Module: ASF::LDAP

Defined in:

lib/whimsy/asf/ldap.rb,
lib/whimsy/asf/ldap.rb

Constant Summary

HOSTS =

www.pingmybox.com/dashboard?location=304 github.com/apache/infrastructure-puppet/blob/deployment/data/common.yaml (ldapserver::slapd_peers)

%w(
  ldaps://ldap1-us-west.apache.org:636
  ldaps://ldap1-lw-us.apache.org:636
  ldaps://ldap2-us-west.apache.org:636
  ldaps://ldap1-lw-eu.apache.org:636
  ldaps://snappy5.apache.org:636
  ldaps://ldap2-lw-us.apache.org:636
  ldaps://ldap2-lw-eu.apache.org:636
)

CONNECT_LOCK =

Mutex.new

HOST_QUEUE =

Queue.new

Class Method Summary

• .bind(user, password, &block) ⇒ Object
• .configure ⇒ Object

  update /etc/ldap.conf.

• .connect(test = true) ⇒ Object

  connect to LDAP.

• .extract_cert ⇒ Object

  query and extract cert from openssl output.

• .hosts ⇒ Object

  determine what LDAP hosts are available.

• .http_auth(string, &block) ⇒ Object

  validate HTTP authorization, and optionally invoke a block bound to that user.

• .puppet_cert ⇒ Object

  extract the ldapcert from the puppet configuration.

• .puppet_config ⇒ Object

  fetch configuration from apache/infrastructure-puppet.

• .puppet_ldapservers ⇒ Object

  extract the ldap servers from the puppet configuration.

Class Method Details

.bind(user, password, &block) ⇒ Object

Raises:

• (::LDAP::ResultError)

# File 'lib/whimsy/asf/ldap.rb', line 566

def self.bind(user, password, &block)
  dn = ASF::Person.new(user).dn
  raise ::LDAP::ResultError.new('Unknown user') unless dn

  ASF.ldap.unbind if ASF.ldap.bound? rescue nil
  ldap = ASF.init_ldap(true)
  if block
    ldap.bind(dn, password, &block)
    ASF.init_ldap(true)
  else
    ldap.bind(dn, password)
  end
end

.configure ⇒ Object

update /etc/ldap.conf. Usage:

sudo ruby -r whimsy/asf -e "ASF::LDAP.configure"

# File 'lib/whimsy/asf/ldap.rb', line 639

def self.configure
  cert = Dir["#{ETCLDAP}/asf*-ldap-client.pem"].first

  # verify/obtain/write the cert
  if not cert
    cert = "#{ETCLDAP}/asf-ldap-client.pem"
    File.write cert, ASF::LDAP.puppet_cert || self.extract_cert
  end

  # read the current configuration file
  ldap_conf = "#{ETCLDAP}/ldap.conf"
  content = File.read(ldap_conf)

  # ensure that the right cert is used
  unless content =~ /asf.*-ldap-client\.pem/
    content.gsub!(/^TLS_CACERT/i, '# TLS_CACERT')
    content += "TLS_CACERT #{ETCLDAP}/asf-ldap-client.pem\n"
  end

  # provide the URIs of the ldap hosts
  content.gsub!(/^URI/, '# URI')
  content += "uri \n" unless content =~ /^uri /
  content[/uri (.*)\n/, 1] = hosts.join(' ')

  # verify/set the base
  unless content.include? 'base dc=apache'
    content.gsub!(/^BASE/i, '# BASE')
    content += "base dc=apache,dc=org\n"
  end

  # ensure TLS_REQCERT is allow (Mac OS/X only)
  if ETCLDAP.include? 'openldap' and not content.include? 'REQCERT allow'
    content.gsub!(/^TLS_REQCERT/i, '# TLS_REQCERT')
    content += "TLS_REQCERT allow\n"
  end

  # write the configuration if there were any changes
  File.write(ldap_conf, content) unless content == File.read(ldap_conf)
end

.connect(test = true) ⇒ Object

connect to LDAP

# File 'lib/whimsy/asf/ldap.rb', line 78

def self.connect(test = true)
  # Try each host at most once
  hosts.length.times do
    # Ensure we use each host in turn
    hosts.each {|host| HOST_QUEUE.push host} if HOST_QUEUE.empty?
    host = HOST_QUEUE.shift

    Wunderbar.info "Connecting to LDAP server: #{host}"

    begin
      # request connection
      uri = URI.parse(host)
      if uri.scheme == 'ldaps'
        ldap = ::LDAP::SSLConn.new(uri.host, uri.port)
      else
        ldap = ::LDAP::Conn.new(uri.host, uri.port)
      end

      # test the connection
      ldap.bind if test

      # save the host
      @host = host

      return ldap
    rescue ::LDAP::ResultError => re
      Wunderbar.warn "Error connecting to LDAP server #{host}: " +
        re.message + " (continuing)"
    end

  end

  Wunderbar.error "Failed to connect to any LDAP host"
  return nil
end

.extract_cert ⇒ Object

query and extract cert from openssl output

# File 'lib/whimsy/asf/ldap.rb', line 627

def self.extract_cert
  host = hosts.sample[%r{//(.*?)(/|$)}, 1]
  puts ['openssl', 's_client', '-connect', host, '-showcerts'].join(' ')
  out, err, rc = Open3.capture3 'openssl', 's_client',
    '-connect', host, '-showcerts'
  out[/^-+BEGIN.*?\n-+END[^\n]+\n/m]
end

.hosts ⇒ Object

determine what LDAP hosts are available

# File 'lib/whimsy/asf/ldap.rb', line 600

def self.hosts
  return @hosts if @hosts # cache the hosts list
  # try whimsy config
  hosts = Array(ASF::Config.get(:ldap))

  # check system configuration
  if hosts.empty?
    conf = "#{ETCLDAP}/ldap.conf"
    if File.exist? conf
      uris = File.read(conf)[/^uri\s+(.*)/i, 1].to_s
      hosts = uris.scan(/ldaps?:\/\/\S+?:\d+/)
      Wunderbar.debug "Using hosts from LDAP config"
    end
  else
    Wunderbar.debug "Using hosts from Whimsy config"
  end

  # if all else fails, use default list
  Wunderbar.debug "Using default host list" if hosts.empty?
  hosts = ASF::LDAP::HOSTS if hosts.empty?

  hosts.shuffle!
  #Wunderbar.debug "Hosts:\n#{hosts.join(' ')}"
  @hosts = hosts
end

.http_auth(string, &block) ⇒ Object

validate HTTP authorization, and optionally invoke a block bound to that user.

# File 'lib/whimsy/asf/ldap.rb', line 582

def self.http_auth(string, &block)
  auth = Base64.decode64(string.to_s[/Basic (.*)/, 1] || '')
  user, password = auth.split(':', 2)
  return unless password

  if block
    self.bind(user, password, &block)
  else
    begin
      ASF::LDAP.bind(user, password) {}
      return ASF::Person.new(user)
    rescue ::LDAP::ResultError
      return nil
    end
  end
end

.puppet_cert ⇒ Object

extract the ldapcert from the puppet configuration

# File 'lib/whimsy/asf/ldap.rb', line 65

def self.puppet_cert
  puppet_config['ldapclient::ldapcert']
end

.puppet_config ⇒ Object

fetch configuration from apache/infrastructure-puppet

# File 'lib/whimsy/asf/ldap.rb', line 56

def self.puppet_config
  return @puppet if @puppet
  file = '/apache/infrastructure-puppet/deployment/data/common.yaml'
  http = Net::HTTP.new('raw.githubusercontent.com', 443)
  http.use_ssl = true
  @puppet = YAML.load(http.request(Net::HTTP::Get.new(file)).body)
end

.puppet_ldapservers ⇒ Object

extract the ldap servers from the puppet configuration

# File 'lib/whimsy/asf/ldap.rb', line 70

def self.puppet_ldapservers
  puppet_config['ldapserver::slapd_peers'].values.
    map {|host| "ldaps://#{host}:636"}
rescue
  nil
end