Class: GitHub::Ldap::Domain

Inherits:
Object
  • Object
show all
Includes:
Filter
Defined in:
lib/github/ldap/domain.rb

Overview

A domain represents the base object for an ldap tree. It encapsulates the operations that you can perform against a tree, authenticating users, for instance.

This makes possible to reuse a server connection to perform operations with two different domain bases.

To get a domain, you’ll need to create a ‘Ldap` object and then call the method `domain` with the name of the base.

For example:

domain = GitHub::Ldap.new(options).domain(“dc=github,dc=com”)

Constant Summary

Constants included from Filter

Filter::ALL_GROUPS_FILTER

Instance Method Summary collapse

Methods included from Filter

#group_contains_filter, #group_filter, #login_filter, #member_filter

Constructor Details

#initialize(base_name, connection, uid) ⇒ Domain

Returns a new instance of Domain.



17
18
19
 
# File 'lib/github/ldap/domain.rb', line 17

def initialize(base_name, connection, uid)
  @base_name, @connection, @uid = base_name, connection, uid
end

Instance Method Details

#all_groupsObject

List all groups under this tree, including subgroups.

Returns a list of ldap entries.



24
25
26
 
# File 'lib/github/ldap/domain.rb', line 24

def all_groups
  search(filter: ALL_GROUPS_FILTER)
end

#auth(user, password) ⇒ Object

Check if a user can be bound with a password.

user: is a ldap entry representing the user. password: is the user’s password.

Returns true if the user can be bound.



99
100
101
 
# File 'lib/github/ldap/domain.rb', line 99

def auth(user, password)
  @connection.bind(method: :simple, username: user.dn, password: password)
end

#authenticate!(login, password, group_names = nil) ⇒ Object

Authenticate a user with the ldap server.

login: is the user’s login. This method doesn’t accept email identifications. password: is the user’s password. group_names: is an array of group CNs.

Returns the user info if the credentials are valid and there are no groups configured. Returns the user info if the credentials are valid and the user belongs to a configured group. Returns nil if the credentials are invalid



112
113
114
115
116
 
# File 'lib/github/ldap/domain.rb', line 112

def authenticate!(, password, group_names = nil)
  user = valid_login?(, password)

  return user if user && is_member?(user.dn, group_names)
end

#bindObject

Get the entry for this domain.

Returns a Net::LDAP::Entry



146
147
148
 
# File 'lib/github/ldap/domain.rb', line 146

def bind
  search({}).first
end

#filter_groups(query) ⇒ Object

List all groups under this tree that match the query.

Returns a list of ldap entries.



31
32
33
 
# File 'lib/github/ldap/domain.rb', line 31

def filter_groups(query)
  search(filter: group_contains_filter(query))
end

#get_operation_resultObject

Provide a meaningful result after a protocol operation (for example, bind or search) has completed.

Returns an OpenStruct containing an LDAP result code and a human-readable string. See tools.ietf.org/html/rfc4511#appendix-A



139
140
141
 
# File 'lib/github/ldap/domain.rb', line 139

def get_operation_result
  @connection.get_operation_result
end

#groups(group_names) ⇒ Object

List the groups in the ldap server that match the configured ones.

group_names: is an array of group CNs.

Returns a list of ldap entries for the configured groups.



40
41
42
 
# File 'lib/github/ldap/domain.rb', line 40

def groups(group_names)
  search(filter: group_filter(group_names))
end

#is_member?(user_dn, group_names) ⇒ Boolean

Check if the user is include in any of the configured groups.

user_dn: is the dn for the user ldap entry. group_names: is an array of group CNs.

Returns true if the user belongs to any of the groups. Returns false otherwise.

Returns:

  • (Boolean) 


61
62
63
64
65
66
67
68
 
# File 'lib/github/ldap/domain.rb', line 61

def is_member?(user_dn, group_names)
  return true if group_names.nil?
  return true if group_names.empty?

  user_membership = membership(user_dn, group_names)

  !user_membership.empty?
end

#membership(user_dn, group_names) ⇒ Object

List the groups that a user is member of.

user_dn: is the dn for the user ldap entry. group_names: is an array of group CNs.

Return an Array with the groups that the given user is member of that belong to the given group list.



50
51
52
 
# File 'lib/github/ldap/domain.rb', line 50

def membership(user_dn, group_names)
  search(filter: group_filter(group_names, user_dn))
end

#search(options) ⇒ Object

Search entries using this domain as base.

options: is a Hash with the options for the search. The base option is always overriden.

Returns an array with the entries found.



124
125
126
127
128
129
130
131
 
# File 'lib/github/ldap/domain.rb', line 124

def search(options)
  options[:base] = @base_name
  options[:attributes] ||= []
  options[:ignore_server_caps] ||= true
  options[:paged_searches_supported] ||= true

  Array(@connection.search(options))
end

#user?(login) ⇒ Boolean

Check if a user exists based in the ‘uid`.

login: is the user’s login

Returns the user if the login matches any ‘uid`. Returns nil if there are no matches.

Returns:

  • (Boolean) 


89
90
91
 
# File 'lib/github/ldap/domain.rb', line 89

def user?()
  search(filter: (@uid, ), limit: 1).first
end

#valid_login?(login, password) ⇒ Boolean

Check if the user credentials are valid.

login: is the user’s login. password: is the user’s password.

Returns a Ldap::Entry if the credentials are valid. Returns nil if the credentials are invalid.

Returns:

  • (Boolean) 


77
78
79
80
81
 
# File 'lib/github/ldap/domain.rb', line 77

def valid_login?(, password)
  if user = user?() and auth(user, password)
    return user
  end
end