ldumbd 0.1.0

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2014 Sebastian Boehm
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/NEWS

@@ -0,0 +1,8 @@
+* ldumbd NEWS
+** 0.1.0 (2014-03-21)
+
+ - First release
+
+# Local Variables:
+# mode: org
+# End:

data/README.md

@@ -0,0 +1,75 @@
+ldumbd
+======
+
+A simple, self-contained LDAP server with a database back end.
+
+Documentation
+-------------
+
+Ldumbd is a simple, self-contained read-only LDAP server that uses PostgreSQL, MySQL/MariaDB or SQLite as a back end.
+
+Ldumbd is designed primarily to act as an LDAP gateway to a simple SQL user database for use with the `nss-pam-ldapd` Name Service Switch (NSS) module.
+
+Limitations
+-----------
+
+At the moment, ldumbd has no support for any of the following:
+
+ - LDAP schemas
+ - LDAP binds
+ - any request type other than search requests
+ - "approximately equal" operators in search filters
+
+Installation: Debian Wheezy
+---------------------------
+
+    sudo -i
+    export LDUMBD_DIR=/var/lib/ldumbd
+    mkdir -p ${LDUMBD_DIR}
+    groupadd -r ldumbd
+    useradd -r -s /bin/false -g ldumbd -d ${LDUMBD_DIR} ldumbd
+    chown ldumbd:ldumbd ${LDUMBD_DIR}
+    chmod 700 ${LDUMBD_DIR}
+    gem install ldumbd
+    export MIGRATIONS=$(dirname $(gem contents ldumbd | grep migrations/001))
+
+Database setup: SQLite
+----------------------
+
+    aptitude install libsqlite3-dev
+    gem install sqlite3
+    sudo -u ldumbd sequel -m ${MIGRATIONS} sqlite://${LDUMBD_DIR}/ldumbd.sqlite3
+
+Database setup: PostgreSQL
+--------------------------
+
+    aptitude install postgresql libpq-dev
+    sudo -u postgres createuser ldumbd
+    sudo -u postgres createdb -O ldumbd ldumbd
+    gem install pg
+    sudo -u ldumbd sequel -m ${MIGRATIONS} postgres:///ldumbd
+
+Database setup: MySQL/MariaDB
+-----------------------------
+
+    export DB_PASSWORD='secret'
+    aptitude install mysql-server libmysqlclient-dev
+    cat <<EOS | mysql -u root -p
+    CREATE DATABASE ldumbd;
+    CREATE USER 'ldumbd'@'localhost' IDENTIFIED BY 'secret';
+    GRANT ALL PRIVILEGES ON ldumbd.* TO 'ldumbd'@'localhost';
+    EOS
+    gem install mysql2
+    sequel -m ${MIGRATIONS} "mysql2://ldumbd:${DB_PASSWORD}@localhost/ldumbd"
+
+Running ldumbd
+--------------
+
+    cp ${LDUMBD_DIR}/config.yml.sample /etc/ldumbd.yml
+    $EDITOR /etc/ldumbd.yml
+    ldumbd /etc/ldumbd.yml
+
+Copyright
+---------
+
+Copyright (c) 2014 Sebastian Boehm. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,25 @@
+require 'rake/testtask'
+
+MIGRATIONS = 'db/migrations'
+DATABASE_URL = ENV['DATABASE_URL'] || 'sqlite://ldumbd-test.sqlite3'
+
+Rake::TestTask.new do |t|
+  t.pattern = 'spec/**/*_spec.rb'
+end
+
+namespace :db do
+  desc 'Run database migrations'
+  task :migrate do
+    sh "bundle exec sequel -m #{MIGRATIONS} #{DATABASE_URL}"
+  end
+
+  desc 'Drop all tables'
+  task :nuke do
+    nuke_all_tables = 'DB.tables.each {|t| DB.drop_table?(t) }'
+    sh "bundle exec sequel -m #{MIGRATIONS} -M 0 #{DATABASE_URL}"
+    sh "bundle exec sequel -c '#{nuke_all_tables}' #{DATABASE_URL}"
+  end
+
+  desc 'Reset database'
+  task :reset => [:nuke, :migrate]
+end

data/TODO.org

@@ -0,0 +1,4 @@
+* Filters
+ - add documentation for missing :approx filter
+
+* Add some simple server specs using LDAP client library

data/bin/ldumbd

@@ -0,0 +1,43 @@
+#!/usr/bin/env ruby
+
+require 'sequel'
+require 'yaml'
+
+require 'ldumbd/operation'
+require 'ldumbd/ldap_tree'
+require 'ldumbd/preforkserver'
+
+if ARGV.size != 1
+  puts 'usage: ldumbd LDUMBD_CONFIG'
+  exit false
+end
+
+begin
+  debug = ENV['DEBUG'] == '1'
+  config = YAML.load(File.read(ARGV[0]))
+  DB = Sequel.connect(config['database'])
+  require 'ldumbd/user'
+  require 'ldumbd/group'
+  DB.disconnect
+
+  ldap_tree = Ldumbd::LdapTree.new(config['basedn'])
+
+  puts "ldumbd #{Ldumbd::VERSION} starting..."
+  server = LDAP::Server.new(bindaddr: config['bind_address'],
+                            port: config['port'],
+                            nodelay: true,
+                            listen: 10,
+                            num_processes: 10,
+                            operation_class: Ldumbd::Operation,
+                            operation_args: ldap_tree,
+                            user: config['user'],
+                            group: config['group'],
+                            debug: debug)
+  server.run_preforkserver
+  trap('INT') { puts 'caught SIGINT, shutting down'; exit }
+  puts "prefork ok, resuming normal operation"
+  server.join
+rescue => e
+  $stderr.puts e.message
+  $stderr.puts e.backtrace if debug
+end

data/config.yml.sample

@@ -0,0 +1,11 @@
+#bind_address: 0.0.0.0
+#port: 1389
+#user: ldumbd
+#group: ldumbd
+basedn: dc=example,dc=org
+
+# database: postgres:///ldumbd
+
+# database: postgres://user:password@host/database
+# database: mysql2://user:password@host:port/database
+# database: sqlite:///path/to/database.sqlite3

data/db/migrations/001_create_users.rb

@@ -0,0 +1,12 @@
+Sequel.migration do
+  change do
+    create_table(:users) do
+      primary_key :id
+      String      :name,     size:  32, null: false, unique: true
+      String      :realname, size:  64, null: false, default: ''
+      String      :shell,    size:  32, null: false, default: '/bin/false'
+      String      :homedir,  size: 128, null: false
+      index       :name
+    end
+  end
+end

data/db/migrations/002_create_groups.rb

@@ -0,0 +1,9 @@
+Sequel.migration do
+  change do
+    create_table(:groups) do
+      primary_key :id
+      String      :name, size: 32, null: false, unique: true
+      index       :name
+    end
+  end
+end

data/db/migrations/003_add_user_group_id.rb

@@ -0,0 +1,20 @@
+Sequel.migration do
+  nogroup_gid = 65534
+
+  up do
+    self[:groups].insert(id: nogroup_gid, name: 'nogroup')
+    alter_table(:users) do
+      add_foreign_key :group_id, :groups, null: false, default: nogroup_gid
+      # MySQL automatically adds indexes for foreign key columns
+      add_index :group_id unless DB.database_type == :mysql
+    end
+  end
+
+  down do
+    alter_table(:users) do
+      drop_index :group_id unless DB.database_type == :mysql
+      drop_foreign_key :group_id
+    end
+    self[:groups].where(id: nogroup_gid).delete
+  end
+end

data/db/migrations/004_create_groups_users.rb

@@ -0,0 +1,10 @@
+Sequel.migration do
+  change do
+    create_table(:groups_users) do
+      foreign_key :group_id, :groups, null: false
+      foreign_key :user_id, :users, null: false
+      primary_key [:group_id, :user_id]
+      index :user_id
+    end
+  end
+end

data/db/migrations/005_set_uid_and_gid_start_value.rb

@@ -0,0 +1,59 @@
+def set_min_max_value_commands(dbtype, min, max)
+  case dbtype
+  when :postgres
+    options = "start #{min} restart #{min} minvalue #{min} maxvalue #{max}"
+    ["alter sequence users_id_seq #{options};",
+     "alter sequence groups_id_seq #{options};"]
+  when :sqlite
+    id = min-1
+    name = '#dummyname#'
+    dir = '#dummydir#'
+    ["insert into users(id, name, homedir) values(#{id}, '#{name}', '#{dir}');",
+     "delete from users where id = #{id};",
+     "insert into groups(id, name) values(#{id}, '#{name}');",
+     "delete from groups where id = #{id};"]
+  when :mysql
+    ["alter table users auto_increment = #{min};",
+     "alter table groups auto_increment = #{min};"]
+  else
+    raise Sequel::Error, "database type '#{dbtype}' not supported"
+  end
+end
+
+def reset_min_max_value_commands(dbtype, next_uid, next_gid)
+  case dbtype
+  when :postgres
+    ["alter sequence users_id_seq start #{next_uid} restart #{next_uid} \
+       no minvalue no maxvalue;",
+     "alter sequence groups_id_seq start #{next_gid} restart #{next_gid} \
+       no minvalue no maxvalue;"]
+  when :sqlite
+    ["delete from sqlite_sequence where name = 'users';",
+     "delete from sqlite_sequence where name = 'groups';"]
+  when :mysql
+    ["alter table users auto_increment = #{next_uid};",
+     "alter table groups auto_increment = #{next_gid};"]
+  else
+    raise Sequel::Error, "database type '#{dbtype}' not supported"
+  end
+end
+
+Sequel.migration do
+  dbtype = DB.database_type
+  min_id = 100_000
+  max_id = 200_000
+
+  up do
+    set_min_max_value_commands(dbtype, min_id, max_id).each do |command|
+      run command
+    end
+  end
+
+  down do
+    next_uid = self[:users].max(:id).to_i + 1
+    next_gid = self[:groups].max(:id).to_i + 1
+    reset_min_max_value_commands(dbtype, next_uid, next_gid).each do |command|
+      run command
+    end
+  end
+end

data/ldumbd.gemspec

@@ -0,0 +1,42 @@
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+require 'ldumbd/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'ldumbd'
+  spec.version       = Ldumbd::VERSION
+  spec.author        = 'Sebastian Boehm'
+  spec.email         = 'sebastian@sometimesfood.org'
+
+  spec.summary       = %q{A simple, self-contained LDAP server}
+  spec.homepage      = 'https://github.com/sometimesfood/ldumbd'
+  spec.license       = 'MIT'
+  spec.description   = <<EOS
+Ldumbd is a simple, self-contained read-only LDAP server that uses
+PostgreSQL, MySQL/MariaDB or SQLite as a back end.
+EOS
+
+  spec.files         = `git ls-files -z`.split("\0") &
+    Dir['config.yml.sample',
+        'Gemfile',
+        'ldumbd.gemspec',
+        'LICENSE',
+        'NEWS',
+        'Rakefile',
+        'README.md',
+        'TODO.org',
+        '{bin,lib,db,spec}/**/*']
+  spec.executables   = ['ldumbd']
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+
+  spec.add_dependency 'ruby-ldapserver', '~> 0.5.0'
+  spec.add_dependency 'sequel', '~> 4.7.0'
+
+  spec.add_development_dependency 'sqlite3', '~> 1.3.9'
+  spec.add_development_dependency 'pg', '~> 0.17.1'
+  spec.add_development_dependency 'mysql2', '~> 0.3.15'
+  spec.add_development_dependency 'rake', '~> 10.0.4'
+  spec.add_development_dependency 'net-ldap', '~> 0.3.1'
+  spec.add_development_dependency 'minitest', '~> 5.3.0'
+end

data/lib/ldumbd/filter_converter.rb

@@ -0,0 +1,190 @@
+require 'ldumbd/table_map'
+
+module Ldumbd
+  class FilterConverter
+    # Public: Converts a parsed LDAP filter to a Sequel dataset filter.
+    #
+    # base_model: The dataset's base model.
+    # filter: A parsed LDAP filter.
+    #
+    # Examples
+    #
+    #   base_model = User
+    #   filter = [:and,
+    #              [:eq, 'uid', nil, 'john'],
+    #              [:ge, 'uidNumber', nil, '1000']]
+    #   base_model.where(Ldumbd::FilterConverter.filter_to_sequel(base_model,
+    #                                                             filter)).sql
+    #   # => "SELECT * FROM \"users\" WHERE ((\"users\".\"name\" = 'john') AND (\"users\".\"id\" >= '1000'))"
+    #
+    # Returns a Sequel dataset filter.
+    def self.filter_to_sequel(base_model, filter)
+      filter = filter.dup
+      op = filter.shift
+      case op
+      when :and, :or, :not
+        nested_filter_to_sequel(base_model, filter, op)
+      when :true, :false, :eq, :ge, :le, :present, :substrings
+        simple_filter_to_sequel(base_model, filter, op)
+      else
+        raise 'not implemented yet'
+      end
+    end
+
+    private
+    # Internal: Transforms a nested filter expression into a
+    #           Sequel::SQL::BooleanExpression
+    #
+    # base_model: The dataset's base model.
+    # filters: An array of parsed LDAP filters.
+    # op: The type of nested filter, i.e. :or, :and or :not.
+    #
+    # Examples
+    #
+    #   base_model = User
+    #   filters = [[:eq, 'uid', nil, 'john'],
+    #              [:ge, 'uidNumber', nil, '1000']]
+    #   op = :and
+    #   query = Ldumbd::FilterConverter.nested_filter_to_sequel(base_model,
+    #                                                           filters,
+    #                                                           op)
+    #   base_model.where(query).sql
+    #   # => "SELECT * FROM \"users\" WHERE ((\"users\".\"name\" = 'john') AND (\"users\".\"id\" >= '1000'))"
+    def self.nested_filter_to_sequel(base_model, filters, op)
+      case op
+      when :and
+        Sequel.&(*filters.map { |f| filter_to_sequel(base_model, f) })
+      when :or
+        Sequel.|(*filters.map { |f| filter_to_sequel(base_model, f) })
+      when :not
+        raise ArgumentError, 'Too many :not arguments' unless filters.size == 1
+        subfilter = filters[0]
+        # ... id NOT IN (SELECT id FROM ...)
+        Sequel.~(id: base_model.where(filter_to_sequel(base_model,
+                                                       subfilter)).select(:id))
+      end
+    end
+
+    # Internal: Transforms a non-nested filter expression into a sequel
+    #           dataset filter.
+    #
+    # base_model: The dataset's base model.
+    # filter: A parsed LDAP filter without a filter operator.
+    # op: The filter type, e.g. :eq, :le, :ge, ...
+    #
+    # Examples
+    #
+    #   base_model = User
+    #   filter = ['uid', nil, 'john']
+    #   op = :eq
+    #   query = Ldumbd::FilterConverter.simple_filter_to_sequel(base_model,
+    #                                                           filter,
+    #                                                           op)
+    #   base_model.where(query).sql
+    #   # => "SELECT * FROM \"users\" WHERE (\"users\".\"name\" = 'john')"
+    def self.simple_filter_to_sequel(base_model, filter, op)
+      key, value = extract_key_value(base_model, filter, op)
+      return { key => value } if key == :users
+      return oc_match?(base_model, op, value) if key == :object_class
+
+      case op
+      when :true
+        true
+      when :false
+        false
+      when :eq
+        # TODO: no case insensitive search support yet
+        #    User.where(Sequel.function(:lower, :name) => v.downcase)
+        { key => value }
+      when :le
+        Sequel.expr(key) <= Sequel.expr(value)
+      when :ge
+        Sequel.expr(key) >= Sequel.expr(value)
+      when :present
+        !key.nil?
+      when :substrings
+        Sequel.like(key, value)
+      end
+    end
+
+    # Internal: Extracts keys and values or Sequel filters for use in
+    #           simple filters.
+    #
+    # model: The dataset's model.
+    # filter: A parsed LDAP filter without a filter operator.
+    # op: The filter type, e.g. :eq, :le, :ge, ...
+    #
+    # Examples
+    #
+    #   model = User
+    #   filter = ['uid', nil, 'john']
+    #   op = :eq
+    #   Ldumbd::FilterConverter.extract_key_value(model, filter, op)
+    #   # => [:users__name, "john"]
+    def self.extract_key_value(model, filter, op)
+      ldap_value = filter[2..-1] || []
+      key = extract_key(model, filter)
+
+      value = if key == :users
+                User.where(filter_to_sequel(User, [op, 'uid', nil, ldap_value]))
+              elsif op == :substrings
+                ldap_value.join('%')
+              else
+                ldap_value[0]
+              end
+
+      return key, value
+    end
+
+    # Internal: Extracts LDAP keys from parsed LDAP filters and
+    #           converts them to SQL attributes.
+    #
+    # model: The dataset model.
+    # filter: A parsed LDAP filter without a filter operator.
+    #
+    # Examples
+    #
+    #   model = User
+    #   filter = ['uid', nil, 'john']
+    #   Ldumbd::FilterConverter.extract_key(model, filter)
+    #   # => :users__name
+    def self.extract_key(model, filter)
+      ldap_key = filter[0]
+      if ldap_key == 'objectClass'
+        # object classes are not saved in the database
+        :object_class
+      else
+        TableMap.db_key(model, ldap_key)
+      end
+    end
+
+    # Internal: Checks whether a model matches a target object class.
+    #
+    # model: The model.
+    # op: An LDAP filter operator, i.e. :eq, :le, :ge or :substrings.
+    # target_oc: The target object class.
+    #
+    # Examples
+    #
+    #   Ldumbd::FilterConverter.oc_match?(User, :ge, 'posixA')
+    #   # => true
+    #
+    #   Ldumbd::FilterConverter.oc_match?(Group, :eq, 'nonexistent')
+    #   # => false
+    def self.oc_match?(model, op, target_oc)
+      object_classes = TableMap.object_classes(model)
+
+      case op
+      when :eq
+        object_classes.any? { |oc| oc == target_oc }
+      when :le
+        object_classes.any? { |oc| oc <= target_oc }
+      when :ge
+        object_classes.any? { |oc| oc >= target_oc }
+      when :substrings
+        target_oc_re = /\A#{Regexp.escape(target_oc).gsub('%', '.*')}\Z/
+        object_classes.any? { |oc| oc =~ target_oc_re }
+      end
+    end
+  end
+end

data/lib/ldumbd/group.rb

@@ -0,0 +1,3 @@
+class Group < Sequel::Model
+  many_to_many :users
+end

data/lib/ldumbd/ldap_tree.rb

@@ -0,0 +1,44 @@
+require 'ldumbd/tree_object'
+
+module Ldumbd
+  class LdapTree
+    def find_by_dn(dn)
+      object = @tree[dn]
+      unless object
+        object = TreeObject.by_dn(@basedn, dn)
+      end
+      object or raise LDAP::ResultError::NoSuchObject
+    end
+
+    def initialize(basedn)
+      @basedn = basedn
+      /\Adc=(?<dc>[^,]*)/ =~ basedn
+      root = TreeObject.new({ 'dn_prefix' => '',
+                              'dc' => dc,
+                              'objectClass' => ['top', 'domain']})
+      people = TreeObject.new({ 'dn_prefix' => 'ou=People',
+                                'ou' => 'People',
+                                'objectClass' => ['top',
+                                                  'organizationalUnit'] })
+      groups = TreeObject.new({ 'dn_prefix' => 'ou=Groups',
+                                'ou' => 'Groups',
+                                'objectClass' => ['top',
+                                                  'organizationalUnit'] })
+      root.children << people
+      root.children << groups
+      people.children << User
+      groups.children << Group
+
+      @tree = Hash[
+                   [root, people, groups].map do |object|
+                     dn_prefix = object.attributes['dn_prefix']
+                     [dn(dn_prefix), object]
+                   end
+                  ]
+    end
+
+    def dn(dn_prefix)
+      [dn_prefix, @basedn].reject(&:empty?).join(',')
+    end
+  end
+end

data/lib/ldumbd/operation.rb

@@ -0,0 +1,61 @@
+require 'ldap/server'
+
+module Ldumbd
+  class Operation < LDAP::Server::Operation
+    def initialize(connection, messageID, ldap_tree)
+      super(connection, messageID)
+      @ldap_tree = ldap_tree
+    end
+
+    def search(basedn, scope, deref, filter)
+      search_results(basedn, scope, deref, filter) do |ldap_object|
+        dn = @ldap_tree.dn(ldap_object['dn_prefix'])
+        object = ldap_object.reject { |k, v| k == 'dn_prefix' }
+        send_SearchResultEntry(dn, object)
+      end
+    end
+
+    private
+    def search_results(basedn, scope, deref, filter, &block)
+      case scope
+      when LDAP::Server::BaseObject
+        search_results_baseobject(basedn, filter, &block)
+      when LDAP::Server::SingleLevel
+        search_results_singlelevel(basedn, filter, &block)
+      when LDAP::Server::WholeSubtree
+        search_results_subtree(basedn, filter, &block)
+      else
+        raise LDAP::ResultError::UnwillingToPerform, 'Invalid search scope'
+      end
+    end
+
+    def search_results_baseobject(basedn, filter, &block)
+      # the base object only
+      object = @ldap_tree.find_by_dn(basedn)
+      if object.matches_filter?(filter) && block_given?
+        block.call(TableMap.sequel_to_ldap_object(object.attributes))
+      end
+    end
+
+    def search_results_singlelevel(basedn, filter, &block)
+      # objects immediately subordinate to the base object; does not
+      # include the base object itself.
+      object = @ldap_tree.find_by_dn(basedn)
+      object.each_child(filter) do |r|
+        block.call(TableMap.sequel_to_ldap_object(r)) if block_given?
+      end
+    end
+
+    def search_results_subtree(basedn, filter, &block)
+      # base object and the entire subtree, also includes the base
+      # object itself.
+      object = @ldap_tree.find_by_dn(basedn)
+      if object.matches_filter?(filter) && block_given?
+        block.call(TableMap.sequel_to_ldap_object(object.attributes))
+      end
+      object.each_child(filter, true) do |r|
+        block.call(TableMap.sequel_to_ldap_object(r)) if block_given?
+      end
+    end
+  end # Operation
+end # Ldumbd