Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for ldapwhoami (RFC4532) (now with tests) #425

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Add support for ldapwhoami (RFC4532) (now with tests) #425

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
1a27513
Add support for ldapwhoami (RFC4532)
Jun 11, 2021
0e38c4a
Do not break Net::LDAP#modify_password
Jun 13, 2021
1d38606
Return the extended response data
zeroSteiner Feb 23, 2024
d5e82fa
Add test for connection.ldapwhoami
zeroSteiner Feb 23, 2024
c3320a0
Merge branch 'master' into rfc4532
HarlemSquirrel Oct 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 19 additions & 1 deletion lib/net/ldap.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -325,7 +325,7 @@ class Net::LDAP

universal = {
constructed: {
107 => :array, #ExtendedResponse (PasswdModifyResponseValue)
107 => :string, # ExtendedResponse
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why change this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without this change in place, the reply would cause an exception to be raised when it was being parsed.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess this is fine if it doesn't break other queries

},
}

Expand All @@ -341,6 +341,7 @@ class Net::LDAP

StartTlsOid = '1.3.6.1.4.1.1466.20037'
PasswdModifyOid = '1.3.6.1.4.1.4203.1.11.1'
WhoamiOid = '1.3.6.1.4.1.4203.1.11.3'

# https://tools.ietf.org/html/rfc4511#section-4.1.9
# https://tools.ietf.org/html/rfc4511#appendix-A
Expand Down Expand Up @@ -1200,6 +1201,23 @@ def delete_tree(args)
end
end

# Return the authorization identity of the client that issues the
# ldapwhoami request. The method does not support any arguments.
#
# Returns True or False to indicate whether the request was successfull.
# The result is available in the extended status information when calling
# #get_operation_result.
#
# ldap.ldapwhoami
# puts ldap.get_operation_result.extended_response
def ldapwhoami(args = {})
instrument "ldapwhoami.net_ldap", args do |payload|
@result = use_connection(args, &:ldapwhoami)
@result.success? ? @result.extended_response : nil
end
end
alias_method :whoami, :ldapwhoami

# This method is experimental and subject to change. Return the rootDSE
# record from the LDAP server as a Net::LDAP::Entry, or an empty Entry if
# the server doesn't return the record.
Expand Down
16 changes: 16 additions & 0 deletions lib/net/ldap/connection.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -703,6 +703,22 @@ def delete(args)
pdu
end

def ldapwhoami
ext_seq = [Net::LDAP::WhoamiOid.to_ber_contextspecific(0)]
request = ext_seq.to_ber_appsequence(Net::LDAP::PDU::ExtendedRequest)

message_id = next_msgid

write(request, nil, message_id)
pdu = queued_read(message_id)

if !pdu || pdu.app_tag != Net::LDAP::PDU::ExtendedResponse
raise Net::LDAP::ResponseMissingOrInvalidError, "response missing or invalid"
end

pdu
end

# Internal: Returns a Socket like object used internally to communicate with
# LDAP server.
#
Expand Down
4 changes: 2 additions & 2 deletions lib/net/ldap/pdu.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -194,13 +194,13 @@ def parse_ldap_result(sequence)
# requestValue [1] OCTET STRING OPTIONAL }

def parse_extended_response(sequence)
sequence.length >= 3 or raise Net::LDAP::PDU::Error, "Invalid LDAP result length."
sequence.length.between?(3, 5) or raise Net::LDAP::PDU::Error, "Invalid LDAP result length."
@ldap_result = {
:resultCode => sequence[0],
:matchedDN => sequence[1],
:errorMessage => sequence[2],
}
@extended_response = sequence[3]
@extended_response = sequence.last
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the idea here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is an optional field that's included when the target is Active Directory that shifts the index. This accounts for both cases by accessing it as the last member.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, as long as it works with other LDAP directories

end
private :parse_extended_response

Expand Down
11 changes: 11 additions & 0 deletions test/test_ldap_connection.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -574,4 +574,15 @@ def test_search_with_controls
# ensure no unread
assert unread.empty?, "should not have any leftover unread messages"
end

def test_ldapwhoami
ber = Net::BER::BerIdentifiedArray.new([Net::LDAP::ResultCodeSuccess, '', '', 0, 'dn:uid=zerosteiner,ou=users,dc=example,dc=org'])
ber.ber_identifier = Net::LDAP::PDU::ExtendedResponse
response = [1, ber]

@tcp_socket.should_receive(:read_ber).and_return(response)

result = @connection.ldapwhoami
assert result.extended_response == 'dn:uid=zerosteiner,ou=users,dc=example,dc=org'
end
end
Loading