Class: Devise::LdapAdapter::LdapConnect
- Inherits:
-
Object
- Object
- Devise::LdapAdapter::LdapConnect
- Defined in:
- lib/devise_ldap_authenticatable/ldap_adapter.rb
Instance Attribute Summary collapse
-
#ldap ⇒ Object
readonly
Returns the value of attribute ldap.
-
#login ⇒ Object
readonly
Returns the value of attribute login.
Instance Method Summary collapse
- #authenticate! ⇒ Object
- #authenticated? ⇒ Boolean
- #authorized? ⇒ Boolean
- #change_password! ⇒ Object
- #dn ⇒ Object
- #has_required_attribute? ⇒ Boolean
- #in_required_groups? ⇒ Boolean
-
#initialize(params = {}) ⇒ LdapConnect
constructor
A new instance of LdapConnect.
- #ldap_param_value(param) ⇒ Object
- #user_groups ⇒ Object
- #valid_login? ⇒ Boolean
Constructor Details
#initialize(params = {}) ⇒ LdapConnect
Returns a new instance of LdapConnect.
# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 64 def initialize(params = {}) ldap_config = YAML.load(ERB.new(File.read(::Devise.ldap_config || "#{Rails.root}/config/ldap.yml")).result)[Rails.env] = params ldap_config["ssl"] = :simple_tls if ldap_config["ssl"] === true [:encryption] = ldap_config["ssl"].to_sym if ldap_config["ssl"] @ldap = Net::LDAP.new() @ldap.host = ldap_config["host"] @ldap.port = ldap_config["port"] @ldap.base = ldap_config["base"] @attribute = ldap_config["attribute"] @ldap_auth_username_builder = params[:ldap_auth_username_builder] @group_base = ldap_config["group_base"] @required_groups = ldap_config["required_groups"] @required_attributes = ldap_config["require_attribute"] @ldap.auth ldap_config["admin_user"], ldap_config["admin_password"] if params[:admin] @login = params[:login] @password = params[:password] @new_password = params[:new_password] end |
Instance Attribute Details
#ldap ⇒ Object (readonly)
Returns the value of attribute ldap.
# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 62
#
# @return [Net::LDAP] the underlying connection built in #initialize (read-only)
def ldap
  @ldap
end
#login ⇒ Object (readonly)
Returns the value of attribute login.
# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 62
#
# @return [Object] the login passed in via +params[:login]+ (read-only)
def login
  @login
end
Instance Method Details
#authenticate! ⇒ Object
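# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 107
#
# Binds to the directory as the user's DN (see #dn) with the supplied password.
#
# A nil or empty password is rejected before anything is sent: RFC 4513
# treats a simple bind with an empty password as an *unauthenticated* bind,
# which many directories accept, so passing it through would let a blank
# password "authenticate" any known login.
#
# @return [Boolean] whether the bind succeeded
def authenticate!
  return false if @password.nil? || @password.to_s.empty?
  @ldap.auth(dn, @password)
  @ldap.bind
end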
#authenticated? ⇒ Boolean
# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 112
#
# Predicate form of #authenticate!; returns exactly what the bind returned.
#
# @return [Boolean]
def authenticated?
  authenticate!
end
#authorized? ⇒ Boolean
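# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 116
#
# Full authorization check: the user's bind must succeed and, where enabled in
# the Devise config, group membership (#in_required_groups?) and required
# attributes (#has_required_attribute?) must match.
#
# The conjunction short-circuits left to right, so the admin-connection
# lookups only run for a user who has already authenticated.
#
# @return [Boolean]
def authorized?
  DeviseLdapAuthenticatable::Logger.send("Authorizing user #{dn}")
  authenticated? && in_required_groups? && has_required_attribute?
end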
#change_password! ⇒ Object
# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 121
#
# Stores a new userPassword for the user via #update_ldap.
#
# NOTE(review): +:sha+ is an unsalted scheme; net-ldap also offers +:ssha+,
# which is preferable where the directory accepts it. Changing it alters what
# gets written to the directory, so it is left as configured here.
def change_password!
  hashed = Net::LDAP::Password.generate(:sha, @new_password)
  update_ldap(:userpassword => hashed)
end
#dn ⇒ Object
# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 88
#
# Resolves the user's distinguished name: the DN of the entry found by
# #search_for_login, or — when nothing matches — whatever the configured
# +ldap_auth_username_builder+ constructs from the attribute, login and
# connection.
#
# NOTE(review): the fallback receives the raw login; the builder is
# responsible for escaping it before embedding it in a DN.
#
# @return [String]
def dn
  DeviseLdapAuthenticatable::Logger.send("LDAP dn lookup: #{@attribute}=#{@login}")
  entry = search_for_login
  return @ldap_auth_username_builder.call(@attribute, @login, @ldap) if entry.nil?
  entry.dn
end
#has_required_attribute? ⇒ Boolean
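# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 164
#
# Checks that the user's entry carries every attribute/value pair listed under
# +require_attribute+ in ldap.yml. Disabled (always true) unless
# +Devise.ldap_check_attributes+ is set.
#
# Fails closed: an unset +require_attribute+, or an attribute missing from the
# entry, counts as "does not match" instead of raising NoMethodError.
#
# @return [Boolean]
def has_required_attribute?
  return true unless ::Devise.ldap_check_attributes
  ## FIXME set errors here, the ldap.yml isn't set properly.
  return false if @required_attributes.nil?

  user = find_ldap_user(LdapConnect.admin)
  @required_attributes.all? do |key, val|
    values = user[key]
    # A missing attribute comes back as nil here; include? on nil would raise.
    matched = !values.nil? && values.include?(val)
    DeviseLdapAuthenticatable::Logger.send("User #{dn} did not match attribute #{key}:#{val}") unless matched
    matched
  end
end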
#in_required_groups? ⇒ Boolean
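# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 125
#
# Checks that the user belongs to every group listed under +required_groups+
# in ldap.yml. Disabled (always true) unless
# +Devise.ldap_check_group_membership+ is set.
#
# Each +required_groups+ entry is either a group DN (membership attribute
# defaults to +uniqueMember+) or an +[attribute, group_dn]+ pair.
#
# Fails closed: a group whose entry is not returned by the directory (wrong
# DN, no read access) is treated as "not a member" instead of being skipped.
#
# @return [Boolean]
def in_required_groups?
  return true unless ::Devise.ldap_check_group_membership
  ## FIXME set errors here, the ldap.yml isn't set properly.
  return false if @required_groups.nil?

  admin_ldap = LdapConnect.admin
  # Resolved once up front: #dn performs its own search and log line per call.
  user_dn = dn
  @required_groups.all? do |group|
    group_attribute, group_name = group_spec(group)
    member = if ::Devise.ldap_ad_group_check
      ad_member_of?(admin_ldap, user_dn, group_name)
    else
      listed_in_group?(admin_ldap, user_dn, group_attribute, group_name)
    end
    DeviseLdapAuthenticatable::Logger.send("User #{user_dn} is not in group: #{group_name}") unless member
    member
  end
end

# Normalizes one +required_groups+ entry to +[attribute, group_dn]+.
def group_spec(group)
  group.is_a?(Array) ? group : ["uniqueMember", group]
end
private :group_spec

# Reads the group entry itself and looks for +user_dn+ in its membership
# attribute. False when the directory returns no entry at all.
def listed_in_group?(admin_ldap, user_dn, group_attribute, group_name)
  found = false
  listed = true
  admin_ldap.search(:base => group_name, :scope => Net::LDAP::SearchScope_BaseObject) do |entry|
    found = true
    # Array() keeps this safe if the attribute is absent on the entry.
    listed &&= Array(entry[group_attribute]).include?(user_dn)
  end
  found && listed
end
private :listed_in_group?

# AD optimization - the LDAP_MATCHING_RULE_IN_CHAIN extension
# "(memberof:1.2.840.113556.1.4.1941:=group_name)" recursively checks
# nested groups in one query; the user entry comes back iff member.
def ad_member_of?(admin_ldap, user_dn, group_name)
  search_result = admin_ldap.search(:base => user_dn,
                                    :filter => Net::LDAP::Filter.ex("memberof:1.2.840.113556.1.4.1941", group_name),
                                    :scope => Net::LDAP::SearchScope_BaseObject)
  # Guarded: net-ldap returns nil rather than an array on a failed search.
  !search_result.nil? && search_result.length == 1 && search_result[0].dn.eql?(user_dn)
end
private :ad_member_of?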
#ldap_param_value(param) ⇒ Object
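# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 98
#
# Looks up +param+ on the entry whose login attribute matches +@login+.
#
# The login is escaped before it is placed in the filter: +Filter.eq+ uses the
# value verbatim and net-ldap treats +*+ in it as a wildcard, so an unescaped
# login (which comes from request params) could change the filter's meaning.
# Any other filter built from +@login+, e.g. in #search_for_login, needs the
# same treatment.
#
# @param param [String, Symbol] entry attribute, or an entry method such as :dn
# @return [Object, nil] the value, or nil when no entry matches
def ldap_param_value(param)
  filter = Net::LDAP::Filter.eq(@attribute.to_s, Net::LDAP::Filter.escape(@login.to_s))
  ldap_entry = nil
  @ldap.search(:filter => filter) { |entry| ldap_entry = entry }

  if ldap_entry.nil?
    DeviseLdapAuthenticatable::Logger.send("Requested param #{param} but no entry matched #{@attribute}=#{@login}")
    return nil
  end

  value = ldap_entry.send(param)
  DeviseLdapAuthenticatable::Logger.send("Requested param #{param} has value #{value}")
  value
end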
#user_groups ⇒ Object
# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 181
#
# Lists the DNs of every entry under +@group_base+ whose +uniqueMember+
# attribute names this user's DN, searched on the admin connection.
#
# @return [Array<String>]
def user_groups
  admin_ldap = LdapConnect.admin
  DeviseLdapAuthenticatable::Logger.send("Getting groups for #{dn}")
  membership_filter = Net::LDAP::Filter.eq("uniqueMember", dn)
  matches = admin_ldap.search(:filter => membership_filter, :base => @group_base)
  matches.map(&:dn)
end
#valid_login? ⇒ Boolean
# File 'lib/devise_ldap_authenticatable/ldap_adapter.rb', line 189
#
# @return [Boolean] whether #search_for_login finds an entry for the login
def valid_login?
  entry = search_for_login
  !entry.nil?
end