ldap_fluff 0.3.1 → 0.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e2c324b59a41c9c84c20302097ac61466fe94db5
-  data.tar.gz: a38ca5f778bbd5ca11fd008bd022d119afdb5c7c
+  metadata.gz: 1813d6a8c6305c63861d7b7c4f63abb99944dc4a
+  data.tar.gz: b4743486823c086e543ff1dae906f2e51184b3f2
 SHA512:
-  metadata.gz: cf3d45867bf6feffabb0843d723ad45cfd2f3eef2068d2b9fee100b5bb25e10d1f12c71f9f5c12953235d654a4a432c564c92d0673e3235b3a27071e528d44b1
-  data.tar.gz: 8678e45d973ef170e4cdeb6d104fe1c9092c9af9449c477eb694f5b496e79dac974cbd128e02c672fd942018a43404b1e46e1d15bb219f82cb9505f568d518ca
+  metadata.gz: 5c920b7e19001983a61243cab1046e5a0098f74755a1744ccaed723f659182eb35aa85a261944994f66907fda1f778fc18b19d6f75da2fbe235d530ee9a67215
+  data.tar.gz: 3299e24f284c3645167ac8ad1ff1f8072f91ca06d032dbf37e7495a5ace7fbbf51f129e1ad5aa41c6ff56fa3f5dc35b036b929b8d664aee496c4e4cbb98c8a6f

data/LICENSE

@@ -0,0 +1,10 @@
+Copyright 2012 Red Hat, Inc.
+
+This software is licensed to you under the GNU General Public
+License as published by the Free Software Foundation; either version
+2 of the License (GPLv2) or (at your option) any later version.
+There is NO WARRANTY for this software, express or implied,
+including the implied warranties of MERCHANTABILITY,
+NON-INFRINGEMENT, or FITNESS FOR A PARTICULAR PURPOSE. You should
+have received a copy of GPLv2 along with this software; if not, see
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

data/README.rdoc

@@ -0,0 +1,90 @@
+= LDAP Fluff
+
+Provides multiple implementations of LDAP queries for various backends
+
+Supports Active Directory, FreeIPA and posix-style LDAP
+
+== Installation
+
+Now available in the rubygems.org repo, https://rubygems.org/gems/ldap_fluff
+
+  $ gem install ldap_fluff
+
+== Rails Application Configuration
+
+You'll have to configure the gem a little bit to get it hooked into your LDAP
+server.
+
+It exposes these methods:
+  authenticate?(username, password)
+    returns true if the username & password combo bind correctly
+
+  group_list(uid)
+    returns the set of LDAP groups a user belongs to in a string list
+
+  user_list(gid)
+    returns the set of users that belong to an LDAP group
+
+  is_in_groups?(uid, grouplist)
+    returns true if the user provided is in all of the groups listed in grouplist
+
+  valid_user?(uid)
+    returns true if the user provided exists
+
+  valid_group?(uid)
+    returns true if the group provided exists
+
+  find_user(uid)
+    returns the LDAP entry of the user if found, nil if not found
+
+  find_group(gid)
+    returns the LDAP entry of the group if found, nil if not found
+
+These methods are handy for using LDAP for both authentication and authorization.
+
+This gem integrates with warden/devise quite nicely.
+
+Your global configuration must provide information about your LDAP host to function properly.
+
+  host: # ip address or hostname
+  port: # port
+  encryption: # blank, :simple_tls, or :start_tls
+  base_dn: # base DN for LDAP auth, eg dc=redhat,dc=com
+  group_base: # base DN for your LDAP groups, eg ou=Groups,dc=redhat,dc=com
+  server_type: # type of server. default == posix. :active_directory, :posix, :free_ipa
+  ad_domain: # domain for your users if using active directory, eg redhat.com
+  service_user: # service account for authenticating LDAP calls. required unless you enable anon
+  service_pass: # service password for authenticating LDAP calls. required unless you enable anon
+  anon_queries: # false by default, true if you don't want to use the service user
+
+You can pass these arguments as a hash to LdapFluff to get a valid LdapFluff object.
+
+  ldap_config = { :host => "freeipa.localdomain", :port => 389, :encryption => nil, :base_dn => "DC=mydomain,DC=com",
+                  :group_base => "DC=groups,DC=mydomain,DC=com", :attr_login => "uid", :server_type => :freeipa,
+                  :service_user => "admin", :search_filter => "(objectClass=*)", :service_pass => "mypass",
+                  :anon_queries => false }
+
+  fluff = LdapFluff.new(ldap_config)
+  fluff.valid_user?("admin") # returns true
+
+=== TLS support
+
+ldap_fluff fully supports simple_tls and start_tls encryption, but most likely you'll need to add your
+server's CAs to the local bundle. on a Red Hat style system, it's probably something like this:
+
+  $ cat ldap_server_ca.crt >> /etc/pki/tls/certs/ca-bundle.crt
+
+=== A note on ActiveDirectory
+
+ldap_fluff does not support searching/binding global catalogs
+
+service_user (formatted as "ad_domain/username") and service_pass OR anon_queries are required for AD support
+
+=== A note on FreeIPA
+
+ldap_fluff appends cn=groups,cn=accounts to the beginning of all BIND calls. You do not need to
+include this in your base_dn string
+
+=== License
+
+ldap_fluff is licensed under the GPLv2. Please read LICENSE for more information.

data/lib/ldap_fluff/freeipa_member_service.rb

@@ -14,8 +14,9 @@ class LdapFluff::FreeIPA::MemberService < LdapFluff::GenericMemberService
     user = find_user(uid)
     # if group data is missing, they aren't querying with a user
     # with enough privileges
-    raise InsufficientQueryPrivilegesException if user.size <= 1
-    get_groups(user[1][:memberof])
+    user.delete_if { |u| u.nil? || !u.respond_to?(:attribute_names) || !u.attribute_names.include?(:memberof) }
+    raise InsufficientQueryPrivilegesException if user.size < 1
+    get_groups(user[0][:memberof])
   end
 
   class UIDNotFoundException < LdapFluff::Error

data/test/ipa_member_services_test.rb

@@ -33,7 +33,9 @@ class TestIPAMemberService < MiniTest::Test
   end
 
   def test_no_groups
-    @ldap.expect(:search, ['', { :memberof => [] }], [:filter => ipa_name_filter("john")])
+    entry = Net::LDAP::Entry.new
+    entry['memberof'] = []
+    @ldap.expect(:search, [ Net::LDAP::Entry.new, entry ], [:filter => ipa_name_filter("john")])
     @ipams.ldap = @ldap
     assert_equal([], @ipams.find_user_groups('john'))
     @ldap.verify

data/test/lib/ldap_test_helper.rb

@@ -103,7 +103,13 @@ module LdapTestHelper
   end
 
   def ipa_user_payload
-    [{ :cn => 'john' }, { :memberof => ['cn=group,dc=internet,dc=com', 'cn=bros,dc=internet,dc=com'] }]
+    @ipa_user_payload_cache ||= begin
+      entry_1 = Net::LDAP::Entry.new
+      entry_1['cn'] = 'John'
+      entry_2 = Net::LDAP::Entry.new
+      entry_2['memberof'] = ['cn=group,dc=internet,dc=com', 'cn=bros,dc=internet,dc=com']
+      [ entry_1, entry_2 ]
+    end
   end
 
   def ipa_group_payload

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ldap_fluff
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.3.2
 platform: ruby
 authors:
 - Jordan O'Mara
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-08-27 00:00:00.000000000 Z
+date: 2014-10-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: net-ldap
@@ -79,8 +79,12 @@ email:
 - mhulan@redhat.com
 executables: []
 extensions: []
-extra_rdoc_files: []
+extra_rdoc_files:
+- README.rdoc
+- LICENSE
 files:
+- LICENSE
+- README.rdoc
 - lib/ldap_fluff.rb
 - lib/ldap_fluff/active_directory.rb
 - lib/ldap_fluff/ad_member_service.rb