feature #1916: Allow configuration of ldap group member field

Patch by Jean-Philippe Garcia Ballester
2024-12-25 23:21:29 +03:00 · 2013-04-26 17:17:11 +02:00 · 2013-04-26 17:17:11 +02:00 · 2205548990
commit 2205548990
parent 583eef9867
4 changed files with 17 additions and 9 deletions
--- a/src/authm_mad/remotes/ldap/authenticate
+++ b/src/authm_mad/remotes/ldap/authenticate
@ -68,7 +68,7 @@ order.each do |server_name|
 begin
    ldap=OpenNebula::LdapAuth.new(server_conf)

-    user_name=ldap.find_user(user)
+    user_name,user_group_name=ldap.find_user(user)

    if !user_name
        STDERR.puts "User #{user} not found"
@ -76,7 +76,7 @@ begin
    end

    if server_conf[:group]
-        if !ldap.is_in_group?(user_name, server_conf[:group])
+        if !ldap.is_in_group?(user_group_name, server_conf[:group])
            STDERR.puts "User #{user} is not in group #{server_conf[:group]}"
            next
        end
--- a/src/authm_mad/remotes/ldap/ldap_auth.conf
+++ b/src/authm_mad/remotes/ldap/ldap_auth.conf
@ -46,6 +46,9 @@ server 1:
    # field name for group membership, by default it is 'member'
    #:group_field: 'member'

+    # user field that that is in in the group group_field, if not set 'dn' will be used
+    #:user_group_field: 'dn'
+
 # this example server wont be called as it is not in the :order list
 server 2:
    :auth_method: :simple
--- a/src/authm_mad/remotes/ldap/ldap_auth.rb
+++ b/src/authm_mad/remotes/ldap/ldap_auth.rb
@ -29,6 +29,7 @@ class OpenNebula::LdapAuth
            :base => nil,
            :auth_method => :simple,
            :user_field => 'cn',
+            :user_group_field => 'dn',
            :group_field => 'member'
        }.merge(options)

@ -56,18 +57,18 @@ class OpenNebula::LdapAuth
                :filter => "#{@options[:user_field]}=#{name}")

            if result && result.first
-                result.first.dn
+                [result.first.dn, result.first[@options[:user_group_field]]]
            else
                result=@ldap.search(:base => name)

                if result && result.first
-                    name
+                    [name, result.first[@options[:user_group_field]]]
                else
-                    nil
+                    [nil, nil]
                end
            end
        rescue
-            nil
+            [nil, nil]
        end
    end

--- a/src/authm_mad/remotes/ldap/test/ldap_auth_spec.rb
+++ b/src/authm_mad/remotes/ldap/test/ldap_auth_spec.rb
@ -29,17 +29,21 @@ describe LdapAuth do
    end

    it 'should find user dn' do
-        name=@ldap.find_user('user01')
+        name,group_name=@ldap.find_user('user01')
        name.should=='cn=user01,dc=localdomain'
+        group_name.should=='cn=user01,dc=localdomain'

-        name=@ldap.find_user('user02')
+        name,group_name=@ldap.find_user('user02')
        name.should=='cn=user02,dc=localdomain'
+        group_name.should=='cn=user02,dc=localdomain'

-        name=@ldap.find_user('user03')
+        name,group_name=@ldap.find_user('user03')
        name.should==nil
+        group_name.should==nil

        name=@ldap.find_user('cn=user01,dc=localdomain')
        name.should=='cn=user01,dc=localdomain'
+        group_name.should=='cn=user01,dc=localdomain'
    end

    it 'should tell if a user is in a group' do