ldap provided by ldap_fluff. Adds support for FreeIPA & Active Directory

puppet/default-answer-file

@@ -104,6 +104,12 @@ auth_method = database
 # LDAP server hostname
 ldap_server = localhost
 
+# LDAP server hostname
+ldap_port = 389
+
+# LDAP server type (:posix, :active_directory, :free_ipa)
+ldap_server_type = :posix
+
 # encryption method used in communication with LDAP server (<empty>, start_tls)
 ldap_encryption = 
 
@@ -115,3 +121,13 @@ ldap_groups_basedn = ou=Groups,dc=company,dc=com
 
 # Use LDAP for roles membership definition (true, false)
 ldap_roles = false
+
+# allow anonymous queries (true, false) for AD or FreeIPA
+ldap_anon_queries = false
+
+# service user & pass for non-anon queries (IPA, AD)
+ldap_service_user =
+ldap_service_pass =
+
+# domain for AD LDAP queries
+ldap_ad_domain =

puppet/modules/katello/manifests/config.pp

@@ -67,6 +67,12 @@
       group   => $katello::params::group,
       mode    => "600",
       notify  => Exec["reload-apache2"];
+
+    "/etc/ldap_fluff.yml":
+      content => template("katello/etc/ldap_fluff.yml.erb"),
+      owner   => $katello::params::user,
+      group   => $katello::params::group,
+      mode    => "600",
   }
 
   exec {"httpd-restart":

puppet/modules/katello/manifests/params.pp

@@ -67,10 +67,16 @@
 
   # LDAP settings
   $ldap_server = katello_config_value('ldap_server')
+  $ldap_port = katello_config_value('ldap_port')
+  $ldap_server_type = katello_config_value('ldap_server_type')
   $ldap_encryption = katello_config_value('ldap_encryption')
   $ldap_users_basedn = katello_config_value('ldap_users_basedn')
   $ldap_groups_basedn = katello_config_value('ldap_groups_basedn')
   $ldap_roles = katello_config_value('ldap_roles')
+  $ldap_service_user = katello_config_value('ldap_service_user')
+  $ldap_service_pass = katello_config_value('ldap_service_pass')
+  $ldap_anon_queries = katello_config_value('ldap_anon_queries')
+  $ldap_ad_domain = katello_config_value('ldap_ad_domain')
 
   # auth method
   $auth_method = katello_config_value('auth_method') 

puppet/modules/katello/templates/etc/katello/katello.yml.erb

@@ -20,11 +20,6 @@
 #   minutes that a password reset token will remain valid.
 #
 common:
-  ldap:
-    host: <%= scope.lookupvar("katello::params::ldap_server") %>
-    encryption: <%= scope.lookupvar("katello::params::ldap_encryption") %>
-    base: <%= scope.lookupvar("katello::params::ldap_users_basedn") %>
-    group_base: <%= scope.lookupvar("katello::params::ldap_groups_basedn") %>
 
   warden:  <%= scope.lookupvar("katello::params::auth_method") %>
   ldap_roles: <%= scope.lookupvar("katello::params::ldap_roles") %>

puppet/modules/katello/templates/etc/ldap_fluff.yml.erb

@@ -0,0 +1,11 @@
+---
+host: <%= scope.lookupvar("katello::params::ldap_server") %>
+port: <%= scope.lookupvar("katello::params::ldap_port") %>
+encryption: <%= scope.lookupvar("katello::params::ldap_encryption") %>
+base_dn: <%= scope.lookupvar("katello::params::ldap_users_basedn") %>
+group_base: <%= scope.lookupvar("katello::params::ldap_groups_basedn") %>
+server_type: <%= scope.lookupvar("katello::params::ldap_server_type") %>
+service_user: <%= scope.lookupvar("katello::params::ldap_service_user") %>
+service_pass: <%= scope.lookupvar("katello::params::ldap_service_pass") %>
+anon_queries: <%= scope.lookupvar("katello::params::ldap_anon_queries") %>
+ad_domain: <%= scope.lookupvar("katello::params::ldap_ad_domain") %>

src/Gemfile

@@ -14,6 +14,7 @@ gem 'pg'
 gem 'rails_warden'
 gem 'net-ldap'
 gem 'oauth'
+gem 'ldap_fluff'
 
 gem 'delayed_job', '~> 2.1.4'
 gem 'daemons', '>= 1.1.4'

src/katello.spec

@@ -78,6 +78,7 @@ Requires:       rubygem(fssm)
 Requires:       rubygem(sass)
 Requires:       rubygem(chunky_png)
 Requires:       rubygem(tire)
+Requires:       rubygem(ldap_fluff)
 
 %if 0%{?rhel} == 6
 Requires:       redhat-logos >= 60.0.14

src/lib/ldap.rb

@@ -10,96 +10,22 @@
 # have received a copy of GPLv2 along with this software; if not, see
 # http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
 
-require 'net/ldap'
+require 'ldap_fluff'
 
 class Ldap
+
   def self.valid_ldap_authentication?(uid, password)
-    ldap = LdapConnection.new
+    ldap = LdapFluff.new
     ldap.bind? uid, password
   end
 
   def self.ldap_groups(uid)
-    ldap = LdapConnection.new
+    ldap = LdapFluff.new
     ldap.groups_for_uid(uid)
   end
 
   def self.is_in_groups(uid, grouplist)
-    ldap = LdapConnection.new
-    ldap.is_in_groups(uid, grouplist, true)
-  end
-end
-
-class LdapConnection
-  attr_reader :ldap, :host, :base, :group_base
-
-  def initialize(config={})
-    encryption = AppConfig.ldap.encryption
-    if encryption.respond_to? :to_sym 
-      @ldap = Net::LDAP.new(:encryption => encryption.to_sym)
-    else
-      @ldap = Net::LDAP.new()
-    end
-    @ldap.host = @host = AppConfig.ldap.host
-    @base = AppConfig.ldap.base
-    @group_base = AppConfig.ldap.group_base
-  end
-
-  def bind?(uid=nil, password=nil)
-    @ldap.auth "uid=#{uid},#{@base}", password
-    @ldap.bind
-  end
-
-  # returns a list of ldap groups to which a user belongs
-  # note : this method is not particularly fast for large ldap systems
-  def groups_for_uid(uid)
-    filter = Net::LDAP::Filter.eq("memberUid", uid)
-    # group base name must be preconfigured
-    treebase = @group_base
-    groups = []
-    # groups filtering will work w/ group common names 
-    @ldap.search(:base => treebase, :filter => filter) do |entry|
-      groups << entry[:cn][0]
-    end
-    groups
-  end
-
-  # returns whether a user is a member of ALL or ANY particular groups
-  # note: this method is much faster than groups_for_uid
-  # 
-  # gids should be an array of group common names
-  #
-  # returns true if owner is in ALL of the groups if all=true, otherwise
-  # returns true if owner is in ANY of the groups
-  def is_in_groups(uid, gids = [], all=false)
-    return true if gids.empty?
-    filter = Net::LDAP::Filter.eq("memberUid", uid)
-    treebase = @group_base
-    raise _("group_base was not set in katello.yml") if not treebase
-    group_filters = []
-    matches = 0
-    # we need a new filter for each group cn
-    gids.each do |group_cn|
-      group_filters << Net::LDAP::Filter.eq("cn", group_cn)
-    end
-    if group_filters.size >= 1
-      # OR the group filters together
-      group_filter = group_filters[0]
-      if group_filters.size > 1
-        group_filters[1..group_filters.size-1].each do |gfilter|
-          if all
-            group_filter = group_filter & gfilter
-          else 
-            group_filter = group_filter | gfilter
-          end
-        end
-      end
-      # AND the set of group filters w/ base filter
-      filter = filter & group_filter
-      @ldap.search(:base => treebase, :filter => filter) do |entry|
-        matches = matches + 1 
-      end
-    end
-
-    return matches > 0
+    ldap = LdapFluff.new
+    ldap.is_in_groups(uid, grouplist)
   end
 end