Synchronize using memberOf filter

pull/6827/head
Oliver Günther 7 years ago
parent a50029f639
commit 0f3dce7415
No known key found for this signature in database
GPG Key ID: 88872239EB414F99
  1. 17
      lib/open_project/ldap_groups/synchronization.rb
  2. 2
      lib/tasks/ldap_groups.rake
  3. 2
      spec/controllers/synchronized_groups_controller_spec.rb
  4. 4
      spec/features/administration_spec.rb
  5. 112
      spec/fixtures/users.ldif
  6. 2
      spec/lib/synchronization_spec.rb
  7. 15
      spec/spec_helper.rb

@ -50,14 +50,19 @@ module OpenProject::LdapGroups
##
# Get the current members from the ldap group
def get_members(ldap_con, group)
group_filter = Net::LDAP::Filter.eq(::OpenProject::LdapGroups.group_key, group.escaped_entry)
object_filter = Net::LDAP::Filter.eq('objectClass', '*')
# Get user login attribute and base dn which are private
attr_login = ldap.send :attr_login
base_dn = ldap.send :base_dn
# memberOf filter to identifiy member entries of the group
memberof_filter = Net::LDAP::Filter.eq('memberOf', group.dn)
logins = []
ldap_con.search(base: ::OpenProject::LdapGroups.group_base,
filter: object_filter & group_filter,
attributes: [:member]) do |entry|
logins = entry[:member].map { |dn| dn.match(/\A\w+\=([^,]+)/)[1] }
ldap_con.search(base: base_dn,
filter: memberof_filter,
attributes: [attr_login]) do |entry|
logins << ::LdapAuthSource.get_attr(entry, attr_login)
end
logins
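Review bot: The memberOf lookup builds its filter from the raw DN, `memberof_filter = Net::LDAP::Filter.eq('memberOf', group.dn)`, while the group-key filter a few lines above passes `group.escaped_entry` — which suggests the filter values are expected to be pre-escaped, and indeed in a net-ldap equality filter a `*` turns the assertion into a substring match and `(`, `)` and `\` are metacharacters. A DN holding such characters (escaped RDN values like `cn=Foo\, Bar` are legitimate) would therefore match the wrong entries or fail to serialise, so build it as `memberof_filter = Net::LDAP::Filter.eq('memberOf', Net::LDAP::Filter.escape(group.dn))`, consistent with the first branch. Where `group.dn` originates is not visible in the hunk; if it is admin-entered configuration the exposure is limited, but both filters should be escaped the same way regardless. Separately, `dn.match(/\A\w+\=([^,]+)/)[1]` raises NoMethodError on any member DN that does not fit that shape and takes the RDN value as the login even when the RDN attribute is not the configured login attribute, so a nil-guard and a comment stating that assumption would help. `get_members` closes outside the hunk.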

@ -32,6 +32,7 @@ namespace :ldap_groups do
'Will only synchronize for those users already present in the application.'
task synchronize: :environment do
return unless EnterpriseToken.allows_to?(:ldap_groups)
begin
LdapAuthSource.find_each do |ldap|
puts ("-" * 20)
@ -66,6 +67,7 @@ namespace :ldap_groups do
First name: givenName
Last name: sn
Email: mail
memberOf: (Hard-coded, not virtual)
--------------------------------------------------------
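Review bot: `return unless EnterpriseToken.allows_to?(:ldap_groups)` in the first hunk sits inside the `task synchronize: :environment do … end` block, and a bare `return` there is a return from a proc rather than from a method — a well-known source of `LocalJumpError: unexpected return` when the task is executed, although the precise behaviour varies by Ruby version. The idiomatic early exit from a Rake task block is `next unless EnterpriseToken.allows_to?(:ldap_groups)`, which leaves the block before the `LdapAuthSource.find_each` loop. Because the guard exits silently, consider telling the operator why nothing happened, e.g. `puts 'ldap_groups:synchronize requires an Enterprise token with ldap_groups enabled'` before the `next`. The task block continues outside the hunk.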

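--- a/spec/controllers/synchronized_groups_controller_spec.rb
+++ b/spec/controllers/synchronized_groups_controller_spec.rb
@@ -1,6 +1,6 @@
 require_relative '../spec_helper'
-describe ::LdapGroups::SynchronizedGroupsController, with_groups_ee: true, type: :controller do
+describe ::LdapGroups::SynchronizedGroupsController, with_ee: %i[ldap_groups], type: :controller do
 let(:user) { FactoryGirl.create :user }
 let(:admin) { FactoryGirl.create :admin }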

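--- a/spec/features/administration_spec.rb
+++ b/spec/features/administration_spec.rb
@@ -8,13 +8,13 @@ describe 'LDAP group sync administration spec', type: :feature, js: true do
 visit ldap_groups_synchronized_groups_path
 end
-context 'without EE', with_group_ee: false do
+context 'without EE' do
 it 'shows upsale' do
 expect(page).to have_selector('.upsale-notification')
 end
 end
-context 'with EE', with_group_ee: true do
+context 'with EE', with_ee: %i[ldap_groups] do
 let!(:group) { FactoryGirl.create :group, lastname: 'foo' }
 let!(:auth_source) { FactoryGirl.create :ldap_auth_source, name: 'ldap' }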

@ -10,6 +10,57 @@ objectClass: organizationalUnit
objectClass: top
ou: people
#########################################################
# MICROSOFT SCHEMA for sAMAccountName and memberOf
# these two attributes are not defined in Apache Directory Server
#########################################################
dn: cn=microsoft, ou=schema
objectclass: metaSchema
objectclass: top
cn: microsoft
dn: ou=attributetypes, cn=microsoft, ou=schema
objectclass: organizationalUnit
objectclass: top
ou: attributetypes
dn: m-oid=1.2.840.113556.1.4.221, ou=attributetypes, cn=microsoft, ou=schema
objectclass: metaAttributeType
objectclass: metaTop
objectclass: top
m-oid: 1.2.840.113556.1.4.221
m-name: sAMAccountName
m-equality: caseIgnoreMatch
m-syntax: 1.3.6.1.4.1.1466.115.121.1.15
m-singleValue: TRUE
dn: m-oid=1.2.840.113556.1.4.222, ou=attributetypes, cn=microsoft, ou=schema
objectclass: metaAttributeType
objectclass: metaTop
objectclass: top
m-oid: 1.2.840.113556.1.4.222
m-name: memberOf
m-equality: caseIgnoreMatch
m-syntax: 1.3.6.1.4.1.1466.115.121.1.15
m-singleValue: FALSE
dn: ou=objectclasses, cn=microsoft, ou=schema
objectclass: organizationalUnit
objectclass: top
ou: objectClasses
dn: m-oid=1.2.840.113556.1.5.6, ou=objectclasses, cn=microsoft, ou=schema
objectclass: metaObjectClass
objectclass: metaTop
objectclass: top
m-oid: 1.2.840.113556.1.5.6
m-name: simulatedMicrosoftSecurityPrincipal
m-supObjectClass: top
m-typeObjectClass: AUXILIARY
m-must: sAMAccountName
m-may: memberOf
dn: cn=foo,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
@ -24,8 +75,26 @@ member: uid=aa729,ou=people,dc=example,dc=com
member: uid=bb459,ou=people,dc=example,dc=com
member: uid=cc414,ou=people,dc=example,dc=com
dn: uid=aa729,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: simulatedMicrosoftSecurityPrincipal
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Alexandra Adams
sn: Adams
givenName: Alexandra
mail: alexandra@example.org
uid: aa729
samAccountName: aa729
memberOf: cn=bar,ou=groups,dc=example,dc=com
memberOf: cn=foo,ou=groups,dc=example,dc=com
# Password is "smada"
userpassword:: e1NIQX1wR2xtWlgxVk9FZEhIYjMwSFplemVWTkZ4R009
dn: uid=bb459,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: simulatedMicrosoftSecurityPrincipal
objectClass: organizationalPerson
objectClass: person
objectClass: top
@ -34,23 +103,14 @@ sn: Baldwin
givenName: Belle
mail: belle@example.org
uid: bb459
samAccountName: bb459
memberOf: cn=bar,ou=groups,dc=example,dc=com
# Password is "niwdlab"
userpassword:: e1NIQX1MUmlmMk4rNVREU2FPL3Jka0gySEhGOGZGNzQ9
dn: uid=dd945,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Dorothy Dawson
sn: Dawson
givenName: Dorothy
mail: dorothy@example.org
uid: dd945
userpassword:: e1NIQX1EMFVsY1RmYkNkZEZMd2loMDRpZzRERWlsQWM9
dn: uid=cc414,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: simulatedMicrosoftSecurityPrincipal
objectClass: organizationalPerson
objectClass: person
objectClass: top
@ -59,8 +119,23 @@ sn: Carpenter
givenName: Claire
mail: claire@example.org
uid: cc414
samAccountName: cc414
memberOf: cn=bar,ou=groups,dc=example,dc=com
userpassword:: e1NIQX1VTC9pUysyUjdHaHdiaFhPV29USGQ0L3FvTUE9
dn: uid=dd945,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Dorothy Dawson
sn: Dawson
givenName: Dorothy
mail: dorothy@example.org
uid: dd945
userpassword:: e1NIQX1EMFVsY1RmYkNkZEZMd2loMDRpZzRERWlsQWM9
dn: uid=xx396,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
@ -73,16 +148,3 @@ mail: xara@example.org
uid: xx396
userpassword:: e1NIQX1ZYzJFbjJSL3NiZGpsRU9pdGtMbGt3WTRqQVk9
dn: uid=aa729,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Alexandra Adams
sn: Adams
givenName: Alexandra
mail: alexandra@example.org
uid: aa729
# Password is "smada"
userpassword:: e1NIQX1wR2xtWlgxVk9FZEhIYjMwSFplemVWTkZ4R009
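Review bot: The fixture leaves `uid=bb459` and `uid=cc414` with only `memberOf: cn=bar,ou=groups,dc=example,dc=com` although both are still listed as `member:` of `cn=foo`, so the `member` view and the `memberOf` view of group foo disagree and only `uid=aa729` carries both. That is presumably deliberate — it lets the sync spec exercise the union of the two lookup paths — but nothing in the file says so, and a later "cleanup" that makes the two attributes consistent would silently weaken the test. A comment above the schema block would pin the intent, e.g. `# memberOf is hard-coded here (ApacheDS has no memberof overlay) and is intentionally NOT kept in sync with the groups' member attributes, so that both lookup paths are exercised.`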

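--- a/spec/lib/synchronization_spec.rb
+++ b/spec/lib/synchronization_spec.rb
@@ -1,7 +1,7 @@
 require File.dirname(__FILE__) + '/../spec_helper'
 require 'ladle'
-describe OpenProject::LdapGroups::Synchronization, with_groups_ee: true do
+describe OpenProject::LdapGroups::Synchronization, with_ee: %i[ldap_groups] do
 let(:plugin_settings) do
 { group_base: 'ou=groups,dc=example,dc=com', group_key: 'cn' }
 end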

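--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,17 +1,2 @@
 # -- load spec_helper from OpenProject core
 require "spec_helper"
-RSpec.configure do |config|
-config.before(:each) do |example|
-next unless example.metadata[:with_group_ee]
-allow(EnterpriseToken)
-.to receive(:allows_to?)
-.and_call_original
-allow(EnterpriseToken)
-.to receive(:allows_to?)
-.with(:ldap_groups)
-.and_return true
-end
-end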