rims-passwd-ldap 0.0.1

data/docker/build/Dockerfile

@@ -0,0 +1,21 @@
+# local OpenLDAP for rims-passwd-ldap
+
+FROM ubuntu:18.04
+MAINTAINER TOKI Yoshinori
+
+RUN apt-get update
+
+# slapd admin
+ADD auth.yml auth.yml
+RUN awk '/^pass:/{print "slapd","slapd/password1","password",$2}' auth.yml | debconf-set-selections
+RUN awk '/^pass:/{print "slapd","slapd/password2","password",$2}' auth.yml | debconf-set-selections
+
+# slapd and some useful tools
+RUN apt-get -y install slapd ldap-utils rsyslog
+
+# slapd setup
+ADD modconf.ldif modconf.ldif
+RUN service slapd start && ldapmodify -Y EXTERNAL -H ldapi:/// -f modconf.ldif && service slapd stop
+
+CMD service rsyslog start && service slapd start && bash
+EXPOSE 389

data/docker/build/auth.yml

@@ -0,0 +1 @@
+pass: 2dbb92b1-1fbb-43a2-9390-fe799b6fe8b9

data/docker/build/modconf.ldif

@@ -0,0 +1,16 @@
+dn: cn=config
+changetype: modify
+replace: olcLogLevel
+olcLogLevel: 64 256
+
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: memberof
+
+dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
+changetype: add
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: olcConfig
+objectClass: top

data/docker/container.yml

@@ -0,0 +1,3 @@
+name: rims-slapd
+repository: toki/rims-slapd
+tag: v3.0

data/docker/users.yml

@@ -0,0 +1,44 @@
+support:
+    - cn: search
+      userPassword: 4586d51f-2161-4fb2-a20a-9e03eaeba1e0
+user:
+    - uid: einstein
+      userPassword: cdb1a742-398f-4717-9fcd-fd700f734854
+      cn: Albert Einstein
+      sn: Einstein
+      group: physics
+    - uid: feynman
+      userPassword: 0ee33778-9b59-4983-a684-99d7e38c91e1
+      cn: Richard Phillips Feynman
+      sn: Feynman
+      group: physics
+    - uid: landau
+      userPassword: 35c40788-62c4-4b35-ba10-df737fabea99
+      cn: Lev Davidovich Landau
+      sn: Landau
+      group: physics
+    - uid: hawking
+      userPassword: b745ad68-dc3c-4b51-a730-590fb8f659f6
+      cn: Stephen William Hawking
+      sn: Hawking
+      group: physics
+    - uid: galileo
+      userPassword: aad39384-8888-46cd-825b-a2b4f2713a12
+      cn: Galileo Galilei
+      sn: Galilei
+      group: physics
+    - uid: galois
+      userPassword: d4af8bc9-fac8-4242-b7ac-42efefb253b9
+      cn: Evariste Galois
+      sn: Galois
+      group: mathematics
+    - uid: euler
+      userPassword: 2291ffeb-b1cd-478c-9625-ebd2746595f4
+      cn: Leonhard Euler
+      sn: Euler
+      group: mathematics
+    - uid: gauss
+      userPassword: 3f5c5559-b262-4c51-88ae-60e7c3022a36
+      cn: Carolus Fridericus Gauss
+      sn: Gauss
+      group: mathematics

data/lib/rims/passwd/ldap.rb

@@ -0,0 +1,223 @@
+# -*- coding: utf-8 -*-
+
+require 'net/ldap'
+require 'rims'
+require 'rims/passwd/ldap/version'
+require 'uri'
+
+# to enable LDAP pass-source plug-in, add the entry of
+# <tt>rims/passwd/ldap</tt> to <tt>load_libraries</tt> list.
+#
+#  ex.
+#     load_libraries:
+#       - rims/passwd/ldap
+#
+class RIMS::Password::LDAPSource < RIMS::Password::Source
+  def initialize(host, port, base_dn, attr, scope: 'sub', filter: nil,
+                 search_bind_auth: { :method => :anonymous },
+                 search_bind_verification_skip: false,
+                 encryption: false)
+    @host = host
+    @port = port
+    @base_dn = base_dn
+    @attr = attr
+    @scope_src = scope
+    @filter_src = filter
+    @search_bind_auth = search_bind_auth
+    @search_bind_verification_skip = search_bind_verification_skip
+    @encryption = encryption
+  end
+
+  def start
+    scheme = @encryption ? 'ldaps' : 'ldap'
+    @logger.info("LDAP pass-source: #{scheme}://#{@host}:#{@port}/#{@base_dn}?#{@attr}?#{@scope_src}?#{@filter_src}")
+
+    case (@scope_src)
+    when 'base'
+      @scope = Net::LDAP::SearchScope_BaseObject
+    when 'one'
+      @scope = Net::LDAP::SearchScope_SingleLevel
+    when 'sub'
+      @scope = Net::LDAP::SearchScope_WholeSubtree
+    else
+      raise "unknown ldap search scope: #{@scope_src}"
+    end
+
+    if (@filter_src) then
+      filter = Net::LDAP::Filter.construct(@filter_src)
+      @filter_factory = proc{|username|
+        Net::LDAP::Filter.eq(@attr, username) & filter
+      }
+    else
+      @filter_factory = proc{|username|
+        Net::LDAP::Filter.eq(@attr, username)
+      }
+    end
+  end
+
+  def raw_password?
+    false
+  end
+
+  def ldap_open
+    options = { host: @host, port: @port }
+    if (@search_bind_verification_skip) then
+      options[:auth] = @search_bind_auth
+    end
+    if (@encryption) then
+      options[:encryption] = :simple_tls
+    end
+
+    Net::LDAP.open(options) {|ldap|
+      unless (@search_bind_verification_skip) then
+        # implicit bind of Net::LDAP.open has no error handling.
+        # explicit 2nd bind is required to check bind error.
+        if (@logger.debug?) then
+          auth = @search_bind_auth.dup
+          auth.delete(:password)
+          @logger.debug("LDAP bind: #{auth.inspect}")
+        end
+        ldap.bind(@search_bind_auth) or raise "failed to bind to search: #{ldap.get_operation_result}"
+        @logger.debug("LDAP bind OK")
+      end
+
+      yield(ldap)
+    }
+  end
+  private :ldap_open
+
+  def search(ldap, username)
+    user_filter = @filter_factory.call(username)
+    @logger.debug("LDAP search #{@base_dn} #{@attr} #{@scope} #{user_filter}") if @logger.debug?
+    if (users = ldap.search(base: @base_dn, attributes: [ @attr ], scope: @scope, filter: user_filter)) then
+      unless (users.empty?) then
+        user_dn = users.first.dn
+        @logger.info("found a LDAP user: #{user_dn}")
+        return user_dn
+      else
+        @logger.debug("LDAP search result: not found") if @logger.debug?
+      end
+    else
+      @logger.debug("LDAP search result: no entries") if @logger.debug?
+    end
+
+    nil
+  end
+  private :search
+
+  def user?(username)
+    ldap_open{|ldap|
+      if (search(ldap, username)) then
+        true
+      else
+        false
+      end
+    }
+  end
+
+  def compare_password(username, password)
+    ldap_open{|ldap|
+      if (user_dn = search(ldap, username)) then
+        if (ldap.bind(method: :simple, username: user_dn, password: password)) then
+          true
+        else
+          false
+        end
+      end
+    }
+  end
+
+  class << self
+    def uri_decode(string)
+      string.gsub(/%(\h)(\h)/) { [$&[1, 2].hex].pack('C') }.force_encoding(string.encoding)
+    end
+
+    def parse_uri(uri_string)
+      ldap_params = {}
+
+      ldap_uri = URI.parse(uri_string)
+      case (ldap_uri)
+      when URI::LDAPS
+        ldap_params[:encryption] = true
+      when URI::LDAP
+        # OK
+      else
+        raise "not a LDAP URI: #{uri_string}"
+      end
+
+      ldap_params[:host] = ldap_uri.host || 'localhost'
+      ldap_params[:port] = ldap_uri.port or raise "required LDAP port: #{uri_string}"
+      ldap_params[:base_dn] = uri_decode(ldap_uri.dn) if (ldap_uri.dn && ! ldap_uri.dn.empty?)
+      ldap_params[:attribute] = uri_decode(ldap_uri.attributes) if ldap_uri.attributes
+      ldap_params[:scope] = uri_decode(ldap_uri.scope) if ldap_uri.scope
+      ldap_params[:filter] = uri_decode(ldap_uri.filter) if ldap_uri.filter
+
+      ldap_params
+    end
+
+    # configuration entries:
+    # * <tt>"ldap_uri"</tt>
+    # * <tt>"base_dn"</tt>
+    # * <tt>"attribute"</tt>
+    # * <tt>"scope"</tt>
+    # * <tt>"filter"</tt>
+    # * <tt>"search_bind_auth"</tt>
+    #     * <tt>"method"</tt>
+    #     * <tt>"username"</tt>
+    #     * <tt>"password"</tt>
+    # * <tt>"search_bind_verification_skip"</tt>
+    #
+    def build_from_conf(config)
+      unless (config.key? 'ldap_uri') then
+        raise 'required ldap_uri parameter at LDAP pass-source configuration.'
+      end
+      ldap_params = parse_uri(config['ldap_uri'])
+      ldap_args = []
+
+      for name in [ :host, :port ]
+        value = ldap_params.delete(name) or raise "internal error: #{name}"
+        ldap_args << value
+      end
+
+      for name in [ :base_dn, :attribute ]
+        value = ldap_params.delete(name)
+        if (config.key? name.to_s) then
+          value = config[name.to_s]
+        end
+        unless (value) then
+          raise "required #{name} parameter at LDAP pass-source configuration."
+        end
+        ldap_args << value
+      end
+
+      for name in [ :scope, :filter, :search_bind_verification_skip ]
+        if (config.key? name.to_s) then
+          ldap_params[name] = config[name.to_s]
+        end
+      end
+
+      if (config.key? 'search_bind_auth') then
+        case (config['search_bind_auth']['method'])
+        when 'anonymous'
+          auth = { method: :anonymous }
+        when 'simple'
+          auth = { method: :simple }
+          auth[:username] = config['search_bind_auth']['username'] or raise 'required serach bind username at LDAP pass-source configuration.'
+          auth[:password] = config['search_bind_auth']['password'] or raise 'required search bind password at LDAP pass-source configuration.'
+        else
+          raise "unknown or unsupported bind method type: #{config['search_bind_auth'].inspect}"
+        end
+        ldap_params[:search_bind_auth] = auth
+      end
+
+      self.new(*ldap_args, **ldap_params)
+    end
+  end
+
+  RIMS::Authentication.add_plug_in('ldap', self)
+end
+
+# Local Variables:
+# mode: Ruby
+# indent-tabs-mode: nil
+# End:

data/lib/rims/passwd/ldap/version.rb

@@ -0,0 +1,10 @@
+#-*-  coding: utf-8 -*-
+
+module RIMS
+  Password_LDAPSource_VERSION = '0.0.1'
+end
+
+# Local Variables:
+# mode: Ruby
+# indent-tabs-mode: nil
+# End:

data/rims-passwd-ldap.gemspec

@@ -0,0 +1,36 @@
+#-*-  coding: utf-8 -*-
+
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'rims/passwd/ldap/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "rims-passwd-ldap"
+  spec.version       = RIMS::Password_LDAPSource_VERSION
+  spec.authors       = ["TOKI Yoshinori"]
+  spec.email         = ["toki@freedom.ne.jp"]
+  spec.summary       = %q{RIMS password source plug-in for LDAP authentication}
+  spec.description   = <<-'EOF'
+    RIMS password source plug-in for LDAP authentication.
+    By introducing this plug-in, RIMS IMAP server will be able to
+    authenticate users with LDAP.
+  EOF
+  spec.homepage      = "https://github.com/y10k/rims-passwd-ldap"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency "rims", ">= 0.2.0"
+  spec.add_runtime_dependency "net-ldap"
+  spec.add_development_dependency "bundler", "~> 1.7"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "test-unit"
+end
+
+# Local Variables:
+# mode: Ruby
+# indent-tabs-mode: nil
+# End:

data/test/test_passwd_ldap.rb

@@ -0,0 +1,614 @@
+# -*- coding: utf-8 -*-
+
+require 'json'
+require 'logger'
+require 'net/ldap'
+require 'pp' if $DEBUG
+require 'rims/passwd/ldap'
+require 'test/unit'
+require 'uri'
+require 'yaml'
+
+module RIMS::Password::LDAPSource::Test
+  module LDAPExample
+    DOCKER = ENV['DOCKER_COMMAND'] || 'docker'
+    AUTH = YAML.load_file(File.join(File.dirname(__FILE__), '..', 'docker', 'build', 'auth.yml'))
+    CONTAINER = YAML.load_file(File.join(File.dirname(__FILE__), '..', 'docker', 'container.yml'))
+    HOST = (ENV.key? 'DOCKER_HOST') ? URI(ENV['DOCKER_HOST']).host : 'localhost'
+    conf = JSON.parse(`#{DOCKER} inspect #{CONTAINER['name']}`)
+    exposed_port = conf[0]['Config']['ExposedPorts'].keys.first
+    published_port = Integer(conf[0]['NetworkSettings']['Ports'][exposed_port][0]['HostPort'])
+    PORT = published_port
+    USERS = YAML.load_file(File.join(File.dirname(__FILE__), '..', 'docker', 'users.yml'))
+    SEARCH = USERS['support'].find{|role| role['cn'] == 'search' }
+    SEARCH_USER = "cn=#{SEARCH['cn']},ou=support,o=science,dc=nodomain"
+    SEARCH_PASS = SEARCH['userPassword']
+  end
+
+  module LDAPSourceTestMethod
+    include LDAPExample
+
+    def setup
+      @logger = Logger.new(STDOUT)
+      @logger.level = ($DEBUG) ? Logger::DEBUG : Logger::FATAL
+      @search_bind_verification_skip = false
+      @search_bind_auth = {
+        method: :simple,
+        username: SEARCH_USER,
+        password: SEARCH_PASS
+      }
+    end
+
+    def open_ldap_src(ldap_uri, search_bind_auth: @search_bind_auth)
+      ldap_uri = URI.parse(ldap_uri)
+
+      host = ldap_uri.host
+      port = ldap_uri.port
+      base_dn = ldap_uri.dn
+      attr = ldap_uri.attributes
+
+      optional = {}
+      optional[:scope] = ldap_uri.scope if ldap_uri.scope
+      optional[:filter] = ldap_uri.filter if ldap_uri.filter
+      optional[:search_bind_auth] = search_bind_auth if search_bind_auth
+      optional[:search_bind_verification_skip] = @search_bind_verification_skip
+      case (ldap_uri.scheme)
+      when 'ldap'
+        # ok
+      when 'ldaps'
+        optional[:encryption] = true
+      else
+        raise "unknown URI scheme: #{ldap_uri}"
+      end
+
+      ldap_src = RIMS::Password::LDAPSource.new(host, port, base_dn, attr, **optional)
+      ldap_src.logger = @logger
+
+      ldap_src.start
+      begin
+        yield(ldap_src)
+      ensure
+        ldap_src.stop
+      end
+    end
+    private :open_ldap_src
+
+    def test_raw_password?
+      open_ldap_src("ldap://#{HOST}:#{PORT}/ou=user,o=science,dc=nodomain?uid") {|ldap_src|
+        assert_false(ldap_src.raw_password?)
+      }
+    end
+
+    def test_users
+      open_ldap_src("ldap://#{HOST}:#{PORT}/ou=user,o=science,dc=nodomain?uid") {|ldap_src|
+        for user in USERS['user']
+          assert_true((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_true(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+      }
+    end
+
+    def test_users_wrong_password
+      open_ldap_src("ldap://#{HOST}:#{PORT}/ou=user,o=science,dc=nodomain?uid") {|ldap_src|
+        for user in USERS['user']
+          assert_true((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_false(ldap_src.compare_password(user['uid'], 'invalid_pass'), "uid: #{user.inspect}")
+        end
+      }
+    end
+
+    def test_users_wrong_base_dn
+      open_ldap_src("ldap://#{HOST}:#{PORT}/o=science,dc=nodomain?uid") {|ldap_src|
+        for user in USERS['user']
+          assert_false((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_nil(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+      }
+
+      open_ldap_src("ldap://#{HOST}:#{PORT}/o=no_org,dc=nodomain?uid") {|ldap_src|
+        for user in USERS['user']
+          assert_false((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_nil(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+      }
+    end
+
+    def test_users_scope_base
+      open_ldap_src("ldap://#{HOST}:#{PORT}/ou=user,o=science,dc=nodomain?uid?base") {|ldap_src|
+        for user in USERS['user']
+          assert_false((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_nil(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+      }
+
+      for user in USERS['user']
+        open_ldap_src("ldap://#{HOST}:#{PORT}/uid=#{user['uid']},ou=user,o=science,dc=nodomain?uid?base") {|ldap_src|
+          assert_true((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_true(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        }
+      end
+    end
+
+    def test_users_scope_one
+      open_ldap_src("ldap://#{HOST}:#{PORT}/ou=user,o=science,dc=nodomain?uid?one") {|ldap_src|
+        for user in USERS['user']
+          assert_true((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_true(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+      }
+
+      for user in USERS['user']
+        open_ldap_src("ldap://#{HOST}:#{PORT}/uid=#{user['uid']},ou=user,o=science,dc=nodomain?uid?one") {|ldap_src|
+          assert_false((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_nil(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        }
+      end
+    end
+
+    def test_users_scope_sub
+      open_ldap_src("ldap://#{HOST}:#{PORT}/ou=user,o=science,dc=nodomain?uid?sub") {|ldap_src|
+        for user in USERS['user']
+          assert_true((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_true(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+      }
+
+      for user in USERS['user']
+        open_ldap_src("ldap://#{HOST}:#{PORT}/uid=#{user['uid']},ou=user,o=science,dc=nodomain?uid?sub") {|ldap_src|
+          assert_true((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_true(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        }
+      end
+    end
+
+    def test_users_scope_invalid_error
+      assert_raise(RuntimeError) {
+        open_ldap_src("ldap://#{HOST}:#{PORT}/ou=user,o=science,dc=nodomain?uid?unknown") {|ldap_src|
+          flunk
+        }
+      }
+    end
+
+    def test_users_filter_physics
+      open_ldap_src("ldap://#{HOST}:#{PORT}/ou=user,o=science,dc=nodomain?uid??(memberOf=cn=physics,ou=group,o=science,dc=nodomain)") {|ldap_src|
+        for user in USERS['user'].find_all{|user| user['group'] == 'physics' }
+          assert_true((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_true(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+        for user in USERS['user'].find_all{|user| user['group'] != 'physics' }
+          assert_false((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_nil(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+      }
+    end
+
+    def test_users_filter_mathematics
+      open_ldap_src("ldap://#{HOST}:#{PORT}/ou=user,o=science,dc=nodomain?uid??(memberOf=cn=mathmatics,ou=group,o=science,dc=nodomain)") {|ldap_src|
+        for user in USERS['user'].find_all{|user| user['group'] == 'mathmatics' }
+          assert_true((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_true(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+        for user in USERS['user'].find_all{|user| user['group'] != 'mathmatics' }
+          assert_false((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_nil(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+      }
+    end
+
+    def test_users_filter_invalid
+      assert_raise(Net::LDAP::FilterSyntaxInvalidError) {
+        open_ldap_src("ldap://#{HOST}:#{PORT}/ou=user,o=science,dc=nodomain?uid??unknown") {|ldap_src|
+          flunk
+        }
+      }
+    end
+  end
+
+  class LDAPSourceTest < Test::Unit::TestCase
+    include LDAPSourceTestMethod
+
+    def test_wrong_search_bind
+      auth = {
+        method: :simple,
+        username: 'no_dn',
+        password: ''
+      }
+      assert_raise(RuntimeError) {
+        open_ldap_src("ldap://#{HOST}:#{PORT}/ou=user,o=science,dc=nodomain?uid", search_bind_auth: auth) {|ldap_src|
+          ldap_src.user? 'foo'    # to bind
+          flunk
+        }
+      }
+
+      auth = {
+        method: :simple,
+        username: 'cn=no_role,ou=support,o=science,dc=nodomain',
+        password: 'open_sesame'
+      }
+      assert_raise(RuntimeError) {
+        open_ldap_src("ldap://#{HOST}:#{PORT}/ou=user,o=science,dc=nodomain?uid", search_bind_auth: auth) {|ldap_src|
+          ldap_src.user? 'foo'    # to bind
+          flunk
+        }
+      }
+
+      auth = {
+        method: :simple,
+        username: "cn=#{SEARCH['cn']},ou=support,o=science,dc=nodomain",
+        password: 'invalid_pass'
+      }
+      assert_raise(RuntimeError) {
+        open_ldap_src("ldap://#{HOST}:#{PORT}/ou=user,o=science,dc=nodomain?uid", search_bind_auth: auth) {|ldap_src|
+          ldap_src.user? 'foo'    # to bind
+          flunk
+        }
+      }
+    end
+  end
+
+  class LDAPSourceSearchBindVerificationSkipTest < Test::Unit::TestCase
+    include LDAPSourceTestMethod
+
+    def setup
+      super
+      @search_bind_verification_skip = true
+    end
+
+    def test_wrong_search_bind_no_error
+      auth = {
+        method: :simple,
+        username: 'no_dn',
+        password: ''
+      }
+      #assert_raise(RuntimeError) {
+        open_ldap_src("ldap://#{HOST}:#{PORT}/ou=user,o=science,dc=nodomain?uid", search_bind_auth: auth) {|ldap_src|
+          ldap_src.user? 'foo'    # to bind
+          #flunk
+        }
+      #}
+
+      auth = {
+        method: :simple,
+        username: 'cn=no_role,ou=support,o=science,dc=nodomain',
+        password: 'open_sesame'
+      }
+      #assert_raise(RuntimeError) {
+        open_ldap_src("ldap://#{HOST}:#{PORT}/ou=user,o=science,dc=nodomain?uid", search_bind_auth: auth) {|ldap_src|
+          ldap_src.user? 'foo'    # to bind
+          #flunk
+        }
+      #}
+
+      auth = {
+        method: :simple,
+        username: "cn=#{SEARCH['cn']},ou=support,o=science,dc=nodomain",
+        password: 'invalid_pass'
+      }
+      #assert_raise(RuntimeError) {
+        open_ldap_src("ldap://#{HOST}:#{PORT}/ou=user,o=science,dc=nodomain?uid", search_bind_auth: auth) {|ldap_src|
+          ldap_src.user? 'foo'    # to bind
+          #flunk
+        }
+      #}
+    end
+  end
+
+  class LDAPSourceConfigTest < Test::Unit::TestCase
+    include LDAPExample
+
+    def assert_decode_uri(expected_string, src_string)
+      assert_equal(expected_string, RIMS::Password::LDAPSource.uri_decode(src_string))
+    end
+    private :assert_decode_uri
+
+    def test_uri_decode
+      assert_decode_uri('ou=user,o=science,dc=nodomain', 'ou=user,o=science,dc=nodomain')
+      assert_decode_uri('(cn=Albert Einstein)', '(cn=Albert%20Einstein)')
+      assert_decode_uri('(&(cn=Albert Einstein)(memberOf=cn=physics,ou=group,o=science,dc=nodomain))',
+                        '(%26(cn=Albert%20Einstein)(memberOf=cn=physics%2cou=group%2co=science%2cdc=nodomain))')
+      assert_decode_uri('+', '+')
+    end
+
+    def assert_parse_uri(expected_ldap_params, ldap_uri)
+      assert_equal(expected_ldap_params, RIMS::Password::LDAPSource.parse_uri(ldap_uri))
+    end
+    private :assert_parse_uri
+
+    def test_parse_uri
+      assert_parse_uri({ host: 'localhost', port: 389 }, 'ldap:///')
+      assert_parse_uri({ host: 'localhost', port: 636, encryption: true }, 'ldaps://')
+      assert_parse_uri({ host: 'mydomain', port: 389 }, 'ldap://mydomain')
+      assert_parse_uri({ host: 'mydomain', port: 38900 }, 'ldap://mydomain:38900')
+      assert_parse_uri({ host: 'mydomain',
+                         port: 389,
+                         base_dn: 'ou=user,o=science,dc=nodomain'
+                       }, 'ldap://mydomain/ou=user,o=science,dc=nodomain')
+      assert_parse_uri({ host: 'mydomain',
+                         port: 389,
+                         base_dn: 'ou=user, o=science, dc=nodomain'
+                       }, 'ldap://mydomain/ou=user,%20o=science,%20dc=nodomain')
+      assert_parse_uri({ host: 'mydomain', port: 389, attribute: 'uid' }, 'ldap://mydomain/?uid')
+      assert_parse_uri({ host: 'mydomain', port: 389, attribute: '?foo' }, 'ldap://mydomain/?%3ffoo')
+      assert_parse_uri({ host: 'mydomain', port: 389, scope: 'base' }, 'ldap://mydomain/??base')
+      assert_parse_uri({ host: 'mydomain', port: 389, scope: 'one' }, 'ldap://mydomain/??one')
+      assert_parse_uri({ host: 'mydomain', port: 389, scope: 'sub' }, 'ldap://mydomain/??sub')
+      assert_parse_uri({ host: 'mydomain', port: 389, filter: '(uid=einstein)' }, 'ldap://mydomain/???(uid=einstein)')
+      assert_parse_uri({ host: 'mydomain', port: 389, filter: '(cn=Albert Einstein)' }, 'ldap://mydomain/???(cn=Albert%20Einstein)')
+      assert_parse_uri({ host: 'mydomain',
+                         port: 6360,
+                         encryption: true,
+                         base_dn: 'ou=user,o=science,dc=nodomain',
+                         attribute: 'uid',
+                         scope: 'base',
+                         filter: '(uid=einstein)'
+                       }, 'ldaps://mydomain:6360/ou=user,o=science,dc=nodomain?uid?base?(uid=einstein)')
+    end
+
+    def build_from_conf(config)
+      ldap_src = RIMS::Password::LDAPSource.build_from_conf(config)
+
+      logger = Logger.new(STDOUT)
+      logger.level = ($DEBUG) ? Logger::DEBUG : Logger::FATAL
+      ldap_src.logger = logger
+
+      ldap_src.start
+      begin
+        yield(ldap_src)
+      ensure
+        ldap_src.stop
+      end
+    end
+    private :build_from_conf
+
+    def test_build_from_conf
+      c = {
+        'ldap_uri' => "ldap://#{HOST}:#{PORT}",
+        'base_dn' => 'ou=user,o=science,dc=nodomain',
+        'attribute' => 'uid',
+        'scope' => 'one',
+        'filter' => '(memberOf=cn=physics,ou=group,o=science,dc=nodomain)',
+        'search_bind_auth' => {
+          'method' => 'simple',
+          'username' => SEARCH_USER,
+          'password' => SEARCH_PASS
+        },
+        'search_bind_verification_skip' => false
+      }
+      build_from_conf(c) {|ldap_src|
+        for user in USERS['user'].find_all{|user| user['group'] == 'physics' }
+          assert_true((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_true(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+        for user in USERS['user'].find_all{|user| user['group'] != 'physics' }
+          assert_false((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_nil(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+      }
+    end
+
+    def test_build_from_conf_ldap_uri
+      c = {
+        'ldap_uri' => "ldap://#{HOST}:#{PORT}/ou=user,o=science,dc=nodomain?uid?one?(memberOf=cn=physics,ou=group,o=science,dc=nodomain)",
+        'search_bind_auth' => {
+          'method' => 'simple',
+          'username' => SEARCH_USER,
+          'password' => SEARCH_PASS
+        },
+        'search_bind_verification_skip' => false
+      }
+      build_from_conf(c) {|ldap_src|
+        for user in USERS['user'].find_all{|user| user['group'] == 'physics' }
+          assert_true((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_true(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+        for user in USERS['user'].find_all{|user| user['group'] != 'physics' }
+          assert_false((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_nil(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+      }
+    end
+
+    def test_build_from_conf_error_no_ldap_uri
+      c = {
+        #'ldap_uri' => "ldap://#{HOST}:#{PORT}",
+        'base_dn' => 'ou=user,o=science,dc=nodomain',
+        'attribute' => 'uid',
+        'scope' => 'one',
+        'filter' => '(memberOf=cn=physics,ou=group,o=science,dc=nodomain)',
+        'search_bind_auth' => {
+          'method' => 'simple',
+          'username' => SEARCH_USER,
+          'password' => SEARCH_PASS
+        },
+        'search_bind_verification_skip' => false
+      }
+      assert_raise(RuntimeError) {
+        build_from_conf(c) {|ldap_src|
+          flunk
+        }
+      }
+    end
+
+    def test_build_from_conf_error_no_base_dn
+      c = {
+        'ldap_uri' => "ldap://#{HOST}:#{PORT}",
+        #'base_dn' => 'ou=user,o=science,dc=nodomain',
+        'attribute' => 'uid',
+        'scope' => 'one',
+        'filter' => '(memberOf=cn=physics,ou=group,o=science,dc=nodomain)',
+        'search_bind_auth' => {
+          'method' => 'simple',
+          'username' => SEARCH_USER,
+          'password' => SEARCH_PASS
+        },
+        'search_bind_verification_skip' => false
+      }
+      assert_raise(RuntimeError) {
+        build_from_conf(c) {|ldap_src|
+          flunk
+        }
+      }
+    end
+
+    def test_build_from_conf_error_no_attribute
+      c = {
+        'ldap_uri' => "ldap://#{HOST}:#{PORT}",
+        'base_dn' => 'ou=user,o=science,dc=nodomain',
+        #'attribute' => 'uid',
+        'scope' => 'one',
+        'filter' => '(memberOf=cn=physics,ou=group,o=science,dc=nodomain)',
+        'search_bind_auth' => {
+          'method' => 'simple',
+          'username' => SEARCH_USER,
+          'password' => SEARCH_PASS
+        },
+        'search_bind_verification_skip' => false
+      }
+      assert_raise(RuntimeError) {
+        build_from_conf(c) {|ldap_src|
+          flunk
+        }
+      }
+    end
+
+    def test_build_from_conf_scope_default
+      c = {
+        'ldap_uri' => "ldap://#{HOST}:#{PORT}",
+        'base_dn' => 'ou=user,o=science,dc=nodomain',
+        'attribute' => 'uid',
+        #'scope' => 'one',
+        'filter' => '(memberOf=cn=physics,ou=group,o=science,dc=nodomain)',
+        'search_bind_auth' => {
+          'method' => 'simple',
+          'username' => SEARCH_USER,
+          'password' => SEARCH_PASS
+        },
+        'search_bind_verification_skip' => false
+      }
+      build_from_conf(c) {|ldap_src|
+        for user in USERS['user'].find_all{|user| user['group'] == 'physics' }
+          assert_true((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_true(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+        for user in USERS['user'].find_all{|user| user['group'] != 'physics' }
+          assert_false((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_nil(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+      }
+    end
+
+    def test_build_from_conf_no_filter
+      c = {
+        'ldap_uri' => "ldap://#{HOST}:#{PORT}",
+        'base_dn' => 'ou=user,o=science,dc=nodomain',
+        'attribute' => 'uid',
+        'scope' => 'one',
+        #'filter' => '(memberOf=cn=physics,ou=group,o=science,dc=nodomain)',
+        'search_bind_auth' => {
+          'method' => 'simple',
+          'username' => SEARCH_USER,
+          'password' => SEARCH_PASS
+        },
+        'search_bind_verification_skip' => false
+      }
+      build_from_conf(c) {|ldap_src|
+        for user in USERS['user']
+          assert_true((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_true(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+      }
+    end
+
+    def test_build_from_conf_search_bind_verification_skip_default
+      c = {
+        'ldap_uri' => "ldap://#{HOST}:#{PORT}",
+        'base_dn' => 'ou=user,o=science,dc=nodomain',
+        'attribute' => 'uid',
+        'scope' => 'one',
+        'filter' => '(memberOf=cn=physics,ou=group,o=science,dc=nodomain)',
+        'search_bind_auth' => {
+          'method' => 'simple',
+          'username' => SEARCH_USER,
+          'password' => SEARCH_PASS
+        },
+        #'search_bind_verification_skip' => false
+      }
+      build_from_conf(c) {|ldap_src|
+        for user in USERS['user'].find_all{|user| user['group'] == 'physics' }
+          assert_true((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_true(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+        for user in USERS['user'].find_all{|user| user['group'] != 'physics' }
+          assert_false((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_nil(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+      }
+    end
+
+    def test_build_from_conf_search_bind_verification_skip_enabled
+      c = {
+        'ldap_uri' => "ldap://#{HOST}:#{PORT}",
+        'base_dn' => 'ou=user,o=science,dc=nodomain',
+        'attribute' => 'uid',
+        'scope' => 'one',
+        'filter' => '(memberOf=cn=physics,ou=group,o=science,dc=nodomain)',
+        'search_bind_auth' => {
+          'method' => 'simple',
+          'username' => SEARCH_USER,
+          'password' => SEARCH_PASS
+        },
+        'search_bind_verification_skip' => true
+      }
+      build_from_conf(c) {|ldap_src|
+        for user in USERS['user'].find_all{|user| user['group'] == 'physics' }
+          assert_true((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_true(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+        for user in USERS['user'].find_all{|user| user['group'] != 'physics' }
+          assert_false((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_nil(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+      }
+    end
+
+    def test_build_from_conf_search_bind_auth_default_anonymous
+      c = {
+        'ldap_uri' => "ldap://#{HOST}:#{PORT}",
+        'base_dn' => 'ou=user,o=science,dc=nodomain',
+        'attribute' => 'uid',
+        'scope' => 'one',
+        'filter' => '(memberOf=cn=physics,ou=group,o=science,dc=nodomain)',
+        'search_bind_verification_skip' => false
+      }
+      build_from_conf(c) {|ldap_src|
+        for user in USERS['user']
+          assert_false((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_nil(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+      }
+    end
+
+    def test_build_from_conf_search_bind_auth_explicit_anonymous
+      c = {
+        'ldap_uri' => "ldap://#{HOST}:#{PORT}",
+        'base_dn' => 'ou=user,o=science,dc=nodomain',
+        'attribute' => 'uid',
+        'scope' => 'one',
+        'filter' => '(memberOf=cn=physics,ou=group,o=science,dc=nodomain)',
+        'search_bind_auth' => { 'method' => 'anonymous' },
+        'search_bind_verification_skip' => false
+      }
+      build_from_conf(c) {|ldap_src|
+        for user in USERS['user']
+          assert_false((ldap_src.user? user['uid']), "uid: #{user.inspect}")
+          assert_nil(ldap_src.compare_password(user['uid'], user['userPassword']), "uid: #{user.inspect}")
+        end
+      }
+    end
+  end
+end
+
+# Local Variables:
+# mode: Ruby
+# indent-tabs-mode: nil
+# End: