Mercurial > hg > soundsoftware-site

annotate app/models/auth_source_ldap.rb @ 8:0c83d98252d9 yuya

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
* Add custom repo prefix and proper auth realm, remove auth cache (seems like an unwise feature), pass DB handle around, various other bits of tidying
author Chris Cannam
date Thu, 12 Aug 2010 15:31:37 +0100
parents 513646585e45
children 051f544170fe
rev   line source
Chris@0 1 # redMine - project management software
Chris@0 2 # Copyright (C) 2006 Jean-Philippe Lang
Chris@0 3 #
Chris@0 4 # This program is free software; you can redistribute it and/or
Chris@0 5 # modify it under the terms of the GNU General Public License
Chris@0 6 # as published by the Free Software Foundation; either version 2
Chris@0 7 # of the License, or (at your option) any later version.
Chris@0 8 #
Chris@0 9 # This program is distributed in the hope that it will be useful,
Chris@0 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
Chris@0 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
Chris@0 12 # GNU General Public License for more details.
Chris@0 13 #
Chris@0 14 # You should have received a copy of the GNU General Public License
Chris@0 15 # along with this program; if not, write to the Free Software
Chris@0 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
Chris@0 17
Chris@0 18 require 'net/ldap'
Chris@0 19 require 'iconv'
Chris@0 20
Chris@0 21 class AuthSourceLdap < AuthSource
Chris@0 22 validates_presence_of :host, :port, :attr_login
Chris@0 23 validates_length_of :name, :host, :account_password, :maximum => 60, :allow_nil => true
Chris@0 24 validates_length_of :account, :base_dn, :maximum => 255, :allow_nil => true
Chris@0 25 validates_length_of :attr_login, :attr_firstname, :attr_lastname, :attr_mail, :maximum => 30, :allow_nil => true
Chris@0 26 validates_numericality_of :port, :only_integer => true
Chris@0 27
Chris@0 28 before_validation :strip_ldap_attributes
Chris@0 29
Chris@0 30 def after_initialize
Chris@0 31 self.port = 389 if self.port == 0
Chris@0 32 end
Chris@0 33
Chris@0 34 def authenticate(login, password)
Chris@0 35 return nil if login.blank? || password.blank?
Chris@0 36 attrs = get_user_dn(login)
Chris@0 37
Chris@0 38 if attrs && attrs[:dn] && authenticate_dn(attrs[:dn], password)
Chris@0 39 logger.debug "Authentication successful for '#{login}'" if logger && logger.debug?
Chris@0 40 return attrs.except(:dn)
Chris@0 41 end
Chris@0 42 rescue Net::LDAP::LdapError => text
Chris@0 43 raise "LdapError: " + text
Chris@0 44 end
Chris@0 45
Chris@0 46 # test the connection to the LDAP
Chris@0 47 def test_connection
Chris@0 48 ldap_con = initialize_ldap_con(self.account, self.account_password)
Chris@0 49 ldap_con.open { }
Chris@0 50 rescue Net::LDAP::LdapError => text
Chris@0 51 raise "LdapError: " + text
Chris@0 52 end
Chris@0 53
Chris@0 54 def auth_method_name
Chris@0 55 "LDAP"
Chris@0 56 end
Chris@0 57
Chris@0 58 private
Chris@0 59
Chris@0 60 def strip_ldap_attributes
Chris@0 61 [:attr_login, :attr_firstname, :attr_lastname, :attr_mail].each do |attr|
Chris@0 62 write_attribute(attr, read_attribute(attr).strip) unless read_attribute(attr).nil?
Chris@0 63 end
Chris@0 64 end
Chris@0 65
Chris@0 66 def initialize_ldap_con(ldap_user, ldap_password)
Chris@0 67 options = { :host => self.host,
Chris@0 68 :port => self.port,
Chris@0 69 :encryption => (self.tls ? :simple_tls : nil)
Chris@0 70 }
Chris@0 71 options.merge!(:auth => { :method => :simple, :username => ldap_user, :password => ldap_password }) unless ldap_user.blank? && ldap_password.blank?
Chris@0 72 Net::LDAP.new options
Chris@0 73 end
Chris@0 74
Chris@0 75 def get_user_attributes_from_ldap_entry(entry)
Chris@0 76 {
Chris@0 77 :dn => entry.dn,
Chris@0 78 :firstname => AuthSourceLdap.get_attr(entry, self.attr_firstname),
Chris@0 79 :lastname => AuthSourceLdap.get_attr(entry, self.attr_lastname),
Chris@0 80 :mail => AuthSourceLdap.get_attr(entry, self.attr_mail),
Chris@0 81 :auth_source_id => self.id
Chris@0 82 }
Chris@0 83 end
Chris@0 84
Chris@0 85 # Return the attributes needed for the LDAP search. It will only
Chris@0 86 # include the user attributes if on-the-fly registration is enabled
Chris@0 87 def search_attributes
Chris@0 88 if onthefly_register?
Chris@0 89 ['dn', self.attr_firstname, self.attr_lastname, self.attr_mail]
Chris@0 90 else
Chris@0 91 ['dn']
Chris@0 92 end
Chris@0 93 end
Chris@0 94
Chris@0 95 # Check if a DN (user record) authenticates with the password
Chris@0 96 def authenticate_dn(dn, password)
Chris@0 97 if dn.present? && password.present?
Chris@0 98 initialize_ldap_con(dn, password).bind
Chris@0 99 end
Chris@0 100 end
Chris@0 101
Chris@0 102 # Get the user's dn and any attributes for them, given their login
Chris@0 103 def get_user_dn(login)
Chris@0 104 ldap_con = initialize_ldap_con(self.account, self.account_password)
Chris@0 105 login_filter = Net::LDAP::Filter.eq( self.attr_login, login )
Chris@0 106 object_filter = Net::LDAP::Filter.eq( "objectClass", "*" )
Chris@0 107 attrs = {}
Chris@0 108
Chris@0 109 ldap_con.search( :base => self.base_dn,
Chris@0 110 :filter => object_filter & login_filter,
Chris@0 111 :attributes=> search_attributes) do |entry|
Chris@0 112
Chris@0 113 if onthefly_register?
Chris@0 114 attrs = get_user_attributes_from_ldap_entry(entry)
Chris@0 115 else
Chris@0 116 attrs = {:dn => entry.dn}
Chris@0 117 end
Chris@0 118
Chris@0 119 logger.debug "DN found for #{login}: #{attrs[:dn]}" if logger && logger.debug?
Chris@0 120 end
Chris@0 121
Chris@0 122 attrs
Chris@0 123 end
Chris@0 124
Chris@0 125 def self.get_attr(entry, attr_name)
Chris@0 126 if !attr_name.blank?
Chris@0 127 entry[attr_name].is_a?(Array) ? entry[attr_name].first : entry[attr_name]
Chris@0 128 end
Chris@0 129 end
Chris@0 130 end