ruby-ldapserver 0.3.1

data/examples/mkcert.rb

@@ -0,0 +1,31 @@
+require 'openssl'
+
+# Taken directly from echo_svr.rb in the Ruby openssl examples
+
+key = OpenSSL::PKey::RSA.new(1024){ print "."; $stdout.flush }
+puts
+cert = OpenSSL::X509::Certificate.new
+cert.version = 2
+cert.serial = 0
+name = OpenSSL::X509::Name.new([["C","JP"],["O","TEST"],["CN","localhost"]])
+cert.subject = name
+cert.issuer = name
+cert.not_before = Time.now
+cert.not_after = Time.now + 3600
+cert.public_key = key.public_key
+ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
+cert.extensions = [
+  ef.create_extension("basicConstraints","CA:FALSE"),
+  ef.create_extension("subjectKeyIdentifier","hash"),
+  ef.create_extension("extendedKeyUsage","serverAuth"),
+  ef.create_extension("keyUsage",
+                      "keyEncipherment,dataEncipherment,digitalSignature")
+]
+ef.issuer_certificate = cert
+cert.add_extension ef.create_extension("authorityKeyIdentifier",
+                                       "keyid:always,issuer:always")
+cert.sign(key, OpenSSL::Digest::SHA1.new)
+
+# Write to disk
+File.open("key.pem","w",0600) { |f| f << key.to_pem }
+File.open("cert.pem","w",0644) { |f| f << cert.to_pem }

data/examples/rbslapd1.rb

@@ -0,0 +1,111 @@
+#!/usr/local/bin/ruby -w
+
+# This is a trivial LDAP server which just stores directory entries in RAM.
+# It does no validation or authentication. This is intended just to
+# demonstrate the API, it's not for real-world use!!
+
+$:.unshift('../lib')
+$debug = true
+
+require 'ldap/server'
+
+# We subclass the Operation class, overriding the methods to do what we need
+
+class HashOperation < LDAP::Server::Operation
+  def initialize(connection, messageID, hash)
+    super(connection, messageID)
+    @hash = hash   # an object reference to our directory data
+  end
+
+  def search(basedn, scope, deref, filter)
+    basedn.downcase!
+
+    case scope
+    when LDAP::Server::BaseObject
+      # client asked for single object by DN
+      obj = @hash[basedn]
+      raise LDAP::ResultError::NoSuchObject unless obj
+      send_SearchResultEntry(basedn, obj) if LDAP::Server::Filter.run(filter, obj)
+
+    when LDAP::Server::WholeSubtree
+      @hash.each do |dn, av|
+        next unless dn.index(basedn, -basedn.length)    # under basedn?
+        next unless LDAP::Server::Filter.run(filter, av)  # attribute filter?
+        send_SearchResultEntry(dn, av)
+      end
+
+    else
+      raise LDAP::ResultError::UnwillingToPerform, "OneLevel not implemented"
+
+    end
+  end
+
+  def add(dn, av)
+    dn.downcase!
+    raise LDAP::ResultError::EntryAlreadyExists if @hash[dn]
+    @hash[dn] = av
+  end
+
+  def del(dn)
+    dn.downcase!
+    raise LDAP::ResultError::NoSuchObject unless @hash.has_key?(dn)
+    @hash.delete(dn)
+  end
+
+  def modify(dn, ops)
+    entry = @hash[dn]
+    raise LDAP::ResultError::NoSuchObject unless entry
+    ops.each do |attr, vals|
+      op = vals.shift
+      case op 
+      when :add
+        entry[attr] ||= []
+        entry[attr] += vals
+        entry[attr].uniq!
+      when :delete
+        if vals == []
+          entry.delete(attr)
+        else
+          vals.each { |v| entry[attr].delete(v) }
+        end
+      when :replace
+        entry[attr] = vals
+      end
+      entry.delete(attr) if entry[attr] == []
+    end
+  end
+end
+
+# This is the shared object which carries our actual directory entries.
+# It's just a hash of {dn=>entry}, where each entry is {attr=>[val,val,...]}
+
+directory = {}
+
+# Let's put some backing store on it
+
+require 'yaml'
+begin
+  File.open("ldapdb.yaml") { |f| directory = YAML::load(f.read) }
+rescue Errno::ENOENT
+end
+
+at_exit do
+  File.open("ldapdb.new","w") { |f| f.write(YAML::dump(directory)) }
+  File.rename("ldapdb.new","ldapdb.yaml")
+end
+
+# Listen for incoming LDAP connections. For each one, create a Connection
+# object, which will invoke a HashOperation object for each request.
+
+s = LDAP::Server.new(
+	:port			=> 1389,
+	:nodelay		=> true,
+	:listen			=> 10,
+#	:ssl_key_file		=> "key.pem",
+#	:ssl_cert_file		=> "cert.pem",
+#	:ssl_on_connect		=> true,
+	:operation_class	=> HashOperation,
+	:operation_args		=> [directory]
+)
+s.run_tcpserver
+s.join

data/examples/rbslapd2.rb

@@ -0,0 +1,161 @@
+#!/usr/local/bin/ruby -w
+
+$:.unshift('../lib')
+require 'ldap/server'
+require 'mysql'                 # <http://www.tmtm.org/en/ruby/mysql/>
+require 'thread'
+require 'resolv-replace'	# ruby threading DNS client
+
+# An example of an LDAP to SQL gateway. We have a MySQL table which
+# contains (login_id,login,passwd) combinations, e.g.
+#
+#   +----------+----------+--------+
+#   | login_id | login    | passwd |
+#   +----------+----------+--------+
+#   |    1     | brian    | foobar |
+#   |    2     | caroline | boing  |
+#   +----------+----------+--------+
+#
+# We support LDAP searches for (uid=login), returning a synthesised DN and
+# Maildir attribute, and we support LDAP binds to validate passwords. We
+# keep a cache of recent lookups so that a bind to validate a password
+# doesn't cause a second SQL query. Since we're multi-threaded, this should
+# work even if the bind occurs on a different client connection to the search.
+#
+# To test:
+#    ldapsearch -H ldap://127.0.0.1:1389/ -b "dc=example,dc=com" "(uid=brian)"
+#
+#    ldapsearch -H ldap://127.0.0.1:1389/ -b "dc=example,dc=com" \
+#       -D "id=1,dc=example,dc=com" -W "(uid=brian)"
+
+$debug = true
+SQL_CONNECT = ["1.2.3.4", "myuser", "mypass", "mydb"]
+TABLE = "logins"
+SQL_POOL_SIZE = 5
+PW_CACHE_SIZE = 100
+BASEDN = "dc=example,dc=com"
+LDAP_PORT = 1389
+
+# A thread-safe pool of persistent MySQL connections
+
+class SQLPool
+  def initialize(n, *args)
+    @args = args
+    @pool = Queue.new		# this is a thread-safe queue
+    n.times { @pool.push nil }	# create connections on demand
+  end
+
+  def borrow
+    conn = @pool.pop || Mysql::new(*@args)
+    yield conn
+  rescue Exception
+    conn = nil			# put 'nil' back into the pool
+    raise
+  ensure
+    @pool.push conn
+  end
+end    
+
+# An simple LRU cache of username->password. It's linearly searched
+# so don't make it too big.
+
+class LRUCache
+  def initialize(size)
+    @size = size
+    @cache = []   # [[key,val],[key,val],...]
+    @mutex = Mutex.new
+  end
+
+  def add(id,data)
+    @mutex.synchronize do
+      @cache.delete_if { |k,v| k == id }
+      @cache.unshift [id,data]
+      @cache.pop while @cache.size > @size
+    end
+  end
+
+  def find(id)
+    @mutex.synchronize do
+      index = entry = nil
+      @cache.each_with_index do |e, i|
+        if e[0] == id
+          entry = e
+          index = i
+          break
+        end
+      end
+      return nil unless index
+      @cache.delete_at(index)
+      @cache.unshift entry
+      return entry[1]
+    end
+  end
+end
+
+
+class SQLOperation < LDAP::Server::Operation
+  def self.setcache(cache,pool)
+    @@cache = cache
+    @@pool = pool
+  end
+
+  # Handle searches of the form "(uid=<foo>)" using SQL backend
+  # (uid=foo) => [:eq, "uid", matchobj, "foo"]
+
+  def search(basedn, scope, deref, filter)
+    raise LDAP::ResultError::UnwillingToPerform, "Bad base DN" unless basedn == BASEDN
+    raise LDAP::ResultError::UnwillingToPerform, "Bad filter" unless filter[0..1] == [:eq, "uid"]
+    uid = filter[3]
+    @@pool.borrow do |sql|
+      q = "select login_id,passwd from #{TABLE} where login='#{sql.quote(uid)}'"
+      puts "SQL Query #{sql.object_id}: #{q}" if $debug
+      res = sql.query(q)
+      res.each do |login_id,passwd|
+        @@cache.add(login_id, passwd)
+        send_SearchResultEntry("id=#{login_id},#{BASEDN}", {
+          "maildir"=>["/netapp/#{uid}/"],
+        })
+      end
+    end
+  end
+
+  # Validate passwords
+
+  def simple_bind(version, dn, password)
+    return if dn.nil?   # accept anonymous
+
+    raise LDAP::ResultError::UnwillingToPerform unless dn =~ /\Aid=(\d+),#{BASEDN}\z/
+    login_id = $1
+    dbpw = @@cache.find(login_id)
+    unless dbpw
+      @@pool.borrow do |sql|
+        q = "select passwd from #{TABLE} where login_id=#{login_id}"
+        puts "SQL Query #{sql.object_id}: #{q}" if $debug
+        res = sql.query(q)
+        if res.num_rows == 1
+          dbpw = res.fetch_row[0]
+          @@cache.add(login_id, dbpw)
+        end
+      end
+    end
+    raise LDAP::ResultError::InvalidCredentials unless dbpw and dbpw != "" and dbpw == password
+  end
+end
+
+# Build the objects we need
+
+cache = LRUCache.new(PW_CACHE_SIZE)
+pool = SQLPool.new(SQL_POOL_SIZE, *SQL_CONNECT)
+SQLOperation.setcache(cache,pool)
+
+s = LDAP::Server.new(
+	:port			=> LDAP_PORT,
+	:nodelay		=> true,
+	:listen			=> 10,
+#	:ssl_key_file		=> "key.pem",
+#	:ssl_cert_file		=> "cert.pem",
+#	:ssl_on_connect		=> true,
+	:operation_class	=> SQLOperation
+)
+s.run_tcpserver
+s.join

data/examples/rbslapd3.rb

@@ -0,0 +1,172 @@
+#!/usr/local/bin/ruby -w
+
+# This is similar to rbslapd1.rb but here we use TOMITA Masahiro's prefork
+# library: <http://raa.ruby-lang.org/project/prefork/>
+# Advantages over Ruby threading:
+# - each client connection is handled in its own process; don't need
+#   to worry about Ruby thread blocking (except if one client issues
+#   overlapping LDAP operations down the same connection, which is uncommon)
+# - better scalability on multi-processor systems
+# - better scalability on single-processor systems (e.g. shouldn't hit
+#   max FDs per process limit)
+# Disadvantages:
+# - client connections can't share state in RAM. So our shared directory
+#   now has to be read from disk, and flushed to disk after every update.
+#
+# Additionally, I have added schema support. An LDAP v3 client can
+# query the schema remotely, and adds/modifies have data validated.
+
+$:.unshift('../lib')
+
+require 'ldap/server'
+require 'ldap/server/schema'
+require 'yaml'
+
+$debug = nil # $stderr
+
+# An object to keep our in-RAM database and synchronise it to disk
+# when necessary
+
+class Directory
+  attr_reader :data
+
+  def initialize(filename)
+    @filename = filename
+    @stat = nil
+    update
+  end
+
+  # synchronise with directory on disk (re-read if it has changed)
+
+  def update
+    begin
+      tmp = {}
+      sb = File.stat(@filename)
+      return if @stat and @stat.ino == sb.ino and @stat.mtime == sb.mtime
+      File.open(@filename) do |f|
+        tmp = YAML::load(f.read)
+        @stat = f.stat
+      end
+    rescue Errno::ENOENT
+    end
+    @data = tmp
+  end
+
+  # write back to disk
+
+  def write
+    File.open(@filename+".new","w") { |f| f.write(YAML::dump(@data)) }
+    File.rename(@filename+".new",@filename)
+    @stat = File.stat(@filename)
+  end
+
+  # run a block while holding a lock on the database
+
+  def lock
+    File.open(@filename+".lock","w") do |f|
+      f.flock(File::LOCK_EX)  # will block here until lock available
+      yield
+    end
+  end
+end
+
+# We subclass the Operation class, overriding the methods to do what we need
+
+class DirOperation < LDAP::Server::Operation
+  def initialize(connection, messageID, dir)
+    super(connection, messageID)
+    @dir = dir
+  end
+
+  def search(basedn, scope, deref, filter)
+    $debug << "Search: basedn=#{basedn.inspect}, scope=#{scope.inspect}, deref=#{deref.inspect}, filter=#{filter.inspect}\n" if $debug
+    basedn.downcase!
+
+    case scope
+    when LDAP::Server::BaseObject
+      # client asked for single object by DN
+      @dir.update
+      obj = @dir.data[basedn]
+      raise LDAP::ResultError::NoSuchObject unless obj
+      ok = LDAP::Server::Filter.run(filter, obj)
+      $debug << "Match=#{ok.inspect}: #{obj.inspect}\n" if $debug
+      send_SearchResultEntry(basedn, obj) if ok
+
+    when LDAP::Server::WholeSubtree
+      @dir.update
+      @dir.data.each do |dn, av|
+        $debug << "Considering #{dn}\n" if $debug
+        next unless dn.index(basedn, -basedn.length)    # under basedn?
+        next unless LDAP::Server::Filter.run(filter, av)  # attribute filter?
+        $debug << "Sending: #{av.inspect}\n" if $debug
+        send_SearchResultEntry(dn, av)
+      end
+
+    else
+      raise LDAP::ResultError::UnwillingToPerform, "OneLevel not implemented"
+
+    end
+  end
+
+  def add(dn, entry)
+    entry = @schema.validate(entry)
+    entry['createTimestamp'] = [Time.now.gmtime.strftime("%Y%m%d%H%MZ")]
+    entry['creatorsName'] = [@connection.binddn.to_s]
+    # FIXME: normalize the DN and check it's below our root DN
+    # FIXME: validate that a superior object exists
+    # FIXME: validate that entry contains the RDN attribute (yuk)
+    dn.downcase!
+    @dir.lock do
+      @dir.update
+      raise LDAP::ResultError::EntryAlreadyExists if @dir.data[dn]
+      @dir.data[dn] = entry
+      @dir.write
+    end
+  end
+
+  def del(dn)
+    dn.downcase!
+    @dir.lock do
+      @dir.update
+      raise LDAP::ResultError::NoSuchObject unless @dir.data.has_key?(dn)
+      @dir.data.delete(dn)
+      @dir.write
+    end
+  end
+
+  def modify(dn, ops)
+    dn.downcase!
+    @dir.lock do
+      @dir.update
+      entry = @dir.data[dn]
+      raise LDAP::ResultError::NoSuchObject unless entry
+      entry = @schema.validate(ops, entry)  # also does the update
+      entry['modifyTimestamp'] = [Time.now.gmtime.strftime("%Y%m%d%H%MZ")]
+      entry['modifiersName'] = [@connection.binddn.to_s]
+      @dir.data[dn] = entry
+      @dir.write
+    end
+  end
+end
+
+directory = Directory.new("ldapdb.yaml")
+
+schema = LDAP::Server::Schema.new
+schema.load_system
+schema.load_file("../test/core.schema")
+schema.resolve_oids
+
+s = LDAP::Server.new(
+	:port			=> 1389,
+	:nodelay		=> true,
+	:listen			=> 10,
+#	:ssl_key_file		=> "key.pem",
+#	:ssl_cert_file		=> "cert.pem",
+#	:ssl_on_connect		=> true,
+	:operation_class	=> DirOperation,
+	:operation_args		=> [directory],
+	:schema			=> schema,
+	:namingContexts		=> ['dc=example,dc=com']
+)
+s.run_prefork
+s.join