client authentication from any domain

2 weeks ago · 5b07e0ea9f
5 changed files with 310 additions and 293 deletions
--- a/README.md
+++ b/README.md
@ -1,5 +1,20 @@
 # ruby-ldapserver

+## ZOURIT-ADMIN 
+
+# dependencies
+* gem install simple_ldap_authenticator net-ldap
+
+# server
+* ruby rbslapd4.rb
+
+# client
+* ruby client.rb
+
+
+---------------
+
+
 ruby-ldapserver is a lightweight, pure Ruby framework for implementing LDAP server applications. It is intended primarily for building a gateway from LDAP queries into some other protocol or database. It does not attempt to be a full or correct implementation of the standard LDAP data model itself (although you could build one using this as a frontend).

 Since it's written entirely in Ruby, it benefits from Ruby's threading engine.
--- a/examples/client.rb
+++ b/examples/client.rb
@ -0,0 +1,12 @@
+require 'simple_ldap_authenticator'
+
+DOMAIN = 'artcode'
+TLD = 're'
+
+SimpleLdapAuthenticator.servers = ['127.0.0.1']
+SimpleLdapAuthenticator.port = 1389
+SimpleLdapAuthenticator.use_ssl = false
+# SimpleLdapAuthenticator.login_format = '%s@mydomain.com'
+SimpleLdapAuthenticator.login_format = "uid=%s,ou=Users,dc=#{DOMAIN},dc=#{TLD}"
+
+p SimpleLdapAuthenticator.valid?('admin', 'adminpassword')
--- a/examples/rbslapd4.rb
+++ b/examples/rbslapd4.rb
@ -17,8 +17,8 @@ $logger = Logger.new($stderr)

 class LDAPController
  def self.bind(request, version, dn, password, params)
-    $logger.debug "Catchall bind request"
-    raise LDAP::ResultError::UnwillingToPerform, "Invalid bind DN"
+    $logger.debug 'Catchall bind request'
+    raise LDAP::ResultError::UnwillingToPerform, 'Invalid bind DN'
  end

  def self.bindUser(request, version, dn, password, params)
@ -26,7 +26,7 @@ class LDAPController
       params[:uid] != 'admin' or
       password != 'adminpassword'
      $logger.warn "Denied access for user #{params[:uid]}: Invalid credentials"
-      raise LDAP::ResultError::InvalidCredentials, "Invalid credentials"
+      raise LDAP::ResultError::InvalidCredentials, 'Invalid credentials'
    end

    $logger.info "Authenticated user #{params[:uid]}"
@ -34,28 +34,28 @@ class LDAPController

  def self.search(request, baseObject, scope, deref, filter, params)
    $logger.info "Catchall search request for #{baseObject}"
-    raise LDAP::ResultError::UnwillingToPerform, "Invalid search DN"
+    raise LDAP::ResultError::UnwillingToPerform, 'Invalid search DN'
  end

  def self.searchUsers(request, baseObject, scope, deref, filter, params)
-    $logger.info "Search users"
+    $logger.info 'Search users'
  end
 end

 router = LDAP::Server::Router.new($logger) do
  # Different syntax but same thing
-  bind    nil => "LDAPController#bind"
-  route   :bind, nil => "LDAPController#bind"
+  bind    nil => 'LDAPController#bind'
+  route   :bind, nil => 'LDAPController#bind'

  # Bind a route using variables. A hash with the variables will be passed
  # to your function as last argument.
-  bind    "uid=:uid,ou=Users,dc=mydomain,dc=com" => "LDAPController#bindUser"
+  bind    'uid=:uid,ou=Users,dc=mydomain,dc=com' => 'LDAPController#bindUser'
+  bind    'uid=:uid,ou=Users,dc=:domain,dc=:tld' => 'LDAPController#bindUser'

-  search  nil => "LDAPController#search"
-  search  "ou=Users,dc=mydomain,dc=com" => "LDAPController#searchUsers"
+  search  nil => 'LDAPController#search'
+  search  'ou=Users,dc=mydomain,dc=com' => 'LDAPController#searchUsers'
 end

-
 # This is the shared object which carries our actual directory entries.
 # It's just a hash of {dn=>entry}, where each entry is {attr=>[val,val,...]}

@ -65,26 +65,26 @@ directory = {}

 require 'yaml'
 begin
-  File.open("ldapdb.yaml") { |f| directory = YAML::load(f.read) }
+  File.open('ldapdb.yaml') { |f| directory = YAML.load(f.read) }
 rescue Errno::ENOENT
 end

 at_exit do
-  File.open("ldapdb.new","w") { |f| f.write(YAML::dump(directory)) }
-  File.rename("ldapdb.new","ldapdb.yaml")
+  File.open('ldapdb.new', 'w') { |f| f.write(YAML.dump(directory)) }
+  File.rename('ldapdb.new', 'ldapdb.yaml')
 end

 # Listen for incoming LDAP connections. For each one, create a Connection
 # object, which will invoke a HashOperation object for each request.

 s = LDAP::Server.new(
-  :port       => 1389,
-  :nodelay    => true,
-  :listen     => 10,
-# :ssl_key_file   => "key.pem",
-# :ssl_cert_file  => "cert.pem",
-# :ssl_on_connect => true,
-  :router     => router
+  port: 1389,
+  nodelay: true,
+  listen: 10,
+  # :ssl_key_file   => "key.pem",
+  # :ssl_cert_file  => "cert.pem",
+  # :ssl_on_connect => true,
+  router: router
 )
 s.run_tcpserver
 s.join
--- a/lib/ldap/server/router.rb
+++ b/lib/ldap/server/router.rb
@ -5,11 +5,8 @@ require 'ldap/server/request'
 require 'ldap/server/filter'

 module LDAP
-class Server
-class Router
-  @logger
-  @routes
-
+  class Server
+    class Router
      # Scope
      BaseObject    = 0
      SingleLevel   = 1
@ -24,14 +21,14 @@ class Router
      def initialize(logger, &block)
        @logger = logger

-    @routes = Hash.new
+        @routes = {}
        @routes = Trie.new do |trie|
          # Add an artificial LDAP component
-      trie << "op=bind"
-      trie << "op=search"
+          trie << 'op=bind'
+          trie << 'op=search'
        end

-    self.instance_eval(&block)
+        instance_eval(&block)
      end

      def log_exception(e, level = :error)
@ -46,30 +43,29 @@ class Router
      def route(operation, hash)
        hash.each do |key, value|
          if key.nil?
-        @routes.insert "op=#{operation.to_s}", value
-        @logger.debug "map operation #{operation.to_s} all routes to #{value}"
+            @routes.insert "op=#{operation}", value
+            @logger.debug "map operation #{operation} all routes to #{value}"
          else
-        @routes.insert "#{key},op=#{operation.to_s}", value
-        @logger.debug "map #{operation.to_s} #{key} to #{value}"
+            @routes.insert "#{key},op=#{operation}", value
+            @logger.debug "map #{operation} #{key} to #{value}"
          end
        end
      end

      def method_missing(name, *args, &block)
-    if [:bind, :search, :add, :modify, :modifydn, :del, :compare].include? name
+        if %i[bind search add modify modifydn del compare].include? name
          send :route, name, *args
        else
          super
        end
      end

-
      ####################################################
      ### Methods to parse and route each request type ###
      ####################################################
      def parse_route(dn, method)
-    route, action = @routes.match("#{dn},op=#{method.to_s}")
-    if not route or route.empty?
+        route, action = @routes.match("#{dn},op=#{method}")
+        if !route or route.empty?
          @logger.warn "No route defined for \'#{route}\'"
          raise LDAP::ResultError::UnwillingToPerform
        end
@ -81,12 +77,12 @@ class Router
        class_name = action.split('#').first
        method_name = action.split('#').last

-    params = LDAP::Server::DN.new("#{dn},op=#{method.to_s}").parse(route)
+        params = LDAP::Server::DN.new("#{dn},op=#{method}").parse(route)

-    return class_name, method_name, params
+        [class_name, method_name, params]
      end

-  def do_bind(connection, messageId, protocolOp, controls) # :nodoc:
+      def do_bind(connection, messageId, protocolOp, _controls) # :nodoc:
        request = Request.new(connection, messageId)
        version = protocolOp.value[0].value
        dn = protocolOp.value[1].value
@ -102,28 +98,28 @@ class Router
        when 0
          Object.const_get(class_name).send method_name, request, version, dn, authentication.value, params
        when 3
-      mechanism = authentication.value[0].value
-      credentials = authentication.value[1].value
+          authentication.value[0].value
+          authentication.value[1].value
          # sasl_bind(version, dn, mechanism, credentials)
          # FIXME: needs to exchange further BindRequests
          # route_sasl_bind(request, version, dn, mechanism, credentials)
          raise LDAP::ResultError::AuthMethodNotSupported
        else
-      raise LDAP::ResultError::ProtocolError, "BindRequest bad AuthenticationChoice"
+          raise LDAP::ResultError::ProtocolError, 'BindRequest bad AuthenticationChoice'
        end
        request.send_BindResponse(0)
-    return dn, version
+        [dn, version]
      rescue NoMethodError => e
        log_exception e
-    request.send_BindResponse(LDAP::ResultError::OperationsError.new.to_i, :errorMessage => e.message)
-    return nil, version
+        request.send_BindResponse(LDAP::ResultError::OperationsError.new.to_i, errorMessage: e.message)
+        [nil, version]
      rescue LDAP::ResultError => e
        log_exception e
-    request.send_BindResponse(e.to_i, :errorMessage => e.message)
-    return nil, version
+        request.send_BindResponse(e.to_i, errorMessage: e.message)
+        [nil, version]
      end

-  def do_search(connection, messageId, protocolOp, controls) # :nodoc:
+      def do_search(connection, messageId, protocolOp, _controls) # :nodoc:
        request = Request.new(connection, messageId)
        server = connection.opt[:server]
        schema = connection.opt[:schema]
@ -133,8 +129,8 @@ class Router
        client_sizelimit = protocolOp.value[3].value
        client_timelimit = protocolOp.value[4].value.to_i
        request.typesOnly = protocolOp.value[5].value
-    filter = LDAP::Server::Filter::parse(protocolOp.value[6], schema)
-    request.attributes = protocolOp.value[7].value.collect {|x| x.value}
+        filter = LDAP::Server::Filter.parse(protocolOp.value[6], schema)
+        request.attributes = protocolOp.value[7].value.collect { |x| x.value }

        sizelimit = request.server_sizelimit
        sizelimit = client_sizelimit if client_sizelimit > 0 and
@ -142,7 +138,7 @@ class Router
        request.sizelimit = sizelimit

        if baseObject.empty? and scope == BaseObject
-      request.send_SearchResultEntry("", server.root_dse) if
+          request.send_SearchResultEntry('', server.root_dse) if
            server.root_dse and LDAP::Server::Filter.run(filter, server.root_dse)
          request.send_SearchResultDone(0)
          return
@ -162,15 +158,14 @@ class Router
        # Find a route in the routing tree
        class_name, method_name, params = parse_route(baseObject, :search)

-    Timeout::timeout(t, LDAP::ResultError::TimeLimitExceeded) do
+        Timeout.timeout(t, LDAP::ResultError::TimeLimitExceeded) do
          Object.const_get(class_name).send method_name, request, baseObject, scope, deref, filter, params
        end
        request.send_SearchResultDone(0)

      # Note that TimeLimitExceeded is a subclass of LDAP::ResultError
      rescue LDAP::ResultError => e
-    request.send_SearchResultDone(e.to_i, :errorMessage=>e.message)
-
+        request.send_SearchResultDone(e.to_i, errorMessage: e.message)
      rescue Abandon
      # send no response

@ -178,13 +173,11 @@ class Router
      # catch all other exceptions. Otherwise, in the event of a programming
      # error, this thread will silently terminate and the client will wait
      # forever for a response.
-
      rescue Exception => e
        log_exception e
-    request.send_SearchResultDone(LDAP::ResultError::OperationsError.new.to_i, :errorMessage=>e.message)
+        request.send_SearchResultDone(LDAP::ResultError::OperationsError.new.to_i, errorMessage: e.message)
      end

-
      ###########################################################
      ### Methods to actually perform the work requested      ###
      ### Use the signatures below to write your own handlers ###
@ -195,14 +188,14 @@ class Router
      #
      # Write your own class method using this signature

-#  def simple_bind(request, version, dn, password, params)
-#    if version != 3
-#      raise LDAP::ResultError::ProtocolError, "version 3 only"
-#    end
-#    if dn
-#      raise LDAP::ResultError::InappropriateAuthentication, "This server only supports anonymous bind"
-#    end
-#  end
+      #  def simple_bind(request, version, dn, password, params)
+      #    if version != 3
+      #      raise LDAP::ResultError::ProtocolError, "version 3 only"
+      #    end
+      #    if dn
+      #      raise LDAP::ResultError::InappropriateAuthentication, "This server only supports anonymous bind"
+      #    end
+      #  end

      # Handle a search request
      #
@ -211,10 +204,10 @@ class Router
      # typesOnly are taken care of, but you need to perform all
      # authorisation checks yourself, using @connection.binddn

-#    def search(basedn, scope, deref, filter)
-#      debug "search(#{basedn}, #{scope}, #{deref}, #{filter})"
-#      raise LDAP::ResultError::UnwillingToPerform, "search not implemented"
-#    end
-end
-end
+      #    def search(basedn, scope, deref, filter)
+      #      debug "search(#{basedn}, #{scope}, #{deref}, #{filter})"
+      #      raise LDAP::ResultError::UnwillingToPerform, "search not implemented"
+      #    end
+    end
+  end
 end
--- a/lib/ldap/server/util.rb
+++ b/lib/ldap/server/util.rb
@ -1,10 +1,8 @@
 require 'ldap/server/result'

 module LDAP
-class Server
-
+  class Server
    class Operation
-
      # Return true if connection is not authenticated

      def anonymous?
@ -33,7 +31,8 @@ class Server

      def self.split_dn(dn)
        # convert \\ to \5c, \+ to \2b etc
-      dn.gsub!(/\\([ #,+"\\<>;])/) { |match| format "\\%02x", match[1].ord }
+        p "dn=#{dn}"
+        dn.gsub!(/\\([ #,+"\\<>;])/) { |match| format '\\%02x', match[1].ord }

        # Now we know that \\ and \, do not exist, it's safe to split
        parts = dn.split(/\s*[,;]\s*/)
@ -46,13 +45,13 @@ class Server

          avs.each do |av|
            # These should all be of form attr=value
-          unless av =~ /^([^=]+)=(.*)$/
-            raise LDAP::ResultError::ProtocolError, "Bad DN component: #{av}"
-          end
-          attr, val = $1.downcase, $2
+            raise LDAP::ResultError::ProtocolError, "Bad DN component: #{av}" unless av =~ /^([^=]+)=(.*)$/
+
+            attr = ::Regexp.last_match(1).downcase
+            val = ::Regexp.last_match(2)
            # Now we can decode those bits
-          attr.gsub!(/\\([a-f0-9][a-f0-9])/i) { $1.hex.chr }
-          val.gsub!(/\\([a-f0-9][a-f0-9])/i) { $1.hex.chr }
+            attr.gsub!(/\\([a-f0-9][a-f0-9])/i) { ::Regexp.last_match(1).hex.chr }
+            val.gsub!(/\\([a-f0-9][a-f0-9])/i) { ::Regexp.last_match(1).hex.chr }
            res[attr] = val
          end
          res
@ -64,25 +63,23 @@ class Server
      # or just [attr,val]

      def self.join_dn(elements)
-      dn = ""
+        dn = ''
        elements.each do |elem|
-        av = ""
+          av = ''
          elem = [elem] if elem[0].is_a?(String)
-        elem.each do |attr,val|
-          av << "+" unless av == ""
+          elem.each do |attr, val|
+            av << '+' unless av == ''

-          av << attr << "=" <<
-                     val.sub(/^([# ])/, '\\\\\\1').
-                     sub(/( )$/, '\\\\\\1').
-                     gsub(/([,+"\\<>;])/, '\\\\\\1')
+            av << attr << '=' <<
+              val.sub(/^([# ])/, '\\\\\\1')
+                 .sub(/( )$/, '\\\\\\1')
+                 .gsub(/([,+"\\<>;])/, '\\\\\\1')
          end
-        dn << "," unless dn == ""
+          dn << ',' unless dn == ''
          dn << av
        end
        dn
      end
-
    end # class Operation
-
-end # class Server
+  end # class Server
 end # module LDAP