rbmk 0.1.0.a

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 915c433f207ea0656ded0512c10507183ba35211
+  data.tar.gz: 8ee0b1ef7c46e215b298783d0597dd6d085368f0
+SHA512:
+  metadata.gz: 9fe9a3bce2171a3b8466f6034d0569ccbb691fe2aee9a161b2ffed4d5695e9bbd68e7b8662d71284a01952cca1c6bbafee621a5f914f589918c3edb915ad359c
+  data.tar.gz: 8fa2b7a9794a4a6bbfb8d25b279445c87a4d20d8936e70fd57c292cd808895bc44e7dcde0eaf14f495c6d2d700b5067dbe57ed1ab1c276c2ad2d20680edbfd7a

data/LICENSE

@@ -0,0 +1,117 @@
+CC0 1.0 Universal
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator and
+subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for the
+purpose of contributing to a commons of creative, cultural and scientific
+works ("Commons") that the public can reliably and without fear of later
+claims of infringement build upon, modify, incorporate in other works, reuse
+and redistribute as freely as possible in any form whatsoever and for any
+purposes, including without limitation commercial purposes. These owners may
+contribute to the Commons to promote the ideal of a free culture and the
+further production of creative, cultural and scientific works, or to gain
+reputation or greater distribution for their Work in part through the use and
+efforts of others.
+
+For these and/or other purposes and motivations, and without any expectation
+of additional consideration or compensation, the person associating CC0 with a
+Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
+and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
+and publicly distribute the Work under its terms, with knowledge of his or her
+Copyright and Related Rights in the Work and the meaning and intended legal
+effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not limited
+to, the following:
+
+  i. the right to reproduce, adapt, distribute, perform, display, communicate,
+  and translate a Work;
+
+  ii. moral rights retained by the original author(s) and/or performer(s);
+
+  iii. publicity and privacy rights pertaining to a person's image or likeness
+  depicted in a Work;
+
+  iv. rights protecting against unfair competition in regards to a Work,
+  subject to the limitations in paragraph 4(a), below;
+
+  v. rights protecting the extraction, dissemination, use and reuse of data in
+  a Work;
+
+  vi. database rights (such as those arising under Directive 96/9/EC of the
+  European Parliament and of the Council of 11 March 1996 on the legal
+  protection of databases, and under any national implementation thereof,
+  including any amended or successor version of such directive); and
+
+  vii. other similar, equivalent or corresponding rights throughout the world
+  based on applicable law or treaty, and any national implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention of,
+applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
+unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
+and Related Rights and associated claims and causes of action, whether now
+known or unknown (including existing as well as future claims and causes of
+action), in the Work (i) in all territories worldwide, (ii) for the maximum
+duration provided by applicable law or treaty (including future time
+extensions), (iii) in any current or future medium and for any number of
+copies, and (iv) for any purpose whatsoever, including without limitation
+commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
+the Waiver for the benefit of each member of the public at large and to the
+detriment of Affirmer's heirs and successors, fully intending that such Waiver
+shall not be subject to revocation, rescission, cancellation, termination, or
+any other legal or equitable action to disrupt the quiet enjoyment of the Work
+by the public as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason be
+judged legally invalid or ineffective under applicable law, then the Waiver
+shall be preserved to the maximum extent permitted taking into account
+Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
+is so judged Affirmer hereby grants to each affected person a royalty-free,
+non transferable, non sublicensable, non exclusive, irrevocable and
+unconditional license to exercise Affirmer's Copyright and Related Rights in
+the Work (i) in all territories worldwide, (ii) for the maximum duration
+provided by applicable law or treaty (including future time extensions), (iii)
+in any current or future medium and for any number of copies, and (iv) for any
+purpose whatsoever, including without limitation commercial, advertising or
+promotional purposes (the "License"). The License shall be deemed effective as
+of the date CC0 was applied by Affirmer to the Work. Should any part of the
+License for any reason be judged legally invalid or ineffective under
+applicable law, such partial invalidity or ineffectiveness shall not
+invalidate the remainder of the License, and in such case Affirmer hereby
+affirms that he or she will not (i) exercise any of his or her remaining
+Copyright and Related Rights in the Work or (ii) assert any associated claims
+and causes of action with respect to the Work, in either case contrary to
+Affirmer's express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+  a. No trademark or patent rights held by Affirmer are waived, abandoned,
+  surrendered, licensed or otherwise affected by this document.
+
+  b. Affirmer offers the Work as-is and makes no representations or warranties
+  of any kind concerning the Work, express, implied, statutory or otherwise,
+  including without limitation warranties of title, merchantability, fitness
+  for a particular purpose, non infringement, or the absence of latent or
+  other defects, accuracy, or the present or absence of errors, whether or not
+  discoverable, all to the greatest extent permissible under applicable law.
+
+  c. Affirmer disclaims responsibility for clearing rights of other persons
+  that may apply to the Work or any use thereof, including without limitation
+  any person's Copyright and Related Rights in the Work. Further, Affirmer
+  disclaims responsibility for obtaining any necessary consents, permissions
+  or other rights required for any use of the Work.
+
+  d. Affirmer understands and acknowledges that Creative Commons is not a
+  party to this document and has no duty or obligation with respect to this
+  CC0 or use of the Work.
+
+For more information, please see
+<http://creativecommons.org/publicdomain/zero/1.0/>
+

data/README.md

@@ -0,0 +1,46 @@
+RBMK
+====
+[//]: # (DESCRIPTION START)
+This is a rather simple Ruby LDAP server that proxies operations upstream but
+at the same time provides a facility to invoke your code at certain points in
+the operation runtime. This may help to accomodate for some clients that
+are not smart enough to implement the logic you need themselves.
+LDAP is very rigid and static in its nature and although OpenLDAP provides some
+very helpful overlays, it is far from enough.
+[//]: # (DESCRIPTION STOP)
+
+CAUTION
+-------
+Like its name suggests, `rbmk` is somewhat powerful, but is not very stable.
+Expect random meltdowns! Please, **NEVER** run it as superuser. LDAP gems
+that it uses are surprisingly feature-rich, but are not quite polished yet.
+This user does not have the time to rewrite them and does not consider it
+a huge problem. Remember, the best architecture is not the one that never fails,
+but is instead the one that can handle failures gracefully.
+
+LIMITATIONS
+-----------
+* This proxy is read-only, by design.
+* This script does not detach from its terminal, again by design.
+* Only tested with MRI 2.2, but will likely work with anything 1.9+.
+
+INSTALL
+-------
+`gem install rbmk`, simple as that.
+
+RUN
+---
+As this script is not a daemon, you have two easy options besides anything
+you may invent yourself:
+1. use any supervisor that are plenty nowadays: `supervisord`, `bluepill` etc.
+1. or just run it inside a `tmux` session and leave it there.
+
+USAGE
+-----
+`rbmk FILENAME`, where *FILENAME* is a configuration file.
+
+CONFIGURATION
+-------------
+Upon its invocation `rbmk` evals its first argument and thus is configured
+by your Ruby code inside that file. Please refer to `examples/rbmk.rb` for an example
+configuration file.

data/bin/rbmk

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+
+cfn = ARGV.first
+(puts "Usage: #{File.basename $0} FILENAME"; exit) if cfn.nil? or cfn.empty?
+
+require 'rbmk/logger'
+require 'rbmk/upstream'
+require 'rbmk/server'
+require 'rbmk/worker'
+
+load File.expand_path(cfn)
+
+$log = RBMK::Logger.instance
+
+RBMK::Server.new.start

data/examples/rbmk.rb

@@ -0,0 +1,43 @@
+# Override the host and port of the upstream LDAP server
+#
+class RBMK::Upstream
+	def self.host; 'ldap.example.com' end
+	def self.port; 33389 end
+end
+
+# Override the host and port of RBMK server
+#
+class RBMK::Server
+	def self.host; '0.0.0.0' end
+	def self.port; 10389 end
+end
+
+# Override logger settings
+#
+module RBMK::Logger
+	def self.level; ::Logger::DEBUG end
+end
+
+# The magic! You can transform the found entries here
+#
+module RBMK
+	# For example, we can add a fooBar attribute to any resulting object
+	#
+	def self.hack_entries entries
+		entries.map do |entry|
+			entry.merge 'fooBar' => 'baz'
+		end
+	end
+
+	# In this example we drop fooBar attribute from anywhere in the search
+	#
+	def self.hack_filter filter
+		op = filter.shift
+		case op
+			when :true, :false, :undef then [op]
+			when :not,  :and,   :or    then [op] + filter.map { |sf| hack_filter sf }.compact
+			else (filter.first =~ /\Afoobar\z/i) ? nil : [op] + filter
+		end
+	end
+
+end

data/lib/rbmk/exception.rb

@@ -0,0 +1,11 @@
+class Exception
+
+	def log
+		$log.error sprintf('%s: %s (%s)', backtrace.first, message, self.class)
+	end
+
+	def log_debug
+		$log.debug sprintf('%s: %s (%s)', (to_i rescue 'n/a'), message, self.class)
+	end
+
+end

data/lib/rbmk/logger.rb

@@ -0,0 +1,20 @@
+require 'rbmk/exception'
+module RBMK
+module Logger
+
+	def self.level; ::Logger::INFO end
+
+	def self.format lvl, ts, prog, msg
+		sprintf "%s [%s:%5i] %-5s %s\n", ts.strftime('%F:%T'), ($master ? 'M' : 'w'), Process.pid, lvl, msg
+	end
+
+	def self.instance
+		require 'logger'
+		log = ::Logger.new STDERR
+		log.level = level
+		log.formatter = method :format
+		log
+	end
+
+end
+end

data/lib/rbmk/operation.rb

@@ -0,0 +1,183 @@
+require 'ldap/server/operation'
+
+
+
+class LDAP::ResultError
+	@map = []
+	constants.each do |const|
+		c = const_get const
+		i = c.new.send :to_i rescue nil
+		@map[i] = c if i
+	end
+
+	def self.from_id id, msg = nil
+		@map[id].new msg
+	end
+end
+
+
+
+class LDAP::Server::Filter
+	def self.to_rfc filter
+		raise ArgumentError, 'Array expected' unless filter.is_a? Array
+		raise ArgumentError, 'Filter is empty' if filter.empty?
+		op = filter.shift
+		res = case op
+			when :not then
+				raise 'Empty subfilter' if (sf = to_rfc filter).empty?
+				'!%s' % sf
+			when :and then
+				raise 'Empty subfilter' if (sf = filter.map { |f| to_rfc(f) }.join).empty?
+				'&%s' % sf
+			when :or
+				raise 'Empty subfilter' if (sf = filter.map { |f| to_rfc(f) }.join).empty?
+				'!%s' % sf
+
+			when :true       then 'objectClass=*'
+			when :false      then '!(objectClass=*)'
+			when :undef      then raise 'Undefined filter has no RFC representation'
+
+			when :present    then sprintf '%s=*',   filter.first
+			when :eq         then sprintf '%s=%s',  filter.first, filter.last
+			when :approx     then sprintf '%s~=%s', filter.first, filter.last
+			when :ge         then sprintf '%s>=%s', filter.first, filter.last
+			when :le         then sprintf '%s<=%s', filter.first, filter.last
+			when :substrings then
+				attr = filter.shift
+				junk = filter.shift
+				'%s=%s' % [attr, filter.join('*')]
+			else raise 'Unknown op %s' % op.inspect
+		end
+		'(%s)' % res
+	rescue
+		$!.log_debug
+		''
+	end
+end
+
+
+
+require 'rbmk'
+module RBMK
+class Operation < LDAP::Server::Operation
+
+	# First some patches
+	#
+	def send_SearchResultEntry(dn, avs, opt={})
+		@rescount += 1
+		if @sizelimit
+			raise LDAP::ResultError::SizeLimitExceeded if @rescount > @sizelimit
+		end
+
+		if @schema
+			@attributes = @attributes.map { |a| (['*', '+'].include? a) ? a : @schema.find_attrtype(a).to_s }
+		end
+
+		avseq = []
+
+		avs.each do |attr, vals|
+
+			send = if @attributes.include? '+' then
+				true
+			elsif @attributes.include? '*' then
+				if @schema then
+					a = @schema.find_attrtype(attr) rescue nil
+					a and (a.usage.nil? or a.usage == :userApplications)
+				else
+					true
+				end
+			else
+				@attributes.include? attr
+			end
+
+			next unless send
+
+			if @typesOnly
+				vals = []
+			else
+				vals = [vals] unless vals.kind_of?(Array)
+			end
+			avseq << OpenSSL::ASN1::Sequence([OpenSSL::ASN1::OctetString(attr), OpenSSL::ASN1::Set(vals.collect { |v| OpenSSL::ASN1::OctetString(v.to_s) })])
+		end
+
+		send_LDAPMessage(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::OctetString(dn), OpenSSL::ASN1::Sequence(avseq)], 4, :IMPLICIT, :APPLICATION), opt)
+	end
+
+	def do_search op, controls
+		baseObject = op.value[0].value
+		scope = op.value[1].value
+		deref = op.value[2].value
+		client_sizelimit = op.value[3].value
+		client_timelimit = op.value[4].value.to_i
+		@typesOnly = op.value[5].value
+		filter = LDAP::Server::Filter.parse(op.value[6], @schema)
+		@attributes = op.value[7].value.collect {|x| x.value}
+
+		@rescount = 0
+		@sizelimit = server_sizelimit
+		@sizelimit = client_sizelimit if client_sizelimit > 0 and (@sizelimit.nil? or client_sizelimit < @sizelimit)
+
+		if baseObject.empty? and scope == LDAP::Server::BaseObject
+			send_SearchResultEntry('', @server.root_dse) if @server.root_dse and LDAP::Server::Filter.run(filter, @server.root_dse)
+			send_SearchResultDone(0)
+			return
+		elsif @schema and baseObject == @schema.subschema_dn
+			send_SearchResultEntry(baseObject, @schema.subschema_subentry) if @schema and @schema.subschema_subentry and LDAP::Server::Filter.run(filter, @schema.subschema_subentry)
+			send_SearchResultDone(0)
+			return
+		end
+
+		t = server_timelimit || 10
+		t = client_timelimit if client_timelimit > 0 and client_timelimit < t
+
+		Timeout::timeout(t, LDAP::ResultError::TimeLimitExceeded) { search baseObject, scope, deref, filter }
+		send_SearchResultDone(0)
+
+ 	rescue LDAP::Abandon
+	rescue LDAP::ResultError => e
+		log e.message
+		send_SearchResultDone(e.to_i, :errorMessage=>e.message)
+	rescue Exception => e
+		log_exception(e)
+		send_SearchResultDone(LDAP::ResultError::OperationsError.new.to_i, :errorMessage=>e.message)
+	end
+
+
+
+	# Okay, now the actual code
+	#
+	def simple_bind version, dn, password
+		RBMK.context[:binddn] = {orig: dn}
+		version, dn, password = transformed(simple_bind: [version, dn, password])
+		RBMK.context[:binddn][:hacked] = dn
+		$log.info sprintf('Bind v%i, dn: %p -> %p', version, RBMK.context[:binddn][:orig], RBMK.context[:binddn][:hacked])
+		@server.bind version, dn, password
+	rescue LDAP::ResultError
+		$!.log_debug
+		raise $!
+	end
+
+	def search basedn, scope, deref, filter
+		RBMK.context[:filter] = {orig: filter, hacked: transformed(filter: filter)}
+		filter = LDAP::Server::Filter.to_rfc RBMK.context[:filter][:hacked]
+		$log.info sprintf('Search %p from %p, scope: %i, deref: %i, attrs: %p, no_values: %s, max: %i', filter, basedn, scope, deref, @attributes, @typesOnly, (@sizelimit.to_i rescue 0))
+		entries = @server.ldap.search_ext2 basedn, scope, filter, ['*', '+'], @typesOnly, nil, nil, 0, 0, (@sizelimit.to_i rescue 0)
+#require 'pp'
+#pp entries
+		transformed(entries: entries).each { |entry| send_SearchResultEntry entry.delete('dn').first, entry }
+	rescue LDAP::ResultError
+		@server.handle_ldap_error
+	end
+
+protected
+
+	def transformed spec
+		raise ArgumentError.new('Please provide a hash with exactly one key.') unless (spec.is_a? Hash) and (1 == spec.count)
+		spec.each { |type, object| return RBMK.send "hack_#{type}".to_sym, object }
+	rescue
+		$!.log
+		object
+	end
+
+end
+end

data/lib/rbmk/peer.rb

@@ -0,0 +1,14 @@
+module RBMK
+class Peer
+
+	def initialize client
+		@host = client.peeraddr[3]
+		@port = client.peeraddr[1]
+	end
+
+	def to_s
+		sprintf '%s:%s', @host, @port
+	end
+
+end
+end

data/lib/rbmk/server.rb

@@ -0,0 +1,86 @@
+require 'timeout'
+require 'rbmk/peer'
+require 'rbmk/signal'
+module RBMK
+class Server
+
+	class Reaped < StandardError; end
+
+	def initialize
+		$master = true
+		@arvg0 = File.basename Process.argv0
+		@workers = {}
+	end
+
+	def start
+		require 'socket'
+		@upstream = self.class.upstream
+		$log.debug sprintf('Listening on %s:%s', self.class.host, self.class.port)
+		@socket = TCPServer.new self.class.host, self.class.port
+		Signal.constants.each { |sig| Signal.trap Signal.const_get(sig), method(:trap) }
+		$0 = sprintf '%s master at %s:%s', @arvg0, self.class.host, self.class.port
+		loop { accept }
+	ensure
+		@socket.close rescue nil
+		@workers.each { |pid| Process.kill 'TERM', pid rescue nil }
+		Process.waitall rescue nil
+		$log.debug 'Exiting'
+	end
+
+protected
+
+	def self.host; '127.0.0.1' end
+	def self.port; 8389 end
+	def self.worker_timeout; 600 end # (in seconds) this is not per single request, this is for the whole session
+
+	def self.upstream
+		require 'rbmk/upstream'
+		RBMK::Upstream.new
+	end
+
+	def accept
+		peer = Peer.new(client = @socket.accept)
+		$log.info 'Connection from %s' % peer
+		if pid = fork then
+			client.close
+			@workers[pid] = peer
+		else
+			$log.debug 'Worker started'
+			act_as_a_child_for client, peer
+		end
+	rescue Reaped
+		$log.debug $!.message
+	end
+
+	def trap sig = nil
+		case sig
+			when nil then raise 'Something went wrong, trapped a nil.'
+			when Signal::CHLD then
+				pid, status = Process.wait2 -1, Process::WNOHANG
+				@workers.delete pid
+				raise Reaped.new('Reaped %s' % pid)
+			else raise 'Terminated on SIG%s' % Signal.signame(sig)
+		end
+	rescue Errno::ECHILD
+		# okay, nothing to do
+	end
+
+	def act_as_a_child_for client, peer
+		Signal.trap 'CHLD', 'DEFAULT'
+		$master = false
+		remove_instance_variable :@workers
+		$0 = sprintf '%s worker for %s', @arvg0, peer
+		Timeout.timeout(self.class.worker_timeout) { serve client } # FIXME shall move to master in the future
+	rescue Exception
+		$!.log
+	ensure
+		exit!
+	end
+
+	def serve client
+		require 'rbmk/worker'
+		Worker.hire client, @upstream
+	end
+
+end
+end

data/lib/rbmk/signal.rb

@@ -0,0 +1,3 @@
+module Signal
+	%w( CHLD INT HUP QUIT TERM ).each { |signame| const_set signame.to_sym, list[signame] }
+end

data/lib/rbmk/upstream.rb

@@ -0,0 +1,72 @@
+require 'tempfile'
+require 'ldap'
+require 'ldap/schema'
+require 'ldap/server/schema'
+module RBMK
+class Upstream
+	FILTER_PREFIX = '( 1.3.6.1.4.1.4203.1.12.2'
+	SPECIAL_ATS = {
+		subtreeSpecification: {s: 45, oid: '2.5.18.6', f: 's'},
+		dITStructureRules:    {s: 17, oid: '2.5.21.1', eq: :integerFirstComponentMatch},
+		dITContentRules:      {s: 16, oid: '2.5.21.2', eq: :objectIdentifierFirstComponentMatch},
+		nameForms:            {s: 35, oid: '2.5.21.7', eq: :objectIdentifierFirstComponentMatch},
+		configContext:        {s: 12, oid: '1.3.6.1.4.1.4203.1.12.2.1', f: 'sua'},
+	}
+
+	attr_reader :ldap, :root_dse, :schema
+	def initialize
+		@schema = LDAP::Server::Schema.new
+		SPECIAL_ATS.each { |name,at| @schema.add_attrtype format(name, at) }
+		ldap = LDAP::Conn.new self.class.host, self.class.port
+		ldap.set_option LDAP::LDAP_OPT_PROTOCOL_VERSION, 3
+		ldap.bind do |ldap|
+			@root_dse = ldap.root_dse.first
+			ssse = ldap.schema
+			{add_attrtype: 'attributeTypes', add_objectclass: 'objectClasses'}.each { |meth,id| ssse[id].each { |str| @schema.send meth, str unless str.start_with? FILTER_PREFIX } }
+		end
+		@schema.resolve_oids
+	end
+
+	def bind version, dn, password
+		@ldap = LDAP::Conn.new self.class.host, self.class.port
+		@ldap.set_option LDAP::LDAP_OPT_PROTOCOL_VERSION, version.to_i
+		dn ? @ldap.bind(dn, password) : @ldap.bind
+	rescue LDAP::ResultError
+		handle_ldap_error
+	end
+
+	def handle_ldap_error
+		stderr = from_stderr { @ldap.perror 'LDAP' }                        # WHY U NO?
+		message = stderr.match(/additional info:(.*)$/)[1].strip rescue nil # Seriously, how hard can it be to expose a server's message?
+		raise LDAP::ResultError.from_id(@ldap.err, message)                 # FUCK ME WHY SHOULD I EVER PARSE MY OWN STDERR
+	end
+
+	def mktemp
+		@temp = Tempfile.new 'rbmk'
+		File.unlink @temp
+	end
+
+protected
+
+	def self.host; '127.0.0.1' end
+	def self.port; 389 end
+
+	def format name, at
+		sprintf '( %s NAME \'%s\'%s SYNTAX 1.3.6.1.4.1.1466.115.121.1.%s%s%s USAGE %s )', at[:oid], name,
+			(at[:eq] ? " EQUALITY #{at[:eq]}": ''), at[:s], ((at[:f] and at[:f].include?('s')) ? ' SINGLE-VALUE' : ''),
+			((at[:f] and at[:f].include?('u')) ? ' NO-USER-MODIFICATION' : ''), ((at[:f] and at[:f].include?('a')) ? 'dSAOperation' : 'directoryOperation')
+	end
+
+	def from_stderr
+		saved = STDERR.dup
+		STDERR.reopen @temp
+		yield if block_given?
+		STDERR.rewind
+		STDERR.read
+	ensure
+		STDERR.reopen saved
+		saved.close
+	end
+
+end
+end

data/lib/rbmk/version.rb

@@ -0,0 +1,4 @@
+module RBMK
+	VERSION = '0.1.0.a'
+	CODENAME = 'plan b'
+end

data/lib/rbmk/worker.rb

@@ -0,0 +1,26 @@
+require 'ldap/server'
+require 'rbmk/operation'
+module RBMK
+class Worker
+
+	def self.hire client, upstream; new(client, upstream).serve end
+
+	def initialize client, upstream
+		upstream.mktemp
+		@socket = client
+		@conn = LDAP::Server::Connection.new @socket,
+			server: upstream,
+			logger: $log,
+			operation_class: RBMK::Operation,
+			schema: upstream.schema,
+			namingContexts: upstream.root_dse['namingContexts']
+	end
+
+	def serve
+		@conn.handle_requests
+	ensure
+		@socket.close
+	end
+
+end
+end

data/lib/rbmk.rb

@@ -0,0 +1,26 @@
+module RBMK
+
+	def self.context
+		@context ||= {}
+	end
+
+	# Patch this method to hack incoming bind data
+	#
+	def self.hack_simple_bind data
+#		version, dn, password = data
+		data
+	end
+
+	# Patch this method to hack incoming search filters
+	#
+	def self.hack_filter filter
+		filter
+	end
+
+	# Patch this method to hack outbound found entries
+	#
+	def self.hack_entries entries
+		entries
+	end
+
+end

metadata

@@ -0,0 +1,93 @@
+--- !ruby/object:Gem::Specification
+name: rbmk
+version: !ruby/object:Gem::Version
+  version: 0.1.0.a
+platform: ruby
+authors:
+- stronny red
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-11-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: ruby-ldap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.17
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.17
+- !ruby/object:Gem::Dependency
+  name: ruby-ldapserver
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.5.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.5.3
+description: |-
+  This is a rather simple Ruby LDAP server that proxies operations upstream but
+  at the same time provides a facility to invoke your code at certain points in
+  the operation runtime. This may help to accomodate for some clients that
+  are not smart enough to implement the logic you need themselves.
+  LDAP is very rigid and static in its nature and although OpenLDAP provides some
+  very helpful overlays, it is far from enough.
+email: stronny@celestia.ru
+executables:
+- rbmk
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- bin/rbmk
+- examples/rbmk.rb
+- lib/rbmk.rb
+- lib/rbmk/exception.rb
+- lib/rbmk/logger.rb
+- lib/rbmk/operation.rb
+- lib/rbmk/peer.rb
+- lib/rbmk/server.rb
+- lib/rbmk/signal.rb
+- lib/rbmk/upstream.rb
+- lib/rbmk/version.rb
+- lib/rbmk/worker.rb
+homepage: https://github.com/stronny/rbmk
+licenses:
+- CC0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 1.9.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: a trivial LDAP read-only proxy that allows you to get inside the bind and
+  search operations
+test_files: []