Class: Devise::LDAP::Connection
- Inherits:
-
Object
- Object
- Devise::LDAP::Connection
- Defined in:
- lib/devise_ldap_authenticatable/ldap/connection.rb
Instance Attribute Summary collapse
-
#ldap ⇒ Object
readonly
Returns the value of attribute ldap.
-
#login ⇒ Object
readonly
Returns the value of attribute login.
Instance Method Summary collapse
- #authenticate! ⇒ Object
- #authenticated? ⇒ Boolean
- #authorized? ⇒ Boolean
- #change_password! ⇒ Object
- #delete_param(param) ⇒ Object
- #dn ⇒ Object
- #expired_valid_credentials? ⇒ Boolean
- #has_required_attribute? ⇒ Boolean
- #has_required_attribute_presence? ⇒ Boolean
- #in_group?(group_name, group_attribute = LDAP::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY) ⇒ Boolean
- #in_required_groups? ⇒ Boolean
-
#initialize(params = {}) ⇒ Connection
constructor
A new instance of Connection.
- #last_message_bad_credentials? ⇒ Boolean
- #last_message_expired_credentials? ⇒ Boolean
- #ldap_param_value(param) ⇒ Object
-
#search_for_login ⇒ Object
Searches the LDAP for the login.
- #set_param(param, new_value) ⇒ Object
- #user_groups ⇒ Object
- #valid_login? ⇒ Boolean
Constructor Details
#initialize(params = {}) ⇒ Connection
Returns a new instance of Connection.
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 6 def initialize(params = {}) if ::Devise.ldap_config.is_a?(Proc) ldap_config = ::Devise.ldap_config.call else ldap_config = YAML.load(ERB.new(File.read(::Devise.ldap_config || "#{Rails.root}/config/ldap.yml")).result)[Rails.env] end = params ldap_config["ssl"] = :simple_tls if ldap_config["ssl"] === true [:encryption] = ldap_config["ssl"].to_sym if ldap_config["ssl"] @ldap = Net::LDAP.new() @ldap.host = ldap_config["host"] @ldap.port = ldap_config["port"] @ldap.base = ldap_config["base"] @attribute = ldap_config["attribute"] @allow_unauthenticated_bind = ldap_config["allow_unauthenticated_bind"] @ldap_auth_username_builder = params[:ldap_auth_username_builder] @group_base = ldap_config["group_base"] @check_group_membership = ldap_config.has_key?("check_group_membership") ? ldap_config["check_group_membership"] : ::Devise.ldap_check_group_membership @check_group_membership_without_admin = ldap_config.has_key?("check_group_membership_without_admin") ? ldap_config["check_group_membership_without_admin"] : ::Devise.ldap_check_group_membership_without_admin @required_groups = ldap_config["required_groups"] @group_membership_attribute = ldap_config.has_key?("group_membership_attribute") ? ldap_config["group_membership_attribute"] : "uniqueMember" @required_attributes = ldap_config["require_attribute"] @required_attributes_presence = ldap_config["require_attribute_presence"] @ldap.auth ldap_config["admin_user"], ldap_config["admin_password"] if params[:admin] @login = params[:login] @password = params[:password] @new_password = params[:new_password] end |
Instance Attribute Details
#ldap ⇒ Object (readonly)
Returns the value of attribute ldap.
4 5 6 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 4 def ldap @ldap end |
#login ⇒ Object (readonly)
Returns the value of attribute login.
4 5 6 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 4 def login @login end |
Instance Method Details
#authenticate! ⇒ Object
78 79 80 81 82 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 78 def authenticate! return false unless (@password.present? || @allow_unauthenticated_bind) @ldap.auth(dn, @password) @ldap.bind end |
#authenticated? ⇒ Boolean
84 85 86 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 84 def authenticated? authenticate! end |
#authorized? ⇒ Boolean
96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 96 def DeviseLdapAuthenticatable::Logger.send("Authorizing user #{dn}") if !authenticated? if DeviseLdapAuthenticatable::Logger.send("Not authorized because of invalid credentials.") elsif DeviseLdapAuthenticatable::Logger.send("Not authorized because of expired credentials.") else DeviseLdapAuthenticatable::Logger.send("Not authorized because not authenticated.") end return false elsif !in_required_groups? DeviseLdapAuthenticatable::Logger.send("Not authorized because not in required groups.") return false elsif !has_required_attribute? DeviseLdapAuthenticatable::Logger.send("Not authorized because does not have required attribute.") return false elsif !has_required_attribute_presence? DeviseLdapAuthenticatable::Logger.send("Not authorized because does not have required attribute present.") return false else return true end end |
#change_password! ⇒ Object
128 129 130 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 128 def change_password! update_ldap(:userPassword => ::Devise.ldap_auth_password_builder.call(@new_password)) end |
#delete_param(param) ⇒ Object
40 41 42 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 40 def delete_param(param) update_ldap [[:delete, param.to_sym, nil]] end |
#dn ⇒ Object
48 49 50 51 52 53 54 55 56 57 58 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 48 def dn @dn ||= begin DeviseLdapAuthenticatable::Logger.send("LDAP dn lookup: #{@attribute}=#{@login}") ldap_entry = search_for_login if ldap_entry.nil? @ldap_auth_username_builder.call(@attribute,@login,@ldap) else ldap_entry.dn end end end |
#expired_valid_credentials? ⇒ Boolean
122 123 124 125 126 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 122 def expired_valid_credentials? DeviseLdapAuthenticatable::Logger.send("Authorizing user #{dn}") !authenticated? && end |
#has_required_attribute? ⇒ Boolean
184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 184 def has_required_attribute? return true unless ::Devise.ldap_check_attributes admin_ldap = Connection.admin user = find_ldap_user(admin_ldap) @required_attributes.each do |key,val| matching_attributes = user[key] & Array(val) unless (matching_attributes).any? DeviseLdapAuthenticatable::Logger.send("User #{dn} did not match attribute #{key}:#{val}") return false end end return true end |
#has_required_attribute_presence? ⇒ Boolean
201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 201 def has_required_attribute_presence? return true unless ::Devise.ldap_check_attributes_presence user = search_for_login @required_attributes_presence.each do |key,val| if val && !user.attribute_names.include?(key.to_sym) DeviseLdapAuthenticatable::Logger.send("User #{dn} doesn't include attribute #{key}") return false elsif !val && user.attribute_names.include?(key.to_sym) DeviseLdapAuthenticatable::Logger.send("User #{dn} includes attribute #{key}") return false end end return true end |
#in_group?(group_name, group_attribute = LDAP::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY) ⇒ Boolean
148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 148 def in_group?(group_name, group_attribute = LDAP::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY) in_group = false if @check_group_membership_without_admin group_checking_ldap = @ldap else group_checking_ldap = Connection.admin end unless ::Devise.ldap_ad_group_check group_checking_ldap.search(:base => group_name, :scope => Net::LDAP::SearchScope_BaseObject) do |entry| if entry[group_attribute].include? dn in_group = true DeviseLdapAuthenticatable::Logger.send("User #{dn} IS included in group: #{group_name}") end end else # AD optimization - extension will recursively check sub-groups with one query # "(memberof:1.2.840.113556.1.4.1941:=group_name)" search_result = group_checking_ldap.search(:base => dn, :filter => Net::LDAP::Filter.ex("memberof:1.2.840.113556.1.4.1941", group_name), :scope => Net::LDAP::SearchScope_BaseObject) # Will return the user entry if belongs to group otherwise nothing if search_result.length == 1 && search_result[0].dn.eql?(dn) in_group = true DeviseLdapAuthenticatable::Logger.send("User #{dn} IS included in group: #{group_name}") end end unless in_group DeviseLdapAuthenticatable::Logger.send("User #{dn} is not in group: #{group_name}") end return in_group end |
#in_required_groups? ⇒ Boolean
132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 132 def in_required_groups? return true unless @check_group_membership || @check_group_membership_without_admin ## FIXME set errors here, the ldap.yml isn't set properly. return false if @required_groups.nil? for group in @required_groups if group.is_a?(Array) return false unless in_group?(group[1], group[0]) else return false unless in_group?(group) end end return true end |
#last_message_bad_credentials? ⇒ Boolean
88 89 90 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 88 def @ldap.get_operation_result..to_s.include? 'AcceptSecurityContext error, data 52e' end |
#last_message_expired_credentials? ⇒ Boolean
92 93 94 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 92 def @ldap.get_operation_result..to_s.include? 'AcceptSecurityContext error, data 773' end |
#ldap_param_value(param) ⇒ Object
60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 60 def ldap_param_value(param) ldap_entry = search_for_login if ldap_entry unless ldap_entry[param].empty? value = ldap_entry.send(param) DeviseLdapAuthenticatable::Logger.send("Requested param #{param} has value #{value}") value else DeviseLdapAuthenticatable::Logger.send("Requested param #{param} does not exist") value = nil end else DeviseLdapAuthenticatable::Logger.send("Requested ldap entry does not exist") value = nil end end |
#search_for_login ⇒ Object
Searches the LDAP for the login
233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 233 def search_for_login @login_ldap_entry ||= begin DeviseLdapAuthenticatable::Logger.send("LDAP search for login: #{@attribute}=#{@login}") filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s) ldap_entry = nil match_count = 0 @ldap.search(:filter => filter) {|entry| ldap_entry = entry; match_count+=1} op_result= @ldap.get_operation_result if op_result.code!=0 then DeviseLdapAuthenticatable::Logger.send("LDAP Error #{op_result.code}: #{op_result.}") end DeviseLdapAuthenticatable::Logger.send("LDAP search yielded #{match_count} matches") ldap_entry end end |
#set_param(param, new_value) ⇒ Object
44 45 46 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 44 def set_param(param, new_value) update_ldap( { param.to_sym => new_value } ) end |
#user_groups ⇒ Object
219 220 221 222 223 224 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 219 def user_groups admin_ldap = Connection.admin DeviseLdapAuthenticatable::Logger.send("Getting groups for #{dn}") filter = Net::LDAP::Filter.eq(@group_membership_attribute, dn) admin_ldap.search(:filter => filter, :base => @group_base).collect(&:dn) end |
#valid_login? ⇒ Boolean
226 227 228 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 226 def valid_login? !search_for_login.nil? end |