From 8efa68ad919894a3b1c2769035729f38817edad1 Mon Sep 17 00:00:00 2001
From: Javi Fontan
Date: Wed, 9 May 2012 19:05:12 +0200
Subject: [PATCH] feature #1100: add support for multiple ldap servers
---
 src/authm_mad/remotes/ldap/authenticate | 64 +++++++++++++++++------
 src/authm_mad/remotes/ldap/ldap_auth.conf | 49 ++++++++++++-----
 2 files changed, 84 insertions(+), 29 deletions(-)
diff --git a/src/authm_mad/remotes/ldap/authenticate b/src/authm_mad/remotes/ldap/authenticate
index 01291ca302..4ca1a6f5e8 100755
--- a/src/authm_mad/remotes/ldap/authenticate
+++ b/src/authm_mad/remotes/ldap/authenticate
@@ -1,4 +1,4 @@
-#!/usr/bin/ruby
+#!/usr/bin/env ruby
 # ---------------------------------------------------------------------------- #
 # Copyright 2010-2012, C12G Labs S.L # 
@@ -37,27 +37,61 @@ secret=ARGV[2] options=YAML.load(File.read(ETC_LOCATION+'/auth/ldap_auth.conf')) -ldap=LdapAuth.new(options) +order=options[:order] -user_name=ldap.find_user(user) - -if !user_name - STDERR.puts "User #{user} not found" +if !order + STDERR.puts ":order value not found, the configuration file could be malformed" + order=options.keys +elsif order.class != Array + STDERR.puts ":order value malformed, must be an Array" exit(-1) end -if options[:group] - if !ldap.is_in_group?(user_name, options[:group]) - STDERR.puts "User #{user} is not in group #{options[:group]}" - exit(-1) +authenticated=false + +order.each do |server_name| + STDERR.puts "Trying server #{server_name}" + + server_conf=options[server_name] + if !server_conf + STDERR.puts "Configuration for server not found" + break end + +begin + ldap=LdapAuth.new(server_conf) + + user_name=ldap.find_user(user) + + if !user_name + STDERR.puts "User #{user} not found" + next + end + + if server_conf[:group] + if !ldap.is_in_group?(user_name, server_conf[:group]) + STDERR.puts "User #{user} is not in group #{server_conf[:group]}" + next + end + end + + if ldap.authenticate(user_name, secret) + puts "ldap #{user} #{user_name}" + authenticated=true + break + else + STDERR.puts "Bad user/password" + end + +rescue Exception => e + STDERR.puts "Exception raised authenticating to LDAP" + STDERR.puts e.inspect + STDERR.puts e.backtrace.join("\n") +end # rescue end -if ldap.authenticate(user_name, secret) - puts "ldap #{user} #{user_name}" - exit(0) -else - STDERR.puts "Bad user/password" +if !authenticated + STDERR.puts "Could not authenticate user #{user}" exit(-1) end diff --git a/src/authm_mad/remotes/ldap/ldap_auth.conf b/src/authm_mad/remotes/ldap/ldap_auth.conf index e7d7e8c9ce..af016f554e 100644 --- a/src/authm_mad/remotes/ldap/ldap_auth.conf +++ b/src/authm_mad/remotes/ldap/ldap_auth.conf 
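Review bot: The `rescue Exception => e` closing the per-server `begin` block also catches SystemExit, Interrupt and NoMemoryError, so a signal or an `exit` raised while talking to one server is logged as an "Exception raised authenticating to LDAP" and the loop silently moves on to the next server; `rescue StandardError => e` keeps the failover for LDAP and network errors only. The loop also hands `secret` straight from `ARGV[2]` to `ldap.authenticate`, and if that method performs a simple bind, directories commonly treat an empty password as an unauthenticated bind that succeeds, so a guard before the loop such as `exit(-1) if secret.nil? || secret.empty?` is worth adding unless LdapAuth already rejects it (its code is not part of this patch). A name listed in `:order` without a matching section hits `break` rather than `next`, so a single typo stops every later server from being tried; if failing closed is the intent, a short comment there saying so would avoid a future "fix" to `next`. Finally, the `begin` line is written at the outer indentation of the `each` block, which makes the `begin`/`rescue`/`end # rescue` trio easy to misread as closing the block itself.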
@@ -14,22 +14,43 @@ # limitations under the License. # # ---------------------------------------------------------------------------- # -# Ldap user able to query, if not set connects as anonymous -#:user: 'admin' -#:password: 'password' +server 1: + # Ldap user able to query, if not set connects as anonymous. For + # Active Directory append the domain name. Example: + # Administrator@my.domain.com + #:user: 'admin' + #:password: 'password' -# Ldap authentication method -:auth_method: :simple + # Ldap authentication method + :auth_method: :simple -# Ldap server -:host: localhost -:port: 389 + # Ldap server + :host: localhost + :port: 389 -# base hierarchy where to search for users and groups -:base: 'dc=domain' + # base hierarchy where to search for users and groups + :base: 'dc=domain' -# group the users need to belong to. If not set any user will do -:group: 'cn=cloud,ou=groups,dc=domain' + # group the users need to belong to. If not set any user will do + #:group: 'cn=cloud,ou=groups,dc=domain' -# field that holds the user name, if not set 'cn' will be used -:user_field: 'cn' + # field that holds the user name, if not set 'cn' will be used + :user_field: 'cn' + + # for Active Directory use this user_field instead + #:user_field: 'sAMAccountName' + +# this example server wont be called as it is not in the :order list +server 2: + :auth_method: :simple + :host: localhost + :port: 389 + :base: 'dc=domain' + #:group: 'cn=cloud,ou=groups,dc=domain' + :user_field: 'cn' + + +# List the order the servers are queried +:order: + - server 1 + #- server 2
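Review bot: The comment above `:order:` says it lists the order the servers are queried but does not say what happens when the key is absent; the authenticate script in this patch then falls back to every top-level key of the file, so the "this example server wont be called as it is not in the :order list" comment stops being true as soon as `:order` is removed. Suggest extending it to `# List the order the servers are queried. If :order is missing, every section in this file is tried.` and fixing "wont" to "won't". It would also help to note beside the `#:user:` / `#:password:` example that these are bind credentials kept in clear text, so the file should stay readable only by the account that runs the driver.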