
Re: [opensuse-buildservice] [PATCH] Minor tweaks for LDAP authentication
  • From: Adrian Schröter <adrian@xxxxxxx>
  • Date: Fri, 9 Apr 2010 17:03:41 +0200
  • Message-id: <201004091703.41326.adrian@xxxxxxx>

Hi Iain,

thanks a lot for your patch.
I have applied it to master and 1.8 branch now.

bye
adrian

Am Mittwoch, 17. März 2010 09:45:50 schrieb Iain Arnell:
* unbind ldap connections after use
* optionally disable ldap referrals (necessary for Windows 2003 AD)
* retrieve all attributes when searching
* properly access LDAP_NAME_ATTR attribute
---
src/api/config/environments/production.rb | 2 ++
src/api/lib/active_rbac_mixins/user_mixins.rb | 15 ++++++++++-----
2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/api/config/environments/production.rb
b/src/api/config/environments/production.rb
index 12e1268..f16ab90 100644
--- a/src/api/config/environments/production.rb
+++ b/src/api/config/environments/production.rb
@@ -30,6 +30,8 @@ LDAP_SERVERS = "ldap1.mycompany.com:ldap2.mycompany.com"
LDAP_SSL = :on
# LDAP port defaults to 389 for ldap and 686 for ldaps
#LDAP_PORT=
+# Authentication with Windows 2003 AD requires
+LDAP_REFERRALS = :off

# Max number of times to attempt to contact the LDAP servers
LDAP_MAX_ATTEMPTS = 10
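Review bot: The comment added above `LDAP_REFERRALS = :off` is a sentence fragment (`# Authentication with Windows 2003 AD requires`) and does not say what the setting does or which value the code reacts to. The consumer in user_mixins.rb only acts on the exact symbol `:off` (`defined?( LDAP_REFERRALS ) && LDAP_REFERRALS == :off`), so any other value leaves the library default in place; the comment should say so, e.g. `# Set to :off to disable LDAP referral chasing (required for Windows 2003 AD); any other value keeps the library default`. Unlike `#LDAP_PORT=` just above, this sample line is active rather than commented out, so every deployment built from this template disables referral chasing; if that is intended, a sentence in the comment would save the next admin from guessing.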
diff --git a/src/api/lib/active_rbac_mixins/user_mixins.rb
b/src/api/lib/active_rbac_mixins/user_mixins.rb
index 32dd7ba..484de84 100644
--- a/src/api/lib/active_rbac_mixins/user_mixins.rb
+++ b/src/api/lib/active_rbac_mixins/user_mixins.rb
@@ -331,9 +331,10 @@ module UserMixins
user_filter = "(#{LDAP_SEARCH_ATTR}=#{login})"
logger.debug( "Search for #{user_filter}" )
dn = String.new
- ldap_con.search( LDAP_SEARCH_BASE, LDAP::LDAP_SCOPE_SUBTREE,
user_filter, '') do |entry|
+ ldap_con.search( LDAP_SEARCH_BASE, LDAP::LDAP_SCOPE_SUBTREE,
user_filter ) do |entry|
dn = entry.dn
end
+ ldap_con.unbind()

if dn.empty?
logger.debug( "User not found in ldap" )
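Review bot: `ldap_con.unbind()` on the line after the search only runs when `ldap_con.search` returns normally; if the search raises (for example LDAP::ResultError, which this file rescues elsewhere), the bound connection is never released, which is the very leak the patch sets out to close. Putting the search in a `begin` with the unbind in its `ensure` would release it on both paths; the enclosing method, and any `begin`/`rescue` it already has, start before this hunk, so I cannot see whether one is available. If `ldap_con` is used again later in the method (its body runs past this hunk), the unbind would also have to move after that last use. The same exposure applies to `user_con.unbind()` in the hunk at -370,18. Ruby convention is `ldap_con.unbind` without the empty parentheses.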
@@ -359,7 +360,7 @@ module UserMixins
if authenticated == true
ldap_info = Array.new
ldap_info[0] = String.new(entry[LDAP_MAIL_ATTR][0])
- ldap_info[1] = String.new(entry[LDAP_NAME_ATTR][1])
+ ldap_info[1] = String.new(entry[LDAP_NAME_ATTR][0])
end

when :ldap then
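Review bot: `String.new(entry[LDAP_NAME_ATTR][0])` on the changed line still fails with NoMethodError when the entry carries no name attribute, since `entry[LDAP_NAME_ATTR]` is then falsy, as the `if entry[LDAP_NAME_ATTR]` guard in the hunk at -370,18 implies; this branch should mirror that guard and its fallback to `login`: `ldap_info[1] = entry[LDAP_NAME_ATTR] ? String.new(entry[LDAP_NAME_ATTR][0]) : login`. The same holds for `entry[LDAP_MAIL_ATTR][0]` on the line above, which the other hunk also guards. The `if authenticated == true` block belongs to a `case` whose start is outside this hunk.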
@@ -370,18 +371,19 @@ module UserMixins
else
ldap_info = Array.new
# Redo the search as the user for situations where the anon
search may not be able to see attributes
- user_con.search( LDAP_SEARCH_BASE, LDAP::LDAP_SCOPE_SUBTREE,
user_filter, '') do |entry|
+ user_con.search( LDAP_SEARCH_BASE, LDAP::LDAP_SCOPE_SUBTREE,
user_filter ) do |entry|
if entry[LDAP_MAIL_ATTR] then
ldap_info[0] = String.new(entry[LDAP_MAIL_ATTR][0])
else
ldap_info[0] = 'fake@xxxxxxxxxx'
end
if entry[LDAP_NAME_ATTR] then
- ldap_info[1] = String.new(entry[LDAP_NAME_ATTR][1])
+ ldap_info[1] = String.new(entry[LDAP_NAME_ATTR][0])
else
ldap_info[1] = login
end
end
+ user_con.unbind()
end
end
logger.debug( "login success = #{ldap_info}" )
@@ -530,7 +532,7 @@ module UserMixins

logger.debug( "Connecting to #{server} as '#{user_name}'" )
begin
- if LDAP_SSL == :on
+ if defined?( LDAP_SSL ) && LDAP_SSL == :on
port = defined?( LDAP_PORT ) ? LDAP_PORT : 636
conn = LDAP::SSLConn.new( server, port)
else
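Review bot: With `defined?( LDAP_SSL )` added to the condition, a configuration that leaves LDAP_SSL unset now silently takes the `else` branch and opens a plain `LDAP::Conn`, over which `conn.bind(user_name, password)` then sends the user's password without TLS; before this change an unset LDAP_SSL would have raised NameError, which at least failed closed. Either default to the TLS branch when the constant is missing (`if !defined?( LDAP_SSL ) || LDAP_SSL == :on`) or make the downgrade visible, e.g. `logger.warn( "LDAP_SSL not configured; binding without SSL" ) unless defined?( LDAP_SSL )`, so an unencrypted bind is never the accidental result of a missing line in production.rb. The `begin` block and the enclosing method continue past this hunk.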
@@ -538,6 +540,9 @@ module UserMixins
conn = LDAP::Conn.new( server, port)
end
conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
+ if defined?( LDAP_REFERRALS ) && LDAP_REFERRALS == :off
+ conn.set_option(LDAP::LDAP_OPT_REFERRALS,
LDAP::LDAP_OPT_OFF)
+ end
conn.bind(user_name, password)
rescue LDAP::ResultError
logger.debug( "Not bound: error #{conn.err}" )
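Review bot: The new referral block carries no comment explaining why chasing is switched off; the reason lives only in the commit message, so add something like `# Referral chasing breaks authentication against Windows 2003 AD; LDAP_REFERRALS = :off in config/environments/production.rb disables it` above the `if`. Because `set_option` sits inside the `begin` whose `rescue LDAP::ResultError` logs `Not bound: error ...`, a failure to set the option would, if it raises LDAP::ResultError, be reported as a bind failure, which will mislead whoever debugs it; a separate `rescue` around the two `set_option` calls, or a distinct log message, would keep the two cases apart. The comparison only recognises the symbol `:off`, so a value such as `"off"` or `false` is silently ignored; worth either accepting those forms or documenting the exact value in production.rb. The `begin` block and the method continue outside this hunk.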



--

Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@xxxxxxx

