Add ability to use bind_as with a service account

puppetlabs · Aug 21, 2023 · d138634 · d138634
1 parent 7813470
commit d138634
Show file tree

Hide file tree

Showing 5 changed files with 166 additions and 66 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -184,6 +184,7 @@ GEM
       rspec (~> 3)
 
 PLATFORMS
+  arm64-darwin-22
   universal-java-11
   x86_64-linux
 

diff --git a/docs/configuration.md b/docs/configuration.md
@@ -246,6 +246,18 @@ This can be a string providing a single DN. For multiple DNs please specify the
 The LDAP object-type used to designate a user object.
 (optional)
 
+### LDAP\_SERVICE_ACCOUNT\_HASH
+
+A hash containing the following parameters for a service account to perform the
+initial bind. After the initial bind, then a search query is performed using the
+'base' and 'user_object', then re-binds as the returned user.
+
+- :user_dn: The full distinguished name (DN) of the service account used to bind.
+
+- :password: The password for the service account used to bind.
+
+(optional)
+
 ### SITE\_NAME
 
 The name of your deployment.

diff --git a/lib/vmpooler/api/helpers.rb b/lib/vmpooler/api/helpers.rb
@@ -68,7 +68,7 @@ def authorized?
         end
       end
 
-      def authenticate_ldap(port, host, encryption_hash, user_object, base, username_str, password_str)
+      def authenticate_ldap(port, host, encryption_hash, user_object, base, username_str, password_str, service_account_hash = nil)
         tracer.in_span(
           "Vmpooler::API::Helpers.#{__method__}",
           attributes: {
@@ -79,19 +79,35 @@ def authenticate_ldap(port, host, encryption_hash, user_object, base, username_s
           },
           kind: :client
         ) do
+          if service_account_hash
+            username = service_account_hash[:user_dn]
+            password = service_account_hash[:password]
+          else
+            username = "#{user_object}=#{username_str},#{base}"
+            password = password_str
+          end
+
           ldap = Net::LDAP.new(
             :host => host,
             :port => port,
             :encryption => encryption_hash,
             :base => base,
             :auth => {
               :method => :simple,
-              :username => "#{user_object}=#{username_str},#{base}",
-              :password => password_str
+              :username => username,
+              :password => password
             }
           )
 
-          return true if ldap.bind
+          if service_account_hash
+            return true if ldap.bind_as(
+              :base => base,
+              :filter => "(#{user_object}=#{username_str})",
+              :password => password_str
+            )
+          else
+            return true if ldap.bind
+          end
 
           return false
         end
@@ -116,6 +132,7 @@ def authenticate(auth, username_str, password_str)
               :method => :start_tls,
               :tls_options => { :ssl_version => 'TLSv1' }
             }
+            service_account_hash = auth[:ldap]['service_account_hash']
 
             unless ldap_base.is_a? Array
               ldap_base = ldap_base.split
@@ -134,7 +151,8 @@ def authenticate(auth, username_str, password_str)
                   search_user_obj,
                   search_base,
                   username_str,
-                  password_str
+                  password_str,
+                  service_account_hash
                 )
                 return true if result
               end