| @@ -1,203 +1,204 | |||
|
|
1 | 1 | # Redmine - project management software |
|
|
2 | 2 | # Copyright (C) 2006-2015 Jean-Philippe Lang |
|
|
3 | 3 | # |
|
|
4 | 4 | # This program is free software; you can redistribute it and/or |
|
|
5 | 5 | # modify it under the terms of the GNU General Public License |
|
|
6 | 6 | # as published by the Free Software Foundation; either version 2 |
|
|
7 | 7 | # of the License, or (at your option) any later version. |
|
|
8 | 8 | # |
|
|
9 | 9 | # This program is distributed in the hope that it will be useful, |
|
|
10 | 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
|
11 | 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
|
12 | 12 | # GNU General Public License for more details. |
|
|
13 | 13 | # |
|
|
14 | 14 | # You should have received a copy of the GNU General Public License |
|
|
15 | 15 | # along with this program; if not, write to the Free Software |
|
|
16 | 16 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
|
|
17 | 17 | |
|
|
18 | 18 | require 'net/ldap' |
|
|
19 | 19 | require 'net/ldap/dn' |
|
|
20 | 20 | require 'timeout' |
|
|
21 | 21 | |
|
|
22 | 22 | class AuthSourceLdap < AuthSource |
|
|
23 | 23 | NETWORK_EXCEPTIONS = [ |
|
|
24 | 24 | Net::LDAP::LdapError, |
|
|
25 | 25 | Errno::ECONNABORTED, Errno::ECONNREFUSED, Errno::ECONNRESET, |
|
|
26 | 26 | Errno::EHOSTDOWN, Errno::EHOSTUNREACH, |
|
|
27 | 27 | SocketError |
|
|
28 | 28 | ] |
|
|
29 | 29 | |
|
|
30 | 30 | validates_presence_of :host, :port, :attr_login |
|
|
31 | 31 | validates_length_of :name, :host, :maximum => 60, :allow_nil => true |
|
|
32 | 32 | validates_length_of :account, :account_password, :base_dn, :maximum => 255, :allow_blank => true |
|
|
33 | 33 | validates_length_of :attr_login, :attr_firstname, :attr_lastname, :attr_mail, :maximum => 30, :allow_nil => true |
|
|
34 | 34 | validates_numericality_of :port, :only_integer => true |
|
|
35 | 35 | validates_numericality_of :timeout, :only_integer => true, :allow_blank => true |
|
|
36 | 36 | validate :validate_filter |
|
|
37 | 37 | |
|
|
38 | 38 | before_validation :strip_ldap_attributes |
|
|
39 | 39 | |
|
|
40 | 40 | def initialize(attributes=nil, *args) |
|
|
41 | 41 | super |
|
|
42 | 42 | self.port = 389 if self.port == 0 |
|
|
43 | 43 | end |
|
|
44 | 44 | |
|
|
45 | 45 | def authenticate(login, password) |
|
|
46 | 46 | return nil if login.blank? || password.blank? |
|
|
47 | 47 | |
|
|
48 | 48 | with_timeout do |
|
|
49 | 49 | attrs = get_user_dn(login, password) |
|
|
50 | 50 | if attrs && attrs[:dn] && authenticate_dn(attrs[:dn], password) |
|
|
51 | 51 | logger.debug "Authentication successful for '#{login}'" if logger && logger.debug? |
|
|
52 | 52 | return attrs.except(:dn) |
|
|
53 | 53 | end |
|
|
54 | 54 | end |
|
|
55 | 55 | rescue *NETWORK_EXCEPTIONS => e |
|
|
56 | 56 | raise AuthSourceException.new(e.message) |
|
|
57 | 57 | end |
|
|
58 | 58 | |
|
|
59 | 59 | # test the connection to the LDAP |
|
|
60 | 60 | def test_connection |
|
|
61 | 61 | with_timeout do |
|
|
62 | 62 | ldap_con = initialize_ldap_con(self.account, self.account_password) |
|
|
63 | 63 | ldap_con.open { } |
|
|
64 | 64 | end |
|
|
65 | 65 | rescue *NETWORK_EXCEPTIONS => e |
|
|
66 | 66 | raise AuthSourceException.new(e.message) |
|
|
67 | 67 | end |
|
|
68 | 68 | |
|
|
69 | 69 | def auth_method_name |
|
|
70 | 70 | "LDAP" |
|
|
71 | 71 | end |
|
|
72 | 72 | |
|
|
73 | 73 | # Returns true if this source can be searched for users |
|
|
74 | 74 | def searchable? |
|
|
75 | 75 | !account.to_s.include?("$login") && %w(login firstname lastname mail).all? {|a| send("attr_#{a}?")} |
|
|
76 | 76 | end |
|
|
77 | 77 | |
|
|
78 | 78 | # Searches the source for users and returns an array of results |
|
|
79 | 79 | def search(q) |
|
|
80 | 80 | q = q.to_s.strip |
|
|
81 | 81 | return [] unless searchable? && q.present? |
|
|
82 | 82 | |
|
|
83 | 83 | results = [] |
|
|
84 | 84 | search_filter = base_filter & Net::LDAP::Filter.begins(self.attr_login, q) |
|
|
85 | 85 | ldap_con = initialize_ldap_con(self.account, self.account_password) |
|
|
86 | 86 | ldap_con.search(:base => self.base_dn, |
|
|
87 | 87 | :filter => search_filter, |
|
|
88 | 88 | :attributes => ['dn', self.attr_login, self.attr_firstname, self.attr_lastname, self.attr_mail], |
|
|
89 | 89 | :size => 10) do |entry| |
|
|
90 | 90 | attrs = get_user_attributes_from_ldap_entry(entry) |
|
|
91 | 91 | attrs[:login] = AuthSourceLdap.get_attr(entry, self.attr_login) |
|
|
92 | 92 | results << attrs |
|
|
93 | 93 | end |
|
|
94 | 94 | results |
|
|
95 | 95 | rescue *NETWORK_EXCEPTIONS => e |
|
|
96 | 96 | raise AuthSourceException.new(e.message) |
|
|
97 | 97 | end |
|
|
98 | 98 | |
|
|
99 | 99 | private |
|
|
100 | 100 | |
|
|
101 | 101 | def with_timeout(&block) |
|
|
102 | 102 | timeout = self.timeout |
|
|
103 | 103 | timeout = 20 unless timeout && timeout > 0 |
|
|
104 | 104 | Timeout.timeout(timeout) do |
|
|
105 | 105 | return yield |
|
|
106 | 106 | end |
|
|
107 | 107 | rescue Timeout::Error => e |
|
|
108 | 108 | raise AuthSourceTimeoutException.new(e.message) |
|
|
109 | 109 | end |
|
|
110 | 110 | |
|
|
111 | 111 | def ldap_filter |
|
|
112 | 112 | if filter.present? |
|
|
113 | 113 | Net::LDAP::Filter.construct(filter) |
|
|
114 | 114 | end |
|
|
115 | 115 | rescue Net::LDAP::LdapError, Net::LDAP::FilterSyntaxInvalidError |
|
|
116 | 116 | nil |
|
|
117 | 117 | end |
|
|
118 | 118 | |
|
|
119 | 119 | def base_filter |
|
|
120 | 120 | filter = Net::LDAP::Filter.eq("objectClass", "*") |
|
|
121 | 121 | if f = ldap_filter |
|
|
122 | 122 | filter = filter & f |
|
|
123 | 123 | end |
|
|
124 | 124 | filter |
|
|
125 | 125 | end |
|
|
126 | 126 | |
|
|
127 | 127 | def validate_filter |
|
|
128 | 128 | if filter.present? && ldap_filter.nil? |
|
|
129 | 129 | errors.add(:filter, :invalid) |
|
|
130 | 130 | end |
|
|
131 | 131 | end |
|
|
132 | 132 | |
|
|
133 | 133 | def strip_ldap_attributes |
|
|
134 | 134 | [:attr_login, :attr_firstname, :attr_lastname, :attr_mail].each do |attr| |
|
|
135 | 135 | write_attribute(attr, read_attribute(attr).strip) unless read_attribute(attr).nil? |
|
|
136 | 136 | end |
|
|
137 | 137 | end |
|
|
138 | 138 | |
|
|
139 | 139 | def initialize_ldap_con(ldap_user, ldap_password) |
|
|
140 | 140 | options = { :host => self.host, |
|
|
141 | 141 | :port => self.port, |
|
|
142 | 142 | :encryption => (self.tls ? :simple_tls : nil) |
|
|
143 | 143 | } |
|
|
144 | 144 | options.merge!(:auth => { :method => :simple, :username => ldap_user, :password => ldap_password }) unless ldap_user.blank? && ldap_password.blank? |
|
|
145 | 145 | Net::LDAP.new options |
|
|
146 | 146 | end |
|
|
147 | 147 | |
|
|
148 | 148 | def get_user_attributes_from_ldap_entry(entry) |
|
|
149 | 149 | { |
|
|
150 | 150 | :dn => entry.dn, |
|
|
151 | 151 | :firstname => AuthSourceLdap.get_attr(entry, self.attr_firstname), |
|
|
152 | 152 | :lastname => AuthSourceLdap.get_attr(entry, self.attr_lastname), |
|
|
153 | 153 | :mail => AuthSourceLdap.get_attr(entry, self.attr_mail), |
|
|
154 | 154 | :auth_source_id => self.id |
|
|
155 | 155 | } |
|
|
156 | 156 | end |
|
|
157 | 157 | |
|
|
158 | 158 | # Return the attributes needed for the LDAP search. It will only |
|
|
159 | 159 | # include the user attributes if on-the-fly registration is enabled |
|
|
160 | 160 | def search_attributes |
|
|
161 | 161 | if onthefly_register? |
|
|
162 | 162 | ['dn', self.attr_firstname, self.attr_lastname, self.attr_mail] |
|
|
163 | 163 | else |
|
|
164 | 164 | ['dn'] |
|
|
165 | 165 | end |
|
|
166 | 166 | end |
|
|
167 | 167 | |
|
|
168 | 168 | # Check if a DN (user record) authenticates with the password |
|
|
169 | 169 | def authenticate_dn(dn, password) |
|
|
170 | 170 | if dn.present? && password.present? |
|
|
171 | 171 | initialize_ldap_con(dn, password).bind |
|
|
172 | 172 | end |
|
|
173 | 173 | end |
|
|
174 | 174 | |
|
|
175 | 175 | # Get the user's dn and any attributes for them, given their login |
|
|
176 | 176 | def get_user_dn(login, password) |
|
|
177 | 177 | ldap_con = nil |
|
|
178 | 178 | if self.account && self.account.include?("$login") |
|
|
179 | 179 | ldap_con = initialize_ldap_con(self.account.sub("$login", Net::LDAP::DN.escape(login)), password) |
|
|
180 | 180 | else |
|
|
181 | 181 | ldap_con = initialize_ldap_con(self.account, self.account_password) |
|
|
182 | 182 | end |
|
|
183 | 183 | attrs = {} |
|
|
184 | 184 | search_filter = base_filter & Net::LDAP::Filter.eq(self.attr_login, login) |
|
|
185 | 185 | ldap_con.search( :base => self.base_dn, |
|
|
186 | 186 | :filter => search_filter, |
|
|
187 | 187 | :attributes=> search_attributes) do |entry| |
|
|
188 | 188 | if onthefly_register? |
|
|
189 | 189 | attrs = get_user_attributes_from_ldap_entry(entry) |
|
|
190 | 190 | else |
|
|
191 | 191 | attrs = {:dn => entry.dn} |
|
|
192 | 192 | end |
|
|
193 | 193 | logger.debug "DN found for #{login}: #{attrs[:dn]}" if logger && logger.debug? |
|
|
194 | 194 | end |
|
|
195 | 195 | attrs |
|
|
196 | 196 | end |
|
|
197 | 197 | |
|
|
198 | 198 | def self.get_attr(entry, attr_name) |
|
|
199 | 199 | if !attr_name.blank? |
|
|
200 | entry[attr_name].is_a?(Array) ? entry[attr_name].first : entry[attr_name] | |
|
|
200 | value = entry[attr_name].is_a?(Array) ? entry[attr_name].first : entry[attr_name] | |
|
|
201 | value.force_encoding('UTF-8') | |
|
|
201 | 202 | end |
|
|
202 | 203 | end |
|
|
203 | 204 | end |
General Comments 0
You need to be logged in to leave comments.
Login now