This patch implements an ldap-group acl type based off the code for the ldap-attr acl type. This patch works in our environment, but I am unable to test it in a more normal ldap setup. It functions in a manner very similar to the ldap-attr acl type.
This Patch should apply cleanly to the released 1.0 version of wallet. Ross Smith <[email protected]> ------------------------------------------------------------------------------------------------------------ diff --git a/perl/Wallet/ACL/LDAP/Group.pm b/perl/Wallet/ACL/LDAP/Group.pm new file mode 100644 index 0000000..97d74e6 --- /dev/null +++ b/perl/Wallet/ACL/LDAP/Group.pm @@ -0,0 +1,267 @@ +# Wallet::ACL::LDAP::Group -- Wallet LDAP Group ACL verifier. +# +# Written by Ross Smith <[email protected]> +# Russ Allbery <[email protected]> +# +# Copyright 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr. University +# +# See LICENSE for licensing terms. + +############################################################################## +# Modules and declarations +############################################################################## + +package Wallet::ACL::LDAP::Group; +require 5.006; + +use strict; +use vars qw(@ISA $VERSION); + +use Authen::SASL (); +use Net::LDAP qw(LDAP_COMPARE_TRUE); +use Wallet::ACL::Base; + +@ISA = qw(Wallet::ACL::Base); + +# This version should be increased on any code change to this module. Always +# use two digits for the minor version with a leading zero if necessary so +# that it will sort properly. +$VERSION = '0.01'; + +############################################################################## +# Interface +############################################################################## + +# Create a new persistant verifier. Load the Net::LDAP module and open a +# persistant LDAP server connection that we'll use for later calls. +sub new { + my $type = shift; + my $host = $Wallet::Config::LDAP_HOST; + my $base = $Wallet::Config::LDAP_BASE; + unless ($host and defined ($base) and $Wallet::Config::LDAP_CACHE) { + die "LDAP attribute ACL support not configured\n"; + } + + # Ensure the required Perl modules are available and bind to the directory + # server. Catch any errors with a try/catch block. + my $ldap; + eval { + local $ENV{KRB5CCNAME} = $Wallet::Config::LDAP_CACHE; + my $sasl = Authen::SASL->new (mechanism => 'GSSAPI'); + $ldap = Net::LDAP->new ($host, onerror => 'die'); + my $mesg = eval { $ldap->bind (undef, sasl => $sasl) }; + }; + if ($@) { + my $error = $@; + chomp $error; + 1 while ($error =~ s/ at \S+ line \d+\.?\z//); + die "LDAP group ACL support not available: $error\n"; + } + + # We successfully bound, so create our object and return it. + my $self = { ldap => $ldap }; + bless ($self, $type); + return $self; +} + +# Check whether a given principal is a member of the given ldap group. We first +# map the principal to a DN by doing a search for that principal (and bailing +# if we get more than one entry). Then, we do a search to determine if that DN +# is a member of the given group the desired attribute and value. +# +# If the ldap_map_principal sub is defined in Wallet::Config, call it on the +# principal first to map it to the value for which we'll search. +# +# The connection is configured to die on any error, so we do all the work in a +# try/catch block to report errors. +sub check { + my ($self, $principal, $acl) = @_; + undef $self->{error}; + unless ($principal) { + $self->error ('no principal specified'); + return; + } + my ($group, $member); + if ($acl) { + ($member, $group) = split (':', $acl, 2); + } + #die "$principal $member:$group"; + unless (defined ($group) and defined ($member)) { + $self->error ('malformed ldap-group ACL'); + return; + } + my $ldap = $self->{ldap}; + + # Map the principal name to an attribute value for our search if we're + # doing a custom mapping. + if (defined &Wallet::Config::ldap_map_principal) { + eval { $principal = Wallet::Config::ldap_map_principal ($principal) }; + if ($@) { + $self->error ("mapping principal to LDAP failed: $@"); + return; + } + } + my $entry; + my $base; + my $search; + eval { + my $fattr = $Wallet::Config::LDAP_FILTER_ATTR || 'krb5PrincipalName'; + my $filter = "($fattr=$principal)"; + $base = $Wallet::Config::LDAP_BASE; + my @options = (base => $base, filter => $filter, attrs => [ 'dn' ]); + $search = $ldap->search (@options); + if ($search->count == 1) { + $entry = $search->pop_entry; + } elsif ($search->count > 1) { + die $search->count . " LDAP entries found for $principal"; + } + }; + if ($@) { + $self->error ("cannot search for $principal in LDAP: $@"); + return; + } + return 0 unless $entry; + + # We now can check if the member is part of the specified group + eval { + my $dn = $entry->dn; + my $filter = "(&($group)($member=$dn))"; + my @options = (base => $base, filter => $filter, attrs => [ '*' ]); + $search = $ldap->search (@options); + if ($search->count > 1) { + die $search->count . " LDAP entries found in $group for $principal"; + } + }; + if ($@) { + $self->error ("cannot search for $principal in LDAP group $group: $@"); + return ; + } + my $cnt = $search->count; + return ($search->count == 1) ? 1 : 0; +} + +1; + +__END__ +############################################################################## +# Documentation +############################################################################## + +=for stopwords +ACL Allbery + +=head1 NAME + +Wallet::ACL::LDAP::Group - Wallet ACL verifier for LDAP group membership + +=head1 SYNOPSIS + + my $verifier = Wallet::ACL::LDAP::Group->new; + my $status = $verifier->check ($principal, "$group:$member"); + if (not defined $status) { + die "Something failed: ", $verifier->error, "\n"; + } elsif ($status) { + print "Access granted\n"; + } else { + print "Access denied\n"; + } + +=head1 DESCRIPTION + +Wallet::ACL::LDAP::Group checks whether the LDAP record for the entry +corresponding to a principal is the member of a specificed ldap Group. +It is used to verify ACL lines of type C<ldap-group>. The value of +such an ACL is a full dn for a ldap group followed by an equals sign +and the attribute that contains the group membership, and the ACL +grants access to a given principal if and only if the LDAP entry for +that principal is a member of the specified group. + +To use this object, several configuration parameters must be set. See +L<Wallet::Config> for details on those configuration parameters and +information about how to set wallet configuration. + +=head1 METHODS + +=item new() + +Creates a new ACL verifier. Opens and binds the connection to the LDAP +server. + +=item check(PRINCIPAL, ACL) + +Returns true if PRINCIPAL is granted access according to ACL, false if +not, and undef on an error (see L<"DIAGNOSTICS"> below). ACL must be a +group dn and a membership attribute separated by a colon (with no +whitespace). PRINCIPAL will be granted access if its LDAP entry contains +that attribute with that value. + +=item error() + +Returns the error if check() returned undef. + +=back + +=head1 DIAGNOSTICS + +The new() method may fail with one of the following exceptions: + +=item LDAP attribute ACL support not available: %s + +Attempting to connect or bind to the LDAP server failed. + +=item LDAP attribute ACL support not configured + +The required configuration parameters were not set. See Wallet::Config(3) +for the required configuration parameters and how to set them. + +=back + +Verifying an LDAP attribute ACL may fail with the following errors +(returned by the error() method): + +=over 4 + +=item cannot search for %s in LDAP group %s: %s" + +The LDAP search for the principle in the group failed. The +group dn or member attribute may have been misspelled, or there may +be LDAP directory permission issues. This error indicates that +PRINCIPAL's entry was located in LDAP, but the check failed during +the search to verify group membership + +=item cannot search for %s in LDAP: %s + +Searching for PRINCIPAL (possibly after ldap_map_principal() mapping) +failed. This is often due to LDAP directory permissions issues. This +indicates a failure during the mapping of PRINCIPAL to an LDAP DN. + +=item malformed ldap-group ACL + +The ACL parameter to check() was malformed. Usually this means that +either the attribute or the value were empty or the required C<:> +separating them was missing. + +=item mapping principal to LDAP failed: %s + +There was an ldap_map_principal() function defined in the wallet +configuration, but calling it for the PRINCIPAL argument failed. + +=item no principal specified + +The PRINCIPAL parameter to check() was undefined or the empty string. + +=back + +=head1 SEE ALSO + +Wallet::ACL(3), Wallet::ACL::Base(3), Wallet::Config(3), wallet-backend(8) + +This module is part of the wallet system. The current version is +available from L<http://www.eyrie.org/~eagle/software/wallet/>. + +=head1 AUTHOR + +Ross Smith <[email protected]> +Russ Allbery <[email protected]> + +=cut diff --git a/perl/Wallet/Schema.pm b/perl/Wallet/Schema.pm index 9a7fe44..00743c0 100644 --- a/perl/Wallet/Schema.pm +++ b/perl/Wallet/Schema.pm @@ -18,7 +18,7 @@ use base 'DBIx::Class::Schema'; # This version should be increased on any code change to this module. Always # use two digits for the minor version with a leading zero if necessary so # that it will sort properly. -our $VERSION = '0.08'; +our $VERSION = '0.09'; __PACKAGE__->load_namespaces; __PACKAGE__->load_components (qw/Schema::Versioned/); ############################################################################## # Data manipulation @@ -279,6 +279,8 @@ Holds the supported ACL schemes and their corresponding Perl classes: insert into acl_schemes (as_name, as_class) values ('ldap-attr', 'Wallet::ACL::LDAP::Attribute'); insert into acl_schemes (as_name, as_class) + values ('ldap-group', 'Wallet::ACL::LDAP::Group'); + insert into acl_schemes (as_name, as_class) values ('netdb', 'Wallet::ACL::NetDB'); insert into acl_schemes (as_name, as_class) values ('netdb-root', 'Wallet::ACL::NetDB::Root'); ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
