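--- a/data/test/lib/ldap_test_helper.rb
+++ b/data/test/lib/ldap_test_helper.rb
@@ -103,7 +103,13 @@ module LdapTestHelper
 end
 
 def ipa_user_payload
-
+@ipa_user_payload_cache ||= begin
+entry_1 = Net::LDAP::Entry.new
+entry_1['cn'] = 'John'
+entry_2 = Net::LDAP::Entry.new
+entry_2['memberof'] = ['cn=group,dc=internet,dc=com', 'cn=bros,dc=internet,dc=com']
+[ entry_1, entry_2 ]
+end
 end
 
 def ipa_group_payload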
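Review bot: `@ipa_user_payload_cache ||=` on the new line 106 hands every caller within a test instance the same mutable array, and the FreeIPA member service this fixture feeds removes elements from its search result with `delete_if` in the same release, so a second call to `ipa_user_payload` inside one test may no longer contain `entry_1` (this only bites when a test passes the array through a stubbed `search` to that code; that wiring is not in this hunk). Returning a shallow copy keeps the memoisation while isolating callers: `(@ipa_user_payload_cache ||= begin` on line 106 and `end).dup` on line 112. Freezing the fixture (`[ entry_1, entry_2 ].freeze` on line 111) is the stricter alternative, as it makes any such mutation raise at the call site instead of silently changing later assertions.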
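--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ldap_fluff
 version: !ruby/object:Gem::Version
-version: 0.3.
+version: 0.3.2
 platform: ruby
 authors:
 - Jordan O'Mara
@@ -12,7 +12,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-
+date: 2014-10-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: net-ldap
@@ -79,8 +79,12 @@ email:
 - mhulan@redhat.com
 executables: []
 extensions: []
-extra_rdoc_files:
+extra_rdoc_files:
+- README.rdoc
+- LICENSE
 files:
+- LICENSE
+- README.rdoc
 - lib/ldap_fluff.rb
 - lib/ldap_fluff/active_directory.rb
 - lib/ldap_fluff/ad_member_service.rb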