ldap_fluff 0.5.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ba638e83446c1328ec6d7880ccf1528f1a42db4dab9a8884bbd4c8974512632c
-  data.tar.gz: 69c6c3752b330047a953b9e8c4a2c7441f39edb28bccaef32b49fef56b0d21c4
+  metadata.gz: 8c3b572c980fa3c48ede92f936858eb045cf54f6b507e6c7767de0751f85d9cc
+  data.tar.gz: 9280821c5a7ecc20c2300421d9a5947820de407da3480143b08c6ec146675dcb
 SHA512:
-  metadata.gz: b108ae2845030a2e3ea119716b11e7023cd52f4afad32cc48945c8d455a3cf3608755b82bb583373892a6ba0255b030a3750d9f367840e4912860d93e1f8e900
-  data.tar.gz: 315aebba32f13f1f8a62c4f7ce7dd5f49c395fc4950e197029c7818a43eb94fd8ec04c8cb7626c717db4fcb60b1dd61ff8d2d87332140a3c2ecf7a081b7ec682
+  metadata.gz: 4d74d42c9156af61cc485d6e8c1a99d1945aa97157659e627323f60e5b09807ea2c860fd10c62e9ce209d393200a5b57ef20205e8fc66eecf7762af7be56ee22
+  data.tar.gz: 1228b0a8730546ec3e38658bb3a86166bc10cb2af607a8d6e3ee77e3dd8c9ee465c0bbd2383ff1d8f5cdeed3053fd6a649dbdc8b145ccb29e47321ec7ef3e973

data/README.rdoc

@@ -83,6 +83,8 @@ ldap_fluff does not support searching/binding global catalogs
 
 service_user (formatted as "ad_domain/username") and service_pass OR anon_queries are required for AD support
 
+Group membership searches will use "msds-memberOfTransitive" where possible, and will fall back to a recursive lookup
+
 === A note on FreeIPA
 
 ldap_fluff appends cn=groups,cn=accounts to the beginning of all BIND calls. You do not need to
@@ -99,6 +101,10 @@ ActiveSupport::Notifications.  ldap_fluff will use this and also pass it to net-
 When using Rails, pass `:instrumentation_service => ActiveSupport::Notifications` and then subscribe to, and
 optionally log events (e.g. https://gist.github.com/mnutt/566725).
 
-=== License
+== Contributing
+
+Feel free to file PR against our github repository.
+
+== License
 
 ldap_fluff is licensed under the GPLv2. Please read LICENSE for more information.

data/lib/ldap_fluff/active_directory.rb

@@ -1,10 +1,9 @@
 class LdapFluff::ActiveDirectory < LdapFluff::Generic
-
   def bind?(uid = nil, password = nil, opts = {})
     unless uid.include?(',') || uid.include?('\\') || opts[:search] == false
       service_bind
       user = @member_service.find_user(uid)
-      uid = user.first.dn if user && user.first
+      uid = user.first.dn if user&.first
     end
     @ldap.auth(uid, password)
     @ldap.bind
@@ -18,9 +17,9 @@ class LdapFluff::ActiveDirectory < LdapFluff::Generic
     begin
       groups       = @member_service.find_user_groups(uid)
       intersection = gids & groups
-      return (all ? intersection == gids : intersection.size > 0)
+      (all ? intersection == gids : intersection.size > 0)
     rescue MemberService::UIDNotFoundException
-      return false
+      false
     end
   end
 
@@ -37,14 +36,13 @@ class LdapFluff::ActiveDirectory < LdapFluff::Generic
       end
       objectclasses = entry.objectclass.map(&:downcase)
 
-      if (%w(organizationalperson person userproxy) & objectclasses).present?
+      if (%w[organizationalperson person userproxy] & objectclasses).present?
         users << @member_service.get_login_from_entry(entry)
-      elsif (%w(organizationalunit group) & objectclasses).present?
+      elsif (%w[organizationalunit group] & objectclasses).present?
         users << users_for_gid(entry.cn.first)
       end
     end
 
     users.flatten.uniq
   end
-
 end

data/lib/ldap_fluff/ad_member_service.rb

@@ -2,26 +2,49 @@ require 'net/ldap'
 
 # Naughty bits of active directory ldap queries
 class LdapFluff::ActiveDirectory::MemberService < LdapFluff::GenericMemberService
-
   def initialize(ldap, config)
     @attr_login = (config.attr_login || 'samaccountname')
     super
   end
 
   # get a list [] of ldap groups for a given user
-  # in active directory, this means a recursive lookup
+  # try to use msds-memberOfTransitive if it is supported, otherwise do a recursive loop
   def find_user_groups(uid)
-    data = find_user(uid)
-    _groups_from_ldap_data(data.first)
+    user_data = find_user(uid).first
+
+    if _get_domain_func_level >= 6
+      user_dn = user_data[:distinguishedname].first
+      search = @ldap.search(:base => user_dn, :scope => Net::LDAP::SearchScope_BaseObject, :attributes => ['msds-memberOfTransitive'])
+      if !search.nil? && !search.first.nil?
+        return get_groups(search.first['msds-memberoftransitive'])
+      end
+    end
+
+    # Fall back to recursive lookup
+    _groups_from_ldap_data(user_data)
+  end
+
+  # return the domain functionality level, default to 0
+  def _get_domain_func_level
+    return @domain_functionality unless @domain_functionality.nil?
+
+    @domain_functionality = 0
+
+    search = @ldap.search(:base => "", :scope => Net::LDAP::SearchScope_BaseObject, :attributes => ['domainFunctionality'])
+    if !search.nil? && !search.first.nil?
+      @domain_functionality = search.first[:domainfunctionality].first.to_i
+    end
+
+    @domain_functionality
   end
 
   # return the :memberof attrs + parents, recursively
   def _groups_from_ldap_data(payload)
     data = []
-    if !payload.nil?
-      first_level     = payload[:memberof]
-      total_groups, _ = _walk_group_ancestry(first_level, first_level)
-      data            = (get_groups(first_level + total_groups)).uniq
+    unless payload.nil?
+      first_level = payload[:memberof]
+      total_groups, = _walk_group_ancestry(first_level, first_level)
+      data = get_groups(first_level + total_groups).uniq
     end
     data
   end
@@ -31,14 +54,13 @@ class LdapFluff::ActiveDirectory::MemberService < LdapFluff::GenericMemberServic
     set = []
     group_dns.each do |group_dn|
       search = @ldap.search(:base => group_dn, :scope => Net::LDAP::SearchScope_BaseObject, :attributes => ['memberof'])
-      if !search.nil? && !search.first.nil?
-        groups                       = search.first[:memberof] - known_groups
-        known_groups                += groups
-        next_level, new_known_groups = _walk_group_ancestry(groups, known_groups)
-        set                         += next_level
-        set                         += groups
-        known_groups                += next_level
-      end
+      next unless !search.nil? && !search.first.nil?
+      groups = search.first[:memberof] - known_groups
+      known_groups                += groups
+      next_level, new_known_groups = _walk_group_ancestry(groups, known_groups)
+      set                         += next_level
+      set                         += groups
+      known_groups                += next_level
     end
     [set, known_groups]
   end

data/lib/ldap_fluff/config.rb

@@ -3,8 +3,8 @@ require 'active_support/core_ext/hash'
 
 class LdapFluff::Config
   ATTRIBUTES = %w[host port encryption base_dn group_base server_type service_user
-                    service_pass anon_queries attr_login search_filter
-                    instrumentation_service use_netgroups]
+                  service_pass anon_queries attr_login search_filter
+                  instrumentation_service use_netgroups].freeze
   ATTRIBUTES.each { |attr| attr_reader attr.to_sym }
 
   DEFAULT_CONFIG = { 'port' => 389,
@@ -14,7 +14,7 @@ class LdapFluff::Config
                      'server_type' => :free_ipa,
                      'anon_queries' => false,
                      'instrumentation_service' => nil,
-                     'use_netgroups' => false }
+                     'use_netgroups' => false }.freeze
 
   def initialize(config)
     raise ArgumentError unless config.respond_to?(:to_hash)
@@ -65,9 +65,9 @@ class LdapFluff::Config
   end
 
   def correct_server_type?(config)
-    unless [:posix, :active_directory, :free_ipa].include?(config['server_type'])
+    unless %i[posix active_directory free_ipa].include?(config['server_type'])
       raise ConfigError, 'config key server_type has to be :active_directory, :posix, :free_ipa ' +
-        "but was #{config['server_type']}"
+                         "but was #{config['server_type']}"
     end
   end
 

data/lib/ldap_fluff/error.rb

@@ -2,4 +2,3 @@ class LdapFluff
   class Error < StandardError
   end
 end
-

data/lib/ldap_fluff/freeipa.rb

@@ -1,23 +1,20 @@
 class LdapFluff::FreeIPA < LdapFluff::Generic
-
   def bind?(uid = nil, password = nil, opts = {})
     unless uid.include?(',')
       unless opts[:search] == false
         service_bind
         user = @member_service.find_user(uid)
       end
-      uid = user && user.first ? user.first.dn : "uid=#{uid},cn=users,cn=accounts,#{@base}"
+      uid = user&.first ? user.first.dn : "uid=#{uid},cn=users,cn=accounts,#{@base}"
     end
     @ldap.auth(uid, password)
     @ldap.bind
   end
 
   def groups_for_uid(uid)
-    begin
-      super
-    rescue MemberService::InsufficientQueryPrivilegesException
-      raise UnauthenticatedException, "Insufficient Privileges to query groups data"
-    end
+    super
+  rescue MemberService::InsufficientQueryPrivilegesException
+    raise UnauthenticatedException, "Insufficient Privileges to query groups data"
   end
 
   private

data/lib/ldap_fluff/freeipa_member_service.rb

@@ -1,7 +1,6 @@
 require 'net/ldap'
 
 class LdapFluff::FreeIPA::MemberService < LdapFluff::GenericMemberService
-
   def initialize(ldap, config)
     @attr_login = (config.attr_login || 'uid')
     super
@@ -23,7 +22,7 @@ class LdapFluff::FreeIPA::MemberService < LdapFluff::GenericMemberService
   # CN=bros,OU=bropeeps,DC=jomara,DC=redhat,DC=com
   def get_groups(grouplist)
     grouplist.map(&:downcase).collect do |g|
-      if g.match(/.*?ipauniqueid=(.*?)/)
+      if /.*?ipauniqueid=(.*?)/.match?(g)
         @ldap.search(:base => g)[0][:cn][0]
       else
         g.sub(/.*?cn=(.*?),.*/, '\1')
@@ -39,6 +38,4 @@ class LdapFluff::FreeIPA::MemberService < LdapFluff::GenericMemberService
 
   class InsufficientQueryPrivilegesException < LdapFluff::Error
   end
-
 end
-

data/lib/ldap_fluff/freeipa_netgroup_member_service.rb

@@ -1,7 +1,6 @@
 require 'net/ldap'
 
 class LdapFluff::FreeIPA::NetgroupMemberService < LdapFluff::FreeIPA::MemberService
-
   def find_user_groups(uid)
     groups = []
     @ldap.search(:filter => Net::LDAP::Filter.eq('objectClass', 'nisNetgroup'), :base => @group_base).each do |entry|
@@ -11,4 +10,3 @@ class LdapFluff::FreeIPA::NetgroupMemberService < LdapFluff::FreeIPA::MemberServ
     groups
   end
 end
-

data/lib/ldap_fluff/generic.rb

@@ -7,9 +7,9 @@ class LdapFluff::Generic
                           :port => config.port,
                           :encryption => config.encryption,
                           :instrumentation_service => config.instrumentation_service)
-    @bind_user  = config.service_user
-    @bind_pass  = config.service_pass
-    @anon       = config.anon_queries
+    @bind_user = config.service_user
+    @bind_pass = config.service_pass
+    @anon = config.anon_queries
     @attr_login = config.attr_login
     @base       = config.base_dn
     @group_base = (config.group_base.empty? ? config.base_dn : config.group_base)
@@ -37,7 +37,7 @@ class LdapFluff::Generic
     service_bind
     @member_service.find_user_groups(uid)
   rescue self.class::MemberService::UIDNotFoundException
-    return []
+    []
   end
 
   def users_for_gid(gid)
@@ -60,9 +60,9 @@ class LdapFluff::Generic
     groups = @member_service.find_user_groups(uid).sort
     gids = gids.sort
     if all
-      return groups & gids == gids
+      groups & gids == gids
     else
-      return (groups & gids).any?
+      (groups & gids).any?
     end
   end
 
@@ -74,16 +74,17 @@ class LdapFluff::Generic
   def service_bind
     unless @anon || bind?(@bind_user, @bind_pass, :search => false)
       raise UnauthenticatedException,
-            "Could not bind to #{class_name} user #{@bind_user}"
+        "Could not bind to #{class_name} user #{@bind_user}"
     end
   end
 
   private
+
   def select_member_method(search_result)
     if @use_netgroups
       :nisnetgrouptriple
     else
-      [:member, :memberuid, :uniquemember].find { |m| search_result.respond_to? m }
+      %i[member memberuid uniquemember].find { |m| search_result.respond_to? m }
     end
   end
 
@@ -114,4 +115,3 @@ class LdapFluff::Generic
   class UnauthenticatedException < LdapFluff::Error
   end
 end
-

data/lib/ldap_fluff/generic_member_service.rb

@@ -1,7 +1,6 @@
 require 'net/ldap'
 
 class LdapFluff::GenericMemberService
-
   attr_accessor :ldap
 
   def initialize(ldap, config)
@@ -11,8 +10,8 @@ class LdapFluff::GenericMemberService
     @search_filter = nil
     begin
       @search_filter = Net::LDAP::Filter.construct(config.search_filter) unless (config.search_filter.nil? || config.search_filter.empty?)
-    rescue Net::LDAP::Error => error
-      puts "Search filter unavailable - #{error}"
+    rescue Net::LDAP::Error => e
+      puts "Search filter unavailable - #{e}"
     end
   end
 
@@ -81,5 +80,4 @@ class LdapFluff::GenericMemberService
     end
     nil
   end
-
 end

data/lib/ldap_fluff/ldap_fluff.rb

@@ -20,7 +20,7 @@ class LdapFluff
   end
 
   def authenticate?(uid, password)
-    instrument('authenticate.ldap_fluff', :uid => uid) do |payload|
+    instrument('authenticate.ldap_fluff', :uid => uid) do |_payload|
       if password.nil? || password.empty?
         false
       else
@@ -30,21 +30,21 @@ class LdapFluff
   end
 
   def test
-    instrument('test.ldap_fluff') do |payload|
+    instrument('test.ldap_fluff') do |_payload|
       @ldap.ldap.open {}
     end
   end
 
   # return a list[] of users for a given gid
   def user_list(gid)
-    instrument('user_list.ldap_fluff', :gid => gid) do |payload|
+    instrument('user_list.ldap_fluff', :gid => gid) do |_payload|
       @ldap.users_for_gid(gid)
     end
   end
 
   # return a list[] of groups for a given uid
   def group_list(uid)
-    instrument('group_list.ldap_fluff', :uid => uid) do |payload|
+    instrument('group_list.ldap_fluff', :uid => uid) do |_payload|
       @ldap.groups_for_uid(uid)
     end
   end
@@ -52,35 +52,35 @@ class LdapFluff
   # return true if a user is in all of the groups
   # in grouplist
   def is_in_groups?(uid, grouplist)
-    instrument('is_in_groups?.ldap_fluff', :uid => uid, :grouplist => grouplist) do |payload|
+    instrument('is_in_groups?.ldap_fluff', :uid => uid, :grouplist => grouplist) do |_payload|
       @ldap.is_in_groups(uid, grouplist, true)
     end
   end
 
   # return true if uid exists
   def valid_user?(uid)
-    instrument('valid_user?.ldap_fluff', :uid => uid) do |payload|
+    instrument('valid_user?.ldap_fluff', :uid => uid) do |_payload|
       @ldap.user_exists? uid
     end
   end
 
   # return true if group exists
   def valid_group?(gid)
-    instrument('valid_group?.ldap_fluff', :gid => gid) do |payload|
+    instrument('valid_group?.ldap_fluff', :gid => gid) do |_payload|
       @ldap.group_exists? gid
     end
   end
 
   # return ldap entry
   def find_user(uid)
-    instrument('find_user.ldap_fluff', :uid => uid) do |payload|
+    instrument('find_user.ldap_fluff', :uid => uid) do |_payload|
       @ldap.member_service.find_user(uid)
     end
   end
 
   # return ldap entry
   def find_group(gid)
-    instrument('find_group.ldap_fluff', :gid => gid) do |payload|
+    instrument('find_group.ldap_fluff', :gid => gid) do |_payload|
       @ldap.member_service.find_group(gid)
     end
   end

data/lib/ldap_fluff/posix.rb

@@ -1,10 +1,9 @@
 class LdapFluff::Posix < LdapFluff::Generic
-
   def bind?(uid = nil, password = nil, opts = {})
     unless uid.include?(',') || opts[:search] == false
       service_bind
       user = @member_service.find_user(uid)
-      uid = user.first.dn if user && user.first
+      uid = user.first.dn if user&.first
     end
     @ldap.auth(uid, password)
     @ldap.bind
@@ -17,14 +16,14 @@ class LdapFluff::Posix < LdapFluff::Generic
     # we have to look for OUs or posixGroups within the current group scope,
     # i.e: cn=ldapusers,ou=groups,dc=example,dc=com -> cn=myusers,cn=ldapusers,ou=gr...
 
-    if @use_netgroups
-      filter = Net::LDAP::Filter.eq('objectClass', 'nisNetgroup')
-    else
-      filter = Net::LDAP::Filter.eq('objectClass','posixGroup') |
-               Net::LDAP::Filter.eq('objectClass', 'organizationalunit') |
-               Net::LDAP::Filter.eq('objectClass', 'groupOfUniqueNames') |
-               Net::LDAP::Filter.eq('objectClass', 'groupOfNames')
-    end
+    filter = if @use_netgroups
+               Net::LDAP::Filter.eq('objectClass', 'nisNetgroup')
+             else
+               Net::LDAP::Filter.eq('objectClass', 'posixGroup') |
+                 Net::LDAP::Filter.eq('objectClass', 'organizationalunit') |
+                 Net::LDAP::Filter.eq('objectClass', 'groupOfUniqueNames') |
+                 Net::LDAP::Filter.eq('objectClass', 'groupOfNames')
+             end
     groups = @ldap.search(:base => search.dn, :filter => filter)
     members = groups.map { |group| group.send(method) }.flatten.uniq