* unbind ldap connections after use
* optionally disable ldap referrals (necessary for Windows 2003 AD)
* retrieve all attributes when searching
* properly access LDAP_NAME_ATTR attribute
---
 src/api/config/environments/production.rb | 2 ++
 src/api/lib/active_rbac_mixins/user_mixins.rb | 15 ++++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/api/config/environments/production.rb b/src/api/config/environments/production.rb
index 12e1268..f16ab90 100644
--- a/src/api/config/environments/production.rb
+++ b/src/api/config/environments/production.rb
@@ -30,6 +30,8 @@ LDAP_SERVERS = "ldap1.mycompany.com:ldap2.mycompany.com"
 LDAP_SSL = :on
 # LDAP port defaults to 389 for ldap and 686 for ldaps
 #LDAP_PORT=
+# Authentication with Windows 2003 AD requires
+LDAP_REFERRALS = :off
 # Max number of times to attempt to contact the LDAP servers
 LDAP_MAX_ATTEMPTS = 10
diff --git a/src/api/lib/active_rbac_mixins/user_mixins.rb b/src/api/lib/active_rbac_mixins/user_mixins.rb
index 32dd7ba..484de84 100644
--- a/src/api/lib/active_rbac_mixins/user_mixins.rb
+++ b/src/api/lib/active_rbac_mixins/user_mixins.rb
@@ -331,9 +331,10 @@ module UserMixins
 user_filter = "(#{LDAP_SEARCH_ATTR}=#{login})"
 logger.debug( "Search for #{user_filter}" )
 dn = String.new
-ldap_con.search( LDAP_SEARCH_BASE, LDAP::LDAP_SCOPE_SUBTREE, user_filter, '') do |entry|
+ldap_con.search( LDAP_SEARCH_BASE, LDAP::LDAP_SCOPE_SUBTREE, user_filter ) do |entry|
 dn = entry.dn
 end
+ldap_con.unbind()
 if dn.empty?
 logger.debug( "User not found in ldap" )
@@ -359,7 +360,7 @@ module UserMixins
 if authenticated == true
 ldap_info = Array.new
 ldap_info[0] = String.new(entry[LDAP_MAIL_ATTR][0])
-ldap_info[1] = String.new(entry[LDAP_NAME_ATTR][1])
+ldap_info[1] = String.new(entry[LDAP_NAME_ATTR][0])
 end
 when :ldap then
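Review bot: The comment added above `LDAP_REFERRALS = :off` is an unfinished sentence — `# Authentication with Windows 2003 AD requires` names the requirer but not what is required. Suggest `# Authentication against Windows 2003 AD requires referral chasing to be disabled (see the LDAP_REFERRALS handling in user_mixins.rb)`. Because the user_mixins.rb hunk below acts only on the exact value `:off`, it is also worth stating here that any other value, or leaving the constant undefined, keeps libldap's default referral behaviour.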
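Review bot: The added `ldap_con.unbind()` runs only when `ldap_con.search` returns normally; if the search raises `LDAP::ResultError` the connection stays bound, which is the leak the commit sets out to fix. Wrapping the search in `begin ... ensure ldap_con.unbind end` releases it on both paths; the same applies to `user_con.unbind()` in the `@@ -370` hunk. The unbind also sits before `if dn.empty?` and before the rest of this method, which continues outside the hunk, so any later use of `ldap_con` further down would now operate on an unbound connection — worth confirming against the full method. As a point of style, the empty parens on `unbind()` are unidiomatic Ruby; `ldap_con.unbind` reads the same.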
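Review bot: The corrected index in `entry[LDAP_NAME_ATTR][0]` still dereferences `entry[LDAP_NAME_ATTR]` unguarded, whereas the `@@ -370` hunk of the same file guards both attributes with `if entry[LDAP_NAME_ATTR] then ... else ldap_info[1] = login`; a directory entry without that attribute raises `NoMethodError` on `nil[0]` here instead of falling back. Bringing the two branches into line, e.g. `ldap_info[1] = entry[LDAP_NAME_ATTR] ? String.new(entry[LDAP_NAME_ATTR][0]) : login`, keeps behaviour consistent (the `LDAP_MAIL_ATTR` line above has the same gap). It is not visible in the hunk where `entry` is assigned; if it is the block parameter of a preceding `search` block it would not be in scope at this point, so please confirm — the enclosing method starts and ends outside the hunk.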
@@ -370,18 +371,19 @@ module UserMixins
 else
 ldap_info = Array.new
 # Redo the search as the user for situations where the anon search may not be able to see attributes
-user_con.search( LDAP_SEARCH_BASE, LDAP::LDAP_SCOPE_SUBTREE, user_filter, '') do |entry|
+user_con.search( LDAP_SEARCH_BASE, LDAP::LDAP_SCOPE_SUBTREE, user_filter ) do |entry|
 if entry[LDAP_MAIL_ATTR] then
 ldap_info[0] = String.new(entry[LDAP_MAIL_ATTR][0])
 else
 ldap_info[0] = 'fake@email.ldap'
 end
 if entry[LDAP_NAME_ATTR] then
-ldap_info[1] = String.new(entry[LDAP_NAME_ATTR][1])
+ldap_info[1] = String.new(entry[LDAP_NAME_ATTR][0])
 else
 ldap_info[1] = login
 end
 end
+user_con.unbind()
 end
 end
 logger.debug( "login success = #{ldap_info}" )
@@ -530,7 +532,7 @@ module UserMixins
 logger.debug( "Connecting to #{server} as '#{user_name}'" )
 begin
-if LDAP_SSL == :on
+if defined?( LDAP_SSL ) && LDAP_SSL == :on
 port = defined?( LDAP_PORT ) ? LDAP_PORT : 636
 conn = LDAP::SSLConn.new( server, port)
 else
@@ -538,6 +540,9 @@ module UserMixins
 conn = LDAP::Conn.new( server, port)
 end
 conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
+if defined?( LDAP_REFERRALS ) && LDAP_REFERRALS == :off
+conn.set_option(LDAP::LDAP_OPT_REFERRALS, LDAP::LDAP_OPT_OFF)
+end
 conn.bind(user_name, password)
 rescue LDAP::ResultError
 logger.debug( "Not bound: error #{conn.err}" )
-- 
1.6.6.1

-- 
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
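Review bot: With the new `defined?( LDAP_SSL )` guard, a deployment that leaves `LDAP_SSL` undefined now silently takes the `else` branch and opens a plain `LDAP::Conn` (the `conn = LDAP::Conn.new( server, port)` line in the next hunk), after which `conn.bind(user_name, password)` sends the search account's password — and, for the per-user bind used in the `@@ -370` hunk, the user's own password — without transport protection. Before this change an unset constant failed the connection outright rather than downgrading it. Treating an unset value as `:on`, or at minimum logging at warn level when it is unset, keeps that fail-safe default; e.g. `use_ssl = defined?( LDAP_SSL ) ? LDAP_SSL == :on : true` followed by `if use_ssl`. The enclosing method starts and ends outside the hunk.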
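Review bot: A failure of the new `conn.set_option(LDAP::LDAP_OPT_REFERRALS, LDAP::LDAP_OPT_OFF)` call is caught by the `rescue LDAP::ResultError` below and reported as `Not bound: error …`, which would send an operator looking at credentials rather than at the referral option; either set the options before entering the `begin` block or log which step failed. The branch also matches only the exact symbol `:off`, so a value such as `"off"` or `:no` leaves referral chasing enabled without any log line; a `logger.debug` in the other case, or a comment stating that only `:off` disables chasing, would make that visible. A short comment above the branch carrying the rationale from the commit message, e.g. `# Windows 2003 AD needs referral chasing disabled (LDAP_REFERRALS = :off)`, would also help; the commit message gives no detail on the exact failure mode, so confirm it before describing it in the comment.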