Check User status in LDAP Group w/out admin auth

lib/devise_ldap_authenticatable.rb

@@ -26,6 +26,9 @@ module Devise
   mattr_accessor :ldap_check_group_membership
   @@ldap_check_group_membership = false
 
+  mattr_accessor :ldap_check_group_membership_without_admin
+  @@ldap_check_group_membership_without_admin = false
+
   mattr_accessor :ldap_check_attributes
   @@ldap_check_role_attribute = false
 
@@ -48,4 +51,4 @@ module Devise
                   :route => :session, ## This will add the routes, rather than in the routes.rb
                   :strategy   => true,
                   :controller => :sessions,
-                  :model  => 'devise_ldap_authenticatable/model')
+                  :model  => 'devise_ldap_authenticatable/model')

lib/devise_ldap_authenticatable/ldap/adapter.rb

@@ -45,10 +45,18 @@ def self.get_groups(login)
         self.ldap_connect(login).user_groups
       end
 
+      def self.get_groups_as_user(login)
+        self.ldap_connect(login).auth_user_groups
+      end
+
       def self.in_ldap_group?(login, group_name, group_attribute = nil)
         self.ldap_connect(login).in_group?(group_name, group_attribute)
       end
 
+      def self.user_in_ldap_group?(login, group_name, group_attribute = nil)
+        self.ldap_connect(login).user_in_group?(group_name, group_attribute)
+      end
+
       def self.get_dn(login)
         self.ldap_connect(login).dn
       end
@@ -84,4 +92,4 @@ def self.get_ldap_entry(login)
 
   end
 
-end
+end

lib/devise_ldap_authenticatable/ldap/connection.rb

@@ -18,6 +18,7 @@ def initialize(params = {})
 
         @group_base = ldap_config["group_base"]
         @check_group_membership = ldap_config.has_key?("check_group_membership") ? ldap_config["check_group_membership"] : ::Devise.ldap_check_group_membership
+        @check_group_membership_without_admin = ldap_config.has_key?("check_group_membership_without_admin") ? ldap_config["check_group_membership_without_admin"] : ::Devise.ldap_check_group_membership_without_admin
         @required_groups = ldap_config["required_groups"]
         @required_attributes = ldap_config["require_attribute"]
 
@@ -96,16 +97,24 @@ def change_password!
       end
 
       def in_required_groups?
-        return true unless @check_group_membership
+        return true unless @check_group_membership || @check_group_membership_without_admin
 
         ## FIXME set errors here, the ldap.yml isn't set properly.
         return false if @required_groups.nil?
 
         for group in @required_groups
-          if group.is_a?(Array)
-            return false unless in_group?(group[1], group[0])
+          if @check_group_membership_without_admin
+            if group.is_a?(Array)
+              return false unless user_in_group?(group[1], group[0])
+            else
+              return false unless user_in_group?(group)
+            end
           else
-            return false unless in_group?(group)
+            if group.is_a?(Array)
+              return false unless in_group?(group[1], group[0])
+            else
+              return false unless in_group?(group)
+            end
           end
         end
         return true
@@ -141,6 +150,25 @@ def in_group?(group_name, group_attribute = LDAP::DEFAULT_GROUP_UNIQUE_MEMBER_LI
         return in_group
       end
 
+      def user_in_group?(group_name, group_attribute = LDAP::DEFAULT_GROUP_UNIQUE_MEMBER_LIST_KEY)
+        in_group = false
+
+        @ldap.search(:base => group_name, :scope => Net::LDAP::SearchScope_BaseObject) do |entry|
+          if entry.uniqueMember.include? dn
+            in_group = true
+            ## Logging because it's a nice thing to do. 
+            DeviseLdapAuthenticatable::Logger.send("User #{dn} IS included in group: #{group_name}")
+          end
+        end
+
+        unless in_group
+          DeviseLdapAuthenticatable::Logger.send("User #{dn} is not in group: #{group_name}")
+        end
+
+        return in_group
+      end
+
+
       def has_required_attribute?
         return true unless ::Devise.ldap_check_attributes
 
@@ -223,4 +251,4 @@ def update_ldap(ops)
       end
     end
   end
-end
+end

lib/generators/devise_ldap_authenticatable/install_generator.rb

@@ -34,6 +34,7 @@ def default_devise_settings
   # config.ldap_update_password = true
   # config.ldap_config = "\#{Rails.root}/config/ldap.yml"
   # config.ldap_check_group_membership = false
+  # config.ldap_check_group_membership_without_admin = false
   # config.ldap_check_attributes = false
   # config.ldap_use_admin_to_bind = false
   # config.ldap_ad_group_check = false

spec/unit/user_spec.rb

@@ -167,7 +167,24 @@ def should_not_be_validated(user, password, message = "Password is not properly
         assert_equal false, @user.in_ldap_group?('cn=thisgroupdoesnotexist,ou=groups,dc=test,dc=com')
       end
     end
-
+
+    describe "check group membership w/out admin bind" do
+      before do
+        @user = Factory.create(:user)
+      end
+
+      it "should return true for user being in the users group" do
+        assert_equal true, @user.user_in_ldap_group?('cn=users,ou=groups,dc=test,dc=com')
+      end
+
+      it "should return false for user being in the admins group" do
+        assert_equal false, @user.user_in_ldap_group?('cn=admins,ou=groups,dc=test,dc=com')
+      end
+
+      it "should return false for a user being in a nonexistent group" do
+        assert_equal false, @user.user_in_ldap_group?('cn=thisgroupdoesnotexist,ou=groups,dc=test,dc=com')
+      end
+    end
 
     describe "use role attribute for authorization" do
       before do