rims-passwd-ldap 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: c8a4a2fe99b941f01a670ea925ca3f7f365f04607d3b459c1e1ebd427059aaed
+  data.tar.gz: b80e434c472500706151588e93e8db1a041b6d3899b38054567f48f390bcc68c
+SHA512:
+  metadata.gz: 2bc92fe90f1440e75b8aa6cc368a7a9aecc5c0b85206d325f8e89357493d31fb86bf215d49f7fbf6b3dbb3d4a32cdd36dde38823c3d4b9ac217f967616f6ecf4
+  data.tar.gz: 39bc750dd4f65f1c5804cde8269c710330a99ccfdc9f43cc82b431842f415300755121920d86857ae2c8465570dae8bf944a4f240f3acaaaefe61a273939d25c

data/.gitignore

@@ -0,0 +1,14 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log

data/Gemfile

@@ -0,0 +1,11 @@
+# -*- coding: utf-8 -*-
+
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in rims-passwd-ldap.gemspec
+gemspec
+
+# Local Variables:
+# mode: Ruby
+# indent-tabs-mode: nil
+# End:

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2015-2016 TOKI Yoshinori
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,54 @@
+RIMS::Password::LDAPSource
+==========================
+
+RIMS password source plug-in for LDAP authentication.
+By introducing this plug-in, RIMS IMAP server will be able to
+authenticate users with LDAP.
+
+Installation
+------------
+
+Add this line to your application's Gemfile that includes RIMS:
+
+```ruby
+gem 'rims-passwd-ldap'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install rims-passwd-ldap
+
+Usage
+-----
+
+Add these lines to your config.yml of RIMS:
+
+```yaml
+load_libraries:
+  - rims/passwd/ldap
+authentication:
+  - plug_in: ldap
+    configuration:
+      ldap_uri: ldap://localhost:38900          # hostname and port, `ldaps' for tls (not tested)
+      base_dn: ou=user,o=science,dc=nodomain    # base distingished name to search a user
+      attribute: uid                            # attribute matched to username
+      scope: sub                                # search scope from base dn. `base', `one', or `sub'
+      filter: (memberOf=cn=physics,ou=group,o=science,dc=nodomain) # search filter
+      search_bind_auth:
+        method: simple
+        username: cn=search,ou=support,o=science,dc=nodomain       # username to search a user
+        password: ********                                         # password to search a user
+```
+
+Contributing
+------------
+
+1. Fork it ( https://github.com/[my-github-username]/rims-passwd-ldap/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,52 @@
+# -*- coding: utf-8 -*-
+
+require 'bundler/gem_tasks'
+require 'rake/clean'
+require 'rake/testtask'
+require 'rdoc/task'
+
+Rake::TestTask.new do |task|
+  if ((ENV.key? 'RUBY_DEBUG') && (! ENV['RUBY_DEBUG'].empty?)) then
+    task.ruby_opts << '-d'
+  end
+end
+
+Rake::RDocTask.new do |rd|
+  rd.rdoc_files.include('lib/**/*.rb')
+end
+
+desc 'Build README.html from markdown source.'
+task :readme => %w[ README.html ]
+
+file 'README.html' => [ 'README.md' ] do
+  sh "pandoc --from=markdown --to=html5 --standalone --self-contained --css=$HOME/.pandoc/github.css --output=README.html README.md"
+end
+CLOBBER.include 'README.html'
+
+namespace :docker do
+  desc 'setup docker container for unit-test.'
+  task :setup do
+    chdir('docker') do
+      sh 'rake', 'setup'
+    end
+  end
+
+  desc 'reset docker container for unit-test.'
+  task :reset do
+    chdir('docker') do
+      sh 'rake', 'reset'
+    end
+  end
+
+  desc 'start docker container for unit-test.'
+  task :start do
+    chdir('docker') do
+      sh 'rake', 'docker:start'
+    end
+  end
+end
+
+# Local Variables:
+# mode: Ruby
+# indent-tabs-mode: nil
+# End:

data/docker/Rakefile

@@ -0,0 +1,382 @@
+# -*- coding: utf-8 -*-
+
+require 'json'
+require 'pp'
+require 'test/unit/assertions'
+require 'uri'
+require 'yaml'
+
+include Test::Unit::Assertions
+
+DOCKER = ENV['DOCKER_COMMAND'] || 'docker'
+
+AUTH = YAML.load_file(File.join(File.dirname(__FILE__), 'build', 'auth.yml'))
+CONTAINER = YAML.load_file(File.join(File.dirname(__FILE__), 'container.yml'))
+
+NAME = CONTAINER['name']
+IMAGE_REPOSITORY = CONTAINER['repository']
+IMAGE_TAG = CONTAINER['tag']
+
+DOCKER_INSPECT_CACHE = {}
+
+def docker_inspect(name)
+  DOCKER_INSPECT_CACHE[name] ||= JSON.parse(`#{DOCKER} inspect #{name}`)
+end
+
+def get_exposed_port(name)
+  docker_inspect(name)[0]['Config']['ExposedPorts'].keys.first
+end
+
+def get_published_port(name)
+  Integer(docker_inspect(name)[0]['NetworkSettings']['Ports'][get_exposed_port(name)][0]['HostPort'])
+end
+
+def docker_exec_i(*cmd, input_string)
+  docker_cmd = [ DOCKER, 'exec', '-i', NAME ] + cmd
+  IO.popen(docker_cmd, 'w') {|stdin| stdin << input_string }
+  if ($?.exitstatus != 0) then
+    raise "FAILED: #{docker_cmd.join(' ')} <\n" + input_string
+  end
+end
+
+def load_users
+  YAML.load_file(File.join(File.dirname(__FILE__), 'users.yml'))
+end
+
+def ldap_anon
+  require 'net/ldap'            # on-demand load
+  ldap_host = (ENV.key? 'DOCKER_HOST') ? URI(ENV['DOCKER_HOST']).host : 'localhost'
+  Net::LDAP.open(host: ldap_host, port: get_published_port(NAME)) {|ldap|
+    yield(ldap)
+  }
+end
+
+def ldap_open(username='cn=admin,dc=nodomain', password=AUTH['pass'], method=:simple)
+  ldap_anon{|ldap|
+    unless (ldap.bind(method: method, username: username, password: password)) then
+      p ldap.get_operation_result
+      raise 'failed to bind.'
+    end
+    yield(ldap)
+  }
+end
+
+def ldap_error(ldap)
+  pp ldap.get_operation_result
+  raise 'ldap fail.'
+end
+
+desc 'total setup'
+task :setup => [ :'docker:setup', :wait, :'ldap:setup' ]
+
+desc 'total reset'
+task :reset => [ :'docker:reset', :wait, :'ldap:setup' ]
+
+task :wait do
+  s = 10
+  puts "...wait #{s}s..."
+  sleep(s)
+end
+
+namespace :docker do
+  task :get_exposed_port do
+    p get_exposed_port(NAME)
+  end
+
+  task :get_published_port do
+    p get_published_port(NAME)
+  end
+
+  desc 'all setup'
+  task :setup => [ :build, :run ]
+
+  desc 'all destroy'
+  task :destroy => [ :stop, :rm, :rmi ]
+
+  desc 'reset running container'
+  task :reset => [ :stop, :rm, :run ]
+
+  desc 'build image'
+  task :build do
+    sh "#{DOCKER} build -t #{IMAGE_REPOSITORY}:#{IMAGE_TAG} build"
+  end
+
+  desc 'remove image'
+  task :rmi do
+    sh "#{DOCKER} rmi #{IMAGE_REPOSITORY}:#{IMAGE_TAG}"
+  end
+
+  desc 'run new container'
+  task :run do
+    sh "#{DOCKER} run --name=#{NAME} -itd -P #{IMAGE_REPOSITORY}:#{IMAGE_TAG}"
+  end
+
+  desc 'start container'
+  task :start do
+    sh "#{DOCKER} start #{NAME}"
+  end
+
+  desc 'stop container'
+  task :stop do
+    sh "#{DOCKER} stop #{NAME}"
+  end
+
+  desc 'remove container'
+  task :rm do
+    sh "#{DOCKER} rm #{NAME}"
+  end
+
+  desc 'show slapd configuration'
+  task :conf do
+    sh "#{DOCKER} exec #{NAME} slapcat -b cn=config"
+  end
+
+  desc 'tail slapd logging'
+  task :tail do
+    sh "#{DOCKER} exec #{NAME} tail -100f /var/log/syslog"
+  end
+end
+
+namespace :ldap do
+  desc 'setup example'
+  task :setup => [ :build, :'conf:acl' ]
+
+  desc 'dump example dit'
+  task :dump do
+    ldap_open{|ldap|
+      puts '* all'
+      pp ldap.search(base: 'dc=nodomain')
+
+      phys_filter = Net::LDAP::Filter.eq('memberOf', 'cn=physics,ou=group,o=science,dc=nodomain')
+      math_filter = Net::LDAP::Filter.eq('memberOf', 'cn=mathematics,ou=group,o=science,dc=nodomain')
+
+      for f in [ phys_filter, math_filter ]
+        puts "* filter: #{f}"
+        pp ldap.search(base: 'o=science,dc=nodomain', attributes: %w[ dn ], filter: f)
+      end
+    }
+  end
+
+  desc 'anonymous'
+  task :anonymous do
+    ldap_anon{|ldap|
+      puts '* all'
+      pp ldap.search(base: 'dc=nodomain')
+      pp ldap.search(base: 'o=science,dc=nodomain')
+      pp ldap.search(base: 'ou=user,o=science,dc=nodomain')
+
+      phys_filter = Net::LDAP::Filter.eq('memberOf', 'cn=physics,ou=group,o=science,dc=nodomain')
+      math_filter = Net::LDAP::Filter.eq('memberOf', 'cn=mathematics,ou=group,o=science,dc=nodomain')
+
+      for f in [ phys_filter, math_filter ]
+        puts "* filter: #{f}"
+        pp ldap.search(base: 'o=science,dc=nodomain', attributes: %w[ dn ], filter: f)
+      end
+    }
+  end
+
+  desc 'search dit'
+  task :search do
+    users = load_users
+    search = users['support'].find{|role| role['cn'] = 'search' }
+    search_dn = "cn=#{search['cn']},ou=support,o=science,dc=nodomain"
+    ldap_open(search_dn, search['userPassword']) {|ldap|
+      puts '* all'
+      pp ldap.search(base: 'dc=nodomain')
+
+      puts '* self'
+      pp ldap.search(base: search_dn)
+
+      phys_filter = Net::LDAP::Filter.eq('memberOf', 'cn=physics,ou=group,o=science,dc=nodomain')
+      math_filter = Net::LDAP::Filter.eq('memberOf', 'cn=mathematics,ou=group,o=science,dc=nodomain')
+
+      for f in [ phys_filter, math_filter ]
+        puts "* filter: #{f}"
+        pp ldap.search(base: 'ou=user,o=science,dc=nodomain', filter: f)
+      end
+    }
+  end
+
+  desc 'build exmaple dit'
+  task :build do
+    ldap_open{|ldap|
+      ldap.add(dn: 'o=science,dc=nodomain',
+               attributes: {
+                 objectclass: 'organization'
+               }) or ldap_error(ldap)
+      ldap.add(dn: 'ou=support,o=science,dc=nodomain',
+               attributes: {
+                 objectclass: 'organizationalUnit'
+               }) or ldap_error(ldap)
+      ldap.add(dn: 'ou=user,o=science,dc=nodomain',
+               attributes: {
+                 objectclass: 'organizationalUnit'
+               }) or ldap_error(ldap)
+      ldap.add(dn: 'ou=group,o=science,dc=nodomain',
+               attributes: {
+                 objectclass: 'organizationalUnit'
+               }) or ldap_error(ldap)
+
+      users = load_users
+
+      for role in users['support']
+        attrs = {}
+        for name, value in role
+          case (name)
+          when 'userPassword'
+            attrs[:userPassword] = Net::LDAP::Password.generate(:ssha, value)
+          else
+            attrs[name.to_sym] = value
+          end
+        end
+        attrs[:objectClass] = %w[ organizationalRole simpleSecurityObject ]
+        ldap.add(dn: "cn=#{role['cn']},ou=support,o=science,dc=nodomain",
+                 attributes: attrs) or ldap_error(ldap)
+      end
+
+      for user in users['user']
+        attrs = {}
+        for name, value in user
+          case (name)
+          when 'userPassword'
+            attrs[:userPassword] = Net::LDAP::Password.generate(:ssha, value)
+          when 'group'
+            # skip
+          else
+            attrs[name.to_sym] = value
+          end
+        end
+        attrs[:objectclass] = 'inetOrgPerson'
+        ldap.add(dn: "uid=#{user['uid']},ou=user,o=science,dc=nodomain",
+                 attributes: attrs) or ldap_error(ldap)
+      end
+
+      groups = {}
+      for user in users['user']
+        groups[user['group']] = [] unless (groups.key? user['group'])
+        groups[user['group']] << user['uid']
+      end
+
+      for name, members in groups
+        ldap.add(dn: "cn=#{name},ou=group,o=science,dc=nodomain",
+                 attributes: {
+                   cn: name,
+                   objectclass: 'groupOfNames',
+                   member: members.map{|uid| "uid=#{uid},ou=user,o=science,dc=nodomain" }
+                 }) or ldap_error(ldap)
+      end
+    }
+  end
+
+  desc 'some tests'
+  task :test => [ :test_user_auth, :test_search_acl ]
+
+  task :test_user_auth do
+    ldap_anon{|ldap|
+      users = load_users
+      for role in users['support']
+        ldap.bind(method: :simple,
+                  username: "cn=#{role['cn']},ou=support,o=science,dc=nodomain",
+                  password: role['userPassword']) or ldap_error(ldap)
+      end
+      for user in users['user']
+        ldap.bind(method: :simple,
+                  username: "uid=#{user['uid']},ou=user,o=science,dc=nodomain",
+                  password: user['userPassword']) or ldap_error(ldap)
+      end
+    }
+  end
+
+  task :test_search_acl do
+    users = load_users
+    search = users['support'].find{|role| role['cn'] = 'search' }
+    search_dn = "cn=#{search['cn']},ou=support,o=science,dc=nodomain"
+    ldap_open(search_dn, search['userPassword']) {|ldap|
+      assert_nil(ldap.search(base: 'dc=nodomain'))
+      assert_nil(ldap.search(base: 'o=science,dc=nodomain'))
+      assert_nil(ldap.search(base: 'ou=support,o=science,dc=nodomain'))
+      assert_nil(ldap.search(base: search_dn))
+
+      assert(entry_list = ldap.search(base: 'ou=user,o=science,dc=nodomain',
+                                      scope: Net::LDAP::SearchScope_BaseObject))
+      assert(ou = entry_list.shift)
+      assert_equal(%w[ organizationalUnit ], ou[:objectClass])
+      assert_equal(%w[ user ], ou[:ou])
+      assert_equal([], ou[:userPassword])
+      assert_nil(entry_list.shift)
+
+      assert(entry_list = ldap.search(base: 'ou=user,o=science,dc=nodomain',
+                                      scope: Net::LDAP::SearchScope_WholeSubtree,
+                                      filter: Net::LDAP::Filter.eq('objectClass', 'inetOrgPerson')))
+      assert_equal(users['user'].length, entry_list.length)
+      for person in entry_list
+        assert_equal(%w[ inetOrgPerson ], person[:objectClass])
+        for uid in person[:uid]
+          assert(users['user'].find{|user| user['uid'] == uid })
+        end
+        assert_equal([], person[:userPassword])
+      end
+    }
+  end
+end
+
+namespace :conf do
+  desc 'setup slapd ACL'
+  task :acl do
+    docker_exec_i 'ldapmodify', '-Y', 'EXTERNAL', '-H', 'ldapi:///', <<EOF
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}
+  to dn.exact="cn=search,ou=support,o=science,dc=nodomain" attrs=userPassword,shadowLastChange
+    by anonymous auth
+    by dn="cn=admin,dc=nodomain" write
+    by * none
+olcAccess: {1}
+  to attrs=userPassword,shadowLastChange
+    by self write
+    by anonymous auth
+    by dn="cn=admin,dc=nodomain" write
+    by * none
+olcAccess: {2}
+  to dn.subtree="ou=user,o=science,dc=nodomain" filter=(|(objectClass=organizationalUnit)(objectClass=inetOrgPerson))
+    by dn.exact="cn=search,ou=support,o=science,dc=nodomain" read
+olcAccess: {3}
+  to *
+    by dn.exact="cn=search,ou=support,o=science,dc=nodomain" none
+olcAccess: {4}
+  to dn.base=""
+    by * read
+olcAccess: {5}
+  to *
+    by self write
+    by dn="cn=admin,dc=nodomain" write
+    by * read
+EOF
+  end
+
+  desc 'enable slapd verbose logging'
+  task :logging_on do
+    docker_exec_i 'ldapmodify', '-Y', 'EXTERNAL', '-H', 'ldapi:///', <<EOF
+dn: cn=config
+changetype: modify
+replace: olcLogLevel
+olcLogLevel: 8 32 64 128 256
+EOF
+  end
+
+  desc 'disable slapd verbose logging'
+  task :logging_off do
+    docker_exec_i 'ldapmodify', '-Y', 'EXTERNAL', '-H', 'ldapi:///', <<EOF
+dn: cn=config
+changetype: modify
+replace: olcLogLevel
+olcLogLevel: 64 256
+EOF
+  end
+end
+
+# Local Variables:
+# mode: Ruby
+# indent-tabs-mode: nil
+# End: