Mercurial > hg > soundsoftware-site
comparison app/models/.svn/text-base/auth_source_ldap.rb.svn-base @ 0:513646585e45
* Import Redmine trunk SVN rev 3859
| author | Chris Cannam |
|---|---|
| date | Fri, 23 Jul 2010 15:52:44 +0100 |
| parents | |
| children | 051f544170fe |
comparison
equal
deleted
inserted
replaced
| -1:000000000000 | 0:513646585e45 |
|---|---|
| 1 # redMine - project management software | |
| 2 # Copyright (C) 2006 Jean-Philippe Lang | |
| 3 # | |
| 4 # This program is free software; you can redistribute it and/or | |
| 5 # modify it under the terms of the GNU General Public License | |
| 6 # as published by the Free Software Foundation; either version 2 | |
| 7 # of the License, or (at your option) any later version. | |
| 8 # | |
| 9 # This program is distributed in the hope that it will be useful, | |
| 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| 12 # GNU General Public License for more details. | |
| 13 # | |
| 14 # You should have received a copy of the GNU General Public License | |
| 15 # along with this program; if not, write to the Free Software | |
| 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. | |
| 17 | |
| 18 require 'net/ldap' | |
| 19 require 'iconv' | |
| 20 | |
| 21 class AuthSourceLdap < AuthSource | |
| 22 validates_presence_of :host, :port, :attr_login | |
| 23 validates_length_of :name, :host, :account_password, :maximum => 60, :allow_nil => true | |
| 24 validates_length_of :account, :base_dn, :maximum => 255, :allow_nil => true | |
| 25 validates_length_of :attr_login, :attr_firstname, :attr_lastname, :attr_mail, :maximum => 30, :allow_nil => true | |
| 26 validates_numericality_of :port, :only_integer => true | |
| 27 | |
| 28 before_validation :strip_ldap_attributes | |
| 29 | |
| 30 def after_initialize | |
| 31 self.port = 389 if self.port == 0 | |
| 32 end | |
| 33 | |
| 34 def authenticate(login, password) | |
| 35 return nil if login.blank? || password.blank? | |
| 36 attrs = get_user_dn(login) | |
| 37 | |
| 38 if attrs && attrs[:dn] && authenticate_dn(attrs[:dn], password) | |
| 39 logger.debug "Authentication successful for '#{login}'" if logger && logger.debug? | |
| 40 return attrs.except(:dn) | |
| 41 end | |
| 42 rescue Net::LDAP::LdapError => text | |
| 43 raise "LdapError: " + text | |
| 44 end | |
| 45 | |
| 46 # test the connection to the LDAP | |
| 47 def test_connection | |
| 48 ldap_con = initialize_ldap_con(self.account, self.account_password) | |
| 49 ldap_con.open { } | |
| 50 rescue Net::LDAP::LdapError => text | |
| 51 raise "LdapError: " + text | |
| 52 end | |
| 53 | |
| 54 def auth_method_name | |
| 55 "LDAP" | |
| 56 end | |
| 57 | |
| 58 private | |
| 59 | |
| 60 def strip_ldap_attributes | |
| 61 [:attr_login, :attr_firstname, :attr_lastname, :attr_mail].each do |attr| | |
| 62 write_attribute(attr, read_attribute(attr).strip) unless read_attribute(attr).nil? | |
| 63 end | |
| 64 end | |
| 65 | |
| 66 def initialize_ldap_con(ldap_user, ldap_password) | |
| 67 options = { :host => self.host, | |
| 68 :port => self.port, | |
| 69 :encryption => (self.tls ? :simple_tls : nil) | |
| 70 } | |
| 71 options.merge!(:auth => { :method => :simple, :username => ldap_user, :password => ldap_password }) unless ldap_user.blank? && ldap_password.blank? | |
| 72 Net::LDAP.new options | |
| 73 end | |
| 74 | |
| 75 def get_user_attributes_from_ldap_entry(entry) | |
| 76 { | |
| 77 :dn => entry.dn, | |
| 78 :firstname => AuthSourceLdap.get_attr(entry, self.attr_firstname), | |
| 79 :lastname => AuthSourceLdap.get_attr(entry, self.attr_lastname), | |
| 80 :mail => AuthSourceLdap.get_attr(entry, self.attr_mail), | |
| 81 :auth_source_id => self.id | |
| 82 } | |
| 83 end | |
| 84 | |
| 85 # Return the attributes needed for the LDAP search. It will only | |
| 86 # include the user attributes if on-the-fly registration is enabled | |
| 87 def search_attributes | |
| 88 if onthefly_register? | |
| 89 ['dn', self.attr_firstname, self.attr_lastname, self.attr_mail] | |
| 90 else | |
| 91 ['dn'] | |
| 92 end | |
| 93 end | |
| 94 | |
| 95 # Check if a DN (user record) authenticates with the password | |
| 96 def authenticate_dn(dn, password) | |
| 97 if dn.present? && password.present? | |
| 98 initialize_ldap_con(dn, password).bind | |
| 99 end | |
| 100 end | |
| 101 | |
| 102 # Get the user's dn and any attributes for them, given their login | |
| 103 def get_user_dn(login) | |
| 104 ldap_con = initialize_ldap_con(self.account, self.account_password) | |
| 105 login_filter = Net::LDAP::Filter.eq( self.attr_login, login ) | |
| 106 object_filter = Net::LDAP::Filter.eq( "objectClass", "*" ) | |
| 107 attrs = {} | |
| 108 | |
| 109 ldap_con.search( :base => self.base_dn, | |
| 110 :filter => object_filter & login_filter, | |
| 111 :attributes=> search_attributes) do |entry| | |
| 112 | |
| 113 if onthefly_register? | |
| 114 attrs = get_user_attributes_from_ldap_entry(entry) | |
| 115 else | |
| 116 attrs = {:dn => entry.dn} | |
| 117 end | |
| 118 | |
| 119 logger.debug "DN found for #{login}: #{attrs[:dn]}" if logger && logger.debug? | |
| 120 end | |
| 121 | |
| 122 attrs | |
| 123 end | |
| 124 | |
| 125 def self.get_attr(entry, attr_name) | |
| 126 if !attr_name.blank? | |
| 127 entry[attr_name].is_a?(Array) ? entry[attr_name].first : entry[attr_name] | |
| 128 end | |
| 129 end | |
| 130 end |