mirror/lldap
1
0
Fork 0
mirror of https://github.com/nitnelave/lldap.git synced 2023-04-12 14:25:13 +00:00
Code Issues Projects Releases Wiki Activity
026a2f7eb0
lldap/server/src/infra/ldap_handler.rs

860 lines
30 KiB
Rust
Raw Normal View History

ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
use crate::domain::handler::{
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
BackendHandler, BindRequest, Group, GroupIdAndName, LoginHandler, RequestFilter, User,
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
};
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
use anyhow::{bail, Result};
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
use futures::stream::StreamExt;
use futures_util::TryStreamExt;
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
use ldap3_server::proto::{
LdapBindCred, LdapBindRequest, LdapBindResponse, LdapExtendedResponse, LdapFilter, LdapOp,
LdapPartialAttribute, LdapResult, LdapResultCode, LdapSearchRequest, LdapSearchResultEntry,
};
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
use log::*;
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
fn make_dn_pair<I>(mut iter: I) -> Result<(String, String)>
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
where
I: Iterator<Item = String>,
{
let pair = (
iter.next()
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
.ok_or_else(|| anyhow::Error::msg("Empty DN element"))?,
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
iter.next()
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
.ok_or_else(|| anyhow::Error::msg("Missing DN value"))?,
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
);
if let Some(e) = iter.next() {
bail!(
r#"Too many elements in distinguished name: "{:?}", "{:?}", "{:?}""#,
pair.0,
pair.1,
e
)
}
Ok(pair)
}
fn parse_distinguished_name(dn: &str) -> Result<Vec<(String, String)>> {
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
dn.split(',')
.map(|s| make_dn_pair(s.split('=').map(String::from)))
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
.collect()
}
ldap: Add support for memberOf and wildcards
2021-09-24 20:27:07 +00:00
fn get_group_id_from_distinguished_name(
dn: &str,
base_tree: &[(String, String)],
base_dn_str: &str,
) -> Result<String> {
let parts = parse_distinguished_name(dn)?;
if !is_subtree(&parts, base_tree) {
bail!("Not a subtree of the base tree");
}
if parts.len() == base_tree.len() + 2 {
if parts[1].0 != "ou" || parts[1].1 != "groups" || parts[0].0 != "cn" {
bail!(
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
r#"Unexpected group DN format. Got "{}", expected: "cn=groupname,ou=groups,{}""#,
dn,
ldap: Add support for memberOf and wildcards
2021-09-24 20:27:07 +00:00
base_dn_str
);
}
Ok(parts[0].1.to_string())
} else {
bail!(
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
r#"Unexpected group DN format. Got "{}", expected: "cn=groupname,ou=groups,{}""#,
dn,
ldap: Add support for memberOf and wildcards
2021-09-24 20:27:07 +00:00
base_dn_str
);
}
}
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
fn get_user_id_from_distinguished_name(
dn: &str,
base_tree: &[(String, String)],
base_dn_str: &str,
) -> Result<String> {
let parts = parse_distinguished_name(dn)?;
if !is_subtree(&parts, base_tree) {
bail!("Not a subtree of the base tree");
}
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
if parts.len() == base_tree.len() + 2 {
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
if parts[1].0 != "ou" || parts[1].1 != "people" || parts[0].0 != "cn" {
bail!(
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
r#"Unexpected user DN format. Got "{}", expected: "cn=username,ou=people,{}""#,
dn,
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
base_dn_str
);
}
Ok(parts[0].1.to_string())
} else {
bail!(
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
r#"Unexpected user DN format. Got "{}", expected: "cn=username,ou=people,{}""#,
dn,
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
base_dn_str
);
}
}
ldap: Add support for "dn" attribute
2021-10-28 14:24:01 +00:00
fn get_user_attribute(user: &User, attribute: &str, dn: &str) -> Result<Vec<String>> {
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
match attribute {
"objectClass" => Ok(vec![
"inetOrgPerson".to_string(),
"posixAccount".to_string(),
"mailAccount".to_string(),
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
"person".to_string(),
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
]),
ldap: Add support for "dn" attribute
2021-10-28 14:24:01 +00:00
"dn" => Ok(vec![dn.to_string()]),
Make display_name, first&last name optional
2021-05-26 06:42:05 +00:00
"uid" => Ok(vec![user.user_id.clone()]),
"mail" => Ok(vec![user.email.clone()]),
schema: make user fields non-nullable They can always be empty. This simplifies mutation, since graphql_client doesn't have an easy way to conditionally leave out fields (we could do that with `@include`, but that's one bool per field in addition to the field, a bit ugly).
2021-09-01 07:59:01 +00:00
"givenName" => Ok(vec![user.first_name.clone()]),
"sn" => Ok(vec![user.last_name.clone()]),
"cn" => Ok(vec![user.display_name.clone()]),
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
"displayName" => Ok(vec![user.display_name.clone()]),
"supportedExtension" => Ok(vec![]),
_ => bail!("Unsupported user attribute: {}", attribute),
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
}
}
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
fn make_ldap_search_user_result_entry(
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
user: User,
base_dn_str: &str,
attributes: &[String],
) -> Result<LdapSearchResultEntry> {
ldap: Add support for "dn" attribute
2021-10-28 14:24:01 +00:00
let dn = format!("cn={},ou=people,{}", user.user_id, base_dn_str);
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
Ok(LdapSearchResultEntry {
ldap: Add support for "dn" attribute
2021-10-28 14:24:01 +00:00
dn: dn.clone(),
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
attributes: attributes
.iter()
.map(|a| {
Ok(LdapPartialAttribute {
atype: a.to_string(),
ldap: Add support for "dn" attribute
2021-10-28 14:24:01 +00:00
vals: get_user_attribute(&user, a, &dn)?,
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
})
})
.collect::<Result<Vec<LdapPartialAttribute>>>()?,
})
}
fn get_group_attribute(group: &Group, base_dn_str: &str, attribute: &str) -> Result<Vec<String>> {
match attribute {
"objectClass" => Ok(vec!["groupOfUniqueNames".to_string()]),
"cn" => Ok(vec![group.display_name.clone()]),
"uniqueMember" => Ok(group
.users
.iter()
.map(|u| format!("cn={},ou=people,{}", u, base_dn_str))
.collect()),
"supportedExtension" => Ok(vec![]),
_ => bail!("Unsupported group attribute: {}", attribute),
}
}
fn make_ldap_search_group_result_entry(
group: Group,
base_dn_str: &str,
attributes: &[String],
) -> Result<LdapSearchResultEntry> {
Ok(LdapSearchResultEntry {
dn: format!("cn={},ou=groups,{}", group.display_name, base_dn_str),
attributes: attributes
.iter()
.map(|a| {
Ok(LdapPartialAttribute {
atype: a.to_string(),
vals: get_group_attribute(&group, base_dn_str, a)?,
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
})
})
.collect::<Result<Vec<LdapPartialAttribute>>>()?,
})
}
fn is_subtree(subtree: &[(String, String)], base_tree: &[(String, String)]) -> bool {
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
if subtree.len() < base_tree.len() {
return false;
}
let size_diff = subtree.len() - base_tree.len();
for i in 0..base_tree.len() {
if subtree[size_diff + i] != base_tree[i] {
return false;
}
}
true
}
Map ldap fields to internal fields
2021-04-14 19:22:08 +00:00
fn map_field(field: &str) -> Result<String> {
Ok(if field == "uid" {
"user_id".to_string()
} else if field == "mail" {
"email".to_string()
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
} else if field == "cn" || field == "displayName" {
Map ldap fields to internal fields
2021-04-14 19:22:08 +00:00
"display_name".to_string()
} else if field == "givenName" {
"first_name".to_string()
} else if field == "sn" {
"last_name".to_string()
} else if field == "avatar" {
"avatar".to_string()
} else if field == "creationDate" {
"creation_date".to_string()
} else {
bail!("Unknown field: {}", field);
})
}
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
fn make_search_success() -> LdapOp {
make_search_error(LdapResultCode::Success, "".to_string())
}
fn make_search_error(code: LdapResultCode, message: String) -> LdapOp {
LdapOp::SearchResultDone(LdapResult {
code,
matcheddn: "".to_string(),
message,
referral: vec![],
})
}
Add a handler for OPAQUE messages
2021-06-16 20:04:11 +00:00
pub struct LdapHandler<Backend: BackendHandler + LoginHandler> {
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
dn: String,
backend_handler: Backend,
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
pub base_dn: Vec<(String, String)>,
base_dn_str: String,
Add support for non-admin bind
2021-04-07 18:14:21 +00:00
ldap_user_dn: String,
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
}
Add a handler for OPAQUE messages
2021-06-16 20:04:11 +00:00
impl<Backend: BackendHandler + LoginHandler> LdapHandler<Backend> {
Add support for non-admin bind
2021-04-07 18:14:21 +00:00
pub fn new(backend_handler: Backend, ldap_base_dn: String, ldap_user_dn: String) -> Self {
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
Self {
dn: "Unauthenticated".to_string(),
backend_handler,
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
base_dn: parse_distinguished_name(&ldap_base_dn).unwrap_or_else(|_| {
panic!(
"Invalid value for ldap_base_dn in configuration: {}",
ldap_base_dn
)
}),
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
ldap_user_dn: format!("cn={},ou=people,{}", ldap_user_dn, &ldap_base_dn),
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
base_dn_str: ldap_base_dn,
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
}
}
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
pub async fn do_bind(&mut self, request: &LdapBindRequest) -> (LdapResultCode, String) {
info!(r#"Received bind request for "{}""#, &request.dn);
let user_id = match get_user_id_from_distinguished_name(
&request.dn,
&self.base_dn,
&self.base_dn_str,
) {
Ok(s) => s,
Err(e) => return (LdapResultCode::NamingViolation, e.to_string()),
};
let LdapBindCred::Simple(password) = &request.cred;
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
match self
.backend_handler
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
.bind(BindRequest {
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
name: user_id,
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
password: password.clone(),
Add support for non-admin bind
2021-04-07 18:14:21 +00:00
})
.await
{
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
Ok(()) => {
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
self.dn = request.dn.clone();
(LdapResultCode::Success, "".to_string())
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
}
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
Err(_) => (LdapResultCode::InvalidCredentials, "".to_string()),
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
}
}
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
pub async fn do_search(&mut self, request: &LdapSearchRequest) -> Vec<LdapOp> {
info!(
"Received search request with filters: {:?}",
&request.filter
);
Add support for non-admin bind
2021-04-07 18:14:21 +00:00
if self.dn != self.ldap_user_dn {
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
return vec![make_search_error(
Add support for non-admin bind
2021-04-07 18:14:21 +00:00
LdapResultCode::InsufficentAccessRights,
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
format!(
r#"Current user `{}` is not allowed to query LDAP, expected {}"#,
&self.dn, &self.ldap_user_dn
),
Add support for non-admin bind
2021-04-07 18:14:21 +00:00
)];
}
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
let dn_parts = if request.base.is_empty() {
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
self.base_dn.clone()
} else {
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
match parse_distinguished_name(&request.base) {
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
Ok(dn) => dn,
Err(_) => {
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
return vec![make_search_error(
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
LdapResultCode::OperationsError,
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
format!(r#"Could not parse base DN: "{}""#, request.base),
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
)]
}
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
}
};
if !is_subtree(&dn_parts, &self.base_dn) {
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
// Search path is not in our tree, just return an empty success.
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
return vec![make_search_success()];
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
}
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
let mut results = Vec::new();
if dn_parts.len() == self.base_dn.len()
|| (dn_parts.len() == self.base_dn.len() + 1
&& dn_parts[0] == ("ou".to_string(), "people".to_string()))
{
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
results.extend(self.get_user_list(request).await);
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
}
if dn_parts.len() == self.base_dn.len() + 1
&& dn_parts[0] == ("ou".to_string(), "groups".to_string())
{
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
results.extend(self.get_groups_list(request).await);
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
}
results
}
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
async fn get_user_list(&self, request: &LdapSearchRequest) -> Vec<LdapOp> {
let filters = match self.convert_user_filter(&request.filter) {
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
Ok(f) => Some(f),
ldap: Add support for memberOf and wildcards
2021-09-24 20:27:07 +00:00
Err(e) => {
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
return vec![make_search_error(
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
LdapResultCode::UnwillingToPerform,
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
format!("Unsupported user filter: {}", e),
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
)]
}
};
api: inline the ListUsersRequest
2021-08-30 08:18:59 +00:00
let users = match self.backend_handler.list_users(filters).await {
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
Ok(users) => users,
Err(e) => {
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
return vec![make_search_error(
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
LdapResultCode::Other,
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
format!(r#"Error during searching user "{}": {}"#, request.base, e),
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
)]
}
};
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
users
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
.into_iter()
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
.map(|u| make_ldap_search_user_result_entry(u, &self.base_dn_str, &request.attrs))
.map(|entry| Ok(LdapOp::SearchResultEntry(entry?)))
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
// If the processing succeeds, add a success message at the end.
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
.chain(std::iter::once(Ok(make_search_success())))
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
.collect::<Result<Vec<_>>>()
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
.unwrap_or_else(|e| {
vec![make_search_error(
LdapResultCode::NoSuchAttribute,
e.to_string(),
)]
})
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
}
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
async fn get_groups_list(&self, request: &LdapSearchRequest) -> Vec<LdapOp> {
let for_user = match self.get_group_filter(&request.filter) {
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
Ok(u) => u,
Err(e) => {
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
return vec![make_search_error(
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
LdapResultCode::UnwillingToPerform,
format!("Unsupported group filter: {}", e),
)]
}
};
async fn get_users_for_group<Backend: BackendHandler>(
backend_handler: &Backend,
g: &GroupIdAndName,
) -> Result<Group> {
let users = backend_handler
.list_users(Some(RequestFilter::MemberOfId(g.0)))
.await?;
Ok(Group {
id: g.0,
display_name: g.1.clone(),
users: users.into_iter().map(|u| u.user_id).collect(),
})
}
let groups: Vec<Group> = if let Some(user) = for_user {
let groups_without_users = match self.backend_handler.get_user_groups(&user).await {
Ok(groups) => groups,
Err(e) => {
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
return vec![make_search_error(
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
LdapResultCode::Other,
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
format!(
r#"Error while listing user groups: "{}": {}"#,
request.base, e
),
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
)]
}
};
match tokio_stream::iter(groups_without_users.iter())
.then(|g| async move { get_users_for_group::<Backend>(&self.backend_handler, g).await })
.try_collect::<Vec<Group>>()
.await
{
Ok(groups) => groups,
Err(e) => {
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
return vec![make_search_error(
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
LdapResultCode::Other,
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
format!(r#"Error while listing user groups: "{}": {}"#, request.base, e),
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
)]
}
}
} else {
match self.backend_handler.list_groups().await {
Ok(groups) => groups,
Err(e) => {
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
return vec![make_search_error(
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
LdapResultCode::Other,
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
format!(r#"Error while listing groups "{}": {}"#, request.base, e),
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
)]
}
}
};
groups
.into_iter()
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
.map(|u| make_ldap_search_group_result_entry(u, &self.base_dn_str, &request.attrs))
.map(|entry| Ok(LdapOp::SearchResultEntry(entry?)))
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
// If the processing succeeds, add a success message at the end.
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
.chain(std::iter::once(Ok(make_search_success())))
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
.collect::<Result<Vec<_>>>()
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
.unwrap_or_else(|e| {
vec![make_search_error(
LdapResultCode::NoSuchAttribute,
e.to_string(),
)]
})
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
}
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
pub async fn handle_ldap_message(&mut self, ldap_op: LdapOp) -> Option<Vec<LdapOp>> {
Some(match ldap_op {
LdapOp::BindRequest(request) => {
let (code, message) = self.do_bind(&request).await;
vec![LdapOp::BindResponse(LdapBindResponse {
res: LdapResult {
code,
matcheddn: "".to_string(),
message,
referral: vec![],
},
saslcreds: None,
})]
}
LdapOp::SearchRequest(request) => self.do_search(&request).await,
LdapOp::UnbindRequest => {
self.dn = "Unauthenticated".to_string();
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
// No need to notify on unbind (per rfc4511)
return None;
}
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
op => vec![LdapOp::ExtendedResponse(LdapExtendedResponse {
res: LdapResult {
code: LdapResultCode::UnwillingToPerform,
matcheddn: "".to_string(),
message: format!("Unsupported operation: {:#?}", op),
referral: vec![],
},
name: None,
value: None,
})],
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
})
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
}
ldap: Add support for memberOf and wildcards
2021-09-24 20:27:07 +00:00
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
fn get_group_filter(&self, filter: &LdapFilter) -> Result<Option<String>> {
match filter {
LdapFilter::Equality(field, value) => {
if field == "member" || field == "uniqueMember" {
let user_name = get_user_id_from_distinguished_name(
value,
&self.base_dn,
&self.base_dn_str,
)?;
Ok(Some(user_name))
} else if field == "objectClass" && value == "groupOfUniqueNames" {
Ok(None)
} else {
bail!("Unsupported group filter: {:?}", filter)
}
}
_ => bail!("Unsupported group filter: {:?}", filter),
}
}
fn convert_user_filter(&self, filter: &LdapFilter) -> Result<RequestFilter> {
ldap: Add support for memberOf and wildcards
2021-09-24 20:27:07 +00:00
match filter {
LdapFilter::And(filters) => Ok(RequestFilter::And(
filters
.iter()
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
.map(|f| self.convert_user_filter(f))
ldap: Add support for memberOf and wildcards
2021-09-24 20:27:07 +00:00
.collect::<Result<_>>()?,
)),
LdapFilter::Or(filters) => Ok(RequestFilter::Or(
filters
.iter()
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
.map(|f| self.convert_user_filter(f))
ldap: Add support for memberOf and wildcards
2021-09-24 20:27:07 +00:00
.collect::<Result<_>>()?,
)),
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
LdapFilter::Not(filter) => Ok(RequestFilter::Not(Box::new(
self.convert_user_filter(&*filter)?,
))),
ldap: Add support for memberOf and wildcards
2021-09-24 20:27:07 +00:00
LdapFilter::Equality(field, value) => {
if field == "memberOf" {
let group_name = get_group_id_from_distinguished_name(
value,
&self.base_dn,
&self.base_dn_str,
)?;
Ok(RequestFilter::MemberOf(group_name))
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
} else if field == "objectClass" {
if value == "person"
|| value == "inetOrgPerson"
|| value == "posixAccount"
|| value == "mailAccount"
{
Ok(RequestFilter::And(vec![]))
} else {
Ok(RequestFilter::Not(Box::new(RequestFilter::And(vec![]))))
}
ldap: Add support for memberOf and wildcards
2021-09-24 20:27:07 +00:00
} else {
Ok(RequestFilter::Equality(map_field(field)?, value.clone()))
}
}
LdapFilter::Present(field) => {
// Check that it's a field we support.
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
if field == "objectClass" || map_field(field).is_ok() {
Ok(RequestFilter::And(vec![]))
ldap: Add support for memberOf and wildcards
2021-09-24 20:27:07 +00:00
} else {
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
Ok(RequestFilter::Not(Box::new(RequestFilter::And(vec![]))))
ldap: Add support for memberOf and wildcards
2021-09-24 20:27:07 +00:00
}
}
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
_ => bail!("Unsupported user filter: {:?}", filter),
ldap: Add support for memberOf and wildcards
2021-09-24 20:27:07 +00:00
}
}
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
}
#[cfg(test)]
mod tests {
use super::*;
graphql: Add a filter by group
2021-09-24 20:35:31 +00:00
use crate::domain::handler::{BindRequest, MockTestBackendHandler};
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
use ldap3_server::proto::{LdapDerefAliases, LdapSearchScope};
Misc cleanup
2021-03-12 08:33:43 +00:00
use mockall::predicate::eq;
Add support for non-admin bind
2021-04-07 18:14:21 +00:00
use tokio;
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
fn make_search_request<S: Into<String>>(
filter: LdapFilter,
attrs: Vec<S>,
) -> LdapSearchRequest {
LdapSearchRequest {
base: "ou=people,dc=example,dc=com".to_string(),
scope: LdapSearchScope::Base,
aliases: LdapDerefAliases::Never,
sizelimit: 0,
timelimit: 0,
typesonly: false,
filter,
attrs: attrs.into_iter().map(Into::into).collect(),
}
}
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
async fn setup_bound_handler(
mut mock: MockTestBackendHandler,
) -> LdapHandler<MockTestBackendHandler> {
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
mock.expect_bind()
.with(eq(BindRequest {
name: "test".to_string(),
password: "pass".to_string(),
}))
.return_once(|_| Ok(()));
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
let mut ldap_handler =
LdapHandler::new(mock, "dc=example,dc=com".to_string(), "test".to_string());
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
let request = LdapBindRequest {
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
dn: "cn=test,ou=people,dc=example,dc=com".to_string(),
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
cred: LdapBindCred::Simple("pass".to_string()),
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
};
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
assert_eq!(
ldap_handler.do_bind(&request).await.0,
LdapResultCode::Success
);
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
ldap_handler
}
Add support for non-admin bind
2021-04-07 18:14:21 +00:00
#[tokio::test]
async fn test_bind() {
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
let mut mock = MockTestBackendHandler::new();
mock.expect_bind()
.with(eq(crate::domain::handler::BindRequest {
name: "bob".to_string(),
password: "pass".to_string(),
}))
.times(1)
.return_once(|_| Ok(()));
let mut ldap_handler =
LdapHandler::new(mock, "dc=example,dc=com".to_string(), "test".to_string());
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
let request = LdapBindRequest {
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
dn: "cn=bob,ou=people,dc=example,dc=com".to_string(),
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
cred: LdapBindCred::Simple("pass".to_string()),
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
};
assert_eq!(
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
ldap_handler.do_bind(&request).await.0,
LdapResultCode::Success
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
);
}
#[tokio::test]
async fn test_admin_bind() {
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
let mut mock = MockTestBackendHandler::new();
mock.expect_bind()
.with(eq(crate::domain::handler::BindRequest {
name: "test".to_string(),
password: "pass".to_string(),
}))
.times(1)
.return_once(|_| Ok(()));
Add support for non-admin bind
2021-04-07 18:14:21 +00:00
let mut ldap_handler =
LdapHandler::new(mock, "dc=example,dc=com".to_string(), "test".to_string());
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
let request = LdapBindRequest {
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
dn: "cn=test,ou=people,dc=example,dc=com".to_string(),
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
cred: LdapBindCred::Simple("pass".to_string()),
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
};
assert_eq!(
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
ldap_handler.do_bind(&request).await.0,
LdapResultCode::Success
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
);
}
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
Add support for non-admin bind
2021-04-07 18:14:21 +00:00
#[tokio::test]
async fn test_bind_invalid_credentials() {
let mut mock = MockTestBackendHandler::new();
mock.expect_bind()
.with(eq(crate::domain::handler::BindRequest {
name: "test".to_string(),
password: "pass".to_string(),
}))
.times(1)
.return_once(|_| Ok(()));
let mut ldap_handler =
LdapHandler::new(mock, "dc=example,dc=com".to_string(), "admin".to_string());
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
let request = LdapBindRequest {
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
dn: "cn=test,ou=people,dc=example,dc=com".to_string(),
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
cred: LdapBindCred::Simple("pass".to_string()),
Add support for non-admin bind
2021-04-07 18:14:21 +00:00
};
assert_eq!(
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
ldap_handler.do_bind(&request).await.0,
LdapResultCode::Success
Add support for non-admin bind
2021-04-07 18:14:21 +00:00
);
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
let request = make_search_request::<String>(LdapFilter::And(vec![]), vec![]);
Add support for non-admin bind
2021-04-07 18:14:21 +00:00
assert_eq!(
ldap_handler.do_search(&request).await,
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
vec![make_search_error(
Add support for non-admin bind
2021-04-07 18:14:21 +00:00
LdapResultCode::InsufficentAccessRights,
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
r#"Current user `cn=test,ou=people,dc=example,dc=com` is not allowed to query LDAP, expected cn=admin,ou=people,dc=example,dc=com"#.to_string()
Add support for non-admin bind
2021-04-07 18:14:21 +00:00
)]
);
}
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
#[tokio::test]
async fn test_bind_invalid_dn() {
let mock = MockTestBackendHandler::new();
let mut ldap_handler =
LdapHandler::new(mock, "dc=example,dc=com".to_string(), "admin".to_string());
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
let request = LdapBindRequest {
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
dn: "cn=bob,dc=example,dc=com".to_string(),
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
cred: LdapBindCred::Simple("pass".to_string()),
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
};
assert_eq!(
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
ldap_handler.do_bind(&request).await.0,
LdapResultCode::NamingViolation,
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
);
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
let request = LdapBindRequest {
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
dn: "cn=bob,ou=groups,dc=example,dc=com".to_string(),
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
cred: LdapBindCred::Simple("pass".to_string()),
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
};
assert_eq!(
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
ldap_handler.do_bind(&request).await.0,
LdapResultCode::NamingViolation,
Translate the LDAP DN into user IDs
2021-05-13 17:31:37 +00:00
);
}
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
#[test]
fn test_is_subtree() {
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
let subtree1 = &[
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
("ou".to_string(), "people".to_string()),
("dc".to_string(), "example".to_string()),
("dc".to_string(), "com".to_string()),
];
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
let root = &[
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
("dc".to_string(), "example".to_string()),
("dc".to_string(), "com".to_string()),
];
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
assert!(is_subtree(subtree1, root));
assert!(!is_subtree(&[], root));
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
}
#[test]
fn test_parse_distinguished_name() {
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
let parsed_dn = &[
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
("ou".to_string(), "people".to_string()),
("dc".to_string(), "example".to_string()),
("dc".to_string(), "com".to_string()),
];
assert_eq!(
parse_distinguished_name("ou=people,dc=example,dc=com").expect("parsing failed"),
parsed_dn
);
}
Add support for non-admin bind
2021-04-07 18:14:21 +00:00
#[tokio::test]
async fn test_search() {
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
let mut mock = MockTestBackendHandler::new();
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
mock.expect_list_users().times(1).return_once(|_| {
Ok(vec![
User {
user_id: "bob_1".to_string(),
email: "bob@bobmail.bob".to_string(),
schema: make user fields non-nullable They can always be empty. This simplifies mutation, since graphql_client doesn't have an easy way to conditionally leave out fields (we could do that with `@include`, but that's one bool per field in addition to the field, a bit ugly).
2021-09-01 07:59:01 +00:00
display_name: "Bôb Böbberson".to_string(),
first_name: "Bôb".to_string(),
last_name: "Böbberson".to_string(),
Migrate datetimes to UTC
2021-08-30 06:48:06 +00:00
..Default::default()
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
},
User {
user_id: "jim".to_string(),
email: "jim@cricket.jim".to_string(),
schema: make user fields non-nullable They can always be empty. This simplifies mutation, since graphql_client doesn't have an easy way to conditionally leave out fields (we could do that with `@include`, but that's one bool per field in addition to the field, a bit ugly).
2021-09-01 07:59:01 +00:00
display_name: "Jimminy Cricket".to_string(),
first_name: "Jim".to_string(),
last_name: "Cricket".to_string(),
Migrate datetimes to UTC
2021-08-30 06:48:06 +00:00
..Default::default()
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
},
])
});
let mut ldap_handler = setup_bound_handler(mock).await;
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
let request = make_search_request(
LdapFilter::And(vec![]),
vec!["objectClass", "dn", "uid", "mail", "givenName", "sn", "cn"],
);
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
assert_eq!(
Add support for non-admin bind
2021-04-07 18:14:21 +00:00
ldap_handler.do_search(&request).await,
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
vec![
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
LdapOp::SearchResultEntry(LdapSearchResultEntry {
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
dn: "cn=bob_1,ou=people,dc=example,dc=com".to_string(),
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
attributes: vec![
LdapPartialAttribute {
atype: "objectClass".to_string(),
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
vals: vec![
"inetOrgPerson".to_string(),
"posixAccount".to_string(),
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
"mailAccount".to_string(),
"person".to_string()
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
]
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
},
ldap: Add support for "dn" attribute
2021-10-28 14:24:01 +00:00
LdapPartialAttribute {
atype: "dn".to_string(),
vals: vec!["cn=bob_1,ou=people,dc=example,dc=com".to_string()]
},
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
LdapPartialAttribute {
atype: "uid".to_string(),
vals: vec!["bob_1".to_string()]
},
LdapPartialAttribute {
atype: "mail".to_string(),
vals: vec!["bob@bobmail.bob".to_string()]
},
LdapPartialAttribute {
atype: "givenName".to_string(),
vals: vec!["Bôb".to_string()]
},
LdapPartialAttribute {
atype: "sn".to_string(),
vals: vec!["Böbberson".to_string()]
},
LdapPartialAttribute {
atype: "cn".to_string(),
vals: vec!["Bôb Böbberson".to_string()]
}
],
}),
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
LdapOp::SearchResultEntry(LdapSearchResultEntry {
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
dn: "cn=jim,ou=people,dc=example,dc=com".to_string(),
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
attributes: vec![
LdapPartialAttribute {
atype: "objectClass".to_string(),
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
vals: vec![
"inetOrgPerson".to_string(),
"posixAccount".to_string(),
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
"mailAccount".to_string(),
"person".to_string()
Add attribute list handling Also, fix various clippy warnings
2021-03-22 08:59:58 +00:00
]
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
},
ldap: Add support for "dn" attribute
2021-10-28 14:24:01 +00:00
LdapPartialAttribute {
atype: "dn".to_string(),
vals: vec!["cn=jim,ou=people,dc=example,dc=com".to_string()]
},
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
LdapPartialAttribute {
atype: "uid".to_string(),
vals: vec!["jim".to_string()]
},
LdapPartialAttribute {
atype: "mail".to_string(),
vals: vec!["jim@cricket.jim".to_string()]
},
LdapPartialAttribute {
atype: "givenName".to_string(),
vals: vec!["Jim".to_string()]
},
LdapPartialAttribute {
atype: "sn".to_string(),
vals: vec!["Cricket".to_string()]
},
LdapPartialAttribute {
atype: "cn".to_string(),
vals: vec!["Jimminy Cricket".to_string()]
}
],
}),
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
make_search_success(),
Add ability to list users with an LDAP search request
2021-03-16 17:27:31 +00:00
]
);
}
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
#[tokio::test]
async fn test_search_filters() {
let mut mock = MockTestBackendHandler::new();
mock.expect_list_users()
api: inline the ListUsersRequest
2021-08-30 08:18:59 +00:00
.with(eq(Some(RequestFilter::And(vec![RequestFilter::Or(vec![
RequestFilter::Not(Box::new(RequestFilter::Equality(
"user_id".to_string(),
"bob".to_string(),
))),
])]))))
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
.times(1)
.return_once(|_| Ok(vec![]));
let mut ldap_handler = setup_bound_handler(mock).await;
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
let request = make_search_request(
LdapFilter::And(vec![LdapFilter::Or(vec![LdapFilter::Not(Box::new(
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
LdapFilter::Equality("uid".to_string(), "bob".to_string()),
))])]),
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
vec!["objectClass"],
);
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
assert_eq!(
ldap_handler.do_search(&request).await,
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
vec![make_search_success()]
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
);
}
#[tokio::test]
async fn test_search_unsupported_filters() {
Create SQL tables with a query builder
2021-04-09 08:47:26 +00:00
let mut ldap_handler = setup_bound_handler(MockTestBackendHandler::new()).await;
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
let request = make_search_request(
LdapFilter::Substring(
graphql: Add a filter by group
2021-09-24 20:35:31 +00:00
"uid".to_string(),
ldap3_server::proto::LdapSubstringFilter::default(),
),
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
vec!["objectClass"],
);
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
assert_eq!(
ldap_handler.do_search(&request).await,
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp.
2021-10-24 09:03:09 +00:00
vec![make_search_error(
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
LdapResultCode::UnwillingToPerform,
ldap: Implement group listing, fix various bugs
2021-10-23 16:01:35 +00:00
"Unsupported user filter: Unsupported user filter: Substring(\"uid\", LdapSubstringFilter { initial: None, any: [], final_: None })".to_string()
Add support for basic ldap filters
2021-04-07 18:55:23 +00:00
)]
);
}
Separate ldap_handler, add tests
2021-03-11 09:50:15 +00:00
}
Reference in New Issue Copy Permalink