improved the SASL authentication method, and added a simple accessor for

MS/AD authentication via GSS-SPNEGO.
This commit is contained in:
blackhedd 2006-09-30 23:02:12 +00:00
parent de933da958
commit 7e32ba177c

View file

@ -1052,6 +1052,7 @@ module Net
class Connection # :nodoc:
LdapVersion = 3
MaxSaslChallenges = 10
#--
@ -1131,21 +1132,30 @@ module Net
# bind
#
def bind auth
meth = auth[:method]
user,psw = "",""
if meth == :simple
user,psw = [auth[:username] || auth[:dn], auth[:password]]
if [:simple, :anonymous, :anon].include?( meth )
bind_simple auth
elsif meth == :sasl
return bind_sasl( auth ) # Note the early return.
bind_sasl( auth )
elsif meth == :gss_spnego
bind_gss_spnego( auth )
else
raise LdapError.new( "unsupported auth method (#{meth})" )
end
end
#--
# bind_simple
# Implements a simple user/psw authentication.
# Accessed by calling #bind with a method of :simple or :anonymous.
#
def bind_simple auth
user,psw = if auth[:method] == :simple
[auth[:username] || auth[:dn], auth[:password]]
else
["",""]
end
#user,psw = if auth[:method] == :anonymous
# ["",""]
#when :simple
# [auth[:username] || auth[:dn], auth[:password]]
#end
raise LdapError.new( "invalid binding information" ) unless (user && psw)
msgid = next_msgid.to_ber
@ -1159,38 +1169,72 @@ module Net
#--
# bind_sasl
# PROVISIONAL, only for testing SASL implementations. DON'T USE THIS YET.
# Uses Kohei Kajimoto's Ruby/NTLM. We have to find a clean way to integrate it without
# introducing an external dependency.
# This is also wrong for another reason: we're assuming Microsoft GSSAPI negotiation.
# Wee need to introduce some extra parameters to select that mode.
# Required parameters: :mechanism, :initial_credential and :challenge_response
# Mechanism is a string value that will be passed in the SASL-packet's "mechanism" field.
# Initial credential is most likely a string. It's passed in the initial BindRequest
# that goes to the server. In some protocols, it may be empty.
# Challenge-response is a Ruby proc that takes a single parameter and returns an object
# that will typically be a string. The challenge-response block is called when the server
# returns a BindResponse with a result code of 14 (saslBindInProgress). The challenge-response
# block receives a parameter containing the data returned by the server in the saslServerCreds
# field of the LDAP BindResponse packet. The challenge-response block may be called multiple
# times during the course of a SASL authentication, and each time it must return a value
# that will be passed back to the server as the credential data in the next BindRequest packet.
#
def bind_sasl auth
require 'ntlm.rb'
user,psw = [auth[:username] || auth[:dn], auth[:password]]
raise LdapError.new( "invalid binding information" ) unless (user && psw)
mech,cred,chall = auth[:mechanism],auth[:initial_credential],auth[:challenge_response]
raise LdapError.new( "invalid binding information" ) unless (mech && cred && chall)
n = 0
loop {
msgid = next_msgid.to_ber
sasl = ["GSS-SPNEGO".to_ber, NTLM::Message::Type1.new.serialize.to_ber].to_ber_contextspecific(3)
sasl = [mech.to_ber, cred.to_ber].to_ber_contextspecific(3)
request = [LdapVersion.to_ber, "".to_ber, sasl].to_ber_appsequence(0)
request_pkt = [msgid, request].to_ber_sequence
@conn.write request_pkt
(be = @conn.read_ber(AsnSyntax) and pdu = Net::LdapPdu.new( be )) or raise LdapError.new( "no bind result" )
return pdu.result_code unless pdu.result_code == 14 # saslBindInProgress
raise LdapError.new("sasl-challenge overflow") if ((n += 1) > MaxSaslChallenges)
t2 = NTLM::Message.parse( pdu.result_server_sasl_creds ) # WARNING, can Kajimoto's code throw nasty errors?
t3 = t2.response( {:user => user, :password => psw}, {:ntlmv2 => true} )
cred = chall.call( pdu.result_server_sasl_creds )
}
msgid = next_msgid.to_ber
sasl = ["GSS-SPNEGO".to_ber, t3.serialize.to_ber].to_ber_contextspecific(3)
request = [LdapVersion.to_ber, "".to_ber, sasl].to_ber_appsequence(0)
request_pkt = [msgid, request].to_ber_sequence
@conn.write request_pkt
(be = @conn.read_ber(AsnSyntax) and pdu = Net::LdapPdu.new( be )) or raise LdapError.new( "no bind result" )
pdu.result_code
raise LdapError.new( "why are we here?")
end
private :bind_sasl
#--
# bind_gss_spnego
# PROVISIONAL, only for testing SASL implementations. DON'T USE THIS YET.
# Uses Kohei Kajimoto's Ruby/NTLM. We have to find a clean way to integrate it without
# introducing an external dependency.
# This authentication method is accessed by calling #bind with a :method parameter of
# :gss_spnego. It requires :username and :password attributes, just like the :simple
# authentication method. It performs a GSS-SPNEGO authentication with the server, which
# is presumed to be a Microsoft Active Directory.
#
def bind_gss_spnego auth
require 'ntlm.rb'
user,psw = [auth[:username] || auth[:dn], auth[:password]]
raise LdapError.new( "invalid binding information" ) unless (user && psw)
nego = proc {|challenge|
t2_msg = NTLM::Message.parse( challenge )
t3_msg = t2_msg.response( {:user => user, :password => psw}, {:ntlmv2 => true} )
t3_msg.serialize
}
bind_sasl( {
:method => :sasl,
:mechanism => "GSS-SPNEGO",
:initial_credential => NTLM::Message::Type1.new.serialize,
:challenge_response => nego
})
end
private :bind_gss_spnego
#--
# search
# Alternate implementation, this yields each search entry to the caller