| @@ -1,98 +1,105 | |||
|
|
1 | 1 | # redMine - project management software |
|
|
2 | 2 | # Copyright (C) 2006 Jean-Philippe Lang |
|
|
3 | 3 | # |
|
|
4 | 4 | # This program is free software; you can redistribute it and/or |
|
|
5 | 5 | # modify it under the terms of the GNU General Public License |
|
|
6 | 6 | # as published by the Free Software Foundation; either version 2 |
|
|
7 | 7 | # of the License, or (at your option) any later version. |
|
|
8 | 8 | # |
|
|
9 | 9 | # This program is distributed in the hope that it will be useful, |
|
|
10 | 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
|
11 | 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
|
12 | 12 | # GNU General Public License for more details. |
|
|
13 | 13 | # |
|
|
14 | 14 | # You should have received a copy of the GNU General Public License |
|
|
15 | 15 | # along with this program; if not, write to the Free Software |
|
|
16 | 16 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
|
|
17 | 17 | |
|
|
18 | 18 | require 'net/ldap' |
|
|
19 | 19 | require 'iconv' |
|
|
20 | 20 | |
|
|
21 | 21 | class AuthSourceLdap < AuthSource |
|
|
22 | 22 | validates_presence_of :host, :port, :attr_login |
|
|
23 | 23 | validates_length_of :name, :host, :account_password, :maximum => 60, :allow_nil => true |
|
|
24 | 24 | validates_length_of :account, :base_dn, :maximum => 255, :allow_nil => true |
|
|
25 | 25 | validates_length_of :attr_login, :attr_firstname, :attr_lastname, :attr_mail, :maximum => 30, :allow_nil => true |
|
|
26 | 26 | validates_numericality_of :port, :only_integer => true |
|
|
27 | 27 | |
|
|
28 | 28 | before_validation :strip_ldap_attributes |
|
|
29 | 29 | |
|
|
30 | 30 | def after_initialize |
|
|
31 | 31 | self.port = 389 if self.port == 0 |
|
|
32 | 32 | end |
|
|
33 | 33 | |
|
|
34 | 34 | def authenticate(login, password) |
|
|
35 | 35 | return nil if login.blank? || password.blank? |
|
|
36 | 36 | attrs = [] |
|
|
37 | 37 | # get user's DN |
|
|
38 | 38 | ldap_con = initialize_ldap_con(self.account, self.account_password) |
|
|
39 | 39 | login_filter = Net::LDAP::Filter.eq( self.attr_login, login ) |
|
|
40 | 40 | object_filter = Net::LDAP::Filter.eq( "objectClass", "*" ) |
|
|
41 | 41 | dn = String.new |
|
|
42 | 42 | ldap_con.search( :base => self.base_dn, |
|
|
43 | 43 | :filter => object_filter & login_filter, |
|
|
44 | 44 | # only ask for the DN if on-the-fly registration is disabled |
|
|
45 | 45 | :attributes=> (onthefly_register? ? ['dn', self.attr_firstname, self.attr_lastname, self.attr_mail] : ['dn'])) do |entry| |
|
|
46 | 46 | dn = entry.dn |
|
|
47 | attrs = [:firstname => AuthSourceLdap.get_attr(entry, self.attr_firstname), | |
|
|
48 | :lastname => AuthSourceLdap.get_attr(entry, self.attr_lastname), | |
|
|
49 | :mail => AuthSourceLdap.get_attr(entry, self.attr_mail), | |
|
|
50 | :auth_source_id => self.id ] if onthefly_register? | |
|
|
47 | attrs = get_user_attributes_from_ldap_entry(entry) if onthefly_register? | |
|
|
48 | ||
|
|
51 | 49 | end |
|
|
52 | 50 | return nil if dn.empty? |
|
|
53 | 51 | logger.debug "DN found for #{login}: #{dn}" if logger && logger.debug? |
|
|
54 | 52 | # authenticate user |
|
|
55 | 53 | ldap_con = initialize_ldap_con(dn, password) |
|
|
56 | 54 | return nil unless ldap_con.bind |
|
|
57 | 55 | # return user's attributes |
|
|
58 | 56 | logger.debug "Authentication successful for '#{login}'" if logger && logger.debug? |
|
|
59 | 57 | attrs |
|
|
60 | 58 | rescue Net::LDAP::LdapError => text |
|
|
61 | 59 | raise "LdapError: " + text |
|
|
62 | 60 | end |
|
|
63 | 61 | |
|
|
64 | 62 | # test the connection to the LDAP |
|
|
65 | 63 | def test_connection |
|
|
66 | 64 | ldap_con = initialize_ldap_con(self.account, self.account_password) |
|
|
67 | 65 | ldap_con.open { } |
|
|
68 | 66 | rescue Net::LDAP::LdapError => text |
|
|
69 | 67 | raise "LdapError: " + text |
|
|
70 | 68 | end |
|
|
71 | 69 | |
|
|
72 | 70 | def auth_method_name |
|
|
73 | 71 | "LDAP" |
|
|
74 | 72 | end |
|
|
75 | 73 | |
|
|
76 | 74 | private |
|
|
77 | 75 | |
|
|
78 | 76 | def strip_ldap_attributes |
|
|
79 | 77 | [:attr_login, :attr_firstname, :attr_lastname, :attr_mail].each do |attr| |
|
|
80 | 78 | write_attribute(attr, read_attribute(attr).strip) unless read_attribute(attr).nil? |
|
|
81 | 79 | end |
|
|
82 | 80 | end |
|
|
83 | 81 | |
|
|
84 | 82 | def initialize_ldap_con(ldap_user, ldap_password) |
|
|
85 | 83 | options = { :host => self.host, |
|
|
86 | 84 | :port => self.port, |
|
|
87 | 85 | :encryption => (self.tls ? :simple_tls : nil) |
|
|
88 | 86 | } |
|
|
89 | 87 | options.merge!(:auth => { :method => :simple, :username => ldap_user, :password => ldap_password }) unless ldap_user.blank? && ldap_password.blank? |
|
|
90 | 88 | Net::LDAP.new options |
|
|
91 | 89 | end |
|
|
90 | ||
|
|
91 | def get_user_attributes_from_ldap_entry(entry) | |
|
|
92 | [ | |
|
|
93 | :firstname => AuthSourceLdap.get_attr(entry, self.attr_firstname), | |
|
|
94 | :lastname => AuthSourceLdap.get_attr(entry, self.attr_lastname), | |
|
|
95 | :mail => AuthSourceLdap.get_attr(entry, self.attr_mail), | |
|
|
96 | :auth_source_id => self.id | |
|
|
97 | ] | |
|
|
98 | end | |
|
|
92 | 99 | |
|
|
93 | 100 | def self.get_attr(entry, attr_name) |
|
|
94 | 101 | if !attr_name.blank? |
|
|
95 | 102 | entry[attr_name].is_a?(Array) ? entry[attr_name].first : entry[attr_name] |
|
|
96 | 103 | end |
|
|
97 | 104 | end |
|
|
98 | 105 | end |
| @@ -1,94 +1,97 | |||
|
|
1 | 1 | # Redmine - project management software |
|
|
2 | 2 | # Copyright (C) 2006-2008 Jean-Philippe Lang |
|
|
3 | 3 | # |
|
|
4 | 4 | # This program is free software; you can redistribute it and/or |
|
|
5 | 5 | # modify it under the terms of the GNU General Public License |
|
|
6 | 6 | # as published by the Free Software Foundation; either version 2 |
|
|
7 | 7 | # of the License, or (at your option) any later version. |
|
|
8 | 8 | # |
|
|
9 | 9 | # This program is distributed in the hope that it will be useful, |
|
|
10 | 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
|
11 | 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
|
12 | 12 | # GNU General Public License for more details. |
|
|
13 | 13 | # |
|
|
14 | 14 | # You should have received a copy of the GNU General Public License |
|
|
15 | 15 | # along with this program; if not, write to the Free Software |
|
|
16 | 16 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
|
|
17 | 17 | |
|
|
18 | 18 | require File.dirname(__FILE__) + '/../test_helper' |
|
|
19 | 19 | |
|
|
20 | 20 | class AuthSourceLdapTest < ActiveSupport::TestCase |
|
|
21 | 21 | |
|
|
22 | 22 | def setup |
|
|
23 | 23 | end |
|
|
24 | 24 | |
|
|
25 | 25 | def test_create |
|
|
26 | 26 | a = AuthSourceLdap.new(:name => 'My LDAP', :host => 'ldap.example.net', :port => 389, :base_dn => 'dc=example,dc=net', :attr_login => 'sAMAccountName') |
|
|
27 | 27 | assert a.save |
|
|
28 | 28 | end |
|
|
29 | 29 | |
|
|
30 | 30 | def test_should_strip_ldap_attributes |
|
|
31 | 31 | a = AuthSourceLdap.new(:name => 'My LDAP', :host => 'ldap.example.net', :port => 389, :base_dn => 'dc=example,dc=net', :attr_login => 'sAMAccountName', |
|
|
32 | 32 | :attr_firstname => 'givenName ') |
|
|
33 | 33 | assert a.save |
|
|
34 | 34 | assert_equal 'givenName', a.reload.attr_firstname |
|
|
35 | 35 | end |
|
|
36 | 36 | |
|
|
37 | 37 | if ldap_configured? |
|
|
38 | 38 | context '#authenticate' do |
|
|
39 | 39 | setup do |
|
|
40 | 40 | @auth = AuthSourceLdap.generate!(:name => 'on the fly', |
|
|
41 | 41 | :host => '127.0.0.1', |
|
|
42 | 42 | :port => 389, |
|
|
43 | 43 | :base_dn => 'OU=Person,DC=redmine,DC=org', |
|
|
44 | 44 | :attr_login => 'uid', |
|
|
45 | 45 | :attr_firstname => 'givenName', |
|
|
46 | 46 | :attr_lastname => 'sn', |
|
|
47 | 47 | :attr_mail => 'mail', |
|
|
48 | 48 | :onthefly_register => true) |
|
|
49 | 49 | |
|
|
50 | 50 | end |
|
|
51 | 51 | |
|
|
52 | 52 | context 'with a valid LDAP user' do |
|
|
53 | 53 | should 'return the firstname user attributes' do |
|
|
54 | 54 | response = @auth.authenticate('example1','123456') |
|
|
55 | assert response | |
|
|
55 | assert response.is_a?(Array), "An array was not returned" | |
|
|
56 | assert response.first.present?, "No user data returned" | |
|
|
56 | 57 | assert_equal 'Example', response.first[:firstname] |
|
|
57 | 58 | end |
|
|
58 | 59 | |
|
|
59 | 60 | should 'return the lastname user attributes' do |
|
|
60 | 61 | response = @auth.authenticate('example1','123456') |
|
|
61 | assert response | |
|
|
62 | assert response.is_a?(Array), "An array was not returned" | |
|
|
63 | assert response.first.present?, "No user data returned" | |
|
|
62 | 64 | assert_equal 'One', response.first[:lastname] |
|
|
63 | 65 | end |
|
|
64 | 66 | |
|
|
65 | 67 | should 'return mail user attributes' do |
|
|
66 | 68 | response = @auth.authenticate('example1','123456') |
|
|
67 | assert response | |
|
|
69 | assert response.is_a?(Array), "An array was not returned" | |
|
|
70 | assert response.first.present?, "No user data returned" | |
|
|
68 | 71 | assert_equal 'example1@redmine.org', response.first[:mail] |
|
|
69 | 72 | end |
|
|
70 | 73 | end |
|
|
71 | 74 | |
|
|
72 | 75 | context 'with an invalid LDAP user' do |
|
|
73 | 76 | should 'return nil' do |
|
|
74 | 77 | assert_equal nil, @auth.authenticate('nouser','123456') |
|
|
75 | 78 | end |
|
|
76 | 79 | end |
|
|
77 | 80 | |
|
|
78 | 81 | context 'without a login' do |
|
|
79 | 82 | should 'return nil' do |
|
|
80 | 83 | assert_equal nil, @auth.authenticate('','123456') |
|
|
81 | 84 | end |
|
|
82 | 85 | end |
|
|
83 | 86 | |
|
|
84 | 87 | context 'without a password' do |
|
|
85 | 88 | should 'return nil' do |
|
|
86 | 89 | assert_equal nil, @auth.authenticate('edavis','') |
|
|
87 | 90 | end |
|
|
88 | 91 | end |
|
|
89 | 92 | |
|
|
90 | 93 | end |
|
|
91 | 94 | else |
|
|
92 | 95 | puts '(Test LDAP server not configured)' |
|
|
93 | 96 | end |
|
|
94 | 97 | end |
General Comments 0
You need to be logged in to leave comments.
Login now