rims-passwd-ldap 0.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.gitignore +14 -0
- data/Gemfile +11 -0
- data/LICENSE.txt +22 -0
- data/README.md +54 -0
- data/Rakefile +52 -0
- data/docker/Rakefile +382 -0
- data/docker/build/Dockerfile +21 -0
- data/docker/build/auth.yml +1 -0
- data/docker/build/modconf.ldif +16 -0
- data/docker/container.yml +3 -0
- data/docker/users.yml +44 -0
- data/lib/rims/passwd/ldap.rb +223 -0
- data/lib/rims/passwd/ldap/version.rb +10 -0
- data/rims-passwd-ldap.gemspec +36 -0
- data/test/test_passwd_ldap.rb +614 -0
- metadata +132 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: c8a4a2fe99b941f01a670ea925ca3f7f365f04607d3b459c1e1ebd427059aaed
|
4
|
+
data.tar.gz: b80e434c472500706151588e93e8db1a041b6d3899b38054567f48f390bcc68c
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 2bc92fe90f1440e75b8aa6cc368a7a9aecc5c0b85206d325f8e89357493d31fb86bf215d49f7fbf6b3dbb3d4a32cdd36dde38823c3d4b9ac217f967616f6ecf4
|
7
|
+
data.tar.gz: 39bc750dd4f65f1c5804cde8269c710330a99ccfdc9f43cc82b431842f415300755121920d86857ae2c8465570dae8bf944a4f240f3acaaaefe61a273939d25c
|
data/.gitignore
ADDED
data/Gemfile
ADDED
data/LICENSE.txt
ADDED
@@ -0,0 +1,22 @@
|
|
1
|
+
Copyright (c) 2015-2016 TOKI Yoshinori
|
2
|
+
|
3
|
+
MIT License
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
6
|
+
a copy of this software and associated documentation files (the
|
7
|
+
"Software"), to deal in the Software without restriction, including
|
8
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
9
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
10
|
+
permit persons to whom the Software is furnished to do so, subject to
|
11
|
+
the following conditions:
|
12
|
+
|
13
|
+
The above copyright notice and this permission notice shall be
|
14
|
+
included in all copies or substantial portions of the Software.
|
15
|
+
|
16
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
17
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
18
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
19
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
20
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
21
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
22
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
ADDED
@@ -0,0 +1,54 @@
|
|
1
|
+
RIMS::Password::LDAPSource
|
2
|
+
==========================
|
3
|
+
|
4
|
+
RIMS password source plug-in for LDAP authentication.
|
5
|
+
By introducing this plug-in, RIMS IMAP server will be able to
|
6
|
+
authenticate users with LDAP.
|
7
|
+
|
8
|
+
Installation
|
9
|
+
------------
|
10
|
+
|
11
|
+
Add this line to your application's Gemfile that includes RIMS:
|
12
|
+
|
13
|
+
```ruby
|
14
|
+
gem 'rims-passwd-ldap'
|
15
|
+
```
|
16
|
+
|
17
|
+
And then execute:
|
18
|
+
|
19
|
+
$ bundle
|
20
|
+
|
21
|
+
Or install it yourself as:
|
22
|
+
|
23
|
+
$ gem install rims-passwd-ldap
|
24
|
+
|
25
|
+
Usage
|
26
|
+
-----
|
27
|
+
|
28
|
+
Add these lines to your config.yml of RIMS:
|
29
|
+
|
30
|
+
```yaml
|
31
|
+
load_libraries:
|
32
|
+
- rims/passwd/ldap
|
33
|
+
authentication:
|
34
|
+
- plug_in: ldap
|
35
|
+
configuration:
|
36
|
+
ldap_uri: ldap://localhost:38900 # hostname and port, `ldaps' for tls (not tested)
|
37
|
+
base_dn: ou=user,o=science,dc=nodomain # base distingished name to search a user
|
38
|
+
attribute: uid # attribute matched to username
|
39
|
+
scope: sub # search scope from base dn. `base', `one', or `sub'
|
40
|
+
filter: (memberOf=cn=physics,ou=group,o=science,dc=nodomain) # search filter
|
41
|
+
search_bind_auth:
|
42
|
+
method: simple
|
43
|
+
username: cn=search,ou=support,o=science,dc=nodomain # username to search a user
|
44
|
+
password: ******** # password to search a user
|
45
|
+
```
|
46
|
+
|
47
|
+
Contributing
|
48
|
+
------------
|
49
|
+
|
50
|
+
1. Fork it ( https://github.com/[my-github-username]/rims-passwd-ldap/fork )
|
51
|
+
2. Create your feature branch (`git checkout -b my-new-feature`)
|
52
|
+
3. Commit your changes (`git commit -am 'Add some feature'`)
|
53
|
+
4. Push to the branch (`git push origin my-new-feature`)
|
54
|
+
5. Create a new Pull Request
|
data/Rakefile
ADDED
@@ -0,0 +1,52 @@
|
|
1
|
+
# -*- coding: utf-8 -*-
|
2
|
+
|
3
|
+
require 'bundler/gem_tasks'
|
4
|
+
require 'rake/clean'
|
5
|
+
require 'rake/testtask'
|
6
|
+
require 'rdoc/task'
|
7
|
+
|
8
|
+
Rake::TestTask.new do |task|
|
9
|
+
if ((ENV.key? 'RUBY_DEBUG') && (! ENV['RUBY_DEBUG'].empty?)) then
|
10
|
+
task.ruby_opts << '-d'
|
11
|
+
end
|
12
|
+
end
|
13
|
+
|
14
|
+
Rake::RDocTask.new do |rd|
|
15
|
+
rd.rdoc_files.include('lib/**/*.rb')
|
16
|
+
end
|
17
|
+
|
18
|
+
desc 'Build README.html from markdown source.'
|
19
|
+
task :readme => %w[ README.html ]
|
20
|
+
|
21
|
+
file 'README.html' => [ 'README.md' ] do
|
22
|
+
sh "pandoc --from=markdown --to=html5 --standalone --self-contained --css=$HOME/.pandoc/github.css --output=README.html README.md"
|
23
|
+
end
|
24
|
+
CLOBBER.include 'README.html'
|
25
|
+
|
26
|
+
namespace :docker do
|
27
|
+
desc 'setup docker container for unit-test.'
|
28
|
+
task :setup do
|
29
|
+
chdir('docker') do
|
30
|
+
sh 'rake', 'setup'
|
31
|
+
end
|
32
|
+
end
|
33
|
+
|
34
|
+
desc 'reset docker container for unit-test.'
|
35
|
+
task :reset do
|
36
|
+
chdir('docker') do
|
37
|
+
sh 'rake', 'reset'
|
38
|
+
end
|
39
|
+
end
|
40
|
+
|
41
|
+
desc 'start docker container for unit-test.'
|
42
|
+
task :start do
|
43
|
+
chdir('docker') do
|
44
|
+
sh 'rake', 'docker:start'
|
45
|
+
end
|
46
|
+
end
|
47
|
+
end
|
48
|
+
|
49
|
+
# Local Variables:
|
50
|
+
# mode: Ruby
|
51
|
+
# indent-tabs-mode: nil
|
52
|
+
# End:
|
data/docker/Rakefile
ADDED
@@ -0,0 +1,382 @@
|
|
1
|
+
# -*- coding: utf-8 -*-
|
2
|
+
|
3
|
+
require 'json'
|
4
|
+
require 'pp'
|
5
|
+
require 'test/unit/assertions'
|
6
|
+
require 'uri'
|
7
|
+
require 'yaml'
|
8
|
+
|
9
|
+
include Test::Unit::Assertions
|
10
|
+
|
11
|
+
DOCKER = ENV['DOCKER_COMMAND'] || 'docker'
|
12
|
+
|
13
|
+
AUTH = YAML.load_file(File.join(File.dirname(__FILE__), 'build', 'auth.yml'))
|
14
|
+
CONTAINER = YAML.load_file(File.join(File.dirname(__FILE__), 'container.yml'))
|
15
|
+
|
16
|
+
NAME = CONTAINER['name']
|
17
|
+
IMAGE_REPOSITORY = CONTAINER['repository']
|
18
|
+
IMAGE_TAG = CONTAINER['tag']
|
19
|
+
|
20
|
+
DOCKER_INSPECT_CACHE = {}
|
21
|
+
|
22
|
+
def docker_inspect(name)
|
23
|
+
DOCKER_INSPECT_CACHE[name] ||= JSON.parse(`#{DOCKER} inspect #{name}`)
|
24
|
+
end
|
25
|
+
|
26
|
+
def get_exposed_port(name)
|
27
|
+
docker_inspect(name)[0]['Config']['ExposedPorts'].keys.first
|
28
|
+
end
|
29
|
+
|
30
|
+
def get_published_port(name)
|
31
|
+
Integer(docker_inspect(name)[0]['NetworkSettings']['Ports'][get_exposed_port(name)][0]['HostPort'])
|
32
|
+
end
|
33
|
+
|
34
|
+
def docker_exec_i(*cmd, input_string)
|
35
|
+
docker_cmd = [ DOCKER, 'exec', '-i', NAME ] + cmd
|
36
|
+
IO.popen(docker_cmd, 'w') {|stdin| stdin << input_string }
|
37
|
+
if ($?.exitstatus != 0) then
|
38
|
+
raise "FAILED: #{docker_cmd.join(' ')} <\n" + input_string
|
39
|
+
end
|
40
|
+
end
|
41
|
+
|
42
|
+
def load_users
|
43
|
+
YAML.load_file(File.join(File.dirname(__FILE__), 'users.yml'))
|
44
|
+
end
|
45
|
+
|
46
|
+
def ldap_anon
|
47
|
+
require 'net/ldap' # on-demand load
|
48
|
+
ldap_host = (ENV.key? 'DOCKER_HOST') ? URI(ENV['DOCKER_HOST']).host : 'localhost'
|
49
|
+
Net::LDAP.open(host: ldap_host, port: get_published_port(NAME)) {|ldap|
|
50
|
+
yield(ldap)
|
51
|
+
}
|
52
|
+
end
|
53
|
+
|
54
|
+
def ldap_open(username='cn=admin,dc=nodomain', password=AUTH['pass'], method=:simple)
|
55
|
+
ldap_anon{|ldap|
|
56
|
+
unless (ldap.bind(method: method, username: username, password: password)) then
|
57
|
+
p ldap.get_operation_result
|
58
|
+
raise 'failed to bind.'
|
59
|
+
end
|
60
|
+
yield(ldap)
|
61
|
+
}
|
62
|
+
end
|
63
|
+
|
64
|
+
def ldap_error(ldap)
|
65
|
+
pp ldap.get_operation_result
|
66
|
+
raise 'ldap fail.'
|
67
|
+
end
|
68
|
+
|
69
|
+
desc 'total setup'
|
70
|
+
task :setup => [ :'docker:setup', :wait, :'ldap:setup' ]
|
71
|
+
|
72
|
+
desc 'total reset'
|
73
|
+
task :reset => [ :'docker:reset', :wait, :'ldap:setup' ]
|
74
|
+
|
75
|
+
task :wait do
|
76
|
+
s = 10
|
77
|
+
puts "...wait #{s}s..."
|
78
|
+
sleep(s)
|
79
|
+
end
|
80
|
+
|
81
|
+
namespace :docker do
|
82
|
+
task :get_exposed_port do
|
83
|
+
p get_exposed_port(NAME)
|
84
|
+
end
|
85
|
+
|
86
|
+
task :get_published_port do
|
87
|
+
p get_published_port(NAME)
|
88
|
+
end
|
89
|
+
|
90
|
+
desc 'all setup'
|
91
|
+
task :setup => [ :build, :run ]
|
92
|
+
|
93
|
+
desc 'all destroy'
|
94
|
+
task :destroy => [ :stop, :rm, :rmi ]
|
95
|
+
|
96
|
+
desc 'reset running container'
|
97
|
+
task :reset => [ :stop, :rm, :run ]
|
98
|
+
|
99
|
+
desc 'build image'
|
100
|
+
task :build do
|
101
|
+
sh "#{DOCKER} build -t #{IMAGE_REPOSITORY}:#{IMAGE_TAG} build"
|
102
|
+
end
|
103
|
+
|
104
|
+
desc 'remove image'
|
105
|
+
task :rmi do
|
106
|
+
sh "#{DOCKER} rmi #{IMAGE_REPOSITORY}:#{IMAGE_TAG}"
|
107
|
+
end
|
108
|
+
|
109
|
+
desc 'run new container'
|
110
|
+
task :run do
|
111
|
+
sh "#{DOCKER} run --name=#{NAME} -itd -P #{IMAGE_REPOSITORY}:#{IMAGE_TAG}"
|
112
|
+
end
|
113
|
+
|
114
|
+
desc 'start container'
|
115
|
+
task :start do
|
116
|
+
sh "#{DOCKER} start #{NAME}"
|
117
|
+
end
|
118
|
+
|
119
|
+
desc 'stop container'
|
120
|
+
task :stop do
|
121
|
+
sh "#{DOCKER} stop #{NAME}"
|
122
|
+
end
|
123
|
+
|
124
|
+
desc 'remove container'
|
125
|
+
task :rm do
|
126
|
+
sh "#{DOCKER} rm #{NAME}"
|
127
|
+
end
|
128
|
+
|
129
|
+
desc 'show slapd configuration'
|
130
|
+
task :conf do
|
131
|
+
sh "#{DOCKER} exec #{NAME} slapcat -b cn=config"
|
132
|
+
end
|
133
|
+
|
134
|
+
desc 'tail slapd logging'
|
135
|
+
task :tail do
|
136
|
+
sh "#{DOCKER} exec #{NAME} tail -100f /var/log/syslog"
|
137
|
+
end
|
138
|
+
end
|
139
|
+
|
140
|
+
namespace :ldap do
|
141
|
+
desc 'setup example'
|
142
|
+
task :setup => [ :build, :'conf:acl' ]
|
143
|
+
|
144
|
+
desc 'dump example dit'
|
145
|
+
task :dump do
|
146
|
+
ldap_open{|ldap|
|
147
|
+
puts '* all'
|
148
|
+
pp ldap.search(base: 'dc=nodomain')
|
149
|
+
|
150
|
+
phys_filter = Net::LDAP::Filter.eq('memberOf', 'cn=physics,ou=group,o=science,dc=nodomain')
|
151
|
+
math_filter = Net::LDAP::Filter.eq('memberOf', 'cn=mathematics,ou=group,o=science,dc=nodomain')
|
152
|
+
|
153
|
+
for f in [ phys_filter, math_filter ]
|
154
|
+
puts "* filter: #{f}"
|
155
|
+
pp ldap.search(base: 'o=science,dc=nodomain', attributes: %w[ dn ], filter: f)
|
156
|
+
end
|
157
|
+
}
|
158
|
+
end
|
159
|
+
|
160
|
+
desc 'anonymous'
|
161
|
+
task :anonymous do
|
162
|
+
ldap_anon{|ldap|
|
163
|
+
puts '* all'
|
164
|
+
pp ldap.search(base: 'dc=nodomain')
|
165
|
+
pp ldap.search(base: 'o=science,dc=nodomain')
|
166
|
+
pp ldap.search(base: 'ou=user,o=science,dc=nodomain')
|
167
|
+
|
168
|
+
phys_filter = Net::LDAP::Filter.eq('memberOf', 'cn=physics,ou=group,o=science,dc=nodomain')
|
169
|
+
math_filter = Net::LDAP::Filter.eq('memberOf', 'cn=mathematics,ou=group,o=science,dc=nodomain')
|
170
|
+
|
171
|
+
for f in [ phys_filter, math_filter ]
|
172
|
+
puts "* filter: #{f}"
|
173
|
+
pp ldap.search(base: 'o=science,dc=nodomain', attributes: %w[ dn ], filter: f)
|
174
|
+
end
|
175
|
+
}
|
176
|
+
end
|
177
|
+
|
178
|
+
desc 'search dit'
|
179
|
+
task :search do
|
180
|
+
users = load_users
|
181
|
+
search = users['support'].find{|role| role['cn'] = 'search' }
|
182
|
+
search_dn = "cn=#{search['cn']},ou=support,o=science,dc=nodomain"
|
183
|
+
ldap_open(search_dn, search['userPassword']) {|ldap|
|
184
|
+
puts '* all'
|
185
|
+
pp ldap.search(base: 'dc=nodomain')
|
186
|
+
|
187
|
+
puts '* self'
|
188
|
+
pp ldap.search(base: search_dn)
|
189
|
+
|
190
|
+
phys_filter = Net::LDAP::Filter.eq('memberOf', 'cn=physics,ou=group,o=science,dc=nodomain')
|
191
|
+
math_filter = Net::LDAP::Filter.eq('memberOf', 'cn=mathematics,ou=group,o=science,dc=nodomain')
|
192
|
+
|
193
|
+
for f in [ phys_filter, math_filter ]
|
194
|
+
puts "* filter: #{f}"
|
195
|
+
pp ldap.search(base: 'ou=user,o=science,dc=nodomain', filter: f)
|
196
|
+
end
|
197
|
+
}
|
198
|
+
end
|
199
|
+
|
200
|
+
desc 'build exmaple dit'
|
201
|
+
task :build do
|
202
|
+
ldap_open{|ldap|
|
203
|
+
ldap.add(dn: 'o=science,dc=nodomain',
|
204
|
+
attributes: {
|
205
|
+
objectclass: 'organization'
|
206
|
+
}) or ldap_error(ldap)
|
207
|
+
ldap.add(dn: 'ou=support,o=science,dc=nodomain',
|
208
|
+
attributes: {
|
209
|
+
objectclass: 'organizationalUnit'
|
210
|
+
}) or ldap_error(ldap)
|
211
|
+
ldap.add(dn: 'ou=user,o=science,dc=nodomain',
|
212
|
+
attributes: {
|
213
|
+
objectclass: 'organizationalUnit'
|
214
|
+
}) or ldap_error(ldap)
|
215
|
+
ldap.add(dn: 'ou=group,o=science,dc=nodomain',
|
216
|
+
attributes: {
|
217
|
+
objectclass: 'organizationalUnit'
|
218
|
+
}) or ldap_error(ldap)
|
219
|
+
|
220
|
+
users = load_users
|
221
|
+
|
222
|
+
for role in users['support']
|
223
|
+
attrs = {}
|
224
|
+
for name, value in role
|
225
|
+
case (name)
|
226
|
+
when 'userPassword'
|
227
|
+
attrs[:userPassword] = Net::LDAP::Password.generate(:ssha, value)
|
228
|
+
else
|
229
|
+
attrs[name.to_sym] = value
|
230
|
+
end
|
231
|
+
end
|
232
|
+
attrs[:objectClass] = %w[ organizationalRole simpleSecurityObject ]
|
233
|
+
ldap.add(dn: "cn=#{role['cn']},ou=support,o=science,dc=nodomain",
|
234
|
+
attributes: attrs) or ldap_error(ldap)
|
235
|
+
end
|
236
|
+
|
237
|
+
for user in users['user']
|
238
|
+
attrs = {}
|
239
|
+
for name, value in user
|
240
|
+
case (name)
|
241
|
+
when 'userPassword'
|
242
|
+
attrs[:userPassword] = Net::LDAP::Password.generate(:ssha, value)
|
243
|
+
when 'group'
|
244
|
+
# skip
|
245
|
+
else
|
246
|
+
attrs[name.to_sym] = value
|
247
|
+
end
|
248
|
+
end
|
249
|
+
attrs[:objectclass] = 'inetOrgPerson'
|
250
|
+
ldap.add(dn: "uid=#{user['uid']},ou=user,o=science,dc=nodomain",
|
251
|
+
attributes: attrs) or ldap_error(ldap)
|
252
|
+
end
|
253
|
+
|
254
|
+
groups = {}
|
255
|
+
for user in users['user']
|
256
|
+
groups[user['group']] = [] unless (groups.key? user['group'])
|
257
|
+
groups[user['group']] << user['uid']
|
258
|
+
end
|
259
|
+
|
260
|
+
for name, members in groups
|
261
|
+
ldap.add(dn: "cn=#{name},ou=group,o=science,dc=nodomain",
|
262
|
+
attributes: {
|
263
|
+
cn: name,
|
264
|
+
objectclass: 'groupOfNames',
|
265
|
+
member: members.map{|uid| "uid=#{uid},ou=user,o=science,dc=nodomain" }
|
266
|
+
}) or ldap_error(ldap)
|
267
|
+
end
|
268
|
+
}
|
269
|
+
end
|
270
|
+
|
271
|
+
desc 'some tests'
|
272
|
+
task :test => [ :test_user_auth, :test_search_acl ]
|
273
|
+
|
274
|
+
task :test_user_auth do
|
275
|
+
ldap_anon{|ldap|
|
276
|
+
users = load_users
|
277
|
+
for role in users['support']
|
278
|
+
ldap.bind(method: :simple,
|
279
|
+
username: "cn=#{role['cn']},ou=support,o=science,dc=nodomain",
|
280
|
+
password: role['userPassword']) or ldap_error(ldap)
|
281
|
+
end
|
282
|
+
for user in users['user']
|
283
|
+
ldap.bind(method: :simple,
|
284
|
+
username: "uid=#{user['uid']},ou=user,o=science,dc=nodomain",
|
285
|
+
password: user['userPassword']) or ldap_error(ldap)
|
286
|
+
end
|
287
|
+
}
|
288
|
+
end
|
289
|
+
|
290
|
+
task :test_search_acl do
|
291
|
+
users = load_users
|
292
|
+
search = users['support'].find{|role| role['cn'] = 'search' }
|
293
|
+
search_dn = "cn=#{search['cn']},ou=support,o=science,dc=nodomain"
|
294
|
+
ldap_open(search_dn, search['userPassword']) {|ldap|
|
295
|
+
assert_nil(ldap.search(base: 'dc=nodomain'))
|
296
|
+
assert_nil(ldap.search(base: 'o=science,dc=nodomain'))
|
297
|
+
assert_nil(ldap.search(base: 'ou=support,o=science,dc=nodomain'))
|
298
|
+
assert_nil(ldap.search(base: search_dn))
|
299
|
+
|
300
|
+
assert(entry_list = ldap.search(base: 'ou=user,o=science,dc=nodomain',
|
301
|
+
scope: Net::LDAP::SearchScope_BaseObject))
|
302
|
+
assert(ou = entry_list.shift)
|
303
|
+
assert_equal(%w[ organizationalUnit ], ou[:objectClass])
|
304
|
+
assert_equal(%w[ user ], ou[:ou])
|
305
|
+
assert_equal([], ou[:userPassword])
|
306
|
+
assert_nil(entry_list.shift)
|
307
|
+
|
308
|
+
assert(entry_list = ldap.search(base: 'ou=user,o=science,dc=nodomain',
|
309
|
+
scope: Net::LDAP::SearchScope_WholeSubtree,
|
310
|
+
filter: Net::LDAP::Filter.eq('objectClass', 'inetOrgPerson')))
|
311
|
+
assert_equal(users['user'].length, entry_list.length)
|
312
|
+
for person in entry_list
|
313
|
+
assert_equal(%w[ inetOrgPerson ], person[:objectClass])
|
314
|
+
for uid in person[:uid]
|
315
|
+
assert(users['user'].find{|user| user['uid'] == uid })
|
316
|
+
end
|
317
|
+
assert_equal([], person[:userPassword])
|
318
|
+
end
|
319
|
+
}
|
320
|
+
end
|
321
|
+
end
|
322
|
+
|
323
|
+
namespace :conf do
|
324
|
+
desc 'setup slapd ACL'
|
325
|
+
task :acl do
|
326
|
+
docker_exec_i 'ldapmodify', '-Y', 'EXTERNAL', '-H', 'ldapi:///', <<EOF
|
327
|
+
dn: olcDatabase={1}mdb,cn=config
|
328
|
+
changetype: modify
|
329
|
+
replace: olcAccess
|
330
|
+
olcAccess: {0}
|
331
|
+
to dn.exact="cn=search,ou=support,o=science,dc=nodomain" attrs=userPassword,shadowLastChange
|
332
|
+
by anonymous auth
|
333
|
+
by dn="cn=admin,dc=nodomain" write
|
334
|
+
by * none
|
335
|
+
olcAccess: {1}
|
336
|
+
to attrs=userPassword,shadowLastChange
|
337
|
+
by self write
|
338
|
+
by anonymous auth
|
339
|
+
by dn="cn=admin,dc=nodomain" write
|
340
|
+
by * none
|
341
|
+
olcAccess: {2}
|
342
|
+
to dn.subtree="ou=user,o=science,dc=nodomain" filter=(|(objectClass=organizationalUnit)(objectClass=inetOrgPerson))
|
343
|
+
by dn.exact="cn=search,ou=support,o=science,dc=nodomain" read
|
344
|
+
olcAccess: {3}
|
345
|
+
to *
|
346
|
+
by dn.exact="cn=search,ou=support,o=science,dc=nodomain" none
|
347
|
+
olcAccess: {4}
|
348
|
+
to dn.base=""
|
349
|
+
by * read
|
350
|
+
olcAccess: {5}
|
351
|
+
to *
|
352
|
+
by self write
|
353
|
+
by dn="cn=admin,dc=nodomain" write
|
354
|
+
by * read
|
355
|
+
EOF
|
356
|
+
end
|
357
|
+
|
358
|
+
desc 'enable slapd verbose logging'
|
359
|
+
task :logging_on do
|
360
|
+
docker_exec_i 'ldapmodify', '-Y', 'EXTERNAL', '-H', 'ldapi:///', <<EOF
|
361
|
+
dn: cn=config
|
362
|
+
changetype: modify
|
363
|
+
replace: olcLogLevel
|
364
|
+
olcLogLevel: 8 32 64 128 256
|
365
|
+
EOF
|
366
|
+
end
|
367
|
+
|
368
|
+
desc 'disable slapd verbose logging'
|
369
|
+
task :logging_off do
|
370
|
+
docker_exec_i 'ldapmodify', '-Y', 'EXTERNAL', '-H', 'ldapi:///', <<EOF
|
371
|
+
dn: cn=config
|
372
|
+
changetype: modify
|
373
|
+
replace: olcLogLevel
|
374
|
+
olcLogLevel: 64 256
|
375
|
+
EOF
|
376
|
+
end
|
377
|
+
end
|
378
|
+
|
379
|
+
# Local Variables:
|
380
|
+
# mode: Ruby
|
381
|
+
# indent-tabs-mode: nil
|
382
|
+
# End:
|