ldap_fluff 0.4.4 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: ed707d5d36b8d6b918fb50d6e89a5e6485735755
-  data.tar.gz: eb28be466da5f887d087a9f604f4cd2f70706ca0
+SHA256:
+  metadata.gz: 8c3b572c980fa3c48ede92f936858eb045cf54f6b507e6c7767de0751f85d9cc
+  data.tar.gz: 9280821c5a7ecc20c2300421d9a5947820de407da3480143b08c6ec146675dcb
 SHA512:
-  metadata.gz: f1b2ca1f26ff45725c8ceaf615f3b871e833b57d77d5f6299b91f6dfa34548a5537af714945963c2fc671afbc8bd93549e282e498c9db393421fdc79db0ffb9f
-  data.tar.gz: 7396f3426a2edae96fb8a5617222211daa72a224b6aaa8cc28c1cd83671fdccf9126858ec1c389dbd7733a1a24fbab75bd420e8ed7640d48518a3694b1593cec
+  metadata.gz: 4d74d42c9156af61cc485d6e8c1a99d1945aa97157659e627323f60e5b09807ea2c860fd10c62e9ce209d393200a5b57ef20205e8fc66eecf7762af7be56ee22
+  data.tar.gz: 1228b0a8730546ec3e38658bb3a86166bc10cb2af607a8d6e3ee77e3dd8c9ee465c0bbd2383ff1d8f5cdeed3053fd6a649dbdc8b145ccb29e47321ec7ef3e973

data/README.rdoc

@@ -51,7 +51,9 @@ Your global configuration must provide information about your LDAP host to funct
   encryption: # blank, :simple_tls, or :start_tls
   base_dn: # base DN for LDAP auth, eg dc=redhat,dc=com
   group_base: # base DN for your LDAP groups, eg ou=Groups,dc=redhat,dc=com
-  server_type: # type of server. default == posix. :active_directory, :posix, :free_ipa
+  use_netgroups: # false by default, use true if you want to use netgroup triples,
+                 # supported only for server type :free_ipa and :posix
+  server_type: # type of server. default == :posix. :active_directory, :posix, :free_ipa
   ad_domain: # domain for your users if using active directory, eg redhat.com
   service_user: # service account for authenticating LDAP calls. required unless you enable anon
   service_pass: # service password for authenticating LDAP calls. required unless you enable anon
@@ -61,7 +63,7 @@ Your global configuration must provide information about your LDAP host to funct
 You can pass these arguments as a hash to LdapFluff to get a valid LdapFluff object.
 
   ldap_config = { :host => "freeipa.localdomain", :port => 389, :encryption => nil, :base_dn => "DC=mydomain,DC=com",
-                  :group_base => "DC=groups,DC=mydomain,DC=com", :attr_login => "uid", :server_type => :freeipa,
+                  :group_base => "DC=groups,DC=mydomain,DC=com", :attr_login => "uid", :server_type => :free_ipa,
                   :service_user => "admin", :search_filter => "(objectClass=*)", :service_pass => "mypass",
                   :anon_queries => false }
 
@@ -81,6 +83,8 @@ ldap_fluff does not support searching/binding global catalogs
 
 service_user (formatted as "ad_domain/username") and service_pass OR anon_queries are required for AD support
 
+Group membership searches will use "msds-memberOfTransitive" where possible, and will fall back to a recursive lookup
+
 === A note on FreeIPA
 
 ldap_fluff appends cn=groups,cn=accounts to the beginning of all BIND calls. You do not need to
@@ -97,6 +101,10 @@ ActiveSupport::Notifications.  ldap_fluff will use this and also pass it to net-
 When using Rails, pass `:instrumentation_service => ActiveSupport::Notifications` and then subscribe to, and
 optionally log events (e.g. https://gist.github.com/mnutt/566725).
 
-=== License
+== Contributing
+
+Feel free to file PR against our github repository.
+
+== License
 
 ldap_fluff is licensed under the GPLv2. Please read LICENSE for more information.

data/lib/ldap_fluff.rb

@@ -7,5 +7,7 @@ require 'ldap_fluff/active_directory'
 require 'ldap_fluff/ad_member_service'
 require 'ldap_fluff/posix'
 require 'ldap_fluff/posix_member_service'
+require 'ldap_fluff/posix_netgroup_member_service'
 require 'ldap_fluff/freeipa'
 require 'ldap_fluff/freeipa_member_service'
+require 'ldap_fluff/freeipa_netgroup_member_service'

data/lib/ldap_fluff/active_directory.rb

@@ -1,10 +1,9 @@
 class LdapFluff::ActiveDirectory < LdapFluff::Generic
-
   def bind?(uid = nil, password = nil, opts = {})
     unless uid.include?(',') || uid.include?('\\') || opts[:search] == false
       service_bind
       user = @member_service.find_user(uid)
-      uid = user.first.dn if user && user.first
+      uid = user.first.dn if user&.first
     end
     @ldap.auth(uid, password)
     @ldap.bind
@@ -18,9 +17,9 @@ class LdapFluff::ActiveDirectory < LdapFluff::Generic
     begin
       groups       = @member_service.find_user_groups(uid)
       intersection = gids & groups
-      return (all ? intersection == gids : intersection.size > 0)
+      (all ? intersection == gids : intersection.size > 0)
     rescue MemberService::UIDNotFoundException
-      return false
+      false
     end
   end
 
@@ -30,17 +29,20 @@ class LdapFluff::ActiveDirectory < LdapFluff::Generic
     users = []
 
     search.send(method).each do |member|
-      entry = @member_service.find_by_dn(member).first
+      begin
+        entry = @member_service.find_by_dn(member).first
+      rescue MemberService::UIDNotFoundException
+        next
+      end
       objectclasses = entry.objectclass.map(&:downcase)
 
-      if (%w(organizationalperson person userproxy) & objectclasses).present?
+      if (%w[organizationalperson person userproxy] & objectclasses).present?
         users << @member_service.get_login_from_entry(entry)
-      elsif (%w(organizationalunit group) & objectclasses).present?
+      elsif (%w[organizationalunit group] & objectclasses).present?
         users << users_for_gid(entry.cn.first)
       end
     end
 
     users.flatten.uniq
   end
-
 end

data/lib/ldap_fluff/ad_member_service.rb

@@ -2,26 +2,49 @@ require 'net/ldap'
 
 # Naughty bits of active directory ldap queries
 class LdapFluff::ActiveDirectory::MemberService < LdapFluff::GenericMemberService
-
   def initialize(ldap, config)
     @attr_login = (config.attr_login || 'samaccountname')
     super
   end
 
   # get a list [] of ldap groups for a given user
-  # in active directory, this means a recursive lookup
+  # try to use msds-memberOfTransitive if it is supported, otherwise do a recursive loop
   def find_user_groups(uid)
-    data = find_user(uid)
-    _groups_from_ldap_data(data.first)
+    user_data = find_user(uid).first
+
+    if _get_domain_func_level >= 6
+      user_dn = user_data[:distinguishedname].first
+      search = @ldap.search(:base => user_dn, :scope => Net::LDAP::SearchScope_BaseObject, :attributes => ['msds-memberOfTransitive'])
+      if !search.nil? && !search.first.nil?
+        return get_groups(search.first['msds-memberoftransitive'])
+      end
+    end
+
+    # Fall back to recursive lookup
+    _groups_from_ldap_data(user_data)
+  end
+
+  # return the domain functionality level, default to 0
+  def _get_domain_func_level
+    return @domain_functionality unless @domain_functionality.nil?
+
+    @domain_functionality = 0
+
+    search = @ldap.search(:base => "", :scope => Net::LDAP::SearchScope_BaseObject, :attributes => ['domainFunctionality'])
+    if !search.nil? && !search.first.nil?
+      @domain_functionality = search.first[:domainfunctionality].first.to_i
+    end
+
+    @domain_functionality
   end
 
   # return the :memberof attrs + parents, recursively
   def _groups_from_ldap_data(payload)
     data = []
-    if !payload.nil?
-      first_level     = payload[:memberof]
-      total_groups, _ = _walk_group_ancestry(first_level, first_level)
-      data            = (get_groups(first_level + total_groups)).uniq
+    unless payload.nil?
+      first_level = payload[:memberof]
+      total_groups, = _walk_group_ancestry(first_level, first_level)
+      data = get_groups(first_level + total_groups).uniq
     end
     data
   end
@@ -31,14 +54,13 @@ class LdapFluff::ActiveDirectory::MemberService < LdapFluff::GenericMemberServic
     set = []
     group_dns.each do |group_dn|
       search = @ldap.search(:base => group_dn, :scope => Net::LDAP::SearchScope_BaseObject, :attributes => ['memberof'])
-      if !search.nil? && !search.first.nil?
-        groups                       = search.first[:memberof] - known_groups
-        known_groups                += groups
-        next_level, new_known_groups = _walk_group_ancestry(groups, known_groups)
-        set                         += next_level
-        set                         += groups
-        known_groups                += next_level
-      end
+      next unless !search.nil? && !search.first.nil?
+      groups = search.first[:memberof] - known_groups
+      known_groups                += groups
+      next_level, new_known_groups = _walk_group_ancestry(groups, known_groups)
+      set                         += next_level
+      set                         += groups
+      known_groups                += next_level
     end
     [set, known_groups]
   end

data/lib/ldap_fluff/config.rb

@@ -3,8 +3,8 @@ require 'active_support/core_ext/hash'
 
 class LdapFluff::Config
   ATTRIBUTES = %w[host port encryption base_dn group_base server_type service_user
-                    service_pass anon_queries attr_login search_filter
-                    instrumentation_service ]
+                  service_pass anon_queries attr_login search_filter
+                  instrumentation_service use_netgroups].freeze
   ATTRIBUTES.each { |attr| attr_reader attr.to_sym }
 
   DEFAULT_CONFIG = { 'port' => 389,
@@ -13,7 +13,8 @@ class LdapFluff::Config
                      'group_base' => 'dc=company,dc=com',
                      'server_type' => :free_ipa,
                      'anon_queries' => false,
-                     'instrumentation_service' => nil }
+                     'instrumentation_service' => nil,
+                     'use_netgroups' => false }.freeze
 
   def initialize(config)
     raise ArgumentError unless config.respond_to?(:to_hash)
@@ -64,9 +65,9 @@ class LdapFluff::Config
   end
 
   def correct_server_type?(config)
-    unless [:posix, :active_directory, :free_ipa].include?(config['server_type'])
+    unless %i[posix active_directory free_ipa].include?(config['server_type'])
       raise ConfigError, 'config key server_type has to be :active_directory, :posix, :free_ipa ' +
-        "but was #{config['server_type']}"
+                         "but was #{config['server_type']}"
     end
   end
 

data/lib/ldap_fluff/error.rb

@@ -2,4 +2,3 @@ class LdapFluff
   class Error < StandardError
   end
 end
-

data/lib/ldap_fluff/freeipa.rb

@@ -1,40 +1,20 @@
 class LdapFluff::FreeIPA < LdapFluff::Generic
-
   def bind?(uid = nil, password = nil, opts = {})
     unless uid.include?(',')
       unless opts[:search] == false
         service_bind
         user = @member_service.find_user(uid)
       end
-      uid = user && user.first ? user.first.dn : "uid=#{uid},cn=users,cn=accounts,#{@base}"
+      uid = user&.first ? user.first.dn : "uid=#{uid},cn=users,cn=accounts,#{@base}"
     end
     @ldap.auth(uid, password)
     @ldap.bind
   end
 
   def groups_for_uid(uid)
-    begin
-      super
-    rescue MemberService::InsufficientQueryPrivilegesException
-      raise UnauthenticatedException, "Insufficient Privileges to query groups data"
-    end
-  end
-
-  # In freeipa, a simple user query returns a full set
-  # of nested groups! yipee
-  #
-  # gids should be an array of group common names
-  #
-  # returns true if owner is in ALL of the groups if all=true, otherwise
-  # returns true if owner is in ANY of the groups
-  def is_in_groups(uid, gids = [], all = true)
-    service_bind
-    groups = @member_service.find_user_groups(uid)
-    if all
-      return groups & gids == gids
-    else
-      return groups & gids != []
-    end
+    super
+  rescue MemberService::InsufficientQueryPrivilegesException
+    raise UnauthenticatedException, "Insufficient Privileges to query groups data"
   end
 
   private
@@ -43,12 +23,18 @@ class LdapFluff::FreeIPA < LdapFluff::Generic
     # Member results come in the form uid=sampleuser,cn=users, etc.. or gid=samplegroup,cn=groups
     users = []
 
-    search.send(method).each do |member|
-      type = member.downcase.split(',')[1]
-      if type == 'cn=users'
-        users << @member_service.get_logins([member])
-      elsif type == 'cn=groups'
-        users << users_for_gid(member.split(',')[0].split('=')[1])
+    members = search.send(method)
+
+    if method == :nisnetgrouptriple
+      users = @member_service.get_netgroup_users(members)
+    else
+      members.each do |member|
+        type = member.downcase.split(',')[1]
+        if type == 'cn=users'
+          users << @member_service.get_logins([member])
+        elsif type == 'cn=groups'
+          users << users_for_gid(member.split(',')[0].split('=')[1])
+        end
       end
     end
 

data/lib/ldap_fluff/freeipa_member_service.rb

@@ -1,8 +1,6 @@
 require 'net/ldap'
 
-# handles the naughty bits of posix ldap
 class LdapFluff::FreeIPA::MemberService < LdapFluff::GenericMemberService
-
   def initialize(ldap, config)
     @attr_login = (config.attr_login || 'uid')
     super
@@ -19,6 +17,19 @@ class LdapFluff::FreeIPA::MemberService < LdapFluff::GenericMemberService
     get_groups(user[0][:memberof])
   end
 
+  # extract the group names from the LDAP style response,
+  # return string will be something like
+  # CN=bros,OU=bropeeps,DC=jomara,DC=redhat,DC=com
+  def get_groups(grouplist)
+    grouplist.map(&:downcase).collect do |g|
+      if /.*?ipauniqueid=(.*?)/.match?(g)
+        @ldap.search(:base => g)[0][:cn][0]
+      else
+        g.sub(/.*?cn=(.*?),.*/, '\1')
+      end
+    end.compact
+  end
+
   class UIDNotFoundException < LdapFluff::Error
   end
 
@@ -27,6 +38,4 @@ class LdapFluff::FreeIPA::MemberService < LdapFluff::GenericMemberService
 
   class InsufficientQueryPrivilegesException < LdapFluff::Error
   end
-
 end
-

data/lib/ldap_fluff/freeipa_netgroup_member_service.rb

@@ -0,0 +1,12 @@
+require 'net/ldap'
+
+class LdapFluff::FreeIPA::NetgroupMemberService < LdapFluff::FreeIPA::MemberService
+  def find_user_groups(uid)
+    groups = []
+    @ldap.search(:filter => Net::LDAP::Filter.eq('objectClass', 'nisNetgroup'), :base => @group_base).each do |entry|
+      members = get_netgroup_users(entry[:nisnetgrouptriple])
+      groups << entry[:cn][0] if members.include? uid
+    end
+    groups
+  end
+end

data/lib/ldap_fluff/generic.rb

@@ -7,13 +7,14 @@ class LdapFluff::Generic
                           :port => config.port,
                           :encryption => config.encryption,
                           :instrumentation_service => config.instrumentation_service)
-    @bind_user  = config.service_user
-    @bind_pass  = config.service_pass
-    @anon       = config.anon_queries
+    @bind_user = config.service_user
+    @bind_pass = config.service_pass
+    @anon = config.anon_queries
     @attr_login = config.attr_login
     @base       = config.base_dn
     @group_base = (config.group_base.empty? ? config.base_dn : config.group_base)
-    @member_service = self.class::MemberService.new(@ldap, config)
+    @use_netgroups = config.use_netgroups
+    @member_service = create_member_service(config)
   end
 
   def user_exists?(uid)
@@ -36,19 +37,35 @@ class LdapFluff::Generic
     service_bind
     @member_service.find_user_groups(uid)
   rescue self.class::MemberService::UIDNotFoundException
-    return []
+    []
   end
 
   def users_for_gid(gid)
     return [] unless group_exists?(gid)
     search = @member_service.find_group(gid).last
-
-    method = [:member, :memberuid, :uniquemember].find { |m| search.respond_to? m } or
-             return []
-
+    method = select_member_method(search)
+    return [] if method.nil?
     users_from_search_results(search, method)
   end
 
+  # returns whether a user is a member of ALL or ANY particular groups
+  # note: this method is much faster than groups_for_uid
+  #
+  # gids should be an array of group common names
+  #
+  # returns true if owner is in ALL of the groups if all=true, otherwise
+  # returns true if owner is in ANY of the groups
+  def is_in_groups(uid, gids = [], all = true)
+    service_bind
+    groups = @member_service.find_user_groups(uid).sort
+    gids = gids.sort
+    if all
+      groups & gids == gids
+    else
+      (groups & gids).any?
+    end
+  end
+
   def includes_cn?(cn)
     filter = Net::LDAP::Filter.eq('cn', cn)
     @ldap.search(:base => @ldap.base, :filter => filter).present?
@@ -57,11 +74,28 @@ class LdapFluff::Generic
   def service_bind
     unless @anon || bind?(@bind_user, @bind_pass, :search => false)
       raise UnauthenticatedException,
-            "Could not bind to #{class_name} user #{@bind_user}"
+        "Could not bind to #{class_name} user #{@bind_user}"
     end
   end
 
   private
+
+  def select_member_method(search_result)
+    if @use_netgroups
+      :nisnetgrouptriple
+    else
+      %i[member memberuid uniquemember].find { |m| search_result.respond_to? m }
+    end
+  end
+
+  def create_member_service(config)
+    if @use_netgroups
+      self.class::NetgroupMemberService.new(@ldap, config)
+    else
+      self.class::MemberService.new(@ldap, config)
+    end
+  end
+
   def class_name
     self.class.name.split('::').last
   end
@@ -71,6 +105,8 @@ class LdapFluff::Generic
     if method == :memberuid
       # memberuid contains an array ['user1','user2'], no need to parse it
       members
+    elsif method == :nisnetgrouptriple
+      @member_service.get_netgroup_users(members)
     else
       @member_service.get_logins(members)
     end
@@ -79,4 +115,3 @@ class LdapFluff::Generic
   class UnauthenticatedException < LdapFluff::Error
   end
 end
-