Allow for custom ldap attributes
jrouzierinverse committed Jun 14, 2023
1 parent c05b06e commit 52977e9
Showing 4 changed files with 133 additions and 3 deletions.
9 changes: 8 additions & 1 deletion lib/pf/Authentication/Source/LDAPSource.pm
Expand Up @@ -81,6 +81,7 @@ has 'client_key_file' => ( isa => 'Maybe[Str]', is => 'rw', default => "");
has 'ca_file' => (isa => 'Maybe[Str]', is => 'rw', default => '');
has 'verify' => ( isa => 'Str', is => 'rw', default => 'none');
has 'use_connector' => (isa => 'Bool', is => 'rw', default => 1);
has '_ldap_attributes' => ( isa => 'ArrayRef', is => 'rw', default => sub { [] });

our $logger = get_logger();

Expand Down Expand Up @@ -125,7 +126,13 @@ get the ldap attributes

sub ldap_attributes {
my ($self) = @_;
return map { { value => $_, type => $Conditions::LDAP_ATTRIBUTE } } @{$Config{advanced}->{ldap_attributes}};
my @ldap_attributes = (
(map { { value => $_, type => $Conditions::LDAP_ATTRIBUTE } } @{$Config{advanced}->{ldap_attributes}}),
@{$self->_ldap_attributes},
);

my %seen;
return grep { !$seen{$_->{value}}++ } @ldap_attributes;
}

=head2 common_attributes
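Review bot: The `%seen` grep in `ldap_attributes` compares `value` case-sensitively, but LDAP attribute descriptions are matched case-insensitively by directory servers, so `memberOf` from the global `advanced.ldap_attributes` list and `memberof` typed in a rule condition both survive and appear as two entries; keying on the lower-cased name while keeping the first spelling avoids that, e.g. `return grep { !$seen{ lc $_->{value} }++ } @ldap_attributes;`. The new `_ldap_attributes` attribute has a public `rw` accessor but no POD or comment; a line above the `has` such as `# per-source attribute names collected from rule conditions and usernameattribute by pfconfig::namespaces::config::Authentication; entries are { value => NAME, type => $Conditions::LDAP_ATTRIBUTE }` would tell readers where it is filled. The existing `=head2` text "get the ldap attributes" could also say that the result is the global list merged with the per-source list, first occurrence winning.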
16 changes: 16 additions & 0 deletions lib/pfconfig/namespaces/config/Authentication.pm
Expand Up @@ -29,6 +29,7 @@ use pf::Authentication::Condition;
use pf::Authentication::Rule;
use pf::Authentication::utils;
use Sort::Naturally qw(nsort);
use List::MoreUtils qw(uniq);
use pf::constants::authentication;

use base 'pfconfig::namespaces::config';
Expand Down Expand Up @@ -77,6 +78,7 @@ sub build_child {

# Instantiate the source object
my $current_source = $self->newAuthenticationSource( $type, $source_id, $cfg{$source_id} );
my @ldap_attributes;

# Parse rules
foreach my $rule_id ( $self->GroupMembers($source_id) ) {
Expand All @@ -103,6 +105,9 @@ sub build_child {
if ($attribute =~ /^(.*?):(.*)$/) {
$type = $1;
$attribute = $2;
if ( $type eq 'ldap' ) {
push @ldap_attributes, $attribute;
}
}

$current_rule->add_condition(
Expand Down Expand Up @@ -139,6 +144,17 @@ sub build_child {
}
}

if ($current_source->isa("pf::Authentication::Source::LDAPSource")) {
my $usernameattribute = $current_source->usernameattribute;
if ($usernameattribute) {
push @ldap_attributes, $usernameattribute;
}

my %seen;
@ldap_attributes = map { { value => $_, type => $Conditions::LDAP_ATTRIBUTE } } sort {$a cmp $b} uniq @ldap_attributes;
$current_source->_ldap_attributes(\@ldap_attributes);
}

$current_rule->cache_key($cache_key);
$current_rule_config{cache_key} = $cache_key;
$current_source->add_rule($current_rule);
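Review bot: The `if ($current_source->isa("pf::Authentication::Source::LDAPSource"))` block at the end of the third hunk appears to run once per rule rather than once per source — the `$current_rule->cache_key($cache_key)` call right after it is per-rule — though the header of the enclosing `foreach my $rule_id` loop and the boundaries of `build_child` are outside the hunk. If that placement is right, the second rule iteration feeds the hashrefs produced by the previous `map { { value => $_, type => $Conditions::LDAP_ATTRIBUTE } }` back through `uniq`/`sort`/`map`, so `value` becomes a nested hashref and the later dedupe by `$_->{value}` in `ldap_attributes` stops working for any source with more than one rule; moving the block to just after the rule loop closes would build the list once from the accumulated names. The `my %seen;` declared on the line before that `map` is never used and can be dropped. `$Conditions::LDAP_ATTRIBUTE` is a fully qualified package variable, so `strict` will not complain if the package that defines it is not loaded in this file and `type` would silently be `undef`; worth confirming it is brought into scope here as it already is in LDAPSource.pm.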
2 changes: 1 addition & 1 deletion t/data/authentication.conf
Expand Up @@ -215,7 +215,7 @@ cache_match=1
description=Full Access
class=authentication
match=any
condition0=ldap:memberOf,equals,CN=NOC Users,DC=ldap,DC=inverse,DC=ca
condition0=ldap:memberOf2,equals,CN=NOC Users,DC=ldap,DC=inverse,DC=ca
action0=set_role=default
action1=set_unreg_date=2037-12-31

109 changes: 108 additions & 1 deletion t/unittest/authentication.t
Expand Up @@ -22,7 +22,7 @@ BEGIN {

use Date::Parse;

use Test::More tests => 59; # last test to print
use Test::More tests => 60; # last test to print

use Test::NoWarnings;

Expand Down Expand Up @@ -453,6 +453,113 @@ is_deeply(
);
}

{
my $source = pf::authentication::getAuthenticationSource("LDAP0");
my @ldap_attributes = $source->ldap_attributes;
is_deeply(
\@ldap_attributes,
[
{
'value' => 'uid',
'type' => 'ldapattribute'
},
{
'type' => 'ldapattribute',
'value' => 'cn'
},
{
'value' => 'sAMAccountName',
'type' => 'ldapattribute'
},
{
'value' => 'servicePrincipalName',
'type' => 'ldapattribute'
},
{
'type' => 'ldapattribute',
'value' => 'UserPrincipalName'
},
{
'value' => 'department',
'type' => 'ldapattribute'
},
{
'value' => 'displayName',
'type' => 'ldapattribute'
},
{
'type' => 'ldapattribute',
'value' => 'distinguishedName'
},
{
'type' => 'ldapattribute',
'value' => 'givenName'
},
{
'type' => 'ldapattribute',
'value' => 'memberOf'
},
{
'value' => 'sn',
'type' => 'ldapattribute'
},
{
'type' => 'ldapattribute',
'value' => 'eduPersonPrimaryAffiliation'
},
{
'type' => 'ldapattribute',
'value' => 'mail'
},
{
'type' => 'ldapattribute',
'value' => 'postOfficeBox'
},
{
'type' => 'ldapattribute',
'value' => 'description'
},
{
'value' => 'groupMembership',
'type' => 'ldapattribute'
},
{
'value' => 'basedn',
'type' => 'ldapattribute'
},
{
'type' => 'ldapattribute',
'value' => 'dNSHostName'
},
{
'value' => 'memberOf2',
'type' => 'ldapattribute'
},
{
'type' => 'ldapattribute',
'value' => 'user'
},
{
'value' => 'sAMAccountName',
'type' => 'ldapattribute'
},
{
'type' => 'ldapattribute',
'value' => 'sAMAccountType'
},
{
'type' => 'ldapattribute',
'value' => 'userAccountControl'
},
{
'value' => 'memberOf:1.2.840.113556.1.4.1941:',
'type' => 'ldapattribute'
}
],
"ldap_attributes"
);
}

=head1 AUTHOR
Inverse inc. <info@inverse.ca>
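Review bot: The expected list in the new `is_deeply` contains `'sAMAccountName'` twice (once after `cn`, once after `user`), yet `ldap_attributes` in LDAPSource.pm drops repeats by `value` through its `%seen` grep, so either those two entries differ in a way the rendered page does not show (case or trailing whitespace) or this assertion cannot pass as written. If they are the same string the second entry should be removed; if they differ only by case, a comment on the second one like `# differs from the earlier entry only in case; ldap_attributes dedupes case-sensitively` would stop the next reader from "fixing" it, since directory servers treat attribute names case-insensitively. The test count bump from 59 to 60 matches the single added assertion.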