class LdapFluff::FreeIPA

Attributes

ldap[RW]
member_service[RW]

Public Class Methods

new(config = {}) click to toggle source
# File lib/ldap_fluff/freeipa.rb, line 5
def initialize(config = {})
  @ldap       = Net::LDAP.new(:host       => config.host,
                              :base       => config.base_dn,
                              :port       => config.port,
                              :encryption => config.encryption)
  @group_base = config.group_base || config.base_dn
  @base       = config.base_dn
  @bind_user  = config.service_user
  @bind_pass  = config.service_pass
  @anon       = config.anon_queries

  @member_service = MemberService.new(@ldap, @group_base)
end

Public Instance Methods

bind?(uid = nil, password = nil) click to toggle source
# File lib/ldap_fluff/freeipa.rb, line 19
def bind?(uid = nil, password = nil)
  @ldap.auth("uid=#{uid},cn=users,cn=accounts,#{@base}", password)
  @ldap.bind
end
group_exists?(gid) click to toggle source
# File lib/ldap_fluff/freeipa.rb, line 70
def group_exists?(gid)
  begin
    service_bind
    @member_service.find_group(gid)
  rescue MemberService::GIDNotFoundException
    return false
  end
  return true
end
groups_for_uid(uid) click to toggle source
# File lib/ldap_fluff/freeipa.rb, line 24
def groups_for_uid(uid)
  service_bind
  begin
    @member_service.find_user_groups(uid)
  rescue MemberService::UIDNotFoundException
    return []
  rescue MemberService::InsufficientQueryPrivilegesException
    raise UnauthenticatedFreeIPAException, "Insufficient Privileges to query groups data"
  end
end
is_in_groups(uid, gids = [], all = true) click to toggle source

In freeipa, a simple user query returns a full set of nested groups! yipee

gids should be an array of group common names

returns true if owner is in ALL of the groups if all=true, otherwise returns true if owner is in ANY of the groups

# File lib/ldap_fluff/freeipa.rb, line 50
def is_in_groups(uid, gids = [], all = true)
  service_bind
  groups = @member_service.find_user_groups(uid)
  if all
    return groups & gids == gids
  else
    return groups & gids != []
  end
end
service_bind() click to toggle source

AD generally does not support un-authenticated searching Typically AD admins configure a public user for searching

# File lib/ldap_fluff/freeipa.rb, line 37
def service_bind
  unless @anon || bind?(@bind_user, @bind_pass)
    raise UnauthenticatedFreeIPAException, "Could not bind to FreeIPA Query User"
  end
end
user_exists?(uid) click to toggle source
# File lib/ldap_fluff/freeipa.rb, line 60
def user_exists?(uid)
  begin
    service_bind
    @member_service.find_user(uid)
  rescue MemberService::UIDNotFoundException
    return false
  end
  return true
end