Move foreman LDAP functionality to ldap_fluff

[dLobatog]

Most logic comes from here: https://github.com/theforeman/foreman/blob/develop/app/models/auth_sources/auth_source_ldap.rb

and theforeman/foreman#529 , which this PR is meant to facilitate.

[pitr-ch]

this will definitely be 0.3 :)

[pitr-ch]

this could be simplified to:

def user_exists?(uid)
  @member_service.find_user(uid)
  true
rescue self.class::MemberService::UIDNotFoundException
  false
end

please look also for other usages.

[pitr-ch]

I like creation of the Generic classes 👍 Thanks.

[pitr-ch]

the gem should not pollute global space!

[dLobatog]

Thanks for the comments 😄, I've fixed them and tested it with ActiveDirectory which gave me a couple of hints:

• I removed ad domains, they are unnecessary and incompatible with old Windows Server versions. Users can include the "@whatever.com" in their logins and it'll work just fine. Keeping it makes ldap_fluff incompatible with Windows Server 2008+ as the logins will just be of the format "CORP\Administrator" (just an example). This way it works for all versions, the old way it only works for Windows 2000/2003, and 2008 in compatibility mode.

I also fixed get_logins to make sure we don't miss any possible login in a group, and fixed your concerns with UnauthenticatedExceptions.

I need the & in get_groups and get_logins, to keep the block both as a lambda and a block and therefore and able to receive arguments (|g|).

[pitr-ch]

I am not sure what you mean.

grouplist.map(&:downcase).collect(&(proc { |g| g.sub(/.*?cn=(.*?),.*/, '\1') } ))
#equals
grouplist.map(&:downcase).collect { |g| g.sub(/.*?cn=(.*?),.*/, '\1') }

[pitr-ch]

Thanks for the updates, exceptions are looking much better now 👍 I noticed one more thing, could you create a common LdapFluff::Error ancestor for all the errors for a developer to be able to catch all LdapFluff errors easily?

[domcleal]

This method is giving me problems I think when testing against OpenLDAP, as it's returning the user's CN rather than their groups.

[dLobatog]

@domcleal It still doesn't recurse to bring the nested users, ideally I think Foreman should try to return all users directly in the specified GID (users_for_gid takes care of that), and after that, it should check for nested user groups, and create a external user group in Foreman for each of these nested groups found in it. Does this make sense to you?

Say we have a group: "foremaners", with a direct member "dcleal", a subgroup "katellers", with a member "bk".

The flow would work like this:

• Add external user group "foremaners" to user group "test" in Foreman
• Refresh external user group
• Refreshing adds "dcleal" to the list of users directly
• Refreshing adds "katellers" to the list of external user groups
• Auto-refresh "katellers", this will add "bk" to the list of users
• Done

[domcleal]

Sounds a little clunky and more work than using the LDAP server's memberOf determination to me, but if that's what you want to do, do it.

[pitr-ch]

This PR resolves #27 (this should auto close 27 when this PR is merged)

[dLobatog]

@pitr-ch @domcleal I've pushed changes needed to recursive search groups for all 3 implementations and the Generic. Summing up:

• ActiveDirectory
  List of members include users, and groups. We check the objectclass of each of the members of the group in question and act accordingly, recursing if its a group, and returning the login if its an user.
• POSIX
  Nested groups have no special attributes in the RFC, so basically anything under the dn of the parent group could be considered a nested group. I query using cn=foremaners,ou=groups,dc=example,dc=com as the base_dn, which would return stuff like cn=katellers,cn=foremaners,ou=groups,dc=example,dc=com, and we can get the logins of all nested groups.
• FreeIPA
  MemberUID returns just the 'uid' or 'gid' of the users and nested groups. Since FreeIPA users 'cn=users' and 'cn=groups' to distinguish between them, I just check that part of the cn and return the userid or recurse searching for users in the nested group.

Tests will follow soon, but I thought it'd be helpful to put this out early if you want to test.
Also, Travis is trying to pick up activesupport 4.1.1 in 1.8.7, that's why the build is failing, any solutions?

[dLobatog]

@pitr-ch I've just updated this with some tests for the nested usergroups and an easy refactor of some methods used in tests. After this PR is merged I think a rewrite of the test suite should follow at some point.

[pitr-ch]

@elobato could you fix travis tests?

[pitr-ch]

Thanks for updating. ACK Ruby wise, I would defer to @domcleal to ack the LDAP part.

[domcleal]

@pitr-ch sorry, I can't, I'm not at all familiar with this project

[pitr-ch]

@elobato based on discussion with @domcleal later on irc, he'll look at the foreman integration and ack.

[domcleal]

I've tested it successfully with OpenLDAP, I'm happy. Please feel free to merge & release 0.3.0. 👍

[dLobatog]

I have to say @vintagepenguin 's comment on #28 worries me a bit, although I could not reproduce it.

[pitr-ch]

@elobato what are the possible objects returned by #authenticate?? I tried to find it but I was unsuccessful.

[dLobatog]

@pitr-ch

true if authentication was successful
false if username/password werent provided
an OpenStruct with the information about the error (invalid credentials, unreachable host, etc..) if authentication was unsuccessful

[dLobatog]

@domcleal @pitr-ch .authenticate? now returns true or false always. For more information about the authentication the user can query get_operation_result as it's done here dLobatog/foreman@2f63b5b#diff-3658b1e0f80d953e1d2be7093a1a9e30R52

[pitr-ch]

@elobato thanks true or false is much better 👍