Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for ldapwhoami (RFC4532) (now with tests) #425

Merged
merged 6 commits into from
Nov 24, 2024
Merged
Show file tree
Hide file tree
Changes from 5 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 19 additions & 1 deletion lib/net/ldap.rb
Original file line number Diff line number Diff line change
Expand Up @@ -325,7 +325,7 @@ class Net::LDAP

universal = {
constructed: {
107 => :array, #ExtendedResponse (PasswdModifyResponseValue)
107 => :string, # ExtendedResponse
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why change this?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without this change in place, the reply would cause an exception to be raised when it was being parsed.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess this is fine if it doesn't break other queries

},
}

Expand All @@ -341,6 +341,7 @@ class Net::LDAP

StartTlsOid = '1.3.6.1.4.1.1466.20037'
PasswdModifyOid = '1.3.6.1.4.1.4203.1.11.1'
WhoamiOid = '1.3.6.1.4.1.4203.1.11.3'

# https://tools.ietf.org/html/rfc4511#section-4.1.9
# https://tools.ietf.org/html/rfc4511#appendix-A
Expand Down Expand Up @@ -1200,6 +1201,23 @@ def delete_tree(args)
end
end

# Return the authorization identity of the client that issues the
# ldapwhoami request. The method does not support any arguments.
#
# Returns True or False to indicate whether the request was successfull.
# The result is available in the extended status information when calling
# #get_operation_result.
#
# ldap.ldapwhoami
# puts ldap.get_operation_result.extended_response
def ldapwhoami(args = {})
instrument "ldapwhoami.net_ldap", args do |payload|
@result = use_connection(args, &:ldapwhoami)
@result.success? ? @result.extended_response : nil
end
end
alias_method :whoami, :ldapwhoami

# This method is experimental and subject to change. Return the rootDSE
# record from the LDAP server as a Net::LDAP::Entry, or an empty Entry if
# the server doesn't return the record.
Expand Down
16 changes: 16 additions & 0 deletions lib/net/ldap/connection.rb
Original file line number Diff line number Diff line change
Expand Up @@ -703,6 +703,22 @@ def delete(args)
pdu
end

def ldapwhoami
ext_seq = [Net::LDAP::WhoamiOid.to_ber_contextspecific(0)]
request = ext_seq.to_ber_appsequence(Net::LDAP::PDU::ExtendedRequest)

message_id = next_msgid

write(request, nil, message_id)
pdu = queued_read(message_id)

if !pdu || pdu.app_tag != Net::LDAP::PDU::ExtendedResponse
raise Net::LDAP::ResponseMissingOrInvalidError, "response missing or invalid"
end

pdu
end

# Internal: Returns a Socket like object used internally to communicate with
# LDAP server.
#
Expand Down
4 changes: 2 additions & 2 deletions lib/net/ldap/pdu.rb
Original file line number Diff line number Diff line change
Expand Up @@ -194,13 +194,13 @@ def parse_ldap_result(sequence)
# requestValue [1] OCTET STRING OPTIONAL }

def parse_extended_response(sequence)
sequence.length >= 3 or raise Net::LDAP::PDU::Error, "Invalid LDAP result length."
sequence.length.between?(3, 5) or raise Net::LDAP::PDU::Error, "Invalid LDAP result length."
@ldap_result = {
:resultCode => sequence[0],
:matchedDN => sequence[1],
:errorMessage => sequence[2],
}
@extended_response = sequence[3]
@extended_response = sequence.last
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the idea here?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is an optional field that's included when the target is Active Directory that shifts the index. This accounts for both cases by accessing it as the last member.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, as long as it works with other LDAP directories

end
private :parse_extended_response

Expand Down
11 changes: 11 additions & 0 deletions test/test_ldap_connection.rb
Original file line number Diff line number Diff line change
Expand Up @@ -574,4 +574,15 @@ def test_search_with_controls
# ensure no unread
assert unread.empty?, "should not have any leftover unread messages"
end

def test_ldapwhoami
ber = Net::BER::BerIdentifiedArray.new([Net::LDAP::ResultCodeSuccess, '', '', 0, 'dn:uid=zerosteiner,ou=users,dc=example,dc=org'])
ber.ber_identifier = Net::LDAP::PDU::ExtendedResponse
response = [1, ber]

@tcp_socket.should_receive(:read_ber).and_return(response)

result = @connection.ldapwhoami
assert result.extended_response == 'dn:uid=zerosteiner,ou=users,dc=example,dc=org'
end
end
Loading