diff --git a/lib/net/ldap.rb b/lib/net/ldap.rb
index 4ba27339..fda58d1b 100644
--- a/lib/net/ldap.rb
+++ b/lib/net/ldap.rb
@@ -30,9 +30,11 @@ class LDAP
 require 'net/ldap/auth_adapter'
 require 'net/ldap/auth_adapter/simple'
 require 'net/ldap/auth_adapter/sasl'
+require 'net/ldap/auth_adapter/gss_spnego'
 Net::LDAP::AuthAdapter.register([:simple, :anon, :anonymous], Net::LDAP::AuthAdapter::Simple)
 Net::LDAP::AuthAdapter.register(:sasl, Net::LDAP::AuthAdapter::Sasl)
+Net::LDAP::AuthAdapter.register(:gss_spnego, Net::LDAP::AuthAdapter::GssSpnego)
 # == Quick-start for the Impatient
 # === Quick Example of a user-authentication against an LDAP directory:
diff --git a/lib/net/ldap/auth_adapter/gss_spnego.rb b/lib/net/ldap/auth_adapter/gss_spnego.rb
index 9f773454..091dd42a 100644
--- a/lib/net/ldap/auth_adapter/gss_spnego.rb
+++ b/lib/net/ldap/auth_adapter/gss_spnego.rb
@@ -3,7 +3,7 @@ module Net
 class LDAP
- module AuthAdapers
+ class AuthAdapter
 #--
 # PROVISIONAL, only for testing SASL implementations. DON'T USE THIS YET.
 # Uses Kohei Kajimoto's Ruby/NTLM. We have to find a clean way to 
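Review bot: The new `Net::LDAP::AuthAdapter.register(:gss_spnego, ...)` line makes the adapter selectable by any caller via the :method key, while the adapter's own header in this same diff still says it is PROVISIONAL and not to be used; either that warning should go if the implementation is now supported, or the registration should carry a comment such as `# Experimental: NTLM over GSS-SPNEGO, see auth_adapter/gss_spnego.rb` so callers choosing it know its status. Requiring the adapter file unconditionally here also means the rubyntlm gem added in the gemspec is loaded for every Net::LDAP user, not only those binding with NTLM, which deserves a sentence in the changelog or README. The Quick-start comment just below the hunk does not mention the new method, so a one-line example there would also help.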
@@ -15,25 +15,25 @@ module AuthAdapers
 # GSS-SPNEGO authentication with the server, which is presumed to be a
 # Microsoft Active Directory.
 #++
- class GSS_SPNEGO < Net::LDAP::AuthAdapter
+ class GssSpnego < Net::LDAP::AuthAdapter
 def bind(auth)
- require 'ntlm'
-
- user, psw = [auth[:username] || auth[:dn], auth[:password]]
- raise Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (user && psw)
+ user = auth[:username] || auth[:dn]
+ psw = auth[:password]
+ fail Net::LDAP::BindingInformationInvalidError, "Invalid binding information" unless (user && psw)
 nego = proc do |challenge|
 t2_msg = NTLM::Message.parse(challenge)
 t3_msg = t2_msg.response({ :user => user, :password => psw },
- { :ntlmv2 => true })
+ :ntlmv2 => true)
 t3_msg.serialize
 end
- Net::LDAP::AuthAdapter::Sasl.new(@connection).bind \
- :method => :sasl,
- :mechanism => "GSS-SPNEGO",
+ Net::LDAP::AuthAdapter::Sasl.new(@connection).bind(
+ :method => :sasl,
+ :mechanism => "GSS-SPNEGO",
 :initial_credential => NTLM::Message::Type1.new.serialize,
 :challenge_response => nego
+ )
 end
 end
 end
diff --git a/lib/net/ldap/auth_adapter/sasl.rb b/lib/net/ldap/auth_adapter/sasl.rb
index ebbe4e63..375b35a5 100644
--- a/lib/net/ldap/auth_adapter/sasl.rb
+++ b/lib/net/ldap/auth_adapter/sasl.rb
@@ -4,6 +4,8 @@ module Net
 class LDAP
 class AuthAdapter
 class Sasl < Net::LDAP::AuthAdapter
+
+ MAX_SASL_CHALLENGES = 10
 #--
 # Required parameters: :mechanism, :initial_credential and
 # :challenge_response
@@ -47,7 +49,7 @@ def bind(auth)
 end
 return pdu unless pdu.result_code == Net::LDAP::ResultCodeSaslBindInProgress
- raise Net::LDAP::SASLChallengeOverflowError, "sasl-challenge overflow" if ((n += 1) > MaxSaslChallenges)
+ raise Net::LDAP::SASLChallengeOverflowError, "sasl-challenge overflow" if ((n += 1) > MAX_SASL_CHALLENGES)
 cred = chall.call(pdu.result_server_sasl_creds)
 end
diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
index f8ba0b61..bb81e60f 100644
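Review bot: Dropping `require 'ntlm'` from bind leaves NTLM::Message (used in the nego proc and in the :initial_credential argument) with no visible require in this file, so unless a top-level require exists outside the hunk the first bind will fail with NameError instead of the intended BindingInformationInvalidError or SASL errors. Restoring it at file top, `require 'ntlm'` above `module Net`, keeps the rubyntlm dependency added in the gemspec actually loaded where it is used. The switch to `fail` also diverges from the `raise` kept in sasl.rb's bind in the same commit; one spelling across the adapters is preferable. The `auth[:dn]` fallback hands a distinguished name to NTLM as :user, which presumably is not what an Active Directory NTLM exchange expects; if only :username is meaningful here, the comment should say so. The closing of class LDAP and module Net lies outside the hunk.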
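Review bot: MAX_SASL_CHALLENGES is introduced without a comment saying what it bounds, although it is the only guard in bind against a server that answers every response with yet another challenge; a line such as `# Maximum number of SASL challenge round-trips accepted before SASLChallengeOverflowError is raised` above it would make that contract visible. The constant replaces Connection::MaxSaslChallenges (removed in connection.rb in this diff), so any external code that referenced the old name breaks even though Connection is marked :nodoc:, which is worth a changelog entry. The use site in the @@ -47,7 +49,7 hunk below needs no further change.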
--- a/lib/net/ldap/connection.rb
+++ b/lib/net/ldap/connection.rb
@@ -7,7 +7,6 @@ class Net::LDAP::Connection #:nodoc:
 DefaultConnectTimeout = 5
 LdapVersion = 3
- MaxSaslChallenges = 10
 # Initialize a connection to an LDAP server
 #
diff --git a/net-ldap.gemspec b/net-ldap.gemspec
index 66bd5c8a..ef91e6fe 100644
--- a/net-ldap.gemspec
+++ b/net-ldap.gemspec
@@ -29,6 +29,7 @@ the most recent LDAP RFCs (4510-4519, plutions of 4520-4532).}
 s.required_ruby_version = ">= 2.0.0"
 s.summary = %q{Net::LDAP for Ruby (also called net-ldap) implements client access for the Lightweight Directory Access Protocol (LDAP), an IETF standard protocol for accessing distributed directory services}
+ s.add_runtime_dependency("rubyntlm")
 s.add_development_dependency("flexmock", "~> 1.3")
 s.add_development_dependency("rake", "~> 10.0")
 s.add_development_dependency("rubocop", "~> 0.28.0")
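Review bot: `s.add_runtime_dependency("rubyntlm")` is the only dependency in this gemspec without a version constraint, while every development dependency below it pins with `~>`; an unconstrained runtime gem lets any future rubyntlm release, including a breaking or compromised one, resolve into downstream installs. Pin to the release the adapter was tested against, e.g. `s.add_runtime_dependency("rubyntlm", "~> <tested-version>")` (placeholder, fill in the actual version), and keep it locked in CI. As far as I know rubyntlm is loaded with require 'net/ntlm' and exposes its classes under Net::NTLM, whereas the adapter in this diff credits Kohei Kajimoto's Ruby/NTLM and references top-level NTLM::Message and NTLM::Message::Type1, so please confirm the gem named here is the library the adapter actually calls.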