ldaptic 0.2.0

data/lib/ldaptic/adapters/abstract_adapter.rb

@@ -0,0 +1,123 @@
+require 'ldaptic/escape'
+require 'ldaptic/errors'
+
+module Ldaptic
+  module Adapters
+    # Subclasse must implement search, add, modify, delete, and rename.  These
+    # methods should return 0 on success and non-zero on failure.  The failure
+    # code is intended to be the server error code.  If this is unavailable,
+    # return -1.
+    class AbstractAdapter
+
+      # When implementing an adapter, +register_as+ must be called to associate
+      # the adapter with a name.  The adapter name must mimic the filename.
+      # The following might be found in ldaptic/adapters/some_adapter.rb.
+      #
+      #   class SomeAdapter < AbstractAdapter
+      #     register_as(:some)
+      #   end
+      def self.register_as(name)
+        require 'ldaptic/adapters'
+        Ldaptic::Adapters.register(name, self)
+      end
+
+      def initialize(options)
+        @options = options
+      end
+
+      # The server's RootDSE.  +attrs+ is an array specifying which attributes
+      # to return.
+      def root_dse(attrs = nil)
+        result = search(
+          :base => "",
+          :scope => Ldaptic::SCOPES[:base],
+          :filter => "(objectClass=*)",
+          :attributes => attrs && [attrs].flatten.map {|a| Ldaptic.encode(a)},
+          :disable_pagination => true
+        ) { |x| break x }
+        return if result.kind_of?(Fixnum)
+        if attrs.kind_of?(Array) || attrs.nil?
+          result
+        else
+          result[attrs]
+        end
+      end
+
+      def schema(attrs = nil)
+        @subschema_dn ||= root_dse(['subschemaSubentry'])['subschemaSubentry'].first
+        search(
+          :base => @subschema_dn,
+          :scope => Ldaptic::SCOPES[:base],
+          :filter => "(objectClass=subschema)",
+          :attributes => attrs
+        ) { |x| return x }
+        nil
+      end
+
+      # Returns the first of the +namingContexts+ found in the RootDSE.
+      def server_default_base_dn
+        unless defined?(@naming_contexts)
+          @naming_contexts = root_dse(%w(namingContexts))
+        end
+        if @naming_contexts
+          @naming_contexts["namingContexts"].to_a.first
+        end
+      end
+
+      alias default_base_dn server_default_base_dn
+
+      # Returns a hash of attribute types, keyed by both OID and name.
+      def attribute_types
+        @attribute_types ||= construct_schema_hash('attributeTypes',
+          Ldaptic::Schema::AttributeType)
+      end
+
+      def attribute_type(key = nil)
+        if key
+          attribute_types[key] || attribute_types.values.detect do |at|
+            at.names.map {|n| n.downcase}.include?(key.downcase)
+          end
+        else
+          attribute_types.values.uniq
+        end
+      end
+
+      # Returns a hash of DIT content rules, keyed by both OID and name.
+      def dit_content_rules
+        @dit_content_rules ||= construct_schema_hash('dITContentRules',
+          Ldaptic::Schema::DITContentRule)
+      end
+
+      # Returns a hash of object classes, keyed by both OID and name.
+      def object_classes
+        @object_classes ||= construct_schema_hash('objectClasses',
+          Ldaptic::Schema::ObjectClass)
+      end
+
+      # Default compare operation, emulated with a search.
+      def compare(dn, attr, value)
+        search(:base => dn, :scope => Ldaptic::SCOPES[:base], :filter => "(#{attr}=#{Ldaptic.escape(value)})") { return true }
+        false
+      end
+
+      def logger
+        @logger || Ldaptic.logger
+      end
+
+      private
+
+      def construct_schema_hash(element, klass)
+        @schema_hash ||= schema(['attributeTypes', 'dITContentRules', 'objectClasses'])
+        @schema_hash[element.to_s].to_a.inject({}) do |hash, val|
+          object = klass.new(val)
+          hash[object.oid] = object
+          Array(object.name).each do |name|
+            hash[name] = object
+          end
+          hash
+        end
+      end
+
+    end
+  end
+end

data/lib/ldaptic/adapters/active_directory_adapter.rb

@@ -0,0 +1,78 @@
+require 'ldaptic/adapters/ldap_conn_adapter'
+require 'ldaptic/adapters/active_directory_ext'
+
+module Ldaptic
+  module Adapters
+    # ActiveDirectoryAdapter is a LDAPConnAdapter with some Active Directory
+    # specific behaviors.  To help mitigate server timeout issues, this adapter
+    # binds on each request and unbinds afterwards.  For search requests, the
+    # adapter connects to the global catalog on port 3268 instead of the usual
+    # port 389.  The global catalog is read-only but is a bit more flexible
+    # when it comes to searching.
+    #
+    # Active Directory servers can also be connected to with the Net::LDAP
+    # adapter.
+    class ActiveDirectoryAdapter < LDAPConnAdapter
+      register_as(:active_directory)
+
+      def initialize(options)
+        super
+        if @connection
+          @options[:connection] = @connection = nil
+        end
+      end
+
+      # Returns either the +defaultNamingContext+ (Active Directory specific)
+      # or the first of the +namingContexts+ found in the RootDSE.
+      def server_default_base_dn
+        unless defined?(@naming_contexts)
+          @naming_contexts = root_dse(%w(defaultNamingContext namingContexts))
+        end
+        if @naming_contexts
+          @naming_contexts["defaultNamingContext"].to_a.first ||
+            @naming_contexts["namingContexts"].to_a.first
+        end
+      end
+
+      private
+
+      def full_username(username)
+        if username.kind_of?(Hash)
+          super
+        elsif username && username !~ /[\\=@]/
+          if @options[:domain].include?(".")
+            username = [username, @options[:domain]].join("@")
+          elsif @options[:domain]
+            username = [@options[:domain], username].join("\\")
+          else
+            conn = new_connection(3268)
+            dn = conn.search2("", 0, "(objectClass=*", ['defaultNamingContext']).first['defaultNamingContext']
+            if dn
+              domain = Ldaptic::DN(dn).rdns.map {|rdn| rdn[:dc]}.compact
+              unless domain.empty?
+                username = [username, domain.join(".")].join("@")
+              end
+            end
+          end
+        end
+        username
+      end
+
+      def with_port(port, &block)
+        conn = new_connection(port)
+        bind_connection(conn, @options[:username], @options[:password]) do
+          with_conn(conn, &block)
+        end
+      end
+
+      def with_reader(&block)
+        with_port(3268, &block)
+      end
+
+      def with_writer(&block)
+        with_port(389, &block)
+      end
+
+    end
+  end
+end

data/lib/ldaptic/adapters/active_directory_ext.rb

@@ -0,0 +1,12 @@
+# Converts an integer representing the number of microseconds since January 1,
+# 1600 to a DateTime.
+def DateTime.microsoft(tinies)
+  new(1601,1,1).new_offset(Time.now.utc_offset/60/60/24.0) + tinies/1e7/60/60/24
+end
+
+# Converts an integer representing the number of microseconds since January 1,
+# 1600 to a Time.
+def Time.microsoft(tinies)
+  dt = DateTime.microsoft(tinies)
+  Time.local(dt.year,dt.mon,dt.day,dt.hour,dt.min,dt.sec,dt.sec_fraction*60*60*24*1e6)
+end

data/lib/ldaptic/adapters/ldap_conn_adapter.rb

@@ -0,0 +1,262 @@
+require 'ldaptic/adapters/abstract_adapter'
+
+module Ldaptic
+  module Adapters
+    class LDAPConnAdapter < AbstractAdapter
+      register_as(:ldap_conn)
+
+      def initialize(options)
+        require 'ldap'
+        if defined?(::LDAP::Conn) && options.kind_of?(::LDAP::Conn)
+          options = {:adapter => :ldap_conn, :connection => options}
+        else
+          options = options.dup
+        end
+        options[:version] ||= 3
+        @options = options
+        if @connection = @options.delete(:connection)
+          begin
+            host, port = @connection.get_option(::LDAP::LDAP_OPT_HOST_NAME).split(':')
+            @options[:host] ||= host
+            @options[:port] ||= port.to_i if port
+          rescue
+          end
+        else
+          if username = @options.delete(:username)
+            @options[:username] = full_username(username)
+          end
+          if @options[:username]
+            connection = new_connection
+            bind_connection(connection, @options[:username], @options[:password])
+            connection.unbind
+          end
+        end
+        @logger = @options.delete(:logger)
+        super(@options)
+      end
+
+      def add(dn, attributes)
+        with_writer do |conn|
+          conn.add(dn, attributes)
+        end
+      end
+
+      def modify(dn, attributes)
+        if attributes.kind_of?(Array)
+          attributes = attributes.map do |(op, key, vals)|
+            LDAP::Mod.new(mod(op) | LDAP::LDAP_MOD_BVALUES, key, vals)
+          end
+        end
+        with_writer do |conn|
+          conn.modify(dn, attributes)
+        end
+      end
+
+      def delete(dn)
+        with_writer do |conn|
+          conn.delete(dn)
+        end
+      end
+
+      def rename(dn, new_rdn, delete_old, new_superior = nil)
+        with_writer do |conn|
+          if new_superior
+            # This is from a patch I hope to get accepted upstream.
+            if conn.respond_to?(:rename)
+              conn.rename(dn, new_rdn, new_superior, delete_old)
+            else
+              Ldaptic::Errors.raise(NotImplementedError.new("rename unsupported"))
+            end
+          else
+            conn.modrdn(dn, new_rdn, delete_old)
+          end
+        end
+      end
+
+      def compare(dn, attr, value)
+        with_reader do |conn|
+          conn.compare(dn, attr, value)
+        end
+      rescue Ldaptic::Errors::CompareFalse
+        false
+      rescue Ldaptic::Errors::CompareTrue
+        true
+      end
+
+      def search(options = {}, &block)
+        parameters = search_parameters(options)
+        with_reader do |conn|
+          begin
+            if options[:limit]
+              # Some servers don't support this option.  If that happens, the
+              # higher level interface will simulate it.
+              conn.set_option(LDAP::LDAP_OPT_SIZELIMIT, options[:limit]) rescue nil
+            end
+            cookie = ""
+            while cookie
+              ctrl = paged_results_control(cookie)
+              if !options[:disable_pagination] && paged_results?
+                conn.set_option(LDAP::LDAP_OPT_SERVER_CONTROLS, [ctrl])
+              end
+              params = parameters
+              result = conn.search2(*params, &block)
+              ctrl   = conn.controls.detect {|c| c.oid == ctrl.oid}
+              cookie = ctrl && ctrl.decode.last
+              cookie = nil if cookie.to_s.empty?
+            end
+          ensure
+            conn.set_option(LDAP::LDAP_OPT_SERVER_CONTROLS, []) rescue nil
+            conn.set_option(LDAP::LDAP_OPT_SIZELIMIT, 0) rescue nil
+          end
+        end
+      end
+
+      def authenticate(dn, password)
+        conn = new_connection
+        bind_connection(conn, full_username(dn) || "", password)
+        true
+      rescue ::LDAP::ResultError => exception
+        message = exception.message
+        err = error_for_message(message)
+        unless err == 49 # Invalid credentials
+          Ldaptic::Errors.raise_unless_zero(err, message)
+        end
+        false
+      ensure
+        conn.unbind rescue nil
+      end
+
+      def default_base_dn
+        @options[:base] || server_default_base_dn
+      end
+
+      private
+
+      def paged_results?
+        if @paged_results.nil?
+          @paged_results = root_dse('supportedControl').to_a.include?(CONTROL_PAGEDRESULTS)
+        end
+        @paged_results
+      end
+
+      # ::LDAP::LDAP_CONTROL_PAGEDRESULTS,
+      CONTROL_PAGEDRESULTS = "1.2.840.113556.1.4.319"
+
+      def paged_results_control(cookie = "", size = 126)
+        require 'ldap/control'
+        # values above 126 cause problems for slapd, as determined by net/ldap
+        ::LDAP::Control.new(
+          CONTROL_PAGEDRESULTS,
+          ::LDAP::Control.encode(size, cookie),
+          true
+        )
+      end
+
+      def search_parameters(options = {})
+        case options[:sort]
+        when Proc, Method then s_attr, s_proc = nil, options[:sort]
+        else s_attr, s_proc = options[:sort], nil
+        end
+        [
+          options[:base],
+          options[:scope],
+          options[:filter],
+          options[:attributes] && Array(options[:attributes]),
+          options[:attributes_only],
+          options[:timeout].to_i,
+          ((options[:timeout].to_f % 1) * 1e6).round,
+          s_attr.to_s,
+          s_proc
+        ]
+      end
+
+      def new_connection(default_port = nil)
+        if @options[:tls].nil?
+          conn = ::LDAP::Conn.new(
+            @options[:host]||"localhost",
+            *[@options[:port] || default_port].compact
+          )
+        else
+          conn = ::LDAP::SSLConn.new(
+            @options[:host]||"localhost",
+            @options[:port] || default_port || ::LDAP::LDAP_PORT,
+            @options[:tls]
+          )
+        end
+        conn.set_option(::LDAP::LDAP_OPT_PROTOCOL_VERSION, @options[:version])
+        conn
+      end
+
+      def bind_connection(conn, dn, password, &block)
+        if dn
+          password = password.call if password.respond_to?(:call)
+          conn.bind(dn, password, *[@options[:method]].compact, &block)
+        else
+          block_given? ? yield(conn) : conn
+        end
+      end
+
+      def full_username(username)
+        if username.kind_of?(Hash)
+          base = Ldaptic::DN(default_base_dn || "")
+          base / username
+        else
+          username
+        end
+      end
+
+      def with_reader(&block)
+        if @connection
+          with_conn(@connection, &block)
+        else
+          conn = new_connection
+          bind_connection(conn, @options[:username], @options[:password]) do
+            with_conn(conn, &block)
+          end
+        end
+      end
+
+      alias with_writer with_reader
+
+      def with_conn(conn, &block)
+        err, message, result = 0, nil, nil
+        begin
+          result = yield conn
+        rescue ::LDAP::ResultError => exception
+          message = exception.message
+          err = error_for_message(message)
+        end
+        conn_err = conn.err.to_i
+        if err.zero? && !conn_err.zero?
+          err = conn_err
+          message = conn.err2string(err) rescue nil
+        end
+        Ldaptic::Errors.raise_unless_zero(err, message)
+        result
+      end
+
+      # LDAP::Conn only gives us a worthless string rather than a real error
+      # code on exceptions.
+      def error_for_message(msg)
+        unless @errors
+          with_reader do |conn|
+            @errors = (0..127).inject({}) do |h, err|
+              h[conn.err2string(err)] = err; h
+            end
+          end
+          @errors.delete("Unknown error")
+        end
+        @errors[msg]
+      end
+
+      def mod(symbol)
+        {
+          :add     => LDAP::LDAP_MOD_ADD,
+          :replace => LDAP::LDAP_MOD_REPLACE,
+          :delete  => LDAP::LDAP_MOD_DELETE
+        }[symbol]
+      end
+
+    end
+  end
+end