Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

(RE-15565) Add ability to use bind_as with a service account #617

Merged
merged 1 commit into from
Aug 21, 2023
Merged

(RE-15565) Add ability to use bind_as with a service account #617

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions Gemfile.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,7 @@ GEM
rspec (~> 3)

PLATFORMS
arm64-darwin-22
universal-java-11
x86_64-linux

Expand Down
12 changes: 12 additions & 0 deletions docs/configuration.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -246,6 +246,18 @@ This can be a string providing a single DN. For multiple DNs please specify the
The LDAP object-type used to designate a user object.
(optional)

### LDAP\_SERVICE_ACCOUNT\_HASH

A hash containing the following parameters for a service account to perform the
initial bind. After the initial bind, then a search query is performed using the
'base' and 'user_object', then re-binds as the returned user.

- :user_dn: The full distinguished name (DN) of the service account used to bind.

- :password: The password for the service account used to bind.

(optional)

### SITE\_NAME

The name of your deployment.
Expand Down
30 changes: 25 additions & 5 deletions lib/vmpooler/api/helpers.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ def authorized?
end
end

def authenticate_ldap(port, host, encryption_hash, user_object, base, username_str, password_str)
def authenticate_ldap(port, host, encryption_hash, user_object, base, username_str, password_str, service_account_hash = nil)
tracer.in_span(
"Vmpooler::API::Helpers.#{__method__}",
attributes: {
Expand All @@ -79,19 +79,37 @@ def authenticate_ldap(port, host, encryption_hash, user_object, base, username_s
},
kind: :client
) do
if service_account_hash
username = service_account_hash[:user_dn]
password = service_account_hash[:password]
else
username = "#{user_object}=#{username_str},#{base}"
password = password_str
end

ldap = Net::LDAP.new(
:host => host,
:port => port,
:encryption => encryption_hash,
:base => base,
:auth => {
:method => :simple,
:username => "#{user_object}=#{username_str},#{base}",
:password => password_str
:username => username,
:password => password
}
)

return true if ldap.bind
if service_account_hash
return true if ldap.bind_as(
:base => base,
:filter => "(#{user_object}=#{username_str})",
:password => password_str
)
elsif ldap.bind
return true
else
return false
end

return false
end
Expand All @@ -116,6 +134,7 @@ def authenticate(auth, username_str, password_str)
:method => :start_tls,
:tls_options => { :ssl_version => 'TLSv1' }
}
service_account_hash = auth[:ldap]['service_account_hash']

unless ldap_base.is_a? Array
ldap_base = ldap_base.split
Expand All @@ -134,7 +153,8 @@ def authenticate(auth, username_str, password_str)
search_user_obj,
search_base,
username_str,
password_str
password_str,
service_account_hash
)
return true if result
end
Expand Down
Loading