forked from trustedsec/SHIPS
-
Notifications
You must be signed in to change notification settings - Fork 0
/
identldap.rb
79 lines (73 loc) · 2.83 KB
/
identldap.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
require 'usa'
require 'net/ldap'
require_relative '../lib/ldaphelpers'
require_relative 'directoryldap'
class IdentLDAP < WEBrick::USA::User::Identity
include LDAP_Helpers
self.directory = DirectoryLDAP
def initialize(optional={})
super optional
@ldap = Net::LDAP.new
@ldap.host = @optional[:identLDAP_host]
@ldap.port = @optional[:identLDAP_port].to_i
@ldap.encryption @optional[:identLDAP_encryption].to_sym if optional[:identLDAP_encryption]
@ldap.base = @optional[:identLDAP_user_base]
@ldap.auth @optional[:identLDAP_username], @optional[:identLDAP_password]
end
def login(form_data)
return false unless name_valid? form_data['username']
return false if form_data['password'].to_s.empty?
filter = Net::LDAP::Filter.eq(@optional[:identLDAP_name_attribute], form_data['username'])
if @optional[:identLDAP_group_required]
filter2 = Net::LDAP::Filter.eq(@optional[:identLDAP_group_attribute], @optional[:identLDAP_group_required])
filter = Net::LDAP::Filter.join(filter, filter2)
end
scope = Net::LDAP::SearchScope_WholeSubtree
attributes = [@optional[:identLDAP_name_attribute], @optional[:identLDAP_token_attribute]]
if rs = @ldap.bind_as({:filter => filter,
:scope => scope,
:password => form_data['password'],
:attributes => attributes})
r = rs.first #first item in the record set, bind_as returns an array.
if @optional[:identLDAP_token_attribute] == 'objectSid' #special treatment for AD
@usertoken = get_sid_string(r[@optional[:identLDAP_token_attribute]].first)
else
@usertoken = r[@optional[:identLDAP_token_attribute]].first.to_s
end
@username = r[@optional[:identLDAP_name_attribute]].first.to_s
else
return false
end
self
rescue StandardError => ex
@usertoken = nil
@username = nil
false
end
def self.form_inner_html
<<WWWFORM
<table><tbody>
<tr>
<td>User Name:</td>
<td><input class="PlainTextIn" maxlength=50 name="username" type="text"></td>
</tr>
<tr>
<td>Password:</td>
<td><input class="PasswordIn" maxlength=255 name="password" type="password" autocomplete="off"></td>
</tr>
</tbody></table>
WWWFORM
end
private
def name_valid?(v)
# This is a reasonable thing to do for AD it might not be technically true for other LDAP environments
# still seems like a reasonable limitation on user names.
return false unless v
return false unless v.length > 0
return false unless v.length < 21 #20 chars is max user name length on winders
char_cnt = 0
['/', '[', ']', "\"", ':', ';', '|', '<', '>', '+', '=', ',', '?', '*', ' ', '_', '&', "\0"].each { |c| char_cnt += v.count(c) }
return false if char_cnt > 0
true
end
end