Class: RIMS::Password::LDAPSource

Inherits:
Source
  • Object
Defined in:
lib/rims/passwd/ldap.rb

Overview

To enable the LDAP pass-source plug-in, add the entry rims/passwd/ldap to the load_libraries list.

ex.
   load_libraries:
     - rims/passwd/ldap


Constructor Details

#initialize(host, port, base_dn, attr, scope: 'sub', filter: nil, search_bind_auth: { :method => :anonymous }, search_bind_verification_skip: false, encryption: false) ⇒ LDAPSource

Returns a new instance of LDAPSource.



# File 'lib/rims/passwd/ldap.rb', line 16

# Creates a pass-source backed by an LDAP directory.
#
# Only the settings are stored here; +scope+ and +filter+ are kept as the
# raw strings and translated into Net::LDAP objects by #start.
#
# @param host [String] LDAP server host
# @param port [Integer] LDAP server port
# @param base_dn [String] base DN of the user search
# @param attr [String] attribute matched against the login username
# @param scope [String] search scope name: 'base', 'one' or 'sub'
# @param filter [String, nil] extra LDAP filter string AND-ed with the
#   username match, or nil for none
# @param search_bind_auth [Hash] how the lookup connection binds:
#   { :method => :anonymous }, or { :method => :simple, :username => ...,
#   :password => ... } — held in memory as given, so keep it out of logs
# @param search_bind_verification_skip [Boolean] presumably disables
#   certificate verification for the search connection (used outside this
#   file — confirm in ldap_open); should stay false outside test setups
# @param encryption [Boolean] true for ldaps://, false for ldap://
def initialize(host, port, base_dn, attr, scope: 'sub', filter: nil,
               search_bind_auth: { :method => :anonymous },
               search_bind_verification_skip: false,
               encryption: false)
  @host, @port, @base_dn, @attr = host, port, base_dn, attr
  # raw strings; #start resolves them into Net::LDAP scope/filter objects
  @scope_src, @filter_src = scope, filter
  @search_bind_auth, @search_bind_verification_skip, @encryption =
    search_bind_auth, search_bind_verification_skip, encryption
end

Class Method Details

.build_from_conf(config) ⇒ Object

configuration entries:

  • "ldap_uri"

  • "base_dn"

  • "attribute"

  • "scope"

  • "filter"

  • "search_bind_auth"

    * "method"
    * "username"
    * "password"
    
  • "search_bind_verification_skip"



# File 'lib/rims/passwd/ldap.rb', line 170

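# Builds an LDAPSource from the pass-source configuration hash.
#
# "ldap_uri" is mandatory and supplies host and port (and, when present in
# the URI, base DN, attribute, scope and filter).  Explicit "base_dn",
# "attribute", "scope", "filter" and "search_bind_verification_skip"
# entries take precedence over what the URI carries.  "search_bind_auth"
# selects how the lookup connection binds: "method" is "anonymous" or
# "simple"; "simple" additionally needs "username" and "password".
#
# @param config [Hash{String => Object}] configuration with String keys
# @return [LDAPSource]
# @raise [RuntimeError] when "ldap_uri", the base DN, the attribute or the
#   simple-bind credentials are missing, or the bind method is unknown
def build_from_conf(config)
  unless config.key?('ldap_uri')
    raise 'required ldap_uri parameter at LDAP pass-source configuration.'
  end
  ldap_params = parse_uri(config['ldap_uri'])

  # host and port are always set by parse_uri; a missing one is a bug here.
  ldap_args = %i[host port].map { |name|
    ldap_params.delete(name) or raise "internal error: #{name}"
  }

  # the URI may carry these, but an explicit configuration entry wins
  %i[base_dn attribute].each do |name|
    value = ldap_params.delete(name)
    value = config[name.to_s] if config.key?(name.to_s)
    unless value
      raise "required #{name} parameter at LDAP pass-source configuration."
    end
    ldap_args << value
  end

  # NOTE(review): search_bind_verification_skip presumably turns off
  # certificate verification of the search connection (handled outside this
  # method) — it should stay unset outside test setups.
  %i[scope filter search_bind_verification_skip].each do |name|
    ldap_params[name] = config[name.to_s] if config.key?(name.to_s)
  end

  if config.key?('search_bind_auth')
    auth_conf = config['search_bind_auth']
    auth_method = auth_conf.is_a?(Hash) ? auth_conf['method'] : nil
    ldap_params[:search_bind_auth] =
      case auth_method
      when 'anonymous'
        { method: :anonymous }
      when 'simple'
        username = auth_conf['username'] or raise 'required search bind username at LDAP pass-source configuration.'
        password = auth_conf['password'] or raise 'required search bind password at LDAP pass-source configuration.'
        { method: :simple, username: username, password: password }
      else
        # report only the method name: the hash may carry the bind password,
        # which must not end up in an exception message or a log line
        raise "unknown or unsupported bind method type: #{auth_method.inspect}"
      end
  end

  new(*ldap_args, **ldap_params)
end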

.parse_uri(uri_string) ⇒ Object



# File 'lib/rims/passwd/ldap.rb', line 135

# Splits an LDAP URL into constructor parameters.
#
# Recognised parts: the scheme (ldaps:// sets :encryption), the host
# (defaults to 'localhost'), the port, the DN path (:base_dn) and the
# attributes/scope/filter query fields.  Percent-escaped parts are decoded
# with .uri_decode before they are returned.
#
# @param uri_string [String] an ldap:// or ldaps:// URL
# @return [Hash{Symbol => Object}] :host and :port always; :encryption,
#   :base_dn, :attribute, :scope and :filter only when present in the URL
# @raise [RuntimeError] when the URL is not an LDAP/LDAPS URL
# @raise [URI::InvalidURIError] when the string is not a parseable URI
def parse_uri(uri_string)
  ldap_uri = URI.parse(uri_string)
  raise "not a LDAP URI: #{uri_string}" unless ldap_uri.is_a?(URI::LDAP)

  params = {}
  # URI::LDAPS is a subclass of URI::LDAP; only the encryption flag differs.
  params[:encryption] = true if ldap_uri.is_a?(URI::LDAPS)
  params[:host] = ldap_uri.host || 'localhost'
  params[:port] = ldap_uri.port or raise "required LDAP port: #{uri_string}"

  dn = ldap_uri.dn
  params[:base_dn] = uri_decode(dn) unless dn.nil? || dn.empty?
  { attribute: ldap_uri.attributes, scope: ldap_uri.scope, filter: ldap_uri.filter }.each do |key, raw|
    params[key] = uri_decode(raw) if raw
  end

  params
end

.uri_decode(string) ⇒ Object



# File 'lib/rims/passwd/ldap.rb', line 131

# Decodes %XY percent-escapes in a URI component.
#
# Each two-hex-digit escape becomes the single byte it denotes; the result
# is re-tagged with the input's encoding so that decoded multi-byte
# sequences read back as text.  Anything that is not a complete %XY escape
# is left as it is.
#
# @param string [String] percent-encoded component
# @return [String] decoded copy, in +string.encoding+
def uri_decode(string)
  decoded = string.gsub(/%(\h\h)/) { [Regexp.last_match(1)].pack('H2') }
  decoded.force_encoding(string.encoding)
end

Instance Method Details

#compare_password(username, password) ⇒ Object



# File 'lib/rims/passwd/ldap.rb', line 118

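# Verifies +password+ for +username+ by binding to the directory as that
# user.
#
# The username is first resolved to a DN with #search; when no entry
# matches, no bind is attempted and the block yields nil.  Otherwise the
# outcome of a simple bind with the user's DN decides.
#
# @param username [String] login name, matched against the configured attribute
# @param password [String] password supplied by the client
# @return [Boolean, nil] true when the bind succeeds, false when it fails
#   or the password is empty, nil when the user does not exist (assuming
#   ldap_open returns the block's value)
def compare_password(username, password)
  ldap_open do |ldap|
    user_dn = search(ldap, username)
    next unless user_dn

    # Never send an empty password to the simple bind: RFC 4513 §5.1.2 lets
    # a server treat DN + empty password as an "unauthenticated" bind that
    # succeeds without proving anything about the client.
    next false if password.to_s.empty?

    ldap.bind(method: :simple, username: user_dn, password: password) ? true : false
  end
end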

#raw_password? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/rims/passwd/ldap.rb', line 58

# Tells the caller that this source cannot hand out stored passwords: the
# directory only answers bind attempts, so verification must go through
# #compare_password.
#
# @return [Boolean] always false
def raw_password?
  false
end

#start ⇒ Object



# File 'lib/rims/passwd/ldap.rb', line 31

# Prepares the search parameters when the pass-source is brought up.
#
# Logs the effective connection settings (no credentials are included),
# translates the scope name into a Net::LDAP search scope, and builds
# @filter_factory: a proc that, given a username, returns the filter for
# the user lookup — an equality match on @attr, AND-ed with the configured
# extra filter when one is set.
#
# NOTE(review): the username goes into Net::LDAP::Filter.eq unmodified
# here; confirm that the caller escapes LDAP filter metacharacters
# (Net::LDAP::Filter.escape) so that a login name cannot widen the match.
# @logger is presumably assigned before #start is called — confirm.
#
# @return [void]
# @raise [RuntimeError] when @scope_src is not 'base', 'one' or 'sub'
def start
  scheme = @encryption ? 'ldaps' : 'ldap'
  @logger.info("LDAP pass-source: #{scheme}://#{@host}:#{@port}/#{@base_dn}?#{@attr}?#{@scope_src}?#{@filter_src}")

  scope_by_name = {
    'base' => Net::LDAP::SearchScope_BaseObject,
    'one' => Net::LDAP::SearchScope_SingleLevel,
    'sub' => Net::LDAP::SearchScope_WholeSubtree
  }
  @scope = scope_by_name.fetch(@scope_src) {
    raise "unknown ldap search scope: #{@scope_src}"
  }

  # the extra filter is parsed once; each lookup only builds the username part
  extra_filter = @filter_src && Net::LDAP::Filter.construct(@filter_src)
  @filter_factory = proc { |username|
    user_filter = Net::LDAP::Filter.eq(@attr, username)
    extra_filter ? user_filter & extra_filter : user_filter
  }
end

#user?(username) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/rims/passwd/ldap.rb', line 108

# Reports whether the directory holds an entry for +username+.
#
# @param username [String] login name, matched against the configured attribute
# @return [Boolean] true when #search finds an entry, false otherwise
#   (assuming ldap_open returns the block's value)
def user?(username)
  ldap_open do |ldap|
    search(ldap, username) ? true : false
  end
end