##// END OF EJS Templates
jro_apps » redmine
RSS
Fixed: LDAP authentication without password may be possible (#714)....
Jean-Philippe Lang -
r1155:b935aebd9936
parent child
Show More
Side by Side Unified
Context file:
r1155:b935aebd9936 Loading diff...:
Show file before | Show file after | Hide comments
@@ -1,82 +1,83
1 1 # redMine - project management software
2 2 # Copyright (C) 2006 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 require 'net/ldap'
19 19 require 'iconv'
20 20
21 21 class AuthSourceLdap < AuthSource
22 22 validates_presence_of :host, :port, :attr_login
23 23 validates_presence_of :attr_firstname, :attr_lastname, :attr_mail, :if => Proc.new { |a| a.onthefly_register? }
24 24
25 25 def after_initialize
26 26 self.port = 389 if self.port == 0
27 27 end
28 28
29 29 def authenticate(login, password)
30 return nil if login.blank? || password.blank?
30 31 attrs = []
31 32 # get user's DN
32 33 ldap_con = initialize_ldap_con(self.account, self.account_password)
33 34 login_filter = Net::LDAP::Filter.eq( self.attr_login, login )
34 35 object_filter = Net::LDAP::Filter.eq( "objectClass", "*" )
35 36 dn = String.new
36 37 ldap_con.search( :base => self.base_dn,
37 38 :filter => object_filter & login_filter,
38 39 # only ask for the DN if on-the-fly registration is disabled
39 40 :attributes=> (onthefly_register? ? ['dn', self.attr_firstname, self.attr_lastname, self.attr_mail] : ['dn'])) do |entry|
40 41 dn = entry.dn
41 42 attrs = [:firstname => AuthSourceLdap.get_attr(entry, self.attr_firstname),
42 43 :lastname => AuthSourceLdap.get_attr(entry, self.attr_lastname),
43 44 :mail => AuthSourceLdap.get_attr(entry, self.attr_mail),
44 45 :auth_source_id => self.id ] if onthefly_register?
45 46 end
46 47 return nil if dn.empty?
47 48 logger.debug "DN found for #{login}: #{dn}" if logger && logger.debug?
48 49 # authenticate user
49 50 ldap_con = initialize_ldap_con(dn, password)
50 51 return nil unless ldap_con.bind
51 52 # return user's attributes
52 53 logger.debug "Authentication successful for '#{login}'" if logger && logger.debug?
53 54 attrs
54 55 rescue Net::LDAP::LdapError => text
55 56 raise "LdapError: " + text
56 57 end
57 58
58 59 # test the connection to the LDAP
59 60 def test_connection
60 61 ldap_con = initialize_ldap_con(self.account, self.account_password)
61 62 ldap_con.open { }
62 63 rescue Net::LDAP::LdapError => text
63 64 raise "LdapError: " + text
64 65 end
65 66
66 67 def auth_method_name
67 68 "LDAP"
68 69 end
69 70
70 71 private
71 72 def initialize_ldap_con(ldap_user, ldap_password)
72 73 Net::LDAP.new( {:host => self.host,
73 74 :port => self.port,
74 75 :auth => { :method => :simple, :username => ldap_user, :password => ldap_password },
75 76 :encryption => (self.tls ? :simple_tls : nil)}
76 77 )
77 78 end
78 79
79 80 def self.get_attr(entry, attr_name)
80 81 entry[attr_name].is_a?(Array) ? entry[attr_name].first : entry[attr_name]
81 82 end
82 83 end
General Comments 0
You need to be logged in to leave comments. Login now