theforeman / ldap_fluff Goto Github PK

Please relax the ActiveSupport dependency, which is currently limited to AS 3.2.x. I built the recent version for Fedora and the test suite is passing against AS 4.1.x just fine:

[1] https://kojipkgs.fedoraproject.org//packages/rubygem-ldap_fluff/0.2.5/1.fc21/data/logs/noarch/build.log

A user might not be able to connect to their ldap server for a variety of reasons. It could be simply misconfigured, or there could be a networking issue.

ldap_fluff needs a way to validate the configuration and let the user know if they have a valid connection to their server

Unless the name was intention I think it should be called ldap_fluff.gemspec

Hi,
would it be possible to include the LICENSE file in gem on rubygems for next releases? I'm currently packaging ldap_fluff for fedora and we like to keep these things explicit.

Thanks a lot.

My DN is cn=Jennings\, Jared,ou=Foo,ou=Bar,ou=Baz,dc=example,dc=org. That is, my common name is Jennings, Jared. I'm in an Active Directory. ldap_fluff 0.3.2-1.el7 can't tell that I exist, and throws an error if you ask it for a user list of any group I'm in.

It appears that the root cause is that LdapFluff::GenericMemberService#find_by_dn splits the DN on commas, takes the first comma-delimited piece, and assumes it's the whole CN (or uid, or some attribute). So entry ends up being cn=Jennings\, and base ends up being Jared,ou=Foo,ou=Bar,ou=Baz,dc=example,dc=org. That value for base is not a syntactically valid DN, besides there being no users with CN Jennings\.

The msds-memberOfTransitive attribute was added in Windows Server 2012 R2, which provides a much more efficient way to get the full list of group memberships without needing to do recursive lookups.

The attribute requires the search base be set to the DN of the object you are querying, but will compute the full list of groups on the domain controller, which saves a lot of client-side work and subsequent connections.

It would be great if the library attempted this method of group membership lookup first, and then failing that it would revert to the recursive lookup method. For any 2012 R2 server and up, this should result in much faster lookup times.

http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work(v=ws.10).aspx

Currently, net-ldap won't follow the sort of "redirect" returned by the global catalog queries to lookup member data on a specific server.

It seems that our IT admins have created a cyclic group membership (where Group A has Group B as a member but Group B also has Group A as a member). While I doubt this type of configuration advised, it seems it is legal so I think _walk_group_ancestry() should have some sort of cycle detection otherwise it eventually blows up the stack and raises an exception. I propose that the function should be made tail-recursive by rather than returning a list, it should take a last and use that to accumulate data. Then I think we can check to see if the current group we are processing already exists inside our accumulated list of groups and if it does we know that we are starting to cycle and we can break out.

Add methods to validate the existence of users / groups with a simple boolean response

ldap_fluff does not currently handle password expiration notification. Although ldap_fluff will never allow you to change your password, it could be extended to send a notification on a bind request that the user's password has expired

in etc/ldap_fluff.yml, "port: ## ip address or hostname" should be "port: ## LDAP server port number"

I was hoping to add the option of enabling login support via the mail field in addition to the login_attr field. To do this without hard coding the attribute the config class would need to also expose the mail field from the foreman ldap configuration.

Use Case:
If a directory service uses serial numbers for employee uid and groupOfUniqueNames mappings, but users use an email for logins I believe it is current impossible to configure ldap with both group support and the ability to login with the user preferred attribute.

I think a conditional could be added to the member_service.find_user method to translate the email address supplied by the user to their login_attr if an @ is contained in the uid string.

An exception should be risen instead of exiting the process on lines: https://github.com/jsomara/ldap_fluff/blob/master/lib/ldap_fluff/config.rb#L42-48. exit can cause unexpected termination of the process like:

• exiting minitest run before finishing, hiding errors
• terminating web server even if it can work without ldap_fluff configured

Been testing installing and configuring on Centos 6.5 and I can't seem to get start_tls working the way it should. It could very well just be a stupid user issue (me being the user) but at the risk of looking like an idiot I figured I'd post a bug.

Here is the configure command I use:

katello-configure [email protected] --org-name=Example --ldap-server=freeipa.example.com --ldap-encryption=start_tls --ldap-users-basedn="cn=users,cn=accounts,dc=example,dc=com" --ldap-anon-queries=false --ldap-groups-basedn="cn=groups,cn=accounts,dc=example,dc=com" --ldap-server-type=:free_ipa --ldap-service-user="uid=katello,cn=sysaccounts,cn=etc,dc=example,dc=com" --ldap-service-pass=SuperSecret --job-workers=4 --auth-method=ldap --ssl-ca-country=CA --ssl-ca-state=SSL_CA_STATE=ON --ssl-ca-city=Toronto --ssl-ca-org="Example Company" --ssl-ca-org-unit="Example Unit" [email protected] --ssl-cert-expiration=3650 --user-name=super_admin --reset-data=YES --validate-ldap=YES --ldap-roles=TRUE -b

Meanwhile ldapsearch with the -ZZ option works fine from the same box using the same username/password.

ldap_fluff seems to use the net/ldap library and from what I can see the net/ldap library does not really support start_tls but rather supports simple_tls which is ldaps (usually done on port 636)

http://net-ldap.rubyforge.org/Net/LDAP.html#method-i-encryption

Am I correct in assuming that start_tls isn't supported but in theory simple_tls should be supported and can be passed as a parameter to Katello?

Error log from Puppet:
Error: /usr/bin/ruby193-rake seed_with_logging --trace --verbose > /var/log/katello/katello-configure/db_seed.log 2>&1 && touch /var/lib/katello/db_seed_done returned 1 instead of one of [0]
Error: /Stage[main]/Katello::Config/Exec[katello_seed_db]/returns: change from notrun to 0 failed: /usr/bin/ruby193-rake seed_with_logging --trace --verbose > /var/log/katello/katello-configure/db_seed.log 2>&1 && touch /var/lib/katello/db_seed_done returned 1 instead of one of [0]

Error log from Logfile:

WARNING: Nokogiri was built against LibXML version 2.9.0, but has dynamically loaded 2.7.6
** Invoke seed_with_logging (first_time)
** Invoke db:seed (first_time)
** Execute db:seed
** Invoke db:abort_if_pending_migrations (first_time)
** Invoke environment (first_time)
** Execute environment
** Invoke db:load_config (first_time)
** Execute db:load_config
** Execute db:abort_if_pending_migrations
rake aborted!
Could not bind to FreeIPA Query User
/opt/rh/ruby193/root/usr/share/gems/gems/ldap_fluff-0.2.2/lib/ldap_fluff/freeipa.rb:40:in `service_bind'
/opt/rh/ruby193/root/usr/share/gems/gems/ldap_fluff-0.2.2/lib/ldap_fluff/freeipa.rb:63:in `user_exists?'
/opt/rh/ruby193/root/usr/share/gems/gems/ldap_fluff-0.2.2/lib/ldap_fluff/ldap_fluff.rb:48:in `valid_user?'
/usr/share/katello/app/lib/ldap.rb:34:in `valid_user?'
/usr/share/katello/app/lib/validators/ldap_username_validator.rb:17:in `validate_each'
/opt/rh/ruby193/root/usr/share/gems/gems/activemodel-3.2.8/lib/active_model/validator.rb:153:in `block in validate'
/opt/rh/ruby193/root/usr/share/gems/gems/activemodel-3.2.8/lib/active_model/validator.rb:150:in `each'
/opt/rh/ruby193/root/usr/share/gems/gems/activemodel-3.2.8/lib/active_model/validator.rb:150:in `validate'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:310:in `_callback_before_1451'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:550:in `_run__3140527049433364790__validate__2524904621185869818__callbacks'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:405:in `__run_callback'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:385:in `_run_validate_callbacks'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:81:in `run_callbacks'
/opt/rh/ruby193/root/usr/share/gems/gems/activemodel-3.2.8/lib/active_model/validations.rb:227:in `run_validations!'
/opt/rh/ruby193/root/usr/share/gems/gems/activemodel-3.2.8/lib/active_model/validations/callbacks.rb:53:in `block in run_validations!'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:425:in `_run__3140527049433364790__validation__2524904621185869818__callbacks'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:405:in `__run_callback'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:385:in `_run_validation_callbacks'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:81:in `run_callbacks'
/opt/rh/ruby193/root/usr/share/gems/gems/activemodel-3.2.8/lib/active_model/validations/callbacks.rb:53:in `run_validations!'
/opt/rh/ruby193/root/usr/share/gems/gems/activemodel-3.2.8/lib/active_model/validations.rb:194:in `valid?'
/opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/validations.rb:69:in `valid?'
/usr/share/katello/app/models/glue.rb:83:in `valid?'
/opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/validations.rb:77:in `perform_validations'
/opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/validations.rb:56:in `save!'
/opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/attribute_methods/dirty.rb:33:in `save!'
/opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/transactions.rb:246:in `block in save!'
/opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/transactions.rb:295:in `block in with_transaction_returning_status'
/opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/connection_adapters/abstract/database_statements.rb:192:in `transaction'
/opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/transactions.rb:208:in `transaction'
/opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/transactions.rb:293:in `with_transaction_returning_status'
/opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/transactions.rb:246:in `save!'
/usr/share/katello/app/lib/lazy_accessor.rb:111:in `save!'
/usr/share/katello/db/seeds.rb:40:in `'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/dependencies.rb:245:in `load'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/dependencies.rb:245:in `block in load'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/dependencies.rb:236:in `load_dependency'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/dependencies.rb:245:in `load'
/opt/rh/ruby193/root/usr/share/gems/gems/railties-3.2.8/lib/rails/engine.rb:520:in `load_seed'
/opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/railties/databases.rake:309:in `block (2 levels) in '
/opt/rh/ruby193/root/usr/share/ruby/rake/task.rb:205:in `call'
/opt/rh/ruby193/root/usr/share/ruby/rake/task.rb:205:in `block in execute'
/opt/rh/ruby193/root/usr/share/ruby/rake/task.rb:200:in `each'
/opt/rh/ruby193/root/usr/share/ruby/rake/task.rb:200:in `execute'
/opt/rh/ruby193/root/usr/share/ruby/rake/task.rb:158:in `block in invoke_with_call_chain'
/opt/rh/ruby193/root/usr/share/ruby/monitor.rb:211:in `mon_synchronize'
/opt/rh/ruby193/root/usr/share/ruby/rake/task.rb:151:in `invoke_with_call_chain'
/opt/rh/ruby193/root/usr/share/ruby/rake/task.rb:176:in `block in invoke_prerequisites'
/opt/rh/ruby193/root/usr/share/ruby/rake/task.rb:174:in `each'
/opt/rh/ruby193/root/usr/share/ruby/rake/task.rb:174:in `invoke_prerequisites'
/opt/rh/ruby193/root/usr/share/ruby/rake/task.rb:157:in `block in invoke_with_call_chain'
/opt/rh/ruby193/root/usr/share/ruby/monitor.rb:211:in `mon_synchronize'
/opt/rh/ruby193/root/usr/share/ruby/rake/task.rb:151:in `invoke_with_call_chain'
/opt/rh/ruby193/root/usr/share/ruby/rake/task.rb:144:in `invoke'
/opt/rh/ruby193/root/usr/share/ruby/rake/application.rb:116:in `invoke_task'
/opt/rh/ruby193/root/usr/share/ruby/rake/application.rb:94:in `block (2 levels) in top_level'
/opt/rh/ruby193/root/usr/share/ruby/rake/application.rb:94:in `each'
/opt/rh/ruby193/root/usr/share/ruby/rake/application.rb:94:in `block in top_level'
/opt/rh/ruby193/root/usr/share/ruby/rake/application.rb:133:in `standard_exception_handling'
/opt/rh/ruby193/root/usr/share/ruby/rake/application.rb:88:in `top_level'
/opt/rh/ruby193/root/usr/share/ruby/rake/application.rb:66:in `block in run'
/opt/rh/ruby193/root/usr/share/ruby/rake/application.rb:133:in `standard_exception_handling'
/opt/rh/ruby193/root/usr/share/ruby/rake/application.rb:63:in `run'
/opt/rh/ruby193/root/usr/bin/rake:32:in `'
Tasks: TOP => seed_with_logging => db:seed

Please make https://github.com/jsomara/ldap_fluff/blob/master/lib/ldap_fluff/config.rb#L8 configurable. Config file can be anywhere in development/test setup. I would:

DEFAULT_CONFIG_PATH = '/etc/ldap_fluff.yml'
def initialize(config_path = DEAFAULT_CONFIG_PATH)
      begin
        config = YAML.load_file(config_path)
        # ...

described here: https://www.netiq.com/products/edirectory/

requested by @rackergs