Class: Devise::LDAP::Connection
- Inherits:
-
Object
- Object
- Devise::LDAP::Connection
- Defined in:
- lib/devise_ldap_authenticatable/ldap/connection.rb
Instance Attribute Summary collapse
-
#ldap ⇒ Object
readonly
Returns the value of attribute ldap.
-
#login ⇒ Object
readonly
Returns the value of attribute login.
Instance Method Summary collapse
- #authenticate! ⇒ Object
- #authenticated? ⇒ Boolean
- #authorized? ⇒ Boolean
- #change_password! ⇒ Object
- #delete_param(param) ⇒ Object
- #dn ⇒ Object
- #has_required_attribute? ⇒ Boolean
- #in_group?(group_name, group_attribute = LDAP::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY) ⇒ Boolean
- #in_required_groups? ⇒ Boolean
-
#initialize(params = {}) ⇒ Connection
constructor
A new instance of Connection.
- #ldap_param_value(param) ⇒ Object
-
#search_for_login ⇒ Object
Searches the LDAP for the login.
- #set_param(param, new_value) ⇒ Object
- #user_groups ⇒ Object
- #valid_login? ⇒ Boolean
Constructor Details
#initialize(params = {}) ⇒ Connection
Returns a new instance of Connection.
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 6 def initialize(params = {}) if ::Devise.ldap_config.is_a?(Proc) ldap_config = ::Devise.ldap_config.call else ldap_config = YAML.load(ERB.new(File.read(::Devise.ldap_config || "#{Rails.root}/config/ldap.yml")).result)[Rails.env] end = params ldap_config["ssl"] = :simple_tls if ldap_config["ssl"] === true [:encryption] = ldap_config["ssl"].to_sym if ldap_config["ssl"] @ldap = Net::LDAP.new() @ldap.host = ldap_config["host"] @ldap.port = ldap_config["port"] @ldap.base = ldap_config["base"] @attribute = ldap_config["attribute"] @allow_unauthenticated_bind = ldap_config["allow_unauthenticated_bind"] @ldap_auth_username_builder = params[:ldap_auth_username_builder] @group_base = ldap_config["group_base"] @check_group_membership = ldap_config.has_key?("check_group_membership") ? ldap_config["check_group_membership"] : ::Devise.ldap_check_group_membership @required_groups = ldap_config["required_groups"] @required_attributes = ldap_config["require_attribute"] @additional_ldap_filter=ldap_config["additional_ldap_filter"] @ldap.auth ldap_config["admin_user"], ldap_config["admin_password"] if params[:admin] @ldap.auth params[:login], params[:password] if ldap_config["admin_as_user"] @login = params[:login] @password = params[:password] @new_password = params[:new_password] end |
Instance Attribute Details
#ldap ⇒ Object (readonly)
Returns the value of attribute ldap.
4 5 6 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 4 def ldap @ldap end |
#login ⇒ Object (readonly)
Returns the value of attribute login.
4 5 6 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 4 def login @login end |
Instance Method Details
#authenticate! ⇒ Object
78 79 80 81 82 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 78 def authenticate! return false unless (@password.present? || @allow_unauthenticated_bind) @ldap.auth(dn, @password) @ldap.bind end |
#authenticated? ⇒ Boolean
84 85 86 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 84 def authenticated? authenticate! end |
#authorized? ⇒ Boolean
88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 88 def DeviseLdapAuthenticatable::Logger.send("Authorizing user #{dn}") if !authenticated? DeviseLdapAuthenticatable::Logger.send("Not authorized because not authenticated.") return false elsif !in_required_groups? DeviseLdapAuthenticatable::Logger.send("Not authorized because not in required groups.") return false elsif !has_required_attribute? DeviseLdapAuthenticatable::Logger.send("Not authorized because does not have required attribute.") return false else return true end end |
#change_password! ⇒ Object
104 105 106 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 104 def change_password! update_ldap(:userpassword => Net::LDAP::Password.generate(:sha, @new_password)) end |
#delete_param(param) ⇒ Object
40 41 42 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 40 def delete_param(param) update_ldap [[:delete, param.to_sym, nil]] end |
#dn ⇒ Object
48 49 50 51 52 53 54 55 56 57 58 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 48 def dn @dn ||= begin DeviseLdapAuthenticatable::Logger.send("LDAP dn lookup: #{@attribute}=#{@login}") ldap_entry = search_for_login if ldap_entry.nil? @ldap_auth_username_builder.call(@attribute,@login,@ldap) else ldap_entry.dn end end end |
#has_required_attribute? ⇒ Boolean
154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 154 def has_required_attribute? return true unless ::Devise.ldap_check_attributes admin_ldap = Connection.admin user = find_ldap_user(admin_ldap) @required_attributes.each do |key,val| unless user[key].include? val DeviseLdapAuthenticatable::Logger.send("User #{dn} did not match attribute #{key}:#{val}") return false end end return true end |
#in_group?(group_name, group_attribute = LDAP::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY) ⇒ Boolean
124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 124 def in_group?(group_name, group_attribute = LDAP::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY) in_group = false admin_ldap = Connection.admin unless ::Devise.ldap_ad_group_check admin_ldap.search(:base => group_name, :scope => Net::LDAP::SearchScope_BaseObject) do |entry| if entry[group_attribute].include? dn in_group = true end end else # AD optimization - extension will recursively check sub-groups with one query # "(memberof:1.2.840.113556.1.4.1941:=group_name)" search_result = admin_ldap.search(:base => dn, :filter => Net::LDAP::Filter.ex("memberof:1.2.840.113556.1.4.1941", group_name), :scope => Net::LDAP::SearchScope_BaseObject) # Will return the user entry if belongs to group otherwise nothing if search_result.length == 1 && search_result[0].dn.eql?(dn) in_group = true end end unless in_group DeviseLdapAuthenticatable::Logger.send("User #{dn} is not in group: #{group_name}") end return in_group end |
#in_required_groups? ⇒ Boolean
108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 108 def in_required_groups? return true unless @check_group_membership ## FIXME set errors here, the ldap.yml isn't set properly. return false if @required_groups.nil? for group in @required_groups if group.is_a?(Array) return false unless in_group?(group[1], group[0]) else return false unless in_group?(group) end end return true end |
#ldap_param_value(param) ⇒ Object
60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 60 def ldap_param_value(param) ldap_entry = search_for_login if ldap_entry unless ldap_entry[param].empty? value = ldap_entry.send(param) DeviseLdapAuthenticatable::Logger.send("Requested param #{param} has value #{value}") value else DeviseLdapAuthenticatable::Logger.send("Requested param #{param} does not exist") value = nil end else DeviseLdapAuthenticatable::Logger.send("Requested ldap entry does not exist") value = nil end end |
#search_for_login ⇒ Object
Searches the LDAP for the login
186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 186 def search_for_login @login_ldap_entry ||= begin DeviseLdapAuthenticatable::Logger.send("LDAP search for login: #{@attribute}=#{@login}") filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s) if @additional_ldap_filter DeviseLdapAuthenticatable::Logger.send("Adding Additional Filter #{@additional_ldap_filter}") additional_filter = Net::LDAP::Filter.from_rfc2254(@additional_ldap_filter) filter = filter & additional_filter end ldap_entry = nil match_count = 0 @ldap.search(:filter => filter) {|entry| ldap_entry = entry; match_count+=1} DeviseLdapAuthenticatable::Logger.send("LDAP search yielded #{match_count} matches") ldap_entry end end |
#set_param(param, new_value) ⇒ Object
44 45 46 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 44 def set_param(param, new_value) update_ldap( { param.to_sym => new_value } ) end |
#user_groups ⇒ Object
171 172 173 174 175 176 177 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 171 def user_groups admin_ldap = Connection.admin DeviseLdapAuthenticatable::Logger.send("Getting groups for #{dn}") filter = Net::LDAP::Filter.eq("uniqueMember", dn) admin_ldap.search(:filter => filter, :base => @group_base).collect(&:dn) end |
#valid_login? ⇒ Boolean
179 180 181 |
# File 'lib/devise_ldap_authenticatable/ldap/connection.rb', line 179 def valid_login? !search_for_login.nil? end |