[opensuse-buildservice] [PATCH] Minor tweaks for LDAP authentication
Many thanks to all involved in adding support for LDAP authentication. I have a couple of tweaks that are necessary to get it working in my environment (Windows 2003 Active Directory). Most of it's pretty simple and self-explanatory and shouldn't break existing setups.

Iain Arnell (1):
  Minor tweaks for LDAP authentication

 src/api/config/environments/production.rb     |  2 ++
 src/api/lib/active_rbac_mixins/user_mixins.rb | 15 ++++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

-- 
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
* unbind ldap connections after use * optionally disable ldap referrals (necessary for Windows 2003 AD) * retrieve all attributes when searching * properly access LDAP_NAME_ATTR attribute --- src/api/config/environments/production.rb | 2 ++ src/api/lib/active_rbac_mixins/user_mixins.rb | 15 ++++++++++----- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/src/api/config/environments/production.rb b/src/api/config/environments/production.rb index 12e1268..f16ab90 100644 --- a/src/api/config/environments/production.rb +++ b/src/api/config/environments/production.rb @@ -30,6 +30,8 @@ LDAP_SERVERS = "ldap1.mycompany.com:ldap2.mycompany.com" LDAP_SSL = :on # LDAP port defaults to 389 for ldap and 686 for ldaps #LDAP_PORT= +# Authentication with Windows 2003 AD requires +LDAP_REFERRALS = :off # Max number of times to attempt to contact the LDAP servers LDAP_MAX_ATTEMPTS = 10 diff --git a/src/api/lib/active_rbac_mixins/user_mixins.rb b/src/api/lib/active_rbac_mixins/user_mixins.rb index 32dd7ba..484de84 100644 --- a/src/api/lib/active_rbac_mixins/user_mixins.rb +++ b/src/api/lib/active_rbac_mixins/user_mixins.rb @@ -331,9 +331,10 @@ module UserMixins user_filter = "(#{LDAP_SEARCH_ATTR}=#{login})" logger.debug( "Search for #{user_filter}" ) dn = String.new - ldap_con.search( LDAP_SEARCH_BASE, LDAP::LDAP_SCOPE_SUBTREE, user_filter, '') do |entry| + ldap_con.search( LDAP_SEARCH_BASE, LDAP::LDAP_SCOPE_SUBTREE, user_filter ) do |entry| dn = entry.dn end + ldap_con.unbind() if dn.empty? logger.debug( "User not found in ldap" ) @@ -359,7 +360,7 @@ module UserMixins if authenticated == true ldap_info = Array.new ldap_info[0] = String.new(entry[LDAP_MAIL_ATTR][0]) - ldap_info[1] = String.new(entry[LDAP_NAME_ATTR][1]) + ldap_info[1] = String.new(entry[LDAP_NAME_ATTR][0]) end when :ldap then 
@@ -370,18 +371,19 @@ module UserMixins else ldap_info = Array.new # Redo the search as the user for situations where the anon search may not be able to see attributes - user_con.search( LDAP_SEARCH_BASE, LDAP::LDAP_SCOPE_SUBTREE, user_filter, '') do |entry| + user_con.search( LDAP_SEARCH_BASE, LDAP::LDAP_SCOPE_SUBTREE, user_filter ) do |entry| if entry[LDAP_MAIL_ATTR] then ldap_info[0] = String.new(entry[LDAP_MAIL_ATTR][0]) else ldap_info[0] = 'fake@email.ldap' end if entry[LDAP_NAME_ATTR] then - ldap_info[1] = String.new(entry[LDAP_NAME_ATTR][1]) + ldap_info[1] = String.new(entry[LDAP_NAME_ATTR][0]) else ldap_info[1] = login end end + user_con.unbind() end end logger.debug( "login success = #{ldap_info}" ) @@ -530,7 +532,7 @@ module UserMixins logger.debug( "Connecting to #{server} as '#{user_name}'" ) begin - if LDAP_SSL == :on + if defined?( LDAP_SSL ) && LDAP_SSL == :on port = defined?( LDAP_PORT ) ? LDAP_PORT : 636 conn = LDAP::SSLConn.new( server, port) else @@ -538,6 +540,9 @@ module UserMixins conn = LDAP::Conn.new( server, port) end conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3) + if defined?( LDAP_REFERRALS ) && LDAP_REFERRALS == :off + conn.set_option(LDAP::LDAP_OPT_REFERRALS, LDAP::LDAP_OPT_OFF) + end conn.bind(user_name, password) rescue LDAP::ResultError logger.debug( "Not bound: error #{conn.err}" ) -- 1.6.6.1 -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
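Review bot: the comment added in the production.rb hunk is cut off: `# Authentication with Windows 2003 AD requires` never says what is required. Suggest `# Authentication with Windows 2003 AD requires referrals to be disabled` directly above `LDAP_REFERRALS = :off`, and a second line stating what happens when the key is left unset (with the user_mixins.rb change, an undefined LDAP_REFERRALS leaves the library's referral behaviour untouched), so an operator editing this template knows which setting is the safe one.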
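Review bot: in the @@ -331 hunk, `ldap_con.unbind()` is only reached when `ldap_con.search` returns normally; if the search raises (the code already rescues `LDAP::ResultError` in the connect path), the anonymous connection stays bound and leaks. Wrap the search in `begin ... ensure ldap_con.unbind end` so the unbind runs on every exit. In the same hunk the context line `user_filter = "(#{LDAP_SEARCH_ATTR}=#{login})"` interpolates the login straight into the filter string; escaping the RFC 4515 special characters (`*`, `(`, `)`, `\`, NUL) in `login` before building the filter keeps an unexpected login value from altering the search, which matters more now that the search returns all attributes.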
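Review bot: `entry[LDAP_NAME_ATTR][0]` in the @@ -359 hunk fixes the index but still assumes the attribute exists; when the entry has no such attribute `entry[LDAP_NAME_ATTR]` is nil and `nil[0]` raises NoMethodError in the authenticated path. The @@ -370 hunk already handles this with `if entry[LDAP_NAME_ATTR] then ... else ldap_info[1] = login end`; apply the same guard here, and the matching one for `entry[LDAP_MAIL_ATTR][0]` on the line above it.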
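Review bot: `user_con.unbind()` in the @@ -370 hunk is placed after the search block inside the `else` branch, so it is skipped whenever `user_con.search` raises, leaving a connection bound with the user's own credentials open. Move it into an `ensure` clause around the re-search so the user-bound connection is released on both the success and the error path.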
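Review bot: `if defined?( LDAP_SSL ) && LDAP_SSL == :on` in the @@ -530 hunk makes a missing LDAP_SSL constant silently take the `else` branch (`LDAP::Conn.new( server, port)`), so a misspelled or forgotten config key downgrades the `conn.bind(user_name, password)` that follows to cleartext LDAP on port 389. Prefer failing closed here: raise when LDAP_SSL is undefined, or at minimum `logger.warn` that the connection is being made without SSL, so the downgrade is visible rather than implicit.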
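Review bot: in the @@ -538 hunk the referral option is applied before `conn.bind`, which is the correct order, but the `defined?( LDAP_REFERRALS )` check means an unset key is accepted without any trace in the log. A `logger.debug` stating whether referrals were left on or switched off next to the existing `logger.debug( "Connecting to #{server} ..." )` would make the AD failure described in the cover letter easy to diagnose on the next deployment.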
Hi Iain,

thanks a lot for your patch. I have applied it to the master and 1.8 branches now.

bye
adrian

On Wednesday, 17 March 2010 09:45:50, Iain Arnell wrote:
-- 
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@suse.de
Iain Arnell wrote:
Thanks Iain.

Looks good to me; some nice catches, and good to know it'll support 2003 AD too.

I'll test and commit soonish.

David
-- 
"Don't worry, you'll be fine; I saw it work in a cartoon once..."
participants (3):
- Adrian Schröter
- David Greaves
- Iain Arnell