Module: ASF::LDAP
- Defined in:
- lib/whimsy/asf/ldap.rb,
lib/whimsy/asf/ldap.rb
Constant Summary collapse
- HOSTS =
www.pingmybox.com/dashboard?location=304 github.com/apache/infrastructure-puppet/blob/deployment/data/common.yaml (ldapserver::slapd_peers) Updated 2016-04-11
%w( ldaps://devops.apache.org:636 ldaps://ldap1-lw-eu.apache.org:636 ldaps://ldap1-lw-us.apache.org:636 ldaps://ldap2-lw-eu.apache.org:636 ldaps://ldap2-lw-us.apache.org:636 ldaps://snappy5.apache.org:636 ldaps://themis.apache.org:636 )
- CONNECT_LOCK =
Mutex.new
- HOST_QUEUE =
Queue.new
Class Method Summary collapse
- .bind(user, password, &block) ⇒ Object
-
.configure ⇒ Object
update /etc/ldap.conf.
-
.connect(test = true) ⇒ Object
connect to LDAP.
-
.extract_cert ⇒ Object
query and extract cert from openssl output.
- .getHOSTS ⇒ Object
-
.host ⇒ Object
Return the last chosen host (if any).
-
.hosts ⇒ Object
determine what LDAP hosts are available.
-
.http_auth(string, &block) ⇒ Object
validate HTTP authorization, and optionally invoke a block bound to that user.
-
.puppet_cert ⇒ Object
extract the ldapcert from the puppet configuration.
-
.puppet_config ⇒ Object
fetch configuration from apache/infrastructure-puppet.
-
.puppet_ldapservers ⇒ Object
extract the ldap servers from the puppet configuration.
Class Method Details
.bind(user, password, &block) ⇒ Object
117 118 119 120 121 122 123 124 125 126 127 128 129 |
# File 'lib/whimsy/asf/ldap.rb', line 117 def self.bind(user, password, &block) dn = ASF::Person.new(user).dn raise ::LDAP::ResultError.new('Unknown user') unless dn ASF.ldap.unbind if ASF.ldap.bound? rescue nil ldap = ASF.init_ldap(true) if block ldap.bind(dn, password, &block) ASF.init_ldap(true) else ldap.bind(dn, password) end end |
.configure ⇒ Object
update /etc/ldap.conf. Usage:
sudo ruby -r whimsy/asf -e "ASF::LDAP.configure"
195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 |
# File 'lib/whimsy/asf/ldap.rb', line 195 def self.configure cert = Dir["#{ETCLDAP}/asf*-ldap-client.pem"].first # verify/obtain/write the cert if not cert cert = "#{ETCLDAP}/asf-ldap-client.pem" File.write cert, ASF::LDAP.puppet_cert || self.extract_cert end # read the current configuration file ldap_conf = "#{ETCLDAP}/ldap.conf" content = File.read(ldap_conf) # ensure that the right cert is used unless content =~ /asf.*-ldap-client\.pem/ content.gsub!(/^TLS_CACERT/i, '# TLS_CACERT') content += "TLS_CACERT #{ETCLDAP}/asf-ldap-client.pem\n" end # provide the URIs of the ldap hosts content.gsub!(/^URI/, '# URI') content += "uri \n" unless content =~ /^uri / content[/uri (.*)\n/, 1] = hosts.join(' ') # verify/set the base unless content.include? 'base dc=apache' content.gsub!(/^BASE/i, '# BASE') content += "base dc=apache,dc=org\n" end # ensure TLS_REQCERT is allow (Mac OS/X only) if ETCLDAP.include? 'openldap' and not content.include? 'REQCERT allow' content.gsub!(/^TLS_REQCERT/i, '# TLS_REQCERT') content += "TLS_REQCERT allow\n" end # write the configuration if there were any changes File.write(ldap_conf, content) unless content == File.read(ldap_conf) end |
.connect(test = true) ⇒ Object
connect to LDAP
81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 |
# File 'lib/whimsy/asf/ldap.rb', line 81 def self.connect(test = true) # Try each host at most once hosts.length.times do # Ensure we use each host in turn hosts.each {|host| HOST_QUEUE.push host} if HOST_QUEUE.empty? host = HOST_QUEUE.shift Wunderbar.info "[#{host}] - Connecting to LDAP server" begin # request connection uri = URI.parse(host) if uri.scheme == 'ldaps' ldap = ::LDAP::SSLConn.new(uri.host, uri.port) else ldap = ::LDAP::Conn.new(uri.host, uri.port) end # test the connection ldap.bind if test # save the host @host = host return ldap rescue ::LDAP::ResultError => re Wunderbar.warn "[#{host}] - Error connecting to LDAP server: " + re. + " (continuing)" end end Wunderbar.error "Failed to connect to any LDAP host" return nil end |
.extract_cert ⇒ Object
query and extract cert from openssl output
183 184 185 186 187 188 189 |
# File 'lib/whimsy/asf/ldap.rb', line 183 def self.extract_cert host = hosts.sample[%r{//(.*?)(/|$)}, 1] puts ['openssl', 's_client', '-connect', host, '-showcerts'].join(' ') out, err, rc = Open3.capture3 'openssl', 's_client', '-connect', host, '-showcerts' out[/^-+BEGIN.*?\n-+END[^\n]+\n/m] end |
.getHOSTS ⇒ Object
776 777 778 |
# File 'lib/whimsy/asf/ldap.rb', line 776 def self.getHOSTS HOSTS end |
.host ⇒ Object
Return the last chosen host (if any)
151 152 153 |
# File 'lib/whimsy/asf/ldap.rb', line 151 def self.host @host end |
.hosts ⇒ Object
determine what LDAP hosts are available
156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 |
# File 'lib/whimsy/asf/ldap.rb', line 156 def self.hosts return @hosts if @hosts # cache the hosts list # try whimsy config hosts = Array(ASF::Config.get(:ldap)) # check system configuration if hosts.empty? conf = "#{ETCLDAP}/ldap.conf" if File.exist? conf uris = File.read(conf)[/^uri\s+(.*)/i, 1].to_s hosts = uris.scan(/ldaps?:\/\/\S+?:\d+/) Wunderbar.debug "Using hosts from LDAP config" end else Wunderbar.debug "Using hosts from Whimsy config" end # if all else fails, use default list Wunderbar.debug "Using default host list" if hosts.empty? hosts = ASF::LDAP::HOSTS if hosts.empty? hosts.shuffle! #Wunderbar.debug "Hosts:\n#{hosts.join(' ')}" @hosts = hosts end |
.http_auth(string, &block) ⇒ Object
validate HTTP authorization, and optionally invoke a block bound to that user.
133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 |
# File 'lib/whimsy/asf/ldap.rb', line 133 def self.http_auth(string, &block) auth = Base64.decode64(string.to_s[/Basic (.*)/, 1] || '') user, password = auth.split(':', 2) return unless password if block self.bind(user, password, &block) else begin ASF::LDAP.bind(user, password) {} return ASF::Person.new(user) rescue ::LDAP::ResultError return nil end end end |
.puppet_cert ⇒ Object
extract the ldapcert from the puppet configuration
68 69 70 |
# File 'lib/whimsy/asf/ldap.rb', line 68 def self.puppet_cert puppet_config['ldapclient::ldapcert'] end |
.puppet_config ⇒ Object
fetch configuration from apache/infrastructure-puppet
57 58 59 60 61 62 63 64 65 |
# File 'lib/whimsy/asf/ldap.rb', line 57 def self.puppet_config return @puppet if @puppet file = '/apache/infrastructure-puppet/deployment/data/common.yaml' http = Net::HTTP.new('raw.githubusercontent.com', 443) http.use_ssl = true # the enclosing method is optional, so we only require the gem here require 'yaml' @puppet = YAML.load(http.request(Net::HTTP::Get.new(file)).body) end |
.puppet_ldapservers ⇒ Object
extract the ldap servers from the puppet configuration
73 74 75 76 77 78 |
# File 'lib/whimsy/asf/ldap.rb', line 73 def self.puppet_ldapservers puppet_config['ldapserver::slapd_peers'].values. map {|host| "ldaps://#{host}:636"} rescue nil end |