Class: GitHub::Ldap::Domain
- Inherits:
-
Object
- Object
- GitHub::Ldap::Domain
- Includes:
- Filter
- Defined in:
- lib/github/ldap/domain.rb
Overview
A domain represents the base object for an ldap tree. It encapsulates the operations that you can perform against a tree, authenticating users, for instance.
This makes possible to reuse a server connection to perform operations with two different domain bases.
To get a domain, you’ll need to create a ‘Ldap` object and then call the method `domain` with the name of the base.
For example:
domain = GitHub::Ldap.new(options).domain(“dc=github,dc=com”)
Constant Summary
Constants included from Filter
Filter::ALL_GROUPS_FILTER, Filter::MEMBERSHIP_NAMES
Instance Method Summary collapse
-
#all_groups ⇒ Object
List all groups under this tree, including subgroups.
-
#auth(user, password) ⇒ Object
Check if a user can be bound with a password.
-
#authenticate!(login, password, group_names = nil) ⇒ Object
Authenticate a user with the ldap server.
-
#bind ⇒ Object
Get the entry for this domain.
-
#filter_groups(query, opts = {}, &block) ⇒ Object
List all groups under this tree that match the query.
-
#get_operation_result ⇒ Object
Provide a meaningful result after a protocol operation (for example, bind or search) has completed.
-
#groups(group_names) ⇒ Object
List the groups in the ldap server that match the configured ones.
-
#initialize(ldap, base_name, uid) ⇒ Domain
constructor
A new instance of Domain.
-
#is_member?(user_entry, group_names) ⇒ Boolean
Check if the user is include in any of the configured groups.
-
#membership(user_entry, group_names) ⇒ Object
List the groups that a user is member of.
-
#search(options, &block) ⇒ Object
Search entries using this domain as base.
-
#user?(login) ⇒ Boolean
Check if a user exists based in the ‘uid`.
-
#valid_login?(login, password) ⇒ Boolean
Check if the user credentials are valid.
Methods included from Filter
#all_members_by_uid, #group_contains_filter, #group_filter, #login_filter, #member_filter, #members_of_group, #subgroups_of_group
Constructor Details
#initialize(ldap, base_name, uid) ⇒ Domain
Returns a new instance of Domain.
17 18 19 |
# File 'lib/github/ldap/domain.rb', line 17 def initialize(ldap, base_name, uid) @ldap, @base_name, @uid = ldap, base_name, uid end |
Instance Method Details
#all_groups ⇒ Object
List all groups under this tree, including subgroups.
Returns a list of ldap entries.
24 25 26 |
# File 'lib/github/ldap/domain.rb', line 24 def all_groups search(filter: ALL_GROUPS_FILTER) end |
#auth(user, password) ⇒ Object
Check if a user can be bound with a password.
user: is a ldap entry representing the user. password: is the user’s password.
Returns true if the user can be bound.
113 114 115 |
# File 'lib/github/ldap/domain.rb', line 113 def auth(user, password) @ldap.bind(method: :simple, username: user.dn, password: password) end |
#authenticate!(login, password, group_names = nil) ⇒ Object
Authenticate a user with the ldap server.
login: is the user’s login. This method doesn’t accept email identifications. password: is the user’s password. group_names: is an array of group CNs.
Returns the user info if the credentials are valid and there are no groups configured. Returns the user info if the credentials are valid and the user belongs to a configured group. Returns nil if the credentials are invalid
126 127 128 129 130 |
# File 'lib/github/ldap/domain.rb', line 126 def authenticate!(login, password, group_names = nil) user = valid_login?(login, password) return user if user && is_member?(user, group_names) end |
#bind ⇒ Object
Get the entry for this domain.
Returns a Net::LDAP::Entry
159 160 161 |
# File 'lib/github/ldap/domain.rb', line 159 def bind search(size: 1, scope: Net::LDAP::SearchScope_BaseObject).first end |
#filter_groups(query, opts = {}, &block) ⇒ Object
List all groups under this tree that match the query.
query: is the partial name to filter for. opts: additional options to filter with. It’s specially recommended to restrict this search by size. block: is an optional block to pass to the search.
Returns a list of ldap entries.
35 36 37 |
# File 'lib/github/ldap/domain.rb', line 35 def filter_groups(query, opts = {}, &block) search(opts.merge(filter: group_contains_filter(query)), &block) end |
#get_operation_result ⇒ Object
Provide a meaningful result after a protocol operation (for example, bind or search) has completed.
Returns an OpenStruct containing an LDAP result code and a human-readable string. See tools.ietf.org/html/rfc4511#appendix-A
152 153 154 |
# File 'lib/github/ldap/domain.rb', line 152 def get_operation_result @ldap.get_operation_result end |
#groups(group_names) ⇒ Object
List the groups in the ldap server that match the configured ones.
group_names: is an array of group CNs.
Returns a list of ldap entries for the configured groups.
44 45 46 |
# File 'lib/github/ldap/domain.rb', line 44 def groups(group_names) search(filter: group_filter(group_names)) end |
#is_member?(user_entry, group_names) ⇒ Boolean
Check if the user is include in any of the configured groups.
user_entry: is the entry for the user in the server. group_names: is an array of group CNs.
Returns true if the user belongs to any of the groups. Returns false otherwise.
75 76 77 78 79 80 81 82 |
# File 'lib/github/ldap/domain.rb', line 75 def is_member?(user_entry, group_names) return true if group_names.nil? return true if group_names.empty? user_membership = membership(user_entry, group_names) !user_membership.empty? end |
#membership(user_entry, group_names) ⇒ Object
List the groups that a user is member of.
user_entry: is the entry for the user in the server. group_names: is an array of group CNs.
Return an Array with the groups that the given user is member of that belong to the given group list.
54 55 56 57 58 59 60 61 62 63 64 65 66 |
# File 'lib/github/ldap/domain.rb', line 54 def membership(user_entry, group_names) all_groups = search(filter: group_filter(group_names)) groups_map = all_groups.each_with_object({}) {|entry, hash| hash[entry.dn] = entry} if @ldap.virtual_attributes.enabled? member_of = groups_map.keys & user_entry[@ldap.virtual_attributes.virtual_membership] member_of.map {|dn| groups_map[dn]} else groups_map.each_with_object([]) do |(dn, group_entry), acc| acc << group_entry if @ldap.load_group(group_entry).is_member?(user_entry) end end end |
#search(options, &block) ⇒ Object
Search entries using this domain as base.
options: is a Hash with the options for the search. The base option is always overriden. block: is an optional block to pass to the search.
Returns an array with the entries found.
138 139 140 141 142 143 144 |
# File 'lib/github/ldap/domain.rb', line 138 def search(, &block) [:base] = @base_name [:attributes] ||= [] [:paged_searches_supported] = true @ldap.search(, &block) end |
#user?(login) ⇒ Boolean
Check if a user exists based in the ‘uid`.
login: is the user’s login
Returns the user if the login matches any ‘uid`. Returns nil if there are no matches.
103 104 105 |
# File 'lib/github/ldap/domain.rb', line 103 def user?(login) search(filter: login_filter(@uid, login), size: 1).first end |
#valid_login?(login, password) ⇒ Boolean
Check if the user credentials are valid.
login: is the user’s login. password: is the user’s password.
Returns a Ldap::Entry if the credentials are valid. Returns nil if the credentials are invalid.
91 92 93 94 95 |
# File 'lib/github/ldap/domain.rb', line 91 def valid_login?(login, password) if user = user?(login) and auth(user, password) return user end end |