Mercurial > hg > soundsoftware-site
comparison app/models/auth_source_ldap.rb @ 1338:25603efa57b5
Merge from live branch
| author | Chris Cannam |
|---|---|
| date | Thu, 20 Jun 2013 13:14:14 +0100 |
| parents | 433d4f72a19b |
| children | 622f24f53b42 |
comparison
equal
deleted
inserted
replaced
| 1209:1b1138f6f55e | 1338:25603efa57b5 |
|---|---|
| 1 # Redmine - project management software | 1 # Redmine - project management software |
| 2 # Copyright (C) 2006-2011 Jean-Philippe Lang | 2 # Copyright (C) 2006-2012 Jean-Philippe Lang |
| 3 # | 3 # |
| 4 # This program is free software; you can redistribute it and/or | 4 # This program is free software; you can redistribute it and/or |
| 5 # modify it under the terms of the GNU General Public License | 5 # modify it under the terms of the GNU General Public License |
| 6 # as published by the Free Software Foundation; either version 2 | 6 # as published by the Free Software Foundation; either version 2 |
| 7 # of the License, or (at your option) any later version. | 7 # of the License, or (at your option) any later version. |
| 13 # | 13 # |
| 14 # You should have received a copy of the GNU General Public License | 14 # You should have received a copy of the GNU General Public License |
| 15 # along with this program; if not, write to the Free Software | 15 # along with this program; if not, write to the Free Software |
| 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. | 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
| 17 | 17 |
| 18 require 'iconv' | |
| 18 require 'net/ldap' | 19 require 'net/ldap' |
| 19 require 'iconv' | 20 require 'net/ldap/dn' |
| 21 require 'timeout' | |
| 20 | 22 |
| 21 class AuthSourceLdap < AuthSource | 23 class AuthSourceLdap < AuthSource |
| 22 validates_presence_of :host, :port, :attr_login | 24 validates_presence_of :host, :port, :attr_login |
| 23 validates_length_of :name, :host, :maximum => 60, :allow_nil => true | 25 validates_length_of :name, :host, :maximum => 60, :allow_nil => true |
| 24 validates_length_of :account, :account_password, :base_dn, :maximum => 255, :allow_nil => true | 26 validates_length_of :account, :account_password, :base_dn, :filter, :maximum => 255, :allow_blank => true |
| 25 validates_length_of :attr_login, :attr_firstname, :attr_lastname, :attr_mail, :maximum => 30, :allow_nil => true | 27 validates_length_of :attr_login, :attr_firstname, :attr_lastname, :attr_mail, :maximum => 30, :allow_nil => true |
| 26 validates_numericality_of :port, :only_integer => true | 28 validates_numericality_of :port, :only_integer => true |
| 29 validates_numericality_of :timeout, :only_integer => true, :allow_blank => true | |
| 30 validate :validate_filter | |
| 27 | 31 |
| 28 before_validation :strip_ldap_attributes | 32 before_validation :strip_ldap_attributes |
| 29 | 33 |
| 30 def after_initialize | 34 def initialize(attributes=nil, *args) |
| 35 super | |
| 31 self.port = 389 if self.port == 0 | 36 self.port = 389 if self.port == 0 |
| 32 end | 37 end |
| 33 | 38 |
| 34 def authenticate(login, password) | 39 def authenticate(login, password) |
| 35 return nil if login.blank? || password.blank? | 40 return nil if login.blank? || password.blank? |
| 36 attrs = get_user_dn(login) | |
| 37 | 41 |
| 38 if attrs && attrs[:dn] && authenticate_dn(attrs[:dn], password) | 42 with_timeout do |
| 39 logger.debug "Authentication successful for '#{login}'" if logger && logger.debug? | 43 attrs = get_user_dn(login, password) |
| 40 return attrs.except(:dn) | 44 if attrs && attrs[:dn] && authenticate_dn(attrs[:dn], password) |
| 45 logger.debug "Authentication successful for '#{login}'" if logger && logger.debug? | |
| 46 return attrs.except(:dn) | |
| 47 end | |
| 41 end | 48 end |
| 42 rescue Net::LDAP::LdapError => text | 49 rescue Net::LDAP::LdapError => e |
| 43 raise "LdapError: " + text | 50 raise AuthSourceException.new(e.message) |
| 44 end | 51 end |
| 45 | 52 |
| 46 # test the connection to the LDAP | 53 # test the connection to the LDAP |
| 47 def test_connection | 54 def test_connection |
| 48 ldap_con = initialize_ldap_con(self.account, self.account_password) | 55 with_timeout do |
| 49 ldap_con.open { } | 56 ldap_con = initialize_ldap_con(self.account, self.account_password) |
| 50 rescue Net::LDAP::LdapError => text | 57 ldap_con.open { } |
| 51 raise "LdapError: " + text | 58 end |
| 59 rescue Net::LDAP::LdapError => e | |
| 60 raise AuthSourceException.new(e.message) | |
| 52 end | 61 end |
| 53 | 62 |
| 54 def auth_method_name | 63 def auth_method_name |
| 55 "LDAP" | 64 "LDAP" |
| 56 end | 65 end |
| 57 | 66 |
| 58 private | 67 private |
| 68 | |
| 69 def with_timeout(&block) | |
| 70 timeout = self.timeout | |
| 71 timeout = 20 unless timeout && timeout > 0 | |
| 72 Timeout.timeout(timeout) do | |
| 73 return yield | |
| 74 end | |
| 75 rescue Timeout::Error => e | |
| 76 raise AuthSourceTimeoutException.new(e.message) | |
| 77 end | |
| 78 | |
| 79 def ldap_filter | |
| 80 if filter.present? | |
| 81 Net::LDAP::Filter.construct(filter) | |
| 82 end | |
| 83 rescue Net::LDAP::LdapError | |
| 84 nil | |
| 85 end | |
| 86 | |
| 87 def validate_filter | |
| 88 if filter.present? && ldap_filter.nil? | |
| 89 errors.add(:filter, :invalid) | |
| 90 end | |
| 91 end | |
| 59 | 92 |
| 60 def strip_ldap_attributes | 93 def strip_ldap_attributes |
| 61 [:attr_login, :attr_firstname, :attr_lastname, :attr_mail].each do |attr| | 94 [:attr_login, :attr_firstname, :attr_lastname, :attr_mail].each do |attr| |
| 62 write_attribute(attr, read_attribute(attr).strip) unless read_attribute(attr).nil? | 95 write_attribute(attr, read_attribute(attr).strip) unless read_attribute(attr).nil? |
| 63 end | 96 end |
| 98 initialize_ldap_con(dn, password).bind | 131 initialize_ldap_con(dn, password).bind |
| 99 end | 132 end |
| 100 end | 133 end |
| 101 | 134 |
| 102 # Get the user's dn and any attributes for them, given their login | 135 # Get the user's dn and any attributes for them, given their login |
| 103 def get_user_dn(login) | 136 def get_user_dn(login, password) |
| 104 ldap_con = initialize_ldap_con(self.account, self.account_password) | 137 ldap_con = nil |
| 138 if self.account && self.account.include?("$login") | |
| 139 ldap_con = initialize_ldap_con(self.account.sub("$login", Net::LDAP::DN.escape(login)), password) | |
| 140 else | |
| 141 ldap_con = initialize_ldap_con(self.account, self.account_password) | |
| 142 end | |
| 105 login_filter = Net::LDAP::Filter.eq( self.attr_login, login ) | 143 login_filter = Net::LDAP::Filter.eq( self.attr_login, login ) |
| 106 object_filter = Net::LDAP::Filter.eq( "objectClass", "*" ) | 144 object_filter = Net::LDAP::Filter.eq( "objectClass", "*" ) |
| 107 attrs = {} | 145 attrs = {} |
| 108 | 146 |
| 147 search_filter = object_filter & login_filter | |
| 148 if f = ldap_filter | |
| 149 search_filter = search_filter & f | |
| 150 end | |
| 151 | |
| 109 ldap_con.search( :base => self.base_dn, | 152 ldap_con.search( :base => self.base_dn, |
| 110 :filter => object_filter & login_filter, | 153 :filter => search_filter, |
| 111 :attributes=> search_attributes) do |entry| | 154 :attributes=> search_attributes) do |entry| |
| 112 | 155 |
| 113 if onthefly_register? | 156 if onthefly_register? |
| 114 attrs = get_user_attributes_from_ldap_entry(entry) | 157 attrs = get_user_attributes_from_ldap_entry(entry) |
| 115 else | 158 else |