rubycas-server 0.4.1 → 0.4.2

data/CHANGELOG.txt

@@ -1,3 +1,24 @@
+=== 0.4.2 :: 2007-07-26
+
+* The LDAP/AD authenticator has been largely re-written. The code is a bit
+  cleaner now, and should work better with non-Active Directory LDAP servers
+  (although this has yet to be tested since I don't have access to a non-AD
+  LDAP server).
+* The validate() method in your authenticators now receives a :service element
+  (in addition to :username, and :password). This is simply the service
+  url (if any) specified in the user's CAS request. If you call 
+  read_standard_credentials(credentials) at the top of your validator, the value
+  will also be available as @service along with @username and @password.
+* By request, a :username_prefix option has been added to the ldap 
+  configuration. If entered, this string will be automatically prefixed to 
+  the username entered by the user.
+* A bug having to do with handling authenticator errors has been fixed.
+  Any authenticator error messages should now be correctly shown on the
+  login page.
+* Minor improvements to error messages having to do with login tickets.
+  They're a bit more prescriptive now, explaining to the user what steps
+  they should take to correct the error.
+
 === 0.4.1 :: 2007-06-07
 
 * This release restores compatiblity with older versions of rubygems

data/config.example.yml

@@ -104,15 +104,17 @@ database:
 #
 #
 # ==> ActiveDirectory Authentication:
-# This method authenticates against Microsoft's ActiveDirectory using LDAP.
+# This method authenticates against Microsoft's Active Directory using LDAP.
 # You must enter your ActiveDirectory server, and base DN. The port number
-# and LDAP filter are optional. You must also enter a username and password
+# and LDAP filter are optional. You must also enter a CN and password
 # for an "authenticator" user. The authenticator users this account to
 # log in to the ActiveDirectory server and search LDAP. This does not have
-# to be an administrative account; it only has to be able to search for other
+# to be an administrative account -- it only has to be able to search for other
 # users.
-#
-# Example:
+# 
+# Note that the auth_user parameter must be the user's CN (Common Name)!
+# In Active Directory, the CN is genarally the user's full name, which is not 
+# the same as their username (sAMAccountName).
 #
 #authenticator: 
 #  class: CASServer::Authenticators::ActiveDirectoryLDAP
@@ -124,6 +126,13 @@ database:
 #    auth_user: authenticator
 #    auth_password: itsasecret
 #
+# It is possible to authenticate against Active Directory without the
+# authenticator user, but this requires that users type in their CN as
+# the username, rather than typing in their sAMAccountName. In other words
+# users will likely have to authenticate by typing their full name,
+# rather than their username. If you prefer to do this, then just
+# omit the auth_user and auth_password values in the above example.
+#
 #
 # ==> LDAP Authentication:
 # This is a more general version of the ActiveDirectory authenticator.

data/lib/casserver/authenticators/base.rb

@@ -2,6 +2,8 @@ module CASServer
   module Authenticators
     class Base
       attr_accessor :options
+      attr_reader :username # make this accessible so that we can pick up any 
+                            # transformations done within the authenticator
     
       def validate(credentials)
         raise NotImplementedError, "This method must be implemented by a class extending #{self.class}"
@@ -16,6 +18,7 @@ module CASServer
       def read_standard_credentials(credentials)
         @username = credentials[:username]
         @password = credentials[:password]
+        @service = credentials[:service]
       end
     end
   end

data/lib/casserver/authenticators/ldap.rb

@@ -18,27 +18,72 @@ class CASServer::Authenticators::LDAP < CASServer::Authenticators::Base
     raise CASServer::AuthenticatorError, "Invalid authenticator configuration!" unless @options[:ldap]
     raise CASServer::AuthenticatorError, "You must specify an ldap server in the configuration!" unless @options[:ldap][:server]
     
-    raise CASServer::AuthenticatorError, "The username '#{@username}' contains invalid characters." if (@username =~ /[*\(\)\\\0\/]/)
+    raise CASServer::AuthenticatorError, "The username '#{@username}' contains invalid characters." if (@username =~ /[*\(\)\0\/]/)
     
-    ldap = Net::LDAP.new
-    ldap.host = @options[:ldap][:server]
-    ldap.port = @options[:ldap][:port] if   @options[:ldap][:port]
+    preprocess_username
     
-    if @options[:ldap][:auth_user]
-      raise CASServer::AuthenticatorError, "A password must be specified in the configuration for the authenticator user!" unless @options[:ldap][:auth_password]
-      ldap.authenticate(@options[:ldap][:auth_user], @options[:ldap][:auth_password])
-    end
-    
-    filter = "(#{@options[:ldap][:username_attribute] || default_username_attribute}=#{@username})"
-    filter += " & (#{@options[:ldap][:filter]})" if @options[:ldap][:filter]
-    
-    result = ldap.bind_as(:base => @options[:ldap][:base], :filter => filter, :password => @password)
+    @ldap = Net::LDAP.new
+    @ldap.host = @options[:ldap][:server]
+    @ldap.port = @options[:ldap][:port] if @options[:ldap][:port]
     
-    return result
+    begin
+      if @options[:ldap][:auth_user]
+        bind_with_preauthentication
+      else
+        bind_directly
+      end
+    rescue Net::LDAP::LdapError => e
+      raise CASServer::AuthenticatorError,
+        "LDAP authentication failed with '#{e}'. Check your authenticator configuration."
+    end
   end
   
   protected
-  def default_username_attribute
-    "uid"
-  end
+    def default_username_attribute
+      "uid"
+    end
+  
+  private
+    def preprocess_username
+      # add prefix to username, if prefix was specified in the config
+      @username = @options[:ldap][:username_prefix] + @username if @options[:ldap][:username_prefix]
+    end
+    
+    def bind_with_preauthentication
+      # If an auth_user is specified, we will connect ("pre-authenticate") to the
+      # LDAP server using the authenticator account, and then attempt to bind as the
+      # user who is actually trying to authenticate. Note that you need to set up 
+      # the special authenticator account first. Also, auth_user must be the authenticator
+      # user's full CN, which is probably not the same as their username.
+      #
+      # This pre-authentication process is necessary because binding can only be done
+      # using the CN, so having just the username is not enough. We connect as auth_user, 
+      # and then try to find the target user's CN based on the given username. Then we bind
+      # as the target user to validate their credentials.
+      
+      raise CASServer::AuthenticatorError, "A password must be specified in the configuration for the authenticator user!" unless 
+        @options[:ldap][:auth_password]
+      
+      @ldap.authenticate(@options[:ldap][:auth_user], @options[:ldap][:auth_password])
+      
+      username_attribute = options[:ldap][:username_attribute] || default_username_attribute
+      
+      filter = Net::LDAP::Filter.construct(@options[:ldap][:filter]) & 
+        Net::LDAP::Filter.eq(username_attribute, @username)
+      
+      @ldap.bind_as(:base => @options[:ldap][:base], :password => @password, :filter => filter)
+    end
+    
+    def bind_directly
+      # When no auth_user is specified, we will try to connect directly as the user
+      # who is trying to authenticate. Note that for this to work, the username must
+      # be equivalent to the user's CN, and this is often not the case (for example,
+      # in Active Directory, the username is the 'sAMAccountName' attribute, while the
+      # user's CN is generally their full name.)
+      
+      cn = @username
+      
+      @ldap.authenticate(cn, @password)
+      @ldap.bind
+    end
 end

data/lib/casserver/cas.rb

@@ -103,20 +103,20 @@ module CASServer::CAS
   
     success = false
     if ticket.nil?
-      error = "Your login request did not include a login ticket."
+      error = "Your login request did not include a login ticket. There may be a problem with the authentication system."
       $LOG.warn("Missing login ticket.")
     elsif lt = LoginTicket.find_by_ticket(ticket)
       if lt.consumed?
-        error = "The login ticket you provided has already been used up."
+        error = "The login ticket you provided has already been used up. Please try logging in again."
         $LOG.warn("Login ticket '#{ticket}' previously used up")
       elsif Time.now - lt.created_on < CASServer::Conf.login_ticket_expiry
         $LOG.info("Login ticket '#{ticket}' successfully validated")
       else
-        error = "Your login ticket has expired."
+        error = "Your login ticket has expired. Please try logging in again."
         $LOG.warn("Expired login ticket '#{ticket}'")
       end
     else
-      error = "The login ticket you provided is invalid."
+      error = "The login ticket you provided is invalid. Please try logging in again."
       $LOG.warn("Invalid login ticket '#{ticket}'")
     end
     

data/lib/casserver/controllers.rb

@@ -74,18 +74,18 @@ module CASServer::Controllers
       $LOG.debug("Logging in with username: #{@username}, lt: #{@lt}, service: #{@service}, auth: #{$AUTH}")
       
       begin
-        credentials_are_valid = $AUTH.validate(:username => @username, :password => @password)
-      rescue AuthenticatorError => e
+        credentials_are_valid = $AUTH.validate(:username => @username, :password => @password, :service => @service)
+      rescue CASServer::AuthenticatorError => e
         $LOG.error(e)
         @message = {:type => 'mistake', :message => e.to_s}
-        render :login and return
+        return render(:login)
       end
       
       if credentials_are_valid
-        $LOG.info("Credentials for username '#{@username}' successfully validated")
+        $LOG.info("Credentials for username '#{$AUTH.username}' successfully validated")
         
         # 3.6 (ticket-granting cookie)
-        tgt = generate_ticket_granting_ticket(@username)
+        tgt = generate_ticket_granting_ticket($AUTH.username)
         
         if CASServer::Conf.expire_sessions
           expires = CASServer::Conf.ticket_granting_ticket_expiry.to_i.from_now
@@ -98,17 +98,17 @@ module CASServer::Controllers
         #        seem to be an easy way to set cookie expire times in Camping :(
         @cookies[:tgt] = tgt.to_s
         
-        $LOG.debug("Ticket granting cookie '#{@cookies[:tgt]}' granted to '#{@username}'. #{expiry_info}")
+        $LOG.debug("Ticket granting cookie '#{@cookies[:tgt]}' granted to '#{$AUTH.username}'. #{expiry_info}")
                 
         if @service.blank?
-          $LOG.info("Successfully authenticated user '#{@username}' at '#{tgt.client_hostname}'. No service param was given, so we will not redirect.")
+          $LOG.info("Successfully authenticated user '#{$AUTH.username}' at '#{tgt.client_hostname}'. No service param was given, so we will not redirect.")
           @message = {:type => 'confirmation', :message => "You have successfully logged in."}
         else
-          @st = generate_service_ticket(@service, @username)
+          @st = generate_service_ticket(@service, $AUTH.username)
           begin
             service_with_ticket = service_uri_with_ticket(@service, @st)
             
-            $LOG.info("Redirecting authenticated user '#{@username}' at '#{@st.client_hostname}' to service '#{@service}'")
+            $LOG.info("Redirecting authenticated user '#{$AUTH.username}' at '#{@st.client_hostname}' to service '#{@service}'")
             return redirect(service_with_ticket, :status => 303) # response code 303 means "See Other" (see Appendix B in CAS Protocol spec)
           rescue URI::InvalidURIError
             $LOG.error("The service '#{@service}' is not a valid URI!")
@@ -116,7 +116,7 @@ module CASServer::Controllers
           end
         end
       else
-        $LOG.warn("Invalid credentials given for user '#{@username}'")
+        $LOG.warn("Invalid credentials given for user '#{$AUTH.username}'")
         @message = {:type => 'mistake', :message => "Incorrect username or password."}
       end
       

data/lib/casserver/version.rb

@@ -2,7 +2,7 @@ module CASServer
   module VERSION #:nodoc:
     MAJOR = 0
     MINOR = 4
-    TINY  = 1
+    TINY  = 2
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

metadata

@@ -3,8 +3,8 @@ rubygems_version: 0.9.2
 specification_version: 1
 name: rubycas-server
 version: !ruby/object:Gem::Version 
-  version: 0.4.1
-date: 2007-06-07 00:00:00 -04:00
+  version: 0.4.2
+date: 2007-07-26 00:00:00 -04:00
 summary: Provides single sign on for web applications using the CAS protocol.
 require_paths: 
 - lib