Class: Cratus::User

Inherits:

Object

• Object
• Cratus::User

Includes:

Comparable

Defined in:

lib/cratus/user.rb

Overview

An LDAP User representation

Instance Attribute Summary

• #search_base ⇒ Object readonly

  Returns the value of attribute search_base.

• #username ⇒ Object readonly

  Returns the value of attribute username.

Class Method Summary

• .all ⇒ Object

  All the LDAP Users.

• .ldap_dn_attribute ⇒ Object
• .ldap_object_class ⇒ Object
• .ldap_return_attributes ⇒ Object
• .ldap_search_base ⇒ Object

Instance Method Summary

• #<=>(other) ⇒ Object
• #add_to_group(group) ⇒ Object

  Add a user to a group.

• #department ⇒ Object
• #disable ⇒ Object

  Disables an enabled user.

• #disabled? ⇒ Boolean
• #dn ⇒ Object
• #email ⇒ Object
• #enable ⇒ Object

  Enables a disabled user.

• #enabled? ⇒ Boolean
• #fullname ⇒ Object
• #initialize(username) ⇒ User constructor

  A new instance of User.

• #locked? ⇒ Boolean

  fossies.org/linux/web2ldap/pylib/w2lapp/schema/plugins/activedirectory.py msdn.microsoft.com/en-us/library/windows/desktop/ms676843(v=vs.85).aspx.

• #lockoutduration ⇒ Object
• #lockouttime ⇒ Object
• #member_of ⇒ Object (also: #groups)
• #refresh ⇒ Object
• #remove_from_group(group) ⇒ Object

  Remove a user from a group.

• #unlock ⇒ Object

  Unlocks a user.

Constructor Details

#initialize(username) ⇒ User

Returns a new instance of User.

# File 'lib/cratus/user.rb', line 7

def initialize(username)
  @username = username
  @search_base = self.class.ldap_search_base
  refresh
end

Instance Attribute Details

#search_base ⇒ Object (readonly)

Returns the value of attribute search_base.

# File 'lib/cratus/user.rb', line 5

def search_base
  @search_base
end

#username ⇒ Object (readonly)

Returns the value of attribute username.

# File 'lib/cratus/user.rb', line 5

def username
  @username
end

Class Method Details

.all ⇒ Object

All the LDAP Users

# File 'lib/cratus/user.rb', line 158

def self.all
  raw_results = Cratus::LDAP.search(
    "(objectClass=#{ldap_object_class})",
    basedn: ldap_search_base,
    attrs: ldap_dn_attribute
  )
  raw_results.map do |entry|
    new(entry[ldap_dn_attribute.to_sym].last)
  end
end

.ldap_dn_attribute ⇒ Object

# File 'lib/cratus/user.rb', line 169

def self.ldap_dn_attribute
  Cratus.config.user_dn_attribute.to_s
end

.ldap_object_class ⇒ Object

# File 'lib/cratus/user.rb', line 173

def self.ldap_object_class
  Cratus.config.user_objectclass.to_s
end

.ldap_return_attributes ⇒ Object

# File 'lib/cratus/user.rb', line 177

def self.ldap_return_attributes
  [
    Cratus.config.user_dn_attribute.to_s,
    Cratus.config.user_department_attribute.to_s,
    Cratus.config.user_mail_attribute.to_s,
    Cratus.config.user_displayname_attribute.to_s,
    Cratus.config.user_memberof_attribute.to_s,
    Cratus.config.user_lockout_attribute.to_s,
    Cratus.config.user_account_control_attribute.to_s
  ]
end

.ldap_search_base ⇒ Object

# File 'lib/cratus/user.rb', line 189

def self.ldap_search_base
  Cratus.config.user_basedn.to_s
end

Instance Method Details

#<=>(other) ⇒ Object

# File 'lib/cratus/user.rb', line 153

def <=>(other)
  @username <=> other.username
end

#add_to_group(group) ⇒ Object

Add a user to a group

# File 'lib/cratus/user.rb', line 14

def add_to_group(group)
  raise 'InvalidGroup' unless group.respond_to?(:add_user)
  # just be lazy and hand off to the group to do the work...
  group.add_user(self)
end

#department ⇒ Object

# File 'lib/cratus/user.rb', line 27

def department
  @raw_ldap_data[Cratus.config.user_department_attribute].last
end

#disable ⇒ Object

Disables an enabled user

# File 'lib/cratus/user.rb', line 32

def disable
  if enabled?
    Cratus::LDAP.replace_attribute(
      dn,
      Cratus.config.user_account_control_attribute,
      ['514']
    )
    refresh
  else
    true
  end
end

#disabled? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/cratus/user.rb', line 45

def disabled?
  status = @raw_ldap_data[Cratus.config.user_account_control_attribute].last
  status.to_s == '514'
end

#dn ⇒ Object

# File 'lib/cratus/user.rb', line 50

def dn
  @raw_ldap_data[:dn].last
end

#email ⇒ Object

# File 'lib/cratus/user.rb', line 54

def email
  @raw_ldap_data[Cratus.config.user_mail_attribute].last
end

#enable ⇒ Object

Enables a disabled user

# File 'lib/cratus/user.rb', line 59

def enable
  if disabled?
    Cratus::LDAP.replace_attribute(
      dn,
      Cratus.config.user_account_control_attribute,
      ['512']
    )
    refresh
  else
    true
  end
end

#enabled? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/cratus/user.rb', line 72

def enabled?
  status = @raw_ldap_data[Cratus.config.user_account_control_attribute].last
  status.to_s == '512'
end

#fullname ⇒ Object

# File 'lib/cratus/user.rb', line 77

def fullname
  @raw_ldap_data[Cratus.config.user_displayname_attribute].last
end

#locked? ⇒ Boolean

fossies.org/linux/web2ldap/pylib/w2lapp/schema/plugins/activedirectory.py msdn.microsoft.com/en-us/library/windows/desktop/ms676843(v=vs.85).aspx

Returns:

• (Boolean)

# File 'lib/cratus/user.rb', line 90

def locked?
  return false if lockouttime.zero?
  epoch = 116_444_736_000_000_000
  current = Time.now.to_i * 10_000_000
  current - (lockouttime - epoch) < lockoutduration
end

#lockoutduration ⇒ Object

# File 'lib/cratus/user.rb', line 97

def lockoutduration
  raw_results = Cratus::LDAP.search(
    '(objectClass=domain)',
    basedn: Cratus.config.basedn,
    attrs: 'lockoutDuration',
    scope: 'object'
  ).last
  Integer(raw_results[:lockoutduration].last) * -1
end

#lockouttime ⇒ Object

# File 'lib/cratus/user.rb', line 81

def lockouttime
  Integer(@raw_ldap_data[Cratus.config.user_lockout_attribute].last.to_s)
rescue => _e
  0 # If we can't determine the value (for instance, if it is empty), just assume 0
end

#member_of ⇒ Object Also known as: groups

# File 'lib/cratus/user.rb', line 107

def member_of
  memrof_attr = Cratus.config.user_memberof_attribute
  # TODO: move the search filter to a configurable param
  if Cratus.config.include_distribution_groups
    raw_groups = @raw_ldap_data[memrof_attr]
  else
    raw_groups = @raw_ldap_data[memrof_attr].reject { |g| g.match(/OU=Distribution Groups/) }
  end
  initial_groups = raw_groups.map do |raw_group|
    Group.new(raw_group.match(/^#{Group.ldap_dn_attribute.to_s.upcase}=([^,]+),/)[1])
  end
  all_the_groups = initial_groups
  initial_groups.each do |group|
    all_the_groups.concat(group.member_of)
  end
  all_the_groups.uniq(&:name)
end

#refresh ⇒ Object

# File 'lib/cratus/user.rb', line 127

def refresh
  @raw_ldap_data = Cratus::LDAP.search(
    "(#{self.class.ldap_dn_attribute}=#{@username})",
    basedn: @search_base,
    attrs: self.class.ldap_return_attributes
  ).last
end

#remove_from_group(group) ⇒ Object

Remove a user from a group

# File 'lib/cratus/user.rb', line 21

def remove_from_group(group)
  raise 'InvalidGroup' unless group.respond_to?(:remove_user)
  # just be lazy and hand off to the group to do the work...
  group.remove_user(self)
end

#unlock ⇒ Object

Unlocks a user

Returns:

• ‘true` on success (or if user is already unlocked)

• ‘false` when the account is disabled (unlocking not permitted)

# File 'lib/cratus/user.rb', line 138

def unlock
  if locked? && enabled?
    Cratus::LDAP.replace_attribute(
      dn,
      Cratus.config.user_lockout_attribute,
      ['0']
    )
    refresh
  elsif disabled?
    false
  else
    true
  end
end