Class: GitHub::Ldap::Domain

Inherits:

Object

• Object
• GitHub::Ldap::Domain

Includes:

Filter

Defined in:

lib/github/ldap/domain.rb

Overview

A domain represents the base object for an ldap tree. It encapsulates the operations that you can perform against a tree, authenticating users, for instance.

This makes possible to reuse a server connection to perform operations with two different domain bases.

To get a domain, you’ll need to create a ‘Ldap` object and then call the method `domain` with the name of the base.

For example:

domain = GitHub::Ldap.new(options).domain(“dc=github,dc=com”)

Instance Method Summary

• #auth(user, password) ⇒ Object

  Check if a user can be bound with a password.

• #authenticate!(login, password, group_names = nil) ⇒ Object

  Authenticate a user with the ldap server.

• #groups(group_names) ⇒ Object

  List the groups in the ldap server that match the configured ones.

• #initialize(base_name, connection, uid) ⇒ Domain constructor

  A new instance of Domain.

• #is_member?(user_dn, group_names) ⇒ Boolean

  Check if the user is include in any of the configured groups.

• #membership(user_dn, group_names) ⇒ Object

  List the groups that a user is member of.

• #search(options) ⇒ Object

  Search entries using this domain as base.

• #user?(login) ⇒ Boolean

  Check if a user exists based in the ‘uid`.

• #valid_login?(login, password) ⇒ Boolean

  Check if the user credentials are valid.

Methods included from Filter

#group_filter, #member_filter

Constructor Details

#initialize(base_name, connection, uid) ⇒ Domain

Returns a new instance of Domain.

# File 'lib/github/ldap/domain.rb', line 17

def initialize(base_name, connection, uid)
  @base_name, @connection, @uid = base_name, connection, uid
end

Instance Method Details

#auth(user, password) ⇒ Object

Check if a user can be bound with a password.

user: is a ldap entry representing the user. password: is the user’s password.

Returns true if the user can be bound.

# File 'lib/github/ldap/domain.rb', line 89

def auth(user, password)
  @connection.bind(method: :simple, username: user.dn, password: password)
end

#authenticate!(login, password, group_names = nil) ⇒ Object

Authenticate a user with the ldap server.

login: is the user’s login. This method doesn’t accept email identifications. password: is the user’s password. group_names: is an array of group CNs.

Returns the user info if the credentials are valid and there are no groups configured. Returns the user info if the credentials are valid and the user belongs to a configured group. Returns nil if the credentials are invalid

# File 'lib/github/ldap/domain.rb', line 102

def authenticate!(login, password, group_names = nil)
  user = valid_login?(login, password)

  return user if user && is_member?(user.dn, group_names)
end

#groups(group_names) ⇒ Object

List the groups in the ldap server that match the configured ones.

group_names: is an array of group CNs.

Returns a list of ldap entries for the configured groups.

# File 'lib/github/ldap/domain.rb', line 26

def groups(group_names)
  search(filter: group_filter(group_names))
end

#is_member?(user_dn, group_names) ⇒ Boolean

Check if the user is include in any of the configured groups.

user_dn: is the dn for the user ldap entry. group_names: is an array of group CNs.

Returns true if the user belongs to any of the groups. Returns false otherwise.

Returns:

• (Boolean)

# File 'lib/github/ldap/domain.rb', line 47

def is_member?(user_dn, group_names)
  return true if group_names.nil?
  return true if group_names.empty?

  user_membership = membership(user_dn, group_names)

  !user_membership.empty?
end

#membership(user_dn, group_names) ⇒ Object

List the groups that a user is member of.

user_dn: is the dn for the user ldap entry. group_names: is an array of group CNs.

Return an Array with the groups that the given user is member of that belong to the given group list.

# File 'lib/github/ldap/domain.rb', line 36

def membership(user_dn, group_names)
  search(filter: group_filter(group_names, user_dn))
end

#search(options) ⇒ Object

Search entries using this domain as base.

options: is a Hash with the options for the search. The base option is always overriden.

Returns an array with the entries found. Returns nil if there are no entries.

# File 'lib/github/ldap/domain.rb', line 115

def search(options)
  options[:base] = @base_name
  options[:attributes] ||= %w{ou cn dn sAMAccountName member}

  @connection.search(options)
end

#user?(login) ⇒ Boolean

Check if a user exists based in the ‘uid`.

login: is the user’s login

Returns the user if the login matches any ‘uid`. Returns nil if there are no matches.

Returns:

• (Boolean)

# File 'lib/github/ldap/domain.rb', line 75

def user?(login)
  rs = search(
    filter: Net::LDAP::Filter.eq(@uid, login),
    attributes: [],
    limit: 1)
  rs and rs.first
end

#valid_login?(login, password) ⇒ Boolean

Check if the user credentials are valid.

login: is the user’s login. password: is the user’s password.

Returns a Ldap::Entry if the credentials are valid. Returns nil if the credentials are invalid.

Returns:

• (Boolean)

# File 'lib/github/ldap/domain.rb', line 63

def valid_login?(login, password)
  if user = user?(login) and auth(user, password)
    return user
  end
end