Class: Aker::Ldap::Authority
- Inherits:
-
Object
- Object
- Aker::Ldap::Authority
- Includes:
- Authorities::Support::FindSoleUser
- Defined in:
- lib/aker/ldap/authority.rb
Overview
A generic authority for performing authentication and user lookup via an LDAP server. It authenticates username/password combinations and fills in demographic information from the LDAP record. It also implements find_users to provide searches separately from authentication.
This authority supports multiple instances if you need to combine the results from multiple LDAP servers in a single Aker configuration. Setting up multiple instances either requires directly constructing the instances (i.e., not using the ‘:ldap` alias and having Aker construct them for you) or writing separately constructable subclasses. The former makes sense for one-off configurations while the latter is better for reuse. See also Configuration::Slice for setting default parameters in extensions and Configuration#alias_authority for giving pithy names to authority subclasses.
Constant Summary collapse
- DEFAULT_ATTRIBUTE_MAP =
{ :uid => :username, :sn => :last_name, :givenname => :first_name, :title => :title, :mail => :email, :telephonenumber => :business_phone, :facsimiletelephonenumber => :fax, }.freeze
Instance Method Summary collapse
-
#amplify!(user) ⇒ Aker::User
Merges in the authorization information in this authority for the given user.
-
#attribute_map ⇒ Hash<Symbol, Symbol>
The mapping between attributes from the LDAP server and User attributes.
-
#attribute_processors ⇒ Hash<Symbol, #call>
A set of named procs which will be applied while creating a User from an LDAP entry.
-
#criteria_map ⇒ Hash<Symbol,Symbol>
A mapping between attributes from the LDAP server and criteria keys used in #find_users.
-
#find_users(*criteria) ⇒ Array<User>
Searches for and returns users matching the given criteria.
-
#initialize(config, name = :ldap) ⇒ Authority
constructor
Create a new instance.
- #ldap_parameters ⇒ Hash
-
#password ⇒ String?
The password to use with #user.
-
#port ⇒ Integer
The port to use when connecting to the server.
-
#search_domain ⇒ Object
The search domain to use when finding user records.
-
#server ⇒ String
The configured server’s hostname or other address.
-
#use_tls ⇒ Boolean
Whether to use TLS when communicating with the server.
-
#user ⇒ String?
The user to bind as before searching or authenticating.
-
#valid_credentials?(kind, *credentials) ⇒ User, ...
Verifies a username and password using the configured NU LDAP server.
Methods included from Authorities::Support::FindSoleUser
Constructor Details
#initialize(config, name = :ldap) ⇒ Authority
Create a new instance.
115 116 117 118 119 120 121 122 123 124 |
# File 'lib/aker/ldap/authority.rb', line 115 def initialize(config, name=:ldap) @config = case config when Aker::Configuration config.parameters_for(name) else config end validate_config! end |
Instance Method Details
#amplify!(user) ⇒ Aker::User
Merges in the authorization information in this authority for the given user.
335 336 337 338 339 340 341 342 343 |
# File 'lib/aker/ldap/authority.rb', line 335 def amplify!(user) base = self.find_user(user.username) return user unless base user.extend UserExt user.ldap_attributes = base.ldap_attributes user.merge!(base) end |
#attribute_map ⇒ Hash<Symbol, Symbol>
The mapping between attributes from the LDAP server and User attributes. This mapping is used in two ways:
-
When returning users from the LDAP server, the first value for any mapped attribute is used as the value for that attribute in the user object.
-
Aker user attributes in this map will be translated into LDAP attributes when doing a criteria query with #find_users.
There is a default mapping which will be reasonable for many cases. To extend it, provide the ‘:attribute_map` parameter when constructing this authority.
If this mapping is not reversible (i.e., each value is unique), then the behavior of this authority is not defined. Each value in this map must be a writable attribute on Aker::User.
202 203 204 |
# File 'lib/aker/ldap/authority.rb', line 202 def attribute_map @attribute_map ||= DEFAULT_ATTRIBUTE_MAP.merge(@config[:attribute_map] || {}) end |
#attribute_processors ⇒ Hash<Symbol, #call>
A set of named procs which will be applied while creating a User from an LDAP entry. The values in the map should be procs. Each proc should accept three arguments:
-
The user being created from the LDAP entry.
-
The full ldap entry. This is a hash-like object that allows you to retrieve LDAP attributes using their names in lower case. Values in the entry may be arrays or scalars. They may not be serializable, so before copying a value out you should be sure to dup it.
-
A proc that allows you to safely extract a single value from the entry. The values returned from this proc are safe to set directly in the user.
If there is an entry in this mapping whose key is the same as a key in #attribute_map, the processor will be used instead of the simple mapping implied by ‘attribute_map`.
238 239 240 |
# File 'lib/aker/ldap/authority.rb', line 238 def attribute_processors @attribute_processors ||= attribute_map_processors.merge(@config[:attribute_processors] || {}) end |
#criteria_map ⇒ Hash<Symbol,Symbol>
A mapping between attributes from the LDAP server and criteria keys used in #find_users. This mapping will be used when translating criteria hashes into LDAP queries. It is similar to #attribute_map in that way, but there are two differences:
-
The mapping is [criteria key] => [LDAP attribute]. This is the reverse of ‘attribute_map`.
-
The “criteria” in ‘attribute_map` have to be User attribute names. This map does not have that restriction.
If a criterion appears both in this map and ‘attribute_map`, the mapping in this map is used.
264 265 266 |
# File 'lib/aker/ldap/authority.rb', line 264 def criteria_map @config[:criteria_map] || {} end |
#find_users(*criteria) ⇒ Array<User>
Searches for and returns users matching the given criteria. If the criteria is a ‘String`, it is treated as a username. If it is a `Hash`, the keys are interpreted as User attribute names. Those attributes which are directly mappable to LDAP attributes will be used to build a filtered LDAP query. If the `Hash` contains no keys which are mappable to LDAP attribute names, no query will be performed and an empty array will be returned.
320 321 322 323 324 325 |
# File 'lib/aker/ldap/authority.rb', line 320 def find_users(*criteria) with_ldap do |ldap| result = find_by_criteria(ldap, *criteria) return result.collect { |r| create_user(r) } end end |
#ldap_parameters ⇒ Hash
271 272 273 274 275 276 277 278 279 280 281 |
# File 'lib/aker/ldap/authority.rb', line 271 def ldap_parameters { :host => server, :port => port, :auth => if user { :method => :simple, :username => user, :password => password } else { :method => :anonymous } end, :encryption => (:simple_tls if use_tls) } end |
#password ⇒ String?
The password to use with #user.
156 157 158 |
# File 'lib/aker/ldap/authority.rb', line 156 def password @config[:password] end |
#port ⇒ Integer
The port to use when connecting to the server. Defaults to 636.
142 143 144 |
# File 'lib/aker/ldap/authority.rb', line 142 def port @config[:port] || 636 end |
#search_domain ⇒ Object
The search domain to use when finding user records.
170 171 172 |
# File 'lib/aker/ldap/authority.rb', line 170 def search_domain @config[:search_domain] end |
#server ⇒ String
The configured server’s hostname or other address.
134 135 136 |
# File 'lib/aker/ldap/authority.rb', line 134 def server @config[:server] end |
#use_tls ⇒ Boolean
Whether to use TLS when communicating with the server. TLS is enabled by default.
164 165 166 |
# File 'lib/aker/ldap/authority.rb', line 164 def use_tls @config[:use_tls].nil? ? true : @config[:use_tls] end |
#user ⇒ String?
The user to bind as before searching or authenticating.
149 150 151 |
# File 'lib/aker/ldap/authority.rb', line 149 def user @config[:user] end |
#valid_credentials?(kind, *credentials) ⇒ User, ...
Verifies a username and password using the configured NU LDAP server. Only supports the ‘:user` credential kind. There must be exactly two credentials.
292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 |
# File 'lib/aker/ldap/authority.rb', line 292 def valid_credentials?(kind, *credentials) return :unsupported unless kind == :user username, password = credentials return nil unless password && !password.strip.empty? with_ldap do |ldap| result = find_by_criteria(ldap, :username => username) if result.size == 1 return ldap.authentic?(one_value(result[0], :dn), password) ? create_user(result[0]) : nil else return nil end end end |