pvincent
/
rails-ldap
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

3 Commits
79d31f61c4 ... 00e4cadda6

Author SHA1 Message Date
pvincent 00e4cadda6 server2
2 weeks ago
pvincent a4581ce8d9 server
2 weeks ago
pvincent 5b07e0ea9f client authentication from any domain
2 weeks ago
8 changed files with 584 additions and 302 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats
  1. 15
      README.md
  2. 27
      examples/client.rb
  3. 22
      examples/ldapdb.yaml
  4. 46
      examples/rbslapd4.rb
  5. 153
      examples/server1.rb
  6. 93
      examples/server2.rb
  7. 397
      lib/ldap/server/router.rb
  8. 133
      lib/ldap/server/util.rb

15
README.md
View File

@ -1,5 +1,20 @@
# ruby-ldapserver # ruby-ldapserver
## ZOURIT-ADMIN
# dependencies
* gem install simple_ldap_authenticator net-ldap
# server
* ruby rbslapd4.rb
# client
* ruby client.rb
---------------
ruby-ldapserver is a lightweight, pure Ruby framework for implementing LDAP server applications. It is intended primarily for building a gateway from LDAP queries into some other protocol or database. It does not attempt to be a full or correct implementation of the standard LDAP data model itself (although you could build one using this as a frontend). ruby-ldapserver is a lightweight, pure Ruby framework for implementing LDAP server applications. It is intended primarily for building a gateway from LDAP queries into some other protocol or database. It does not attempt to be a full or correct implementation of the standard LDAP data model itself (although you could build one using this as a frontend).
Since it's written entirely in Ruby, it benefits from Ruby's threading engine. Since it's written entirely in Ruby, it benefits from Ruby's threading engine.

27
examples/client.rb
View File

@ -0,0 +1,27 @@
#!/usr/bin/env ruby
require 'simple_ldap_authenticator'
raise 'Error: 2 arguments required => email + password' if ARGV.length != 2
email = ARGV.shift
password = ARGV.shift
# puts "email=#{email}"
user = email.split('@').first
fqdn = email.split('@')[1]
fqdn_items = fqdn.split('.')
tld = fqdn_items.last
domain = fqdn_items[0..-2].join('.')
# puts "user=#{user}"
# puts "domain=#{domain}"
# puts "tld=#{tld}"
#
SimpleLdapAuthenticator.servers = ['127.0.0.1']
SimpleLdapAuthenticator.port = 1389
SimpleLdapAuthenticator.use_ssl = false
# SimpleLdapAuthenticator.login_format = '%s@mydomain.com'
SimpleLdapAuthenticator.login_format = "uid=%s,ou=Users,dc=#{domain},dc=#{tld}"
p SimpleLdapAuthenticator.valid?(user, password)

22
examples/ldapdb.yaml
View File

@ -1,17 +1,21 @@
--- ---
dc=example,dc=com:
dc=zourit,dc=re:
cn: cn:
- Top object - Top object
cn=fred flintstone,dc=example,dc=com:
cn=pvincent,dc=zourit,dc=re:
cn: cn:
- Fred Flintstone
- pvincent
sn: sn:
- Flintstone
- P.Vincent
mail: mail:
- fred@bedrock.org
- fred.flintstone@bedrock.org
cn=wilma flintstone,dc=example,dc=com:
- pvincent@zourit.re
dc=pvincent,dc=re:
cn: cn:
- Wilma Flintstone
- Top object
cn=admin,dc=pvincent,dc=re:
cn:
- admin
sn:
- Vincentdmin
mail: mail:
- wilma@bedrock.org
- admin@pvincent.re

46
examples/rbslapd4.rb
View File

@ -17,16 +17,16 @@ $logger = Logger.new($stderr)
class LDAPController class LDAPController
def self.bind(request, version, dn, password, params) def self.bind(request, version, dn, password, params)
$logger.debug "Catchall bind request"
raise LDAP::ResultError::UnwillingToPerform, "Invalid bind DN"
$logger.debug 'Catchall bind request'
raise LDAP::ResultError::UnwillingToPerform, 'Invalid bind DN'
end end
def self.bindUser(request, version, dn, password, params) def self.bindUser(request, version, dn, password, params)
if params[:uid].nil? or if params[:uid].nil? or
params[:uid] != 'admin' or
password != 'adminpassword'
params[:uid] != 'admin' or
password != 'adminpassword'
$logger.warn "Denied access for user #{params[:uid]}: Invalid credentials" $logger.warn "Denied access for user #{params[:uid]}: Invalid credentials"
raise LDAP::ResultError::InvalidCredentials, "Invalid credentials"
raise LDAP::ResultError::InvalidCredentials, 'Invalid credentials'
end end
$logger.info "Authenticated user #{params[:uid]}" $logger.info "Authenticated user #{params[:uid]}"
@ -34,28 +34,28 @@ class LDAPController
def self.search(request, baseObject, scope, deref, filter, params) def self.search(request, baseObject, scope, deref, filter, params)
$logger.info "Catchall search request for #{baseObject}" $logger.info "Catchall search request for #{baseObject}"
raise LDAP::ResultError::UnwillingToPerform, "Invalid search DN"
raise LDAP::ResultError::UnwillingToPerform, 'Invalid search DN'
end end
def self.searchUsers(request, baseObject, scope, deref, filter, params) def self.searchUsers(request, baseObject, scope, deref, filter, params)
$logger.info "Search users"
$logger.info 'Search users'
end end
end end
router = LDAP::Server::Router.new($logger) do router = LDAP::Server::Router.new($logger) do
# Different syntax but same thing # Different syntax but same thing
bind nil => "LDAPController#bind"
route :bind, nil => "LDAPController#bind"
bind nil => 'LDAPController#bind'
route :bind, nil => 'LDAPController#bind'
# Bind a route using variables. A hash with the variables will be passed # Bind a route using variables. A hash with the variables will be passed
# to your function as last argument. # to your function as last argument.
bind "uid=:uid,ou=Users,dc=mydomain,dc=com" => "LDAPController#bindUser"
# bind 'uid=:uid,ou=Users,dc=mydomain,dc=com' => 'LDAPController#bindUser'
bind 'uid=:uid,ou=Users,dc=:domain,dc=:tld' => 'LDAPController#bindUser'
search nil => "LDAPController#search"
search "ou=Users,dc=mydomain,dc=com" => "LDAPController#searchUsers"
search nil => 'LDAPController#search'
search 'ou=Users,dc=mydomain,dc=com' => 'LDAPController#searchUsers'
end end
# This is the shared object which carries our actual directory entries. # This is the shared object which carries our actual directory entries.
# It's just a hash of {dn=>entry}, where each entry is {attr=>[val,val,...]} # It's just a hash of {dn=>entry}, where each entry is {attr=>[val,val,...]}
@ -65,26 +65,26 @@ directory = {}
require 'yaml' require 'yaml'
begin begin
File.open("ldapdb.yaml") { |f| directory = YAML::load(f.read) }
File.open('ldapdb.yaml') { |f| directory = YAML.load(f.read) }
rescue Errno::ENOENT rescue Errno::ENOENT
end end
at_exit do at_exit do
File.open("ldapdb.new","w") { |f| f.write(YAML::dump(directory)) }
File.rename("ldapdb.new","ldapdb.yaml")
File.open('ldapdb.new', 'w') { |f| f.write(YAML.dump(directory)) }
File.rename('ldapdb.new', 'ldapdb.yaml')
end end
# Listen for incoming LDAP connections. For each one, create a Connection # Listen for incoming LDAP connections. For each one, create a Connection
# object, which will invoke a HashOperation object for each request. # object, which will invoke a HashOperation object for each request.
s = LDAP::Server.new( s = LDAP::Server.new(
:port => 1389,
:nodelay => true,
:listen => 10,
# :ssl_key_file => "key.pem",
# :ssl_cert_file => "cert.pem",
# :ssl_on_connect => true,
:router => router
port: 1389,
nodelay: true,
listen: 10,
# :ssl_key_file => "key.pem",
# :ssl_cert_file => "cert.pem",
# :ssl_on_connect => true,
router: router
) )
s.run_tcpserver s.run_tcpserver
s.join s.join

153
examples/server1.rb
View File

@ -0,0 +1,153 @@
#!/usr/bin/env ruby
# This is a modified version of rbslapd1.rb which uses a Router instead of
# subclassing the LDAP::Server::Operation class.
# This is a trivial LDAP server which just stores directory entries in RAM.
# It does no validation or authentication. This is intended just to
# demonstrate the API, it's not for real-world use!!
$:.unshift('../lib')
$debug = false
require 'ldap/server'
require 'ldap/server/router'
$logger = Logger.new($stderr)
class HashOperation < LDAP::Server::Operation
def initialize
super
@hash = YAML.load_from_file('ldapdbp.yaml') # an object reference to our directory data
end
def search(basedn, scope, deref, filter)
basedn = basedn.downcase
case scope
when LDAP::Server::BaseObject
# client asked for single object by DN
obj = @hash[basedn]
raise LDAP::ResultError::NoSuchObject unless obj
send_SearchResultEntry(basedn, obj) if LDAP::Server::Filter.run(filter, obj)
when LDAP::Server::WholeSubtree
@hash.each do |dn, av|
next unless dn.index(basedn, -basedn.length) # under basedn?
next unless LDAP::Server::Filter.run(filter, av) # attribute filter?
send_SearchResultEntry(dn, av)
end
else
raise LDAP::ResultError::UnwillingToPerform, 'OneLevel not implemented'
end
end
end
class LDAPController
def initialize
@directory = {}
File.open('ldapdb.yaml') { |f| @directory = YAML.load(f.read) }
end
def self.bind(request, version, dn, password, params)
$logger.debug 'Catchall bind request'
raise LDAP::ResultError::UnwillingToPerform, 'Invalid bind DN'
end
def self.bindUser(request, version, dn, password, params)
user = params[:uid]
domain = params[:domain]
tld = params[:tld]
# p "bindUser user=#{user} dn=#{dn}, password=#{password}, params=#{params}"
if user.length < 2
$logger.warn "Denied access for user #{user}: Size < 2"
raise LDAP::ResultError::InvalidCredentials, 'Invalid credentials'
end
$logger.info "Authenticated email=#{user}@#{domain}.#{tld} with password=<ANY>"
end
def self.searchUsers(request, baseObject, scope, deref, filter, params)
$logger.info 'Search users'
domain = params[:domain]
tld = params[:tld]
basedn = "#{domain}.#{tld}"
operation = HashOperation.new
case scope
when LDAP::Server::BaseObject
# client asked for single object by DN
obj = directory
raise LDAP::ResultError::NoSuchObject unless obj
operation.send_SearchResultEntry(basedn, obj) if LDAP::Server::Filter.run(filter, obj)
when LDAP::Server::WholeSubtree
directory.each do |dn, av|
next unless dn.index(basedn, -basedn.length) # under basedn?
next unless LDAP::Server::Filter.run(filter, av) # attribute filter?
operation.send_SearchResultEntry(dn, av)
end
else
raise LDAP::ResultError::UnwillingToPerform, 'OneLevel not implemented'
end
end
end
router = LDAP::Server::Router.new($logger) do
# Different syntax but same thing
# bind nil => 'LDAPController#bind'
# route :bind, nil => 'LDAPController#bind'
# Bind a route using variables. A hash with the variables will be passed
# to your function as last argument.
# bind 'uid=:uid,ou=Users,dc=mydomain,dc=com' => 'LDAPController#bindUser'
bind 'uid=:uid,dc=:domain,dc=:tld' => 'LDAPController#bindUser'
search 'dc=:domain,dc=:tld' => 'LDAPController#searchUsers'
# search nil => 'LDAPController#search'
# search 'ou=Users,dc=mydomain,dc=com' => 'LDAPController#searchUsers'
end
# This is the shared object which carries our actual directory entries.
# It's just a hash of {dn=>entry}, where each entry is {attr=>[val,val,...]}
directory = {}
# Let's put some backing store on it
require 'yaml'
begin
File.open('ldapdb.yaml') { |f| directory = YAML.load(f.read) }
rescue Errno::ENOENT
end
at_exit do
File.open('ldapdb.new', 'w') { |f| f.write(YAML.dump(directory)) }
File.rename('ldapdb.new', 'ldapdb.yaml')
end
# Listen for incoming LDAP connections. For each one, create a Connection
# object, which will invoke a HashOperation object for each request.
s = LDAP::Server.new(
port: 1389,
nodelay: true,
listen: 10,
# :ssl_key_file => "key.pem",
# :ssl_cert_file => "cert.pem",
# :ssl_on_connect => true,
router: router
)
s.run_tcpserver
s.join

93
examples/server2.rb
View File

@ -0,0 +1,93 @@
#!/usr/bin/env ruby
$:.unshift('lib')
$debug = true
require 'ldap/server'
$logger = Logger.new($stderr)
# We subclass the Operation class, overriding the methods to do what we need
class HashOperation < LDAP::Server::Operation
def initialize(connection, messageID, hash)
super(connection, messageID)
@hash = hash # an object reference to our directory data
end
# ici, c'est bizarre
# systèmatiquement appelé (SEARCH ou AUTH)
# du coup, je retourne super si pas de dn => SEARCH normal sans authentication
# sinon ça passe aussi !!!
def do_bind(protocolOp, controls) # :nodoc:
dn = protocolOp.value[1].value
dn = nil if dn == ''
return super if dn.nil?
version = protocolOp.value[0].value
authentication = protocolOp.value[2]
password = authentication.value
$logger.info("AUTHENTICATION ..version=#{version}, dn=#{dn}")
super
end
# def simple_bind(version, dn, password)
# super.simple_bind(version, dn, password)
# $logger.info("SIMPLE BIND...version=#{version}, dn=#{dn}")
#
# raise LDAP::ResultError::ProtocolError, 'version 3 only' if version != 3
# raise LDAP::ResultError::InvalidCredentials, 'Invalid credentials' if password.nil? || password == ''
#
# $logger.info('authentication SUCCESS')
# end
#
def search(basedn, scope, deref, filter)
$logger.info("SEARCHING...basedn=#{basedn}, scope=#{scope}, deref=#{deref}, filter=#{filter}")
basedn = basedn.downcase
result = nil
case scope
when LDAP::Server::BaseObject
# client asked for single object by DN
obj = @hash[basedn]
raise LDAP::ResultError::NoSuchObject unless obj
result = send_SearchResultEntry(basedn, obj) if LDAP::Server::Filter.run(filter, obj)
when LDAP::Server::WholeSubtree
@hash.each do |dn, av|
next unless dn.index(basedn, -basedn.length) # under basedn?
next unless LDAP::Server::Filter.run(filter, av) # attribute filter?
result = send_SearchResultEntry(dn, av)
end
else
raise LDAP::ResultError::UnwillingToPerform, 'OneLevel not implemented'
end
$logger.info "result=#{result}"
result
end
end
# This is the shared object which carries our actual directory entries.
# It's just a hash of {dn=>entry}, where each entry is {attr=>[val,val,...]}
directory = {}
require 'yaml'
File.open('examples/ldapdb.yaml') { |f| directory = YAML.load(f.read) }
$logger.info("DIRECTORY=#{directory}")
# Listen for incoming LDAP connections. For each one, create a Connection
# object, which will invoke a HashOperation object for each request.
s = LDAP::Server.new(
port: 1389,
nodelay: true,
listen: 10,
operation_class: HashOperation,
operation_args: [directory]
)
$logger.info('server2 RUNNING...')
s.run_tcpserver
s.join

397
lib/ldap/server/router.rb
View File

@ -5,216 +5,209 @@ require 'ldap/server/request'
require 'ldap/server/filter' require 'ldap/server/filter'
module LDAP module LDAP
class Server
class Router
@logger
@routes
# Scope
BaseObject = 0
SingleLevel = 1
WholeSubtree = 2
# DerefAliases
NeverDerefAliases = 0
DerefInSearching = 1
DerefFindingBaseObj = 2
DerefAlways = 3
def initialize(logger, &block)
@logger = logger
@routes = Hash.new
@routes = Trie.new do |trie|
# Add an artificial LDAP component
trie << "op=bind"
trie << "op=search"
end
self.instance_eval(&block)
end
def log_exception(e, level = :error)
@logger.send level, e.message
e.backtrace.each { |line| @logger.send level, "\tfrom#{line}" } if e.backtrace
end
######################
### Initialization ###
######################
def route(operation, hash)
hash.each do |key, value|
if key.nil?
@routes.insert "op=#{operation.to_s}", value
@logger.debug "map operation #{operation.to_s} all routes to #{value}"
else
@routes.insert "#{key},op=#{operation.to_s}", value
@logger.debug "map #{operation.to_s} #{key} to #{value}"
class Server
class Router
# Scope
BaseObject = 0
SingleLevel = 1
WholeSubtree = 2
# DerefAliases
NeverDerefAliases = 0
DerefInSearching = 1
DerefFindingBaseObj = 2
DerefAlways = 3
def initialize(logger, &block)
@logger = logger
@routes = {}
@routes = Trie.new do |trie|
# Add an artificial LDAP component
trie << 'op=bind'
trie << 'op=search'
end
instance_eval(&block)
end end
end
end
def method_missing(name, *args, &block)
if [:bind, :search, :add, :modify, :modifydn, :del, :compare].include? name
send :route, name, *args
else
super
end
end
####################################################
### Methods to parse and route each request type ###
####################################################
def parse_route(dn, method)
route, action = @routes.match("#{dn},op=#{method.to_s}")
if not route or route.empty?
@logger.warn "No route defined for \'#{route}\'"
raise LDAP::ResultError::UnwillingToPerform
end
if action.nil?
@logger.error "No action defined for route \'#{route}\'"
raise LDAP::ResultError::UnwillingToPerform
end
class_name = action.split('#').first
method_name = action.split('#').last
params = LDAP::Server::DN.new("#{dn},op=#{method.to_s}").parse(route)
return class_name, method_name, params
end
def log_exception(e, level = :error)
@logger.send level, e.message
e.backtrace.each { |line| @logger.send level, "\tfrom#{line}" } if e.backtrace
end
def do_bind(connection, messageId, protocolOp, controls) # :nodoc:
request = Request.new(connection, messageId)
version = protocolOp.value[0].value
dn = protocolOp.value[1].value
dn = nil if dn.empty?
authentication = protocolOp.value[2]
@logger.debug "subject:#{connection.binddn} predicate:bind object:#{dn}"
# Find a route in the routing tree
class_name, method_name, params = parse_route(dn, :bind)
case authentication.tag # tag_class == :CONTEXT_SPECIFIC (check why)
when 0
Object.const_get(class_name).send method_name, request, version, dn, authentication.value, params
when 3
mechanism = authentication.value[0].value
credentials = authentication.value[1].value
# sasl_bind(version, dn, mechanism, credentials)
# FIXME: needs to exchange further BindRequests
# route_sasl_bind(request, version, dn, mechanism, credentials)
raise LDAP::ResultError::AuthMethodNotSupported
else
raise LDAP::ResultError::ProtocolError, "BindRequest bad AuthenticationChoice"
end
request.send_BindResponse(0)
return dn, version
rescue NoMethodError => e
log_exception e
request.send_BindResponse(LDAP::ResultError::OperationsError.new.to_i, :errorMessage => e.message)
return nil, version
rescue LDAP::ResultError => e
log_exception e
request.send_BindResponse(e.to_i, :errorMessage => e.message)
return nil, version
end
######################
### Initialization ###
######################
def route(operation, hash)
hash.each do |key, value|
if key.nil?
@routes.insert "op=#{operation}", value
@logger.debug "map operation #{operation} all routes to #{value}"
else
@routes.insert "#{key},op=#{operation}", value
@logger.debug "map #{operation} #{key} to #{value}"
end
end
end
def do_search(connection, messageId, protocolOp, controls) # :nodoc:
request = Request.new(connection, messageId)
server = connection.opt[:server]
schema = connection.opt[:schema]
baseObject = protocolOp.value[0].value
scope = protocolOp.value[1].value
deref = protocolOp.value[2].value
client_sizelimit = protocolOp.value[3].value
client_timelimit = protocolOp.value[4].value.to_i
request.typesOnly = protocolOp.value[5].value
filter = LDAP::Server::Filter::parse(protocolOp.value[6], schema)
request.attributes = protocolOp.value[7].value.collect {|x| x.value}
sizelimit = request.server_sizelimit
sizelimit = client_sizelimit if client_sizelimit > 0 and
(sizelimit.nil? or client_sizelimit < sizelimit)
request.sizelimit = sizelimit
if baseObject.empty? and scope == BaseObject
request.send_SearchResultEntry("", server.root_dse) if
server.root_dse and LDAP::Server::Filter.run(filter, server.root_dse)
request.send_SearchResultDone(0)
return
elsif schema and baseObject == schema.subschema_dn
request.send_SearchResultEntry(baseObject, schema.subschema_subentry) if
schema and schema.subschema_subentry and
LDAP::Server::Filter.run(filter, schema.subschema_subentry)
request.send_SearchResultDone(0)
return
end
def method_missing(name, *args, &block)
if %i[bind search add modify modifydn del compare].include? name
send :route, name, *args
else
super
end
end
t = request.server_timelimit || 10
t = client_timelimit if client_timelimit > 0 and client_timelimit < t
####################################################
### Methods to parse and route each request type ###
####################################################
def parse_route(dn, method)
route, action = @routes.match("#{dn},op=#{method}")
if !route or route.empty?
@logger.warn "No route defined for \'#{route}\'"
raise LDAP::ResultError::UnwillingToPerform
end
if action.nil?
@logger.error "No action defined for route \'#{route}\'"
raise LDAP::ResultError::UnwillingToPerform
end
class_name = action.split('#').first
method_name = action.split('#').last
params = LDAP::Server::DN.new("#{dn},op=#{method}").parse(route)
[class_name, method_name, params]
end
@logger.debug "subject:#{connection.binddn} predicate:search object:#{baseObject}"
def do_bind(connection, messageId, protocolOp, _controls) # :nodoc:
request = Request.new(connection, messageId)
version = protocolOp.value[0].value
dn = protocolOp.value[1].value
dn = nil if dn.empty?
authentication = protocolOp.value[2]
@logger.debug "subject:#{connection.binddn} predicate:bind object:#{dn}"
# Find a route in the routing tree
class_name, method_name, params = parse_route(dn, :bind)
case authentication.tag # tag_class == :CONTEXT_SPECIFIC (check why)
when 0
Object.const_get(class_name).send method_name, request, version, dn, authentication.value, params
when 3
authentication.value[0].value
authentication.value[1].value
# sasl_bind(version, dn, mechanism, credentials)
# FIXME: needs to exchange further BindRequests
# route_sasl_bind(request, version, dn, mechanism, credentials)
raise LDAP::ResultError::AuthMethodNotSupported
else
raise LDAP::ResultError::ProtocolError, 'BindRequest bad AuthenticationChoice'
end
request.send_BindResponse(0)
[dn, version]
rescue NoMethodError => e
log_exception e
request.send_BindResponse(LDAP::ResultError::OperationsError.new.to_i, errorMessage: e.message)
[nil, version]
rescue LDAP::ResultError => e
log_exception e
request.send_BindResponse(e.to_i, errorMessage: e.message)
[nil, version]
end
# Find a route in the routing tree
class_name, method_name, params = parse_route(baseObject, :search)
def do_search(connection, messageId, protocolOp, _controls) # :nodoc:
request = Request.new(connection, messageId)
server = connection.opt[:server]
schema = connection.opt[:schema]
baseObject = protocolOp.value[0].value
scope = protocolOp.value[1].value
deref = protocolOp.value[2].value
client_sizelimit = protocolOp.value[3].value
client_timelimit = protocolOp.value[4].value.to_i
request.typesOnly = protocolOp.value[5].value
filter = LDAP::Server::Filter.parse(protocolOp.value[6], schema)
request.attributes = protocolOp.value[7].value.collect { |x| x.value }
sizelimit = request.server_sizelimit
sizelimit = client_sizelimit if client_sizelimit > 0 and
(sizelimit.nil? or client_sizelimit < sizelimit)
request.sizelimit = sizelimit
if baseObject.empty? and scope == BaseObject
request.send_SearchResultEntry('', server.root_dse) if
server.root_dse and LDAP::Server::Filter.run(filter, server.root_dse)
request.send_SearchResultDone(0)
return
elsif schema and baseObject == schema.subschema_dn
request.send_SearchResultEntry(baseObject, schema.subschema_subentry) if
schema and schema.subschema_subentry and
LDAP::Server::Filter.run(filter, schema.subschema_subentry)
request.send_SearchResultDone(0)
return
end
t = request.server_timelimit || 10
t = client_timelimit if client_timelimit > 0 and client_timelimit < t
@logger.debug "subject:#{connection.binddn} predicate:search object:#{baseObject}"
# Find a route in the routing tree
class_name, method_name, params = parse_route(baseObject, :search)
Timeout.timeout(t, LDAP::ResultError::TimeLimitExceeded) do
Object.const_get(class_name).send method_name, request, baseObject, scope, deref, filter, params
end
request.send_SearchResultDone(0)
# Note that TimeLimitExceeded is a subclass of LDAP::ResultError
rescue LDAP::ResultError => e
request.send_SearchResultDone(e.to_i, errorMessage: e.message)
rescue Abandon
# send no response
# Since this Operation is running in its own thread, we have to
# catch all other exceptions. Otherwise, in the event of a programming
# error, this thread will silently terminate and the client will wait
# forever for a response.
rescue Exception => e
log_exception e
request.send_SearchResultDone(LDAP::ResultError::OperationsError.new.to_i, errorMessage: e.message)
end
Timeout::timeout(t, LDAP::ResultError::TimeLimitExceeded) do
Object.const_get(class_name).send method_name, request, baseObject, scope, deref, filter, params
###########################################################
### Methods to actually perform the work requested ###
### Use the signatures below to write your own handlers ###
###########################################################
# Handle a simple bind request; raise an exception if the bind is
# not acceptable, otherwise just return to accept the bind.
#
# Write your own class method using this signature
# def simple_bind(request, version, dn, password, params)
# if version != 3
# raise LDAP::ResultError::ProtocolError, "version 3 only"
# end
# if dn
# raise LDAP::ResultError::InappropriateAuthentication, "This server only supports anonymous bind"
# end
# end
# Handle a search request
#
# Call request. send_SearchResultEntry for each result found. Raise
# an exception if there is a problem. timeLimit, sizeLimit and
# typesOnly are taken care of, but you need to perform all
# authorisation checks yourself, using @connection.binddn
# def search(basedn, scope, deref, filter)
# debug "search(#{basedn}, #{scope}, #{deref}, #{filter})"
# raise LDAP::ResultError::UnwillingToPerform, "search not implemented"
# end
end end
request.send_SearchResultDone(0)
# Note that TimeLimitExceeded is a subclass of LDAP::ResultError
rescue LDAP::ResultError => e
request.send_SearchResultDone(e.to_i, :errorMessage=>e.message)
rescue Abandon
# send no response
# Since this Operation is running in its own thread, we have to
# catch all other exceptions. Otherwise, in the event of a programming
# error, this thread will silently terminate and the client will wait
# forever for a response.
rescue Exception => e
log_exception e
request.send_SearchResultDone(LDAP::ResultError::OperationsError.new.to_i, :errorMessage=>e.message)
end end
###########################################################
### Methods to actually perform the work requested ###
### Use the signatures below to write your own handlers ###
###########################################################
# Handle a simple bind request; raise an exception if the bind is
# not acceptable, otherwise just return to accept the bind.
#
# Write your own class method using this signature
# def simple_bind(request, version, dn, password, params)
# if version != 3
# raise LDAP::ResultError::ProtocolError, "version 3 only"
# end
# if dn
# raise LDAP::ResultError::InappropriateAuthentication, "This server only supports anonymous bind"
# end
# end
# Handle a search request
#
# Call request. send_SearchResultEntry for each result found. Raise
# an exception if there is a problem. timeLimit, sizeLimit and
# typesOnly are taken care of, but you need to perform all
# authorisation checks yourself, using @connection.binddn
# def search(basedn, scope, deref, filter)
# debug "search(#{basedn}, #{scope}, #{deref}, #{filter})"
# raise LDAP::ResultError::UnwillingToPerform, "search not implemented"
# end
end
end
end end

133
lib/ldap/server/util.rb
View File

@ -1,88 +1,85 @@
require 'ldap/server/result' require 'ldap/server/result'
module LDAP module LDAP
class Server
class Server
class Operation
# Return true if connection is not authenticated
class Operation
# Return true if connection is not authenticated
def anonymous?
@connection.binddn.nil?
end
def anonymous?
@connection.binddn.nil?
end
# Split dn string into its component parts, returning
# [ {attr=>val}, {attr=>val}, ... ]
#
# This is pretty horrible legacy stuff from X500; see RFC2253 for the
# full gore. It's stupid that the LDAP protocol sends the DN in string
# form, rather than in ASN1 form (as it does with search filters, for
# example), even though the DN syntax is defined in terms of ASN1!
#
# Attribute names are downcased, but values are not. For any
# case-insensitive attributes it's up to you to downcase them.
#
# Note that only v2 clients should add extra space around the comma.
# This is accepted, and so is semicolon instead of comma, but the
# full RFC1779 backwards-compatibility rules (e.g. quoted values)
# are not implemented.
#
# I *think* these functions will work correctly with UTF8-encoded
# characters, given that a multibyte UTF8 character does not contain
# the bytes 00-7F and therefore we cannot confuse '\', '+' etc
# Split dn string into its component parts, returning
# [ {attr=>val}, {attr=>val}, ... ]
#
# This is pretty horrible legacy stuff from X500; see RFC2253 for the
# full gore. It's stupid that the LDAP protocol sends the DN in string
# form, rather than in ASN1 form (as it does with search filters, for
# example), even though the DN syntax is defined in terms of ASN1!
#
# Attribute names are downcased, but values are not. For any
# case-insensitive attributes it's up to you to downcase them.
#
# Note that only v2 clients should add extra space around the comma.
# This is accepted, and so is semicolon instead of comma, but the
# full RFC1779 backwards-compatibility rules (e.g. quoted values)
# are not implemented.
#
# I *think* these functions will work correctly with UTF8-encoded
# characters, given that a multibyte UTF8 character does not contain
# the bytes 00-7F and therefore we cannot confuse '\', '+' etc
def self.split_dn(dn)
# convert \\ to \5c, \+ to \2b etc
p "dn=#{dn}"
dn.gsub!(/\\([ #,+"\\<>;])/) { |match| format '\\%02x', match[1].ord }
def self.split_dn(dn)
# convert \\ to \5c, \+ to \2b etc
dn.gsub!(/\\([ #,+"\\<>;])/) { |match| format "\\%02x", match[1].ord }
# Now we know that \\ and \, do not exist, it's safe to split
parts = dn.split(/\s*[,;]\s*/)
# Now we know that \\ and \, do not exist, it's safe to split
parts = dn.split(/\s*[,;]\s*/)
parts.collect do |part|
res = {}
parts.collect do |part|
res = {}
# Split each part into attr=val+attr=val
avs = part.split(/\+/)
# Split each part into attr=val+attr=val
avs = part.split(/\+/)
avs.each do |av|
# These should all be of form attr=value
raise LDAP::ResultError::ProtocolError, "Bad DN component: #{av}" unless av =~ /^([^=]+)=(.*)$/
avs.each do |av|
# These should all be of form attr=value
unless av =~ /^([^=]+)=(.*)$/
raise LDAP::ResultError::ProtocolError, "Bad DN component: #{av}"
attr = ::Regexp.last_match(1).downcase
val = ::Regexp.last_match(2)
# Now we can decode those bits
attr.gsub!(/\\([a-f0-9][a-f0-9])/i) { ::Regexp.last_match(1).hex.chr }
val.gsub!(/\\([a-f0-9][a-f0-9])/i) { ::Regexp.last_match(1).hex.chr }
res[attr] = val
end end
attr, val = $1.downcase, $2
# Now we can decode those bits
attr.gsub!(/\\([a-f0-9][a-f0-9])/i) { $1.hex.chr }
val.gsub!(/\\([a-f0-9][a-f0-9])/i) { $1.hex.chr }
res[attr] = val
res
end end
res
end end
end
# Reverse of split_dn. Join [elements...]
# where each element can be {attr=>val,...} or [[attr,val],...]
# or just [attr,val]
# Reverse of split_dn. Join [elements...]
# where each element can be {attr=>val,...} or [[attr,val],...]
# or just [attr,val]
def self.join_dn(elements)
dn = ""
elements.each do |elem|
av = ""
elem = [elem] if elem[0].is_a?(String)
elem.each do |attr,val|
av << "+" unless av == ""
def self.join_dn(elements)
dn = ''
elements.each do |elem|
av = ''
elem = [elem] if elem[0].is_a?(String)
elem.each do |attr, val|
av << '+' unless av == ''
av << attr << "=" <<
val.sub(/^([# ])/, '\\\\\\1').
sub(/( )$/, '\\\\\\1').
gsub(/([,+"\\<>;])/, '\\\\\\1')
av << attr << '=' <<
val.sub(/^([# ])/, '\\\\\\1')
.sub(/( )$/, '\\\\\\1')
.gsub(/([,+"\\<>;])/, '\\\\\\1')
end
dn << ',' unless dn == ''
dn << av
end end
dn << "," unless dn == ""
dn << av
dn
end end
dn
end
end # class Operation
end # class Server
end # class Operation
end # class Server
end # module LDAP end # module LDAP
Write Preview
Loading…
Cancel
Save