Basic LDAP auth functionality

commit 5344e2050a73ca6ad4aa898db6663600f0cd4ed8 1 parent 5506e09
@adamhjk authored
7 app/controllers/sessions_controller.rb
@@ -10,7 +10,12 @@ def new
def create
if params[:login] != UUIDREGEX
- self.current_user = User.authenticate(params[:login], params[:password])
+ dbuser = User.authenticate(params[:login], params[:password])
+ if dbuser
+ self.current_user = dbuser
+ else
+ self.current_user = LDAPUser.authenticate(params[:login], params[:password])
+ end
else
logger.info("Attempt to log in to the web interface with a Node UUID (#{params[:login]})!")
self.current_user = nil
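Review bot: The new `dbuser` fallback runs under the pre-existing guard `if params[:login] != UUIDREGEX`, which compares a String with a Regexp and is therefore always true, so the UUID branch below it never fires and node-UUID logins now reach User.authenticate and then an LDAP bind as well. The sibling code in login_from_basic_auth tests the same thing with `=~`; this guard should read `if params[:login] !~ UUIDREGEX`. Note also that the fallback is taken whenever User.authenticate returns nil, including for a login that exists locally but was given a wrong password, so that password is then forwarded to the directory in a bind — if that ordering is intended, say so with a comment such as `# Local accounts win; LDAP is only consulted when the local check fails`. create's body continues outside the hunk.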
93 app/models/ldap_user.rb
@@ -0,0 +1,93 @@
+class LDAPUser
+ require 'net/ldap'
+
+ attr_accessor :login, :readwrite
+
+ def initialize(args)
+ @login = args[:login]
+ @readwrite = args[:readwrite]
+ end
+
+ # Authenticates a user by their login name and unencrypted password. Returns the user or nil.
+ def self.authenticate(login, password)
+ self.bind_as?(login,password)
+ end
+
+ def self.bind_as?(login, password)
+ return nil if IC_CONFIG["use_ldap"] != true
+
+ ldap = LDAPUser.ldap_setup()
+ result = ldap.bind_as(
+ :base => ldap_config("auth_basedn"),
+ :filter => sprintf(ldap_config("auth_query"), login),
+ :password => password
+ )
+ if result
+ readwrite = authz_lookup(ldap, login)
+ LDAPUser.new(
+ :login => login,
+ :readwrite => readwrite
+ )
+ else
+ nil
+ end
+ end
+
+ def id
+ @login
+ end
+
+ def forget_me
+ true
+ end
+
+ def self.find_by_id(login)
+ return nil if IC_CONFIG["use_ldap"] != true
+
+ ldap = LDAPUser.ldap_setup()
+ puts sprintf(ldap_config("auth_query"), login)
+ result = ldap.search(
+ :base => ldap_config("auth_basedn"),
+ :filter => sprintf(ldap_config("auth_query"), login)
+ )
+ if result
+ readwrite = authz_lookup(ldap, login)
+ LDAPUser.new(
+ :login => login,
+ :readwrite => readwrite
+ )
+ else
+ nil
+ end
+ end
+
+ def self.authz_lookup(ldap, login)
+ readwrite = ldap_config("authz_default") == "readwrite" ? true : false
+ if ldap_config("authz_use_lookup") == true
+ ar = ldap.search(
+ :base => ldap_config("authz_basedn"),
+ :filter => sprintf(ldap_config("authz_query"), login)
+ )
+ readwrite = ar ? true : false
+ end
+ readwrite
+ end
+
+ def self.ldap_setup()
+ ldap = Net::LDAP.new(
+ :host => ldap_config("host"),
+ :port => ldap_config("port"),
+ :base => ldap_config("auth_basedn")
+ )
+ ldap.encryption = :simple_tls if ldap_config("start_tls") == "true"
+ if ldap_config("auth_needs_bind")
+ ldap.authenticate(ldap_config("auth_bind_dn"), ldap_config("auth_bind_pw"))
+ end
+ ldap
+ end
+
+ def self.ldap_config(field)
+ IC_CONFIG["ldap_config"][field]
+ end
+
+end
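Review bot: `if result` in find_by_id and `readwrite = ar ? true : false` in authz_lookup treat an empty search result as a match: Net::LDAP#search returns an Array of entries when the query completes (empty when nothing matched) and `[]` is truthy in Ruby, so find_by_id rebuilds an LDAPUser for whatever login the session holds without a directory hit, and authz_lookup grants readwrite to every LDAP user as soon as authz_use_lookup is on. Test the entries instead: `if result && !result.empty?` in find_by_id and `readwrite = ar ? !ar.empty? : false` in authz_lookup. The submitted login is also formatted into both filters unescaped via `sprintf(ldap_config("auth_query"), login)`, so filter metacharacters in it change the query; escape it with `Net::LDAP::Filter.escape(login)` if the bundled net-ldap provides it, otherwise reject logins outside the expected character set before formatting. `ldap.encryption = :simple_tls if ldap_config("start_tls") == "true"` compares against a string while the neighbouring keys are tested as YAML booleans (`use_ldap != true`, `authz_use_lookup == true`), so a `start_tls: true` entry never turns encryption on and the password handed to bind_as crosses to port 389 in clear; compare with `== true`, and note that Net::LDAP names LDAPS `:simple_tls` and StartTLS `:start_tls`, so the method should match what the key promises. The `puts sprintf(...)` in find_by_id is debug output to stdout and should be removed.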
7 app/views/layouts/_header.rhtml
@@ -24,7 +24,12 @@
<div id="search">
Hello
<% if current_user.readwrite -%>
- <%= link_to(current_user.login, edit_user_path(current_user.id)) %> (<%= link_to('Logout', session_path, :method => :delete)%>)
+ <% if current_user.class.to_s != 'LDAPUser' -%>
+ <%= link_to(current_user.login, edit_user_path(current_user.id)) %>
+ <% else -%>
+ <%= current_user.login %> (from LDAP)
+ <% end -%>
+ (<%= link_to('Logout', session_path, :method => :delete)%>)
|
<%= link_to('User List', users_path)%> |
<%= link_to 'Create a new node', new_node_path %>
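Review bot: `<%= current_user.login %> (from LDAP)` renders the directory-supplied login raw; the `.rhtml` extension and the RAILS_ROOT/RAILS_ENV constants elsewhere in this commit point to a pre-3.0 Rails where `<%= %>` does not HTML-escape, so a login containing markup from LDAP lands in every page header unescaped. Wrap it: `<%= h(current_user.login) %> (from LDAP)`. The class test `current_user.class.to_s != 'LDAPUser'` is also better written as `unless current_user.is_a?(LDAPUser)`, which survives subclassing and does not depend on the constant's spelling.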
2  config/database.yml
@@ -22,7 +22,7 @@ development:
#adapter: sqlite3
#database: db/iclassify_development
adapter: mysql
- database: iclassify_production
+ database: iclassify_development
username: root
password:
socket: /tmp/mysql.sock
23 config/iclassify.yml
@@ -0,0 +1,23 @@
+#
+# iClassify configuration
+#
+
+development:
+ use_ldap: true
+ ldap_config:
+ host: cyclops.hjksolutions.com
+ port: 389
+ auth_basedn: dc=hjksolutions,dc=com
+ auth_scope: sub
+ auth_needs_bind: false
+ auth_bind_dn: uid=foo,ou=people,dc=hjksolutions,dc=com
+ auth_bind_pw: monkey
+ auth_query: '(uid=%s)'
+ authz_default: readwrite
+ authz_use_lookup: true
+ authz_basedn: dc=hjksolutions,dc=com
+ authz_scope: sub
+ authz_query: '(&(cn=sysadmins)(memberUid=%s))'
+
+production:
+ url: http://localhost:8983/solr
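Review bot: `auth_bind_pw: monkey` commits a directory bind credential (together with the internal host `cyclops.hjksolutions.com`) into version control even though `auth_needs_bind: false` means it is not used today; keep this file as a checked-in template with the secret blanked and load the real value from an ignored local file or the environment. There is no `start_tls` key, so with the loader's current `== "true"` test the development connection to port 389 is plain LDAP and the password passed to bind_as crosses the network in clear. The `production:` block carries only a Solr `url` and no `use_ldap`/`ldap_config`, which the guards in LDAPUser tolerate (nil is not `true`) but deserves a comment such as `# LDAP disabled in production; see the development block for the available keys` so it is not mistaken for an omission.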
1  config/initializers/applicaton_config.rb
@@ -0,0 +1 @@
+IC_CONFIG = YAML.load(File.read(RAILS_ROOT + "/config/iclassify.yml"))[RAILS_ENV]
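Review bot: `YAML.load(...)[RAILS_ENV]` yields nil for any environment the YAML does not define — iclassify.yml in this commit has `development` and `production` but no `test` — so IC_CONFIG becomes nil and the first `IC_CONFIG["use_ldap"]` in LDAPUser raises NoMethodError instead of disabling LDAP. Fail at boot with a clear message instead, e.g. `IC_CONFIG = YAML.load(File.read(RAILS_ROOT + "/config/iclassify.yml")).fetch(RAILS_ENV) { raise "no #{RAILS_ENV} section in config/iclassify.yml" }`, or default to `{}` if a missing section is meant to mean "everything off". The filename `applicaton_config.rb` is misspelled; Rails loads every initializer regardless, but it will be hard to find later.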
57 db/schema.rb
@@ -1,50 +1,57 @@
-# This file is autogenerated. Instead of editing this file, please use the
-# migrations feature of ActiveRecord to incrementally modify your database, and
+# This file is auto-generated from the current state of the database. Instead of editing this file,
+# please use the migrations feature of ActiveRecord to incrementally modify your database, and
# then regenerate this schema definition.
+#
+# Note that this schema.rb definition is the authoritative source for your database schema. If you need
+# to create the application database on another system, you should be using db:schema:load, not running
+# all the migrations from scratch. The latter is a flawed and unsustainable approach (the more migrations
+# you'll amass, the slower it'll run and the greater likelihood for issues).
+#
+# It's strongly recommended to check this file into your version control system.
ActiveRecord::Schema.define(:version => 11) do
create_table "attribs", :force => true do |t|
- t.column "node_id", :integer, :null => false
- t.column "name", :string, :null => false
+ t.integer "node_id", :null => false
+ t.string "name", :default => "", :null => false
end
create_table "avalues", :force => true do |t|
- t.column "attrib_id", :integer, :null => false
- t.column "value", :text, :null => false
+ t.integer "attrib_id", :null => false
+ t.text "value", :default => "", :null => false
end
create_table "nodes", :force => true do |t|
- t.column "uuid", :string, :limit => 38, :null => false
- t.column "description", :string
- t.column "notes", :text
- t.column "crypted_password", :string, :limit => 40
- t.column "salt", :string, :limit => 40
- t.column "quarantined", :boolean, :default => false
+ t.string "uuid", :limit => 38, :default => "", :null => false
+ t.string "description"
+ t.text "notes"
+ t.string "crypted_password", :limit => 40
+ t.string "salt", :limit => 40
+ t.boolean "quarantined", :default => false
end
create_table "nodes_tags", :id => false, :force => true do |t|
- t.column "node_id", :integer, :null => false
- t.column "tag_id", :integer, :null => false
+ t.integer "node_id", :null => false
+ t.integer "tag_id", :null => false
end
- add_index "nodes_tags", ["tag_id"], :name => "index_nodes_tags_on_tag_id"
add_index "nodes_tags", ["node_id"], :name => "index_nodes_tags_on_node_id"
+ add_index "nodes_tags", ["tag_id"], :name => "index_nodes_tags_on_tag_id"
create_table "tags", :force => true do |t|
- t.column "name", :string, :null => false
+ t.string "name", :default => "", :null => false
end
create_table "users", :force => true do |t|
- t.column "login", :string
- t.column "email", :string
- t.column "crypted_password", :string, :limit => 40
- t.column "salt", :string, :limit => 40
- t.column "created_at", :datetime
- t.column "updated_at", :datetime
- t.column "remember_token", :string
- t.column "remember_token_expires_at", :datetime
- t.column "readwrite", :boolean, :default => true
+ t.string "login"
+ t.string "email"
+ t.string "crypted_password", :limit => 40
+ t.string "salt", :limit => 40
+ t.datetime "created_at"
+ t.datetime "updated_at"
+ t.string "remember_token"
+ t.datetime "remember_token_expires_at"
+ t.boolean "readwrite", :default => true
end
end
17 lib/authenticated_system.rb
@@ -100,11 +100,14 @@ def self.included(base)
# Called from #current_user. First attempt to login by the user id stored in the session.
def login_from_session
+ logger.info(session.to_yaml)
if session[:user]
if session[:user_type] == 'Node'
self.current_user = Node.find_by_id(session[:user])
- else
- self.current_user = User.find_by_id(session[:user])
+ elsif session[:user_type] == 'User'
+ self.current_user = User.find_by_id(session[:user])
+ elsif session[:user_type] == 'LDAPUser'
+ self.current_user = LDAPUser.find_by_id(session[:user])
end
end
end
@@ -112,10 +115,18 @@ def login_from_session
# Called from #current_user. Now, attempt to login by basic authentication information.
def login_from_basic_auth
username, passwd = get_auth_data
+ logger.info("I have #{username} and passwd #{passwd}")
if username =~ UUIDREGEX
self.current_user = Node.authenticate(username, passwd) if username && passwd
else
- self.current_user = User.authenticate(username, passwd) if username && passwd
+ dbuser = User.authenticate(username, passwd) if username && passwd
+ if dbuser
+ self.current_user = dbuser
+ else
+ ldapuser = LDAPUser.authenticate(username, passwd) if username && passwd
+ logger.info("I have #{username} #{passwd} #{ldapuser.to_yaml}")
+ self.current_user = ldapuser
+ end
end
end
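Review bot: `logger.info("I have #{username} and passwd #{passwd}")` and `logger.info("I have #{username} #{passwd} #{ldapuser.to_yaml}")` in login_from_basic_auth write the plaintext password of every basic-auth request to the Rails log, and `logger.info(session.to_yaml)` in the first hunk's login_from_session dumps the whole session store on every request; all three debug lines should be removed before this merges, since logs are retained and shipped far more widely than credentials, and at most a line like `logger.info("basic auth attempt for #{username}")` belongs here. The former `else` that loaded `User.find_by_id(session[:user])` is now `elsif session[:user_type] == 'User'`, so a session created before this change that holds `session[:user]` but no `session[:user_type]` no longer logs anyone in — presumably intended, but worth a one-line comment. Nothing in this commit sets `session[:user_type]` to `'LDAPUser'`; if `current_user=` (outside the hunk) derives it from the object's class the new branch works, otherwise it is unreachable — please confirm.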
2  lib/authorized_as_user.rb
@@ -1,7 +1,7 @@
module AuthorizedAsUser
protected
def authorized?
- logged_in? && current_user.class.to_s == "User"
+ logged_in? && current_user.class.to_s == "User" || current_user.class.to_s == "LDAPUser"
end
def can_write
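Review bot: `logged_in? && current_user.class.to_s == "User" || current_user.class.to_s == "LDAPUser"` parses as `(logged_in? && … == "User") || (… == "LDAPUser")` because `&&` binds tighter than `||`, so the LDAP case skips `logged_in?` entirely and the authorization check no longer states what it means. Parenthesise the class test: `logged_in? && (current_user.is_a?(User) || current_user.is_a?(LDAPUser))`. The `can_write` method below begins on the hunk's last line and continues outside it.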