Class: JSS::LDAPServer

Inherits:

APIObject

• Object
• APIObject
• JSS::LDAPServer

Defined in:

lib/jss/api_object/ldap_server.rb,
lib/jss.rb

Overview

An LDAP server in the JSS.

This class doesn't curretly provide creation or updaing of LDAP server definitions in the JSS. Please use the JSS web UI.

However, it does provide methods for querying users and usergroups from LDAP servers, and checking group membership.

The class methods LDAPServer.user_in_ldap? and LDAPServer.group_in_ldap? can be used to check all defined LDAP servers for a user or group. They are used by Scopable::Scope when adding user and groups to scope limitations and exceptions.

Within an LDAPServer instance, the methods #find_user and #find_group will return all matches in the server for a given search term.

See Also:

• APIObject

Constant Summary

RSRC_BASE =

The base for REST resources of this class

'ldapservers'.freeze

RSRC_LIST_KEY =

the hash key used for the JSON list output of all objects in the JSS

:ldap_servers

RSRC_OBJECT_KEY =

The hash key used for the JSON object output. It's also used in various error messages

:ldap_server

DEFAULT_PORT =

the default LDAP port

389

SEARCH_SCOPES =

possible values for search scope

['All Subtrees', 'First Level Only'].freeze

AUTH_TYPES =

possible authentication types

{ 'none' => :anonymous, 'simple' => :simple, 'CRAM-MD5' => :cram_md5, 'DIGEST-MD5' => :digest_md5 }.freeze

REFERRAL_RESPONSES =

possible referral responses

['', nil, 'follow', 'ignore'].freeze

OBJECT_CLASS_MAPPING_OPTIONS =

possible objectclass mapping options

%w[any all].freeze

OBJECT_HISTORY_OBJECT_TYPE =

the object type for this object in the object history table. See APIObject#add_object_history_entry

80

Instance Attribute Summary

• #authentication_type ⇒ String readonly

  What authentication method should be used?.

• #hostanme ⇒ String readonly

  The hostname of the server.

• #lookup_dn ⇒ String readonly

  The Distinguished Name of the account used for connections/lookups?.

• #lookup_pw_sha256 ⇒ String readonly

  The password for the connection/lookup account, as a SHA256 digest.

• #open_close_timeout ⇒ Integer readonly

  Timeout, in seconds, for opening LDAP connections.

• #port ⇒ Integer readonly

  The port for ldap.

• #referral_response ⇒ String readonly

  The referral response from the server.

• #search_timeout ⇒ Integer readonly

  Timeout, in seconds, for search queries.

• #use_ssl ⇒ Boolean readonly

  Should the connection use ssl?.

• #use_wildcards ⇒ Boolean readonly

  Should searches use wildcards?.

• #user_group_mappings ⇒ Hash<Symbol=>String> readonly

  The LDAP attributes mapped to various user group data.

• #user_group_membership_mappings ⇒ Hash<Symbol=>String> readonly

  The LDAP attributes used to identify a user as a member of a group.

• #user_mappings ⇒ Hash<Symbol=>String> readonly

  The LDAP attributes mapped to various user data.

Class Method Summary

• .check_membership(ldap_server, user, group, api: JSS.api) ⇒ Boolean

  On a given server, does a given group contain a given user?.

• .group_in_ldap?(group, api: JSS.api) ⇒ Boolean

  For Backward Compatibility,.

• .server_for_group(group, api: JSS.api) ⇒ Integer^?

  Does a group exist in any ldap server?.

• .server_for_user(user, api: JSS.api) ⇒ Integer^?

  The id of the first LDAP server with the user, nil if not found.

• .user_in_ldap?(user, api: JSS.api) ⇒ Boolean

  For Backward Compatibility,.

Instance Method Summary

• #check_membership(user, group) ⇒ Boolean^?

  Is the user a member? Nil if unable to check.

• #find_group(group, exact = false) ⇒ Array<Hash>

  The groupname and uid for all groups matching the query.

• #find_user(user, exact = false) ⇒ Array<Hash>

  Search for a user in this ldap server.

• #initialize(args = {}) ⇒ LDAPServer constructor

  See JSS::APIObject#initialize.

Constructor Details

#initialize(args = {}) ⇒ LDAPServer

See JSS::APIObject#initialize

# File 'lib/jss/api_object/ldap_server.rb', line 269

def initialize(args = {})
  super

  @hostname = @init_data[:connection][:hostname]
  @port = @init_data[:connection][:port]
  @use_ssl = @init_data[:connection][:use_ssl]
  @authentication_type = AUTH_TYPES[@init_data[:connection][:authentication_type]]
  @open_close_timeout = @init_data[:connection][:open_close_timeout]
  @search_timeout = @init_data[:connection][:search_timeout]
  @referral_response = @init_data[:connection][:referral_response]
  @use_wildcards = @init_data[:connection][:use_wildcards]

  @lookup_dn = @init_data[:connection][:account][:distinguished_username]
  @lookup_pw_sha256 = @init_data[:connection][:account][:password_sha256]

  @user_mappings = @init_data[:mappings_for_users][:user_mappings]
  @user_group_mappings = @init_data[:mappings_for_users][:user_group_mappings]
  @user_group_membership_mappings = @init_data[:mappings_for_users][:user_group_membership_mappings]

  @connection = nil
  @connected = false
end

Instance Attribute Details

#authentication_type ⇒ String (readonly)

Returns what authentication method should be used?.

Returns:

• (String) —

  what authentication method should be used?

# File 'lib/jss/api_object/ldap_server.rb', line 184

def authentication_type
  @authentication_type
end

#hostanme ⇒ String (readonly)

Returns the hostname of the server.

Returns:

• (String) —

  the hostname of the server

# File 'lib/jss/api_object/ldap_server.rb', line 175

def hostanme
  @hostanme
end

#lookup_dn ⇒ String (readonly)

Returns the Distinguished Name of the account used for connections/lookups?.

Returns:

• (String) —

  the Distinguished Name of the account used for connections/lookups?

# File 'lib/jss/api_object/ldap_server.rb', line 187

def lookup_dn
  @lookup_dn
end

#lookup_pw_sha256 ⇒ String (readonly)

Returns the password for the connection/lookup account, as a SHA256 digest.

Returns:

• (String) —

  the password for the connection/lookup account, as a SHA256 digest.

# File 'lib/jss/api_object/ldap_server.rb', line 190

def lookup_pw_sha256
  @lookup_pw_sha256
end

#open_close_timeout ⇒ Integer (readonly)

Returns timeout, in seconds, for opening LDAP connections.

Returns:

• (Integer) —

  timeout, in seconds, for opening LDAP connections

# File 'lib/jss/api_object/ldap_server.rb', line 193

def open_close_timeout
  @open_close_timeout
end

#port ⇒ Integer (readonly)

Returns the port for ldap.

Returns:

• (Integer) —

  the port for ldap

# File 'lib/jss/api_object/ldap_server.rb', line 178

def port
  @port
end

#referral_response ⇒ String (readonly)

Returns the referral response from the server.

Returns:

• (String) —

  the referral response from the server

# File 'lib/jss/api_object/ldap_server.rb', line 199

def referral_response
  @referral_response
end

#search_timeout ⇒ Integer (readonly)

Returns timeout, in seconds, for search queries.

Returns:

• (Integer) —

  timeout, in seconds, for search queries

# File 'lib/jss/api_object/ldap_server.rb', line 196

def search_timeout
  @search_timeout
end

#use_ssl ⇒ Boolean (readonly)

Returns should the connection use ssl?.

Returns:

• (Boolean) —

  should the connection use ssl?

# File 'lib/jss/api_object/ldap_server.rb', line 181

def use_ssl
  @use_ssl
end

#use_wildcards ⇒ Boolean (readonly)

Returns should searches use wildcards?.

Returns:

• (Boolean) —

  should searches use wildcards?

# File 'lib/jss/api_object/ldap_server.rb', line 202

def use_wildcards
  @use_wildcards
end

#user_group_mappings ⇒ Hash<Symbol=>String> (readonly)

The LDAP attributes mapped to various user group data

The hash keys are:

• :search_base =>

• :search_scope =>

• :object_classes =>

• :map_object_class_to_any_or_all =>

• :map_group_id =>

• :map_group_name =>

• :map_group_uuid =>

Returns:

• (Hash<Symbol=>String>)

# File 'lib/jss/api_object/ldap_server.rb', line 240

def user_group_mappings
  @user_group_mappings
end

#user_group_membership_mappings ⇒ Hash<Symbol=>String> (readonly)

The LDAP attributes used to identify a user as a member of a group

The hash keys are:

• :user_group_membership_stored_in =>

• :map_user_membership_use_dn =>

• :map_group_membership_to_user_field =>

• :group_id =>

• :map_object_class_to_any_or_all =>

• :append_to_username =>

• :username =>

• :object_classes =>

• :use_dn =>

• :search_base =>

• :recursive_lookups =>

• :search_scope =>

• :map_user_membership_to_group_field =>

Returns:

• (Hash<Symbol=>String>)

# File 'lib/jss/api_object/ldap_server.rb', line 261

def user_group_membership_mappings
  @user_group_membership_mappings
end

#user_mappings ⇒ Hash<Symbol=>String> (readonly)

The LDAP attributes mapped to various user data

The hash keys are:

• :search_base =>

• :search_scope =>

• :object_classes =>

• :map_object_class_to_any_or_all =>

• :map_username =>

• :map_user_id =>

• :map_department =>

• :map_building =>

• :map_room =>

• :map_realname =>

• :map_phone =>

• :map_email_address =>

• :map_position =>

• :map_user_uuid =>

• :append_to_email_results =>

Returns:

• (Hash<Symbol=>String>)

# File 'lib/jss/api_object/ldap_server.rb', line 225

def user_mappings
  @user_mappings
end

Class Method Details

.check_membership(ldap_server, user, group, api: JSS.api) ⇒ Boolean

On a given server, does a given group contain a given user?

This class method allows the check to happen without instanting the LDAPServer.

Parameters:

• server (String, Integer) —

  The name or id of the LDAP server to use

• user (String) —

  the username to check for memebership in the group

• group (String) —

  the group name to see if the user is a member

• api (JSS::APIConnection) (defaults to: JSS.api) —

  the API connection to use for the search

Returns:

• (Boolean) —

  is the user a member of the group?

Raises:

• (JSS::NoSuchItemError)

# File 'lib/jss/api_object/ldap_server.rb', line 159

def self.check_membership(ldap_server, user, group, api: JSS.api)
  ldap_server_id = valid_id ldap_server
  raise JSS::NoSuchItemError, "No LDAPServer matching #{ldap_server}" unless ldap_server_id
  rsrc = "#{RSRC_BASE}/id/#{ldap_server_id}/group/#{CGI.escape group.to_s}/user/#{CGI.escape user.to_s}"
  member_check = api.get_rsrc rsrc
  return false if member_check[:ldap_users].empty?
  true
end

.group_in_ldap?(group, api: JSS.api) ⇒ Boolean

For Backward Compatibility,

Parameters:

• user (String) —

  a group name to search for in all LDAP servers

• api (JSS::APIConnection) (defaults to: JSS.api) —

  the API connection to use for the search

Returns:

• (Boolean) —

  Does the group exist in any LDAP server?

# File 'lib/jss/api_object/ldap_server.rb', line 140

def self.group_in_ldap?(group, api: JSS.api)
  server_for_group(group, api: api) ? true : false
end

.server_for_group(group, api: JSS.api) ⇒ Integer^?

Does a group exist in any ldap server?

Parameters:

• group (String) —

  a group to search for in all LDAP servers

• api (JSS::APIConnection) (defaults to: JSS.api) —

  the API connection to use for the search

Returns:

• (Integer, nil) —

  the id of the first LDAP server with the group, nil if not found

# File 'lib/jss/api_object/ldap_server.rb', line 124

def self.server_for_group(group, api: JSS.api)
  all_objects(:refresh, api: api).each do |ldap|
    next if ldap.find_group(group, :exact).empty?
    return ldap.id
  end
  nil
end

.server_for_user(user, api: JSS.api) ⇒ Integer^?

Returns the id of the first LDAP server with the user, nil if not found.

Returns:

• (Integer, nil) —

  the id of the first LDAP server with the user, nil if not found

# File 'lib/jss/api_object/ldap_server.rb', line 95

def self.server_for_user(user, api: JSS.api)
  all_objects(:refresh, api: api).each do |ldap|
    next if ldap.find_user(user, :exact).empty?
    return ldap.id
  end
  nil
end

.user_in_ldap?(user, api: JSS.api) ⇒ Boolean

For Backward Compatibility,

Parameters:

• user (String) —

  a username to search for in all LDAP servers

• api (JSS::APIConnection) (defaults to: JSS.api) —

  the API connection to use for the search

Returns:

• (Boolean) —

  Does the user exist in any LDAP server?

# File 'lib/jss/api_object/ldap_server.rb', line 111

def self.user_in_ldap?(user, api: JSS.api)
  server_for_user(user, api: api) ? true : false
end

Instance Method Details

#check_membership(user, group) ⇒ Boolean^?

Returns is the user a member? Nil if unable to check.

Parameters:

• user (String) —

  the username to check for memebership in the group

• group (String) —

  the group name to see if the user is a member

Returns:

• (Boolean, nil) —

  is the user a member? Nil if unable to check

Raises:

• (JSS::NoSuchItemError)

# File 'lib/jss/api_object/ldap_server.rb', line 327

def check_membership(user, group)
  raise JSS::NoSuchItemError, 'LDAPServer not yet saved in the JSS' unless @in_jss
  self.class.check_membership @id, user, group, api: @api
end

#find_group(group, exact = false) ⇒ Array<Hash>

Returns The groupname and uid for all groups matching the query.

Parameters:

• group (String) —

  the group name to search for

• exact (Boolean) (defaults to: false) —

  if true, force an exact match, otherwuse use wildcards

Returns:

• (Array<Hash>) —

  The groupname and uid for all groups matching the query

Raises:

• (JSS::NoSuchItemError)

# File 'lib/jss/api_object/ldap_server.rb', line 315

def find_group(group, exact = false)
  raise JSS::NoSuchItemError, 'LDAPServer not yet saved in the JSS' unless @in_jss
  raw = api.get_rsrc("#{RSRC_BASE}/id/#{@id}/group/#{CGI.escape group.to_s}")[:ldap_groups]
  exact ? raw.select { |u| u[:groupname] == group } : raw
end

#find_user(user, exact = false) ⇒ Array<Hash>

Search for a user in this ldap server

Parameters:

• user (String) —

  the username to search for

• exact (Boolean) (defaults to: false) —

  if true, force an exact match, otherwise use wildcards

Returns:

• (Array<Hash>) —

  The mapped LDAP data for all usernames matching the query

Raises:

• (JSS::NoSuchItemError)

# File 'lib/jss/api_object/ldap_server.rb', line 303

def find_user(user, exact = false)
  raise JSS::NoSuchItemError, 'LDAPServer not yet saved in the JSS' unless @in_jss
  raw = api.get_rsrc("#{RSRC_BASE}/id/#{@id}/user/#{CGI.escape user.to_s}")[:ldap_users]
  exact ? raw.select { |u| u[:username] == user } : raw
end