omniauth-ldap2 1.0.4

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 37117fed333df2253ff06ce7800decc9b1626a6b
+  data.tar.gz: d934972fa031cc1facd90686888e86d4cf277c70
+SHA512:
+  metadata.gz: fd88f413e0a42b3841e997830220b869e3f9e46984e603f9a41c57601d6e60eb7f8ddcf0f8eaed2222ec72a73396c0551ef1426661ca31f58dae099e4b625503
+  data.tar.gz: d39124abda5ad9430fb504bf0c8ae35b300de39b5b51b83439d43967fb1d8ebbd399b3eaf9092a417cfb33d4038a5770138a0766e85e88a2ad06b997756d4dd3

data/.gitignore

@@ -0,0 +1,3 @@
+.project
+coverage
+/Gemfile.lock

data/.rspec

@@ -0,0 +1 @@
+--colour

data/Gemfile

@@ -0,0 +1,11 @@
+source 'http://rubygems.org'
+
+gemspec
+
+group :development, :test do
+  gem 'guard'
+  gem 'guard-rspec'
+  gem 'guard-bundler'
+  gem 'growl'
+  gem 'rb-fsevent'
+end

data/Guardfile

@@ -0,0 +1,11 @@
+guard 'rspec', :version => 2 do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { "spec" }
+end
+
+
+guard 'bundler' do
+  watch('Gemfile')
+  watch(/^.+\.gemspec/)
+end

data/README.md

@@ -0,0 +1,71 @@
+# OmniAuth LDAP
+
+== LDAP
+
+Use the LDAP strategy as a middleware in your application:
+
+    use OmniAuth::Strategies::LDAP, 
+        :title => "My LDAP", 
+        :host => '10.101.10.1',
+        :port => 389,
+        :method => :plain,
+        :base => 'dc=intridea, dc=com',
+        :uid => 'sAMAccountName',
+        :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')},
+        :bind_dn => 'default_bind_dn',
+        # Or, alternatively:
+        #:filter => '(&(uid=%{username})(memberOf=cn=myapp-users,ou=groups,dc=example,dc=com))'
+        :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')}
+        :bind_dn => 'default_bind_dn'
+        :password => 'password'
+
+All of the listed options are required, with the exception of :title, :name_proc, :bind_dn, and :password.
+Allowed values of :method are: :plain, :ssl, :tls.
+
+:bind_dn and :password is the default credentials to perform user lookup.
+  most LDAP servers require that you supply a complete DN as a binding-credential, along with an authenticator
+  such as a password. But for many applications, you often don’t have a full DN to identify the user. 
+  You usually get a simple identifier like a username or an email address, along with a password. 
+  Since many LDAP servers don't allow anonymous access, search function will require a bound connection, 
+  :bind_dn and :password will be required for searching on the username or email to retrieve the DN attribute 
+  for the user. If the LDAP server allows anonymous access, you don't need to provide these two parameters.
+
+:uid is the LDAP attribute name for the user name in the login form. 
+  typically AD would be 'sAMAccountName' or 'UserPrincipalName', while OpenLDAP is 'uid'.
+
+:filter is the LDAP filter used to search the user entry. It can be used in place of :uid for more flexibility.
+  `%{username}` will be replaced by the user name processed by :name_proc.
+
+:name_proc allows you to match the user name entered with the format of the :uid attributes. 
+  For example, value of 'sAMAccountName' in AD contains only the windows user name. If your user prefers using 
+  email to login, a name_proc as above will trim the email string down to just the windows login name. 
+  In summary, use :name_proc to fill the gap between the submitted username and LDAP uid attribute value.
+ 
+:try_sasl and :sasl_mechanisms are optional. :try_sasl [true | false], :sasl_mechanisms ['DIGEST-MD5' | 'GSS-SPNEGO']
+  Use them to initialize a SASL connection to server. If you are not familiar with these authentication methods, 
+  please just avoid them.
+
+Direct users to '/auth/ldap' to have them authenticated via your company's LDAP server.
+
+
+## License
+
+Copyright (C) 2011 by Ping Yu and Intridea, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,9 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+require 'rspec/core/rake_task'
+
+desc 'Default: run specs.'
+task :default => :spec
+
+desc "Run specs"
+RSpec::Core::RakeTask.new

data/lib/omniauth-ldap.rb

@@ -0,0 +1,4 @@
+require "omniauth-ldap/version"
+require "omniauth-ldap/adaptor"
+require 'omniauth/strategies/ldap'
+

data/lib/omniauth-ldap/adaptor.rb

@@ -0,0 +1,147 @@
+#this code borrowed pieces from activeldap and net-ldap
+
+require 'rack'
+require 'net/ldap'
+require 'net/ntlm'
+require 'sasl'
+require 'kconv'
+module OmniAuth
+  module LDAP
+    class Adaptor
+      class LdapError < StandardError; end
+      class ConfigurationError < StandardError; end
+      class AuthenticationError < StandardError; end
+      class ConnectionError < StandardError; end
+
+      VALID_ADAPTER_CONFIGURATION_KEYS = [:host, :port, :method, :bind_dn, :password, :try_sasl, :sasl_mechanisms, :uid, :base, :allow_anonymous, :filter]
+
+      # A list of needed keys. Possible alternatives are specified using sub-lists.
+      MUST_HAVE_KEYS = [:host, :port, :method, [:uid, :filter], :base]
+
+      METHOD = {
+        :ssl => :simple_tls,
+        :tls => :start_tls,
+        :plain => nil,
+      }
+
+      attr_accessor :bind_dn, :password
+      attr_reader :connection, :uid, :base, :auth, :filter
+      def self.validate(configuration={})
+        message = []
+        MUST_HAVE_KEYS.each do |names|
+          names = [names].flatten
+          missing_keys = names.select{|name| configuration[name].nil?}
+          if missing_keys == names
+            message << names.join(' or ')
+          end
+        end
+        raise ArgumentError.new(message.join(",") +" MUST be provided") unless message.empty?
+      end
+      def initialize(configuration={})
+        Adaptor.validate(configuration)
+        @configuration = configuration.dup
+        @configuration[:allow_anonymous] ||= false
+        @logger = @configuration.delete(:logger)
+        VALID_ADAPTER_CONFIGURATION_KEYS.each do |name|
+          instance_variable_set("@#{name}", @configuration[name])
+        end
+        method = ensure_method(@method)
+        config = {
+          :host => @host,
+          :port => @port,
+          :encryption => method,
+          :base => @base
+        }
+        @bind_method = @try_sasl ? :sasl : (@allow_anonymous||!@bind_dn||!@password ? :anonymous : :simple)
+
+
+        @auth = sasl_auths({:username => @bind_dn, :password => @password}).first if @bind_method == :sasl
+        @auth ||= { :method => @bind_method,
+                    :username => @bind_dn,
+                    :password => @password
+                  }
+        config[:auth] = @auth
+        @connection = Net::LDAP.new(config)
+      end
+
+      #:base => "dc=yourcompany, dc=com",
+      # :filter => "(mail=#{user})",
+      # :password => psw
+      def bind_as(args = {})
+        result = false
+        @connection.open do |me|
+          rs = me.search args
+          if rs and rs.first and dn = rs.first.dn
+            password = args[:password]
+            method = args[:method] || @method
+            password = password.call if password.respond_to?(:call)
+            if method == 'sasl'
+            result = rs.first if me.bind(sasl_auths({:username => dn, :password => password}).first)
+            else
+            result = rs.first if me.bind(:method => :simple, :username => dn,
+                                :password => password)
+            end
+          end
+        end
+        result
+      end
+
+      private
+      def ensure_method(method)
+          method ||= "plain"
+          normalized_method = method.to_s.downcase.to_sym
+          return METHOD[normalized_method] if METHOD.has_key?(normalized_method)
+
+          available_methods = METHOD.keys.collect {|m| m.inspect}.join(", ")
+          format = "%s is not one of the available connect methods: %s"
+          raise ConfigurationError, format % [method.inspect, available_methods]
+      end
+
+      def sasl_auths(options={})
+        auths = []
+        sasl_mechanisms = options[:sasl_mechanisms] || @sasl_mechanisms
+        sasl_mechanisms.each do |mechanism|
+          normalized_mechanism = mechanism.downcase.gsub(/-/, '_')
+          sasl_bind_setup = "sasl_bind_setup_#{normalized_mechanism}"
+          next unless respond_to?(sasl_bind_setup, true)
+          initial_credential, challenge_response = send(sasl_bind_setup, options)
+          auths << {
+            :method => :sasl,
+            :initial_credential => initial_credential,
+            :mechanism => mechanism,
+            :challenge_response => challenge_response
+          }
+        end
+        auths
+      end
+
+      def sasl_bind_setup_digest_md5(options)
+        bind_dn = options[:username]
+        initial_credential = ""
+        challenge_response = Proc.new do |cred|
+          pref = SASL::Preferences.new :digest_uri => "ldap/#{@host}", :username => bind_dn, :has_password? => true, :password => options[:password]
+          sasl = SASL.new("DIGEST-MD5", pref)
+          response = sasl.receive("challenge", cred)
+          response[1]
+        end
+        [initial_credential, challenge_response]
+      end
+
+      def sasl_bind_setup_gss_spnego(options)
+        bind_dn = options[:username]
+        psw = options[:password]
+        raise LdapError.new( "invalid binding information" ) unless (bind_dn && psw)
+
+        nego = proc {|challenge|
+          t2_msg = Net::NTLM::Message.parse( challenge )
+          bind_dn, domain = bind_dn.split('\\').reverse
+          t2_msg.target_name = Net::NTLM::encode_utf16le(domain) if domain
+          t3_msg = t2_msg.response( {:user => bind_dn, :password => psw}, {:ntlmv2 => true} )
+          t3_msg.serialize
+        }
+        [Net::NTLM::Message::Type1.new.serialize, nego]
+      end
+
+    end
+  end
+end

data/lib/omniauth-ldap/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module LDAP
+    VERSION = "1.0.4"
+  end
+end

data/lib/omniauth/strategies/ldap.rb

@@ -0,0 +1,101 @@
+require 'omniauth'
+
+module OmniAuth
+  module Strategies
+    class LDAP
+      include OmniAuth::Strategy
+      @@config = {
+        'name' => 'cn',
+        'first_name' => 'givenName',
+        'last_name' => 'sn',
+        'email' => ['mail', "email", 'userPrincipalName'],
+        'phone' => ['telephoneNumber', 'homePhone', 'facsimileTelephoneNumber'],
+        'mobile' => ['mobile', 'mobileTelephoneNumber'],
+        'nickname' => ['uid', 'userid', 'sAMAccountName'],
+        'title' => 'title',
+        'location' => {"%0, %1, %2, %3 %4" => [['address', 'postalAddress', 'homePostalAddress', 'street', 'streetAddress'], ['l'], ['st'],['co'],['postOfficeBox']]},
+        'uid' => 'dn',
+        'url' => ['wwwhomepage'],
+        'image' => 'jpegPhoto',
+        'description' => 'description'
+      }
+      option :title, "LDAP Authentication" #default title for authentication form
+      option :port, 389
+      option :method, :plain
+      option :uid, 'sAMAccountName'
+      option :name_proc, lambda {|n| n}
+
+      def request_phase
+        OmniAuth::LDAP::Adaptor.validate @options
+        f = OmniAuth::Form.new(:title => (options[:title] || "LDAP Authentication"), :url => callback_path)
+        f.text_field 'Login', 'username'
+        f.password_field 'Password', 'password'
+        f.button "Sign In"
+        f.to_response
+      end
+
+      def callback_phase
+        @adaptor = OmniAuth::LDAP::Adaptor.new @options
+
+        return fail!(:missing_credentials) if missing_credentials?
+        begin
+          @ldap_user_info = @adaptor.bind_as(:filter => filter(@adaptor), :size => 1, :password => request['password'])
+          return fail!(:invalid_credentials) if !@ldap_user_info
+
+          @user_info = self.class.map_user(@@config, @ldap_user_info)
+          super
+        rescue Exception => e
+          return fail!(:ldap_error, e)
+        end
+      end
+
+      def filter adaptor
+        if adaptor.filter and !adaptor.filter.empty?
+          Net::LDAP::Filter.construct(adaptor.filter % {username: @options[:name_proc].call(request['username'])})
+        else
+          Net::LDAP::Filter.eq(adaptor.uid, @options[:name_proc].call(request['username']))
+        end
+      end
+
+      uid {
+        @user_info["uid"]
+      }
+      info {
+        @user_info
+      }
+      extra {
+        { :raw_info => @ldap_user_info }
+      }
+
+      def self.map_user(mapper, object)
+        user = {}
+        mapper.each do |key, value|
+          case value
+          when String
+            user[key] = object[value.downcase.to_sym].first if object.respond_to? value.downcase.to_sym
+          when Array
+            value.each {|v| (user[key] = object[v.downcase.to_sym].first; break;) if object.respond_to? v.downcase.to_sym}
+          when Hash
+            value.map do |key1, value1|
+              pattern = key1.dup
+              value1.each_with_index do |v,i|
+                part = ''; v.collect(&:downcase).collect(&:to_sym).each {|v1| (part = object[v1].first; break;) if object.respond_to? v1}
+                pattern.gsub!("%#{i}",part||'')
+              end
+              user[key] = pattern
+            end
+          end
+        end
+        user
+      end
+
+      protected
+
+      def missing_credentials?
+        request['username'].nil? or request['username'].empty? or request['password'].nil? or request['password'].empty?
+      end # missing_credentials?
+    end
+  end
+end
+
+OmniAuth.config.add_camelization 'ldap', 'LDAP'

data/omniauth-ldap2.gemspec

@@ -0,0 +1,28 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/omniauth-ldap/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Ping Yu"]
+  gem.email         = ["ping@intridea.com"]
+  gem.description   = %q{A LDAP strategy for OmniAuth.}
+  gem.summary       = %q{A LDAP strategy for OmniAuth.}
+  gem.homepage      = "https://github.com/intridea/omniauth-ldap"
+  gem.license       = "MIT"
+
+  gem.add_runtime_dependency     'omniauth'
+  gem.add_runtime_dependency     'net-ldap'
+  gem.add_runtime_dependency     'pyu-ruby-sasl'
+  gem.add_runtime_dependency     'rubyntlm'
+  gem.add_development_dependency 'rspec'
+  gem.add_development_dependency 'simplecov'
+  gem.add_development_dependency 'rack-test'
+  gem.add_development_dependency 'libnotify'
+  gem.add_development_dependency 'ruby-debug19'
+
+  gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  gem.files         = `git ls-files`.split("\n")
+  gem.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  gem.name          = "omniauth-ldap2"
+  gem.require_paths = ["lib"]
+  gem.version       = OmniAuth::LDAP::VERSION
+end

data/spec/omniauth-ldap/adaptor_spec.rb

@@ -0,0 +1,77 @@
+require 'spec_helper'
+describe "OmniAuth::LDAP::Adaptor" do
+
+  describe 'initialize' do
+    it 'should throw exception when must have field is not set' do
+      #[:host, :port, :method, :bind_dn]
+      lambda { OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain'})}.should raise_error(ArgumentError)
+    end
+
+    it 'should throw exception when method is not supported' do
+      lambda { OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'myplain', uid: 'uid', port: 389, base: 'dc=com'})}.should raise_error(OmniAuth::LDAP::Adaptor::ConfigurationError)
+    end
+
+    it 'should setup ldap connection with anonymous' do
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName'})
+      adaptor.connection.should_not == nil
+      adaptor.connection.host.should == '192.168.1.145'
+      adaptor.connection.port.should == 389
+      adaptor.connection.base.should == 'dc=intridea, dc=com'
+      adaptor.connection.instance_variable_get('@auth').should == {:method => :anonymous, :username => nil, :password => nil}
+    end
+
+    it 'should setup ldap connection with simple' do
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password'})
+      adaptor.connection.should_not == nil
+      adaptor.connection.host.should == '192.168.1.145'
+      adaptor.connection.port.should == 389
+      adaptor.connection.base.should == 'dc=intridea, dc=com'
+      adaptor.connection.instance_variable_get('@auth').should == {:method => :simple, :username => 'bind_dn', :password => 'password'}
+    end
+
+    it 'should setup ldap connection with sasl-md5' do
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["DIGEST-MD5"], bind_dn: 'bind_dn', password: 'password'})
+      adaptor.connection.should_not == nil
+      adaptor.connection.host.should == '192.168.1.145'
+      adaptor.connection.port.should == 389
+      adaptor.connection.base.should == 'dc=intridea, dc=com'
+      adaptor.connection.instance_variable_get('@auth')[:method].should == :sasl
+      adaptor.connection.instance_variable_get('@auth')[:mechanism].should == 'DIGEST-MD5'
+      adaptor.connection.instance_variable_get('@auth')[:initial_credential].should == ''
+      adaptor.connection.instance_variable_get('@auth')[:challenge_response].should_not be_nil
+    end
+
+    it 'should setup ldap connection with sasl-gss' do
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["GSS-SPNEGO"], bind_dn: 'bind_dn', password: 'password'})
+      adaptor.connection.should_not == nil
+      adaptor.connection.host.should == '192.168.1.145'
+      adaptor.connection.port.should == 389
+      adaptor.connection.base.should == 'dc=intridea, dc=com'
+      adaptor.connection.instance_variable_get('@auth')[:method].should == :sasl
+      adaptor.connection.instance_variable_get('@auth')[:mechanism].should == 'GSS-SPNEGO'
+      adaptor.connection.instance_variable_get('@auth')[:initial_credential].should =~ /^NTLMSSP/
+      adaptor.connection.instance_variable_get('@auth')[:challenge_response].should_not be_nil
+    end
+  end
+
+  describe 'bind_as' do
+    let(:args) { {:filter => Net::LDAP::Filter.eq('sAMAccountName', 'username'), :password => 'password', :size => 1} }
+    let(:rs) { Struct.new(:dn).new('new dn') }
+
+    it 'should bind simple' do
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.126", method: 'plain', base: 'dc=score, dc=local', port: 389, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password'})
+      adaptor.connection.should_receive(:open).and_yield(adaptor.connection)
+      adaptor.connection.should_receive(:search).with(args).and_return([rs])
+      adaptor.connection.should_receive(:bind).with({:username => 'new dn', :password => args[:password], :method => :simple}).and_return(true)
+      adaptor.bind_as(args).should == rs
+    end
+
+    it 'should bind sasl' do
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", method: 'plain', base: 'dc=intridea, dc=com', port: 389, uid: 'sAMAccountName', try_sasl: true, sasl_mechanisms: ["GSS-SPNEGO"], bind_dn: 'bind_dn', password: 'password'})
+      adaptor.connection.should_receive(:open).and_yield(adaptor.connection)
+      adaptor.connection.should_receive(:search).with(args).and_return([rs])
+      adaptor.connection.should_receive(:bind).and_return(true)
+      adaptor.bind_as(args).should == rs
+    end
+  end
+end

data/spec/omniauth/strategies/ldap_spec.rb

@@ -0,0 +1,194 @@
+require 'spec_helper'
+describe "OmniAuth::Strategies::LDAP" do
+  # :title => "My LDAP",
+  # :host => '10.101.10.1',
+  # :port => 389,
+  # :method => :plain,
+  # :base => 'dc=intridea, dc=com',
+  # :uid => 'sAMAccountName',
+  # :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')}
+  # :bind_dn => 'default_bind_dn'
+  # :password => 'password'
+  class MyLdapProvider < OmniAuth::Strategies::LDAP; end
+
+  let(:app) do
+    Rack::Builder.new {
+      use OmniAuth::Test::PhonySession
+      use MyLdapProvider, :name => 'ldap', :title => 'MyLdap Form', :host => '192.168.1.145', :base => 'dc=score, dc=local', :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')}
+      run lambda { |env| [404, {'Content-Type' => 'text/plain'}, [env.key?('omniauth.auth').to_s]] }
+    }.to_app
+  end
+
+  let(:session) do
+    last_request.env['rack.session']
+  end
+
+  it 'should add a camelization for itself' do
+    OmniAuth::Utils.camelize('ldap').should == 'LDAP'
+  end
+
+  describe '/auth/ldap' do
+    before(:each){ get '/auth/ldap' }
+
+    it 'should display a form' do
+      last_response.status.should == 200
+      last_response.body.should be_include("<form")
+    end
+
+    it 'should have the callback as the action for the form' do
+      last_response.body.should be_include("action='/auth/ldap/callback'")
+    end
+
+    it 'should have a text field for each of the fields' do
+      last_response.body.scan('<input').size.should == 2
+    end
+    it 'should have a label of the form title' do
+      last_response.body.scan('MyLdap Form').size.should > 1
+    end
+  end
+
+  describe 'post /auth/ldap/callback' do
+    before(:each) do
+      @adaptor = double(OmniAuth::LDAP::Adaptor, {:uid => 'ping'})
+      @adaptor.stub(:filter)
+      OmniAuth::LDAP::Adaptor.stub(:new).and_return(@adaptor)
+    end
+
+    context 'failure' do
+      before(:each) do
+        @adaptor.stub(:bind_as).and_return(false)
+      end
+
+      context "when username is not preset" do
+        it 'should redirect to error page' do
+          post('/auth/ldap/callback', {})
+
+          last_response.should be_redirect
+          last_response.headers['Location'].should =~ %r{missing_credentials}
+        end
+      end
+
+      context "when username is empty" do
+        it 'should redirect to error page' do
+          post('/auth/ldap/callback', {:username => ""})
+
+          last_response.should be_redirect
+          last_response.headers['Location'].should =~ %r{missing_credentials}
+        end
+      end
+
+      context "when username is present" do
+        context "and password is not preset" do
+          it 'should redirect to error page' do
+            post('/auth/ldap/callback', {:username => "ping"})
+
+            last_response.should be_redirect
+            last_response.headers['Location'].should =~ %r{missing_credentials}
+          end
+        end
+
+        context "and password is empty" do
+          it 'should redirect to error page' do
+            post('/auth/ldap/callback', {:username => "ping", :password => ""})
+
+            last_response.should be_redirect
+            last_response.headers['Location'].should =~ %r{missing_credentials}
+          end
+        end
+      end
+
+      context "when username and password are present" do
+        context "and bind on LDAP server failed" do
+          it 'should redirect to error page' do
+            post('/auth/ldap/callback', {:username => 'ping', :password => 'password'})
+
+            last_response.should be_redirect
+            last_response.headers['Location'].should =~ %r{invalid_credentials}
+          end
+          context 'and filter is set' do
+            it 'should bind with filter' do
+              @adaptor.stub(:filter).and_return('uid=%{username}')
+              Net::LDAP::Filter.should_receive(:construct).with('uid=ping')
+              post('/auth/ldap/callback', {:username => 'ping', :password => 'password'})
+
+              last_response.should be_redirect
+              last_response.headers['Location'].should =~ %r{invalid_credentials}
+            end
+          end
+
+        end
+
+        context "and communication with LDAP server caused an exception" do
+          before :each do
+            @adaptor.stub(:bind_as).and_throw(Exception.new('connection_error'))
+          end
+
+          it 'should redirect to error page' do
+            post('/auth/ldap/callback', {:username => "ping", :password => "password"})
+
+            last_response.should be_redirect
+            last_response.headers['Location'].should =~ %r{ldap_error}
+          end
+        end
+      end
+    end
+
+    context 'success' do
+      let(:auth_hash){ last_request.env['omniauth.auth'] }
+
+      before(:each) do
+        @adaptor.stub(:filter)
+        @adaptor.stub(:bind_as).and_return(Net::LDAP::Entry.from_single_ldif_string(
+      %Q{dn: cn=ping, dc=intridea, dc=com
+mail: ping@intridea.com
+givenname: Ping
+sn: Yu
+telephonenumber: 555-555-5555
+mobile: 444-444-4444
+uid: ping
+title: dev
+address: k street
+l: Washington
+st: DC
+co: U.S.A
+postofficebox: 20001
+wwwhomepage: www.intridea.com
+jpegphoto: http://www.intridea.com/ping.jpg
+description: omniauth-ldap
+}
+    ))
+      end
+
+      it 'should not redirect to error page' do
+        post('/auth/ldap/callback', {:username => 'ping', :password => 'password'})
+        last_response.should_not be_redirect
+      end
+
+      context 'and filter is set' do
+        it 'should bind with filter' do
+          @adaptor.stub(:filter).and_return('uid=%{username}')
+          Net::LDAP::Filter.should_receive(:construct).with('uid=ping')
+          post('/auth/ldap/callback', {:username => 'ping', :password => 'password'})
+
+          last_response.should_not be_redirect
+        end
+      end
+
+      it 'should map user info to Auth Hash' do
+        post('/auth/ldap/callback', {:username => 'ping', :password => 'password'})
+        auth_hash.uid.should == 'cn=ping, dc=intridea, dc=com'
+        auth_hash.info.email.should == 'ping@intridea.com'
+        auth_hash.info.first_name.should == 'Ping'
+        auth_hash.info.last_name.should == 'Yu'
+        auth_hash.info.phone.should == '555-555-5555'
+        auth_hash.info.mobile.should == '444-444-4444'
+        auth_hash.info.nickname.should == 'ping'
+        auth_hash.info.title.should == 'dev'
+        auth_hash.info.location.should == 'k street, Washington, DC, U.S.A 20001'
+        auth_hash.info.url.should == 'www.intridea.com'
+        auth_hash.info.image.should == 'http://www.intridea.com/ping.jpg'
+        auth_hash.info.description.should == 'omniauth-ldap'
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,14 @@
+$:.unshift File.expand_path('..', __FILE__)
+$:.unshift File.expand_path('../../lib', __FILE__)
+require 'simplecov'
+SimpleCov.start
+require 'rspec'
+require 'rack/test'
+require 'omniauth'
+require 'omniauth-ldap'
+
+RSpec.configure do |config|
+  config.include Rack::Test::Methods
+  config.extend  OmniAuth::Test::StrategyMacros, :type => :strategy
+end
+

metadata

@@ -0,0 +1,187 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-ldap2
+version: !ruby/object:Gem::Version
+  version: 1.0.4
+platform: ruby
+authors:
+- Ping Yu
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-08-31 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pyu-ruby-sasl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubyntlm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: libnotify
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ruby-debug19
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: A LDAP strategy for OmniAuth.
+email:
+- ping@intridea.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- Gemfile
+- Guardfile
+- README.md
+- Rakefile
+- lib/omniauth-ldap.rb
+- lib/omniauth-ldap/adaptor.rb
+- lib/omniauth-ldap/version.rb
+- lib/omniauth/strategies/ldap.rb
+- omniauth-ldap2.gemspec
+- spec/omniauth-ldap/adaptor_spec.rb
+- spec/omniauth/strategies/ldap_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/intridea/omniauth-ldap
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.12
+signing_key: 
+specification_version: 4
+summary: A LDAP strategy for OmniAuth.
+test_files:
+- spec/omniauth-ldap/adaptor_spec.rb
+- spec/omniauth/strategies/ldap_spec.rb
+- spec/spec_helper.rb