Class: Devise::LdapAdapter::LdapConnect

Inherits:

Object

Object
Devise::LdapAdapter::LdapConnect

show all

Defined in:: lib/devise_ldap_authenticatable/ldap_adapter.rb

Instance Attribute Summary collapse

#ldap ⇒ Object readonly

Returns the value of attribute ldap.
#login ⇒ Object readonly

Returns the value of attribute login.

Instance Method Summary collapse

#authenticate! ⇒ Object
#authenticated? ⇒ Boolean
#authorized? ⇒ Boolean
#change_password! ⇒ Object
#dn ⇒ Object
#has_required_attribute? ⇒ Boolean
#in_required_groups? ⇒ Boolean
#initialize(params = {}) ⇒ LdapConnect constructor

A new instance of LdapConnect.
#ldap_param_value(param) ⇒ Object
#user_groups ⇒ Object
#valid_login? ⇒ Boolean

Constructor Details

#initialize(params = {}) ⇒ `LdapConnect`

Returns a new instance of LdapConnect.

# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 64

def initialize(params = {})
  ldap_config = YAML.load(ERB.new(File.read(::Devise.ldap_config || "#{Rails.root}/config/ldap.yml")).result)[Rails.env]
  ldap_options = params
  ldap_config["ssl"] = :simple_tls if ldap_config["ssl"] === true
  ldap_options[:encryption] = ldap_config["ssl"].to_sym if ldap_config["ssl"]

  @ldap = Net::LDAP.new(ldap_options)
  @ldap.host = ldap_config["host"]
  @ldap.port = ldap_config["port"]
  @ldap.base = ldap_config["base"]
  @attribute = ldap_config["attribute"]
  @ldap_auth_username_builder = params[:ldap_auth_username_builder]
  
  @group_base = ldap_config["group_base"]
  @required_groups = ldap_config["required_groups"]        
  @required_attributes = ldap_config["require_attribute"]
  
  @ldap.auth ldap_config["admin_user"], ldap_config["admin_password"] if params[:admin] 
          
  @login = params[:login]
  @password = params[:password]
  @new_password = params[:new_password]
end

Instance Attribute Details

#ldap ⇒ `Object` (readonly)

Returns the value of attribute ldap.



62
63
64

# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 62

def ldap
  @ldap
end

Returns the value of attribute login.



62
63
64

# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 62

def login
  @login
end

Instance Method Details

#authenticate! ⇒ `Object`

# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 107

def authenticate!
  @ldap.auth(dn, @password)
  @ldap.bind
end

#authenticated? ⇒ `Boolean`

Returns:

(Boolean)



112
113
114

# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 112

def authenticated?
  authenticate!
end

#authorized? ⇒ `Boolean`

Returns:

(Boolean)

# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 116

def authorized?
  DeviseLdapAuthenticatable::Logger.send("Authorizing user #{dn}")
  authenticated? && in_required_groups? && has_required_attribute?
end

#change_password! ⇒ `Object`



121
122
123

# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 121

def change_password!
  update_ldap(:userpassword => Net::LDAP::Password.generate(:sha, @new_password))
end

#dn ⇒ `Object`

# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 88

def dn
  DeviseLdapAuthenticatable::Logger.send("LDAP dn lookup: #{@attribute}=#{@login}")
  ldap_entry = search_for_login
  if ldap_entry.nil?
    @ldap_auth_username_builder.call(@attribute,@login,@ldap)
  else
    ldap_entry.dn
  end
end

#has_required_attribute? ⇒ `Boolean`

Returns:

(Boolean)

# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 164

def has_required_attribute?
  return true unless ::Devise.ldap_check_attributes
  
  admin_ldap = LdapConnect.admin
  
  user = find_ldap_user(admin_ldap)
          
  @required_attributes.each do |key,val|
    unless user[key].include? val
      DeviseLdapAuthenticatable::Logger.send("User #{dn} did not match attribute #{key}:#{val}")
      return false 
    end
  end
  
  return true
end

#in_required_groups? ⇒ `Boolean`

Returns:

(Boolean)

# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 125

def in_required_groups?     
  return true unless ::Devise.ldap_check_group_membership
  
  ## FIXME set errors here, the ldap.yml isn't set properly.
  return false if @required_groups.nil?   
     
  admin_ldap = LdapConnect.admin
          
  for group in @required_groups
    if group.is_a?(Array)
      group_attribute, group_name = group
    else
      group_attribute = "uniqueMember"
      group_name = group
    end
    unless ::Devise.ldap_ad_group_check
      admin_ldap.search(:base => group_name, :scope => Net::LDAP::SearchScope_BaseObject) do |entry|
        unless entry[group_attribute].include? dn
          DeviseLdapAuthenticatable::Logger.send("User #{dn} is not in group: #{group_name }")
          return false
        end
      end
    else
      # AD optimization - extension will recursively check sub-groups with one query
      # "(memberof:1.2.840.113556.1.4.1941:=group_name)"
      search_result = admin_ldap.search(:base => dn, 
                        :filter => Net::LDAP::Filter.ex("memberof:1.2.840.113556.1.4.1941", group_name),
                        :scope => Net::LDAP::SearchScope_BaseObject) 
      # Will return  the user entry if belongs to group otherwise nothing
      unless search_result.length == 1 && search_result[0].dn.eql?(dn)
        DeviseLdapAuthenticatable::Logger.send("User #{dn} is not in group: #{group_name }")
        return false
      end
    end
  end
 
  return true
end

#ldap_param_value(param) ⇒ `Object`

# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 98

def ldap_param_value(param)
	filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s)
     ldap_entry = nil
     @ldap.search(:filter => filter) {|entry| ldap_entry = entry}

	DeviseLdapAuthenticatable::Logger.send("Requested param #{param} has value #{ldap_entry.send(param)}")
	ldap_entry.send(param)
end

#user_groups ⇒ `Object`

# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 181

def user_groups
  admin_ldap = LdapConnect.admin

  DeviseLdapAuthenticatable::Logger.send("Getting groups for #{dn}")
  filter = Net::LDAP::Filter.eq("uniqueMember", dn)
  admin_ldap.search(:filter => filter, :base => @group_base).collect(&:dn)
end

#valid_login? ⇒ `Boolean`

Returns:

(Boolean)



189
190
191

# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 189

def valid_login?
  !search_for_login.nil?
end

Class: Devise::LdapAdapter::LdapConnect

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(params = {}) ⇒ LdapConnect

Instance Attribute Details

#ldap ⇒ Object (readonly)

#login ⇒ Object (readonly)

Instance Method Details

#authenticate! ⇒ Object

#authenticated? ⇒ Boolean

#authorized? ⇒ Boolean

#change_password! ⇒ Object

#dn ⇒ Object

#has_required_attribute? ⇒ Boolean

#in_required_groups? ⇒ Boolean

#ldap_param_value(param) ⇒ Object

#user_groups ⇒ Object

#valid_login? ⇒ Boolean

#initialize(params = {}) ⇒ `LdapConnect`

#ldap ⇒ `Object` (readonly)

#login ⇒ `Object` (readonly)

#authenticate! ⇒ `Object`

#authenticated? ⇒ `Boolean`

#authorized? ⇒ `Boolean`

#change_password! ⇒ `Object`

#dn ⇒ `Object`

#has_required_attribute? ⇒ `Boolean`

#in_required_groups? ⇒ `Boolean`

#ldap_param_value(param) ⇒ `Object`

#user_groups ⇒ `Object`

#valid_login? ⇒ `Boolean`