[PATCH] Wallet: implement ldap-group acl type
Ross Smith
rjsm at umich.edu
Mon Apr 1 15:01:15 EDT 2013
This patch implements an ldap-group acl type based off the code for
the ldap-attr acl type. This patch works in our environment, but I am
unable to test it in a more normal ldap setup. It functions in a
manner very similar to the ldap-attr acl type.
This Patch should apply cleanly to the released 1.0 version of wallet.
Ross Smith <rjsm at umich.edu>
------------------------------------------------------------------------------------------------------------
diff --git a/perl/Wallet/ACL/LDAP/Group.pm b/perl/Wallet/ACL/LDAP/Group.pm
new file mode 100644
index 0000000..97d74e6
--- /dev/null
+++ b/perl/Wallet/ACL/LDAP/Group.pm
@@ -0,0 +1,267 @@
+# Wallet::ACL::LDAP::Group -- Wallet LDAP Group ACL verifier.
+#
+# Written by Ross Smith <rjsm at umich.edu>
+# Russ Allbery <rra at stanford.edu>
+#
+# Copyright 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr. University
+#
+# See LICENSE for licensing terms.
+
+##############################################################################
+# Modules and declarations
+##############################################################################
+
+package Wallet::ACL::LDAP::Group;
+require 5.006;
+
+use strict;
+use vars qw(@ISA $VERSION);
+
+use Authen::SASL ();
+use Net::LDAP qw(LDAP_COMPARE_TRUE);
+use Wallet::ACL::Base;
+
+ at ISA = qw(Wallet::ACL::Base);
+
+# This version should be increased on any code change to this module. Always
+# use two digits for the minor version with a leading zero if necessary so
+# that it will sort properly.
+$VERSION = '0.01';
+
+##############################################################################
+# Interface
+##############################################################################
+
+# Create a new persistant verifier. Load the Net::LDAP module and open a
+# persistant LDAP server connection that we'll use for later calls.
+sub new {
+ my $type = shift;
+ my $host = $Wallet::Config::LDAP_HOST;
+ my $base = $Wallet::Config::LDAP_BASE;
+ unless ($host and defined ($base) and $Wallet::Config::LDAP_CACHE) {
+ die "LDAP attribute ACL support not configured\n";
+ }
+
+ # Ensure the required Perl modules are available and bind to the directory
+ # server. Catch any errors with a try/catch block.
+ my $ldap;
+ eval {
+ local $ENV{KRB5CCNAME} = $Wallet::Config::LDAP_CACHE;
+ my $sasl = Authen::SASL->new (mechanism => 'GSSAPI');
+ $ldap = Net::LDAP->new ($host, onerror => 'die');
+ my $mesg = eval { $ldap->bind (undef, sasl => $sasl) };
+ };
+ if ($@) {
+ my $error = $@;
+ chomp $error;
+ 1 while ($error =~ s/ at \S+ line \d+\.?\z//);
+ die "LDAP group ACL support not available: $error\n";
+ }
+
+ # We successfully bound, so create our object and return it.
+ my $self = { ldap => $ldap };
+ bless ($self, $type);
+ return $self;
+}
+
+# Check whether a given principal is a member of the given ldap
group. We first
+# map the principal to a DN by doing a search for that principal (and bailing
+# if we get more than one entry). Then, we do a search to determine if that DN
+# is a member of the given group the desired attribute and value.
+#
+# If the ldap_map_principal sub is defined in Wallet::Config, call it on the
+# principal first to map it to the value for which we'll search.
+#
+# The connection is configured to die on any error, so we do all the work in a
+# try/catch block to report errors.
+sub check {
+ my ($self, $principal, $acl) = @_;
+ undef $self->{error};
+ unless ($principal) {
+ $self->error ('no principal specified');
+ return;
+ }
+ my ($group, $member);
+ if ($acl) {
+ ($member, $group) = split (':', $acl, 2);
+ }
+ #die "$principal $member:$group";
+ unless (defined ($group) and defined ($member)) {
+ $self->error ('malformed ldap-group ACL');
+ return;
+ }
+ my $ldap = $self->{ldap};
+
+ # Map the principal name to an attribute value for our search if we're
+ # doing a custom mapping.
+ if (defined &Wallet::Config::ldap_map_principal) {
+ eval { $principal = Wallet::Config::ldap_map_principal ($principal) };
+ if ($@) {
+ $self->error ("mapping principal to LDAP failed: $@");
+ return;
+ }
+ }
+ my $entry;
+ my $base;
+ my $search;
+ eval {
+ my $fattr = $Wallet::Config::LDAP_FILTER_ATTR || 'krb5PrincipalName';
+ my $filter = "($fattr=$principal)";
+ $base = $Wallet::Config::LDAP_BASE;
+ my @options = (base => $base, filter => $filter, attrs => [ 'dn' ]);
+ $search = $ldap->search (@options);
+ if ($search->count == 1) {
+ $entry = $search->pop_entry;
+ } elsif ($search->count > 1) {
+ die $search->count . " LDAP entries found for $principal";
+ }
+ };
+ if ($@) {
+ $self->error ("cannot search for $principal in LDAP: $@");
+ return;
+ }
+ return 0 unless $entry;
+
+ # We now can check if the member is part of the specified group
+ eval {
+ my $dn = $entry->dn;
+ my $filter = "(&($group)($member=$dn))";
+ my @options = (base => $base, filter => $filter, attrs => [ '*' ]);
+ $search = $ldap->search (@options);
+ if ($search->count > 1) {
+ die $search->count . " LDAP entries found in $group for
$principal";
+ }
+ };
+ if ($@) {
+ $self->error ("cannot search for $principal in LDAP group $group: $@");
+ return ;
+ }
+ my $cnt = $search->count;
+ return ($search->count == 1) ? 1 : 0;
+}
+
+1;
+
+__END__
+##############################################################################
+# Documentation
+##############################################################################
+
+=for stopwords
+ACL Allbery
+
+=head1 NAME
+
+Wallet::ACL::LDAP::Group - Wallet ACL verifier for LDAP group membership
+
+=head1 SYNOPSIS
+
+ my $verifier = Wallet::ACL::LDAP::Group->new;
+ my $status = $verifier->check ($principal, "$group:$member");
+ if (not defined $status) {
+ die "Something failed: ", $verifier->error, "\n";
+ } elsif ($status) {
+ print "Access granted\n";
+ } else {
+ print "Access denied\n";
+ }
+
+=head1 DESCRIPTION
+
+Wallet::ACL::LDAP::Group checks whether the LDAP record for the entry
+corresponding to a principal is the member of a specificed ldap Group.
+It is used to verify ACL lines of type C<ldap-group>. The value of
+such an ACL is a full dn for a ldap group followed by an equals sign
+and the attribute that contains the group membership, and the ACL
+grants access to a given principal if and only if the LDAP entry for
+that principal is a member of the specified group.
+
+To use this object, several configuration parameters must be set. See
+L<Wallet::Config> for details on those configuration parameters and
+information about how to set wallet configuration.
+
+=head1 METHODS
+
+=item new()
+
+Creates a new ACL verifier. Opens and binds the connection to the LDAP
+server.
+
+=item check(PRINCIPAL, ACL)
+
+Returns true if PRINCIPAL is granted access according to ACL, false if
+not, and undef on an error (see L<"DIAGNOSTICS"> below). ACL must be a
+group dn and a membership attribute separated by a colon (with no
+whitespace). PRINCIPAL will be granted access if its LDAP entry contains
+that attribute with that value.
+
+=item error()
+
+Returns the error if check() returned undef.
+
+=back
+
+=head1 DIAGNOSTICS
+
+The new() method may fail with one of the following exceptions:
+
+=item LDAP attribute ACL support not available: %s
+
+Attempting to connect or bind to the LDAP server failed.
+
+=item LDAP attribute ACL support not configured
+
+The required configuration parameters were not set. See Wallet::Config(3)
+for the required configuration parameters and how to set them.
+
+=back
+
+Verifying an LDAP attribute ACL may fail with the following errors
+(returned by the error() method):
+
+=over 4
+
+=item cannot search for %s in LDAP group %s: %s"
+
+The LDAP search for the principle in the group failed. The
+group dn or member attribute may have been misspelled, or there may
+be LDAP directory permission issues. This error indicates that
+PRINCIPAL's entry was located in LDAP, but the check failed during
+the search to verify group membership
+
+=item cannot search for %s in LDAP: %s
+
+Searching for PRINCIPAL (possibly after ldap_map_principal() mapping)
+failed. This is often due to LDAP directory permissions issues. This
+indicates a failure during the mapping of PRINCIPAL to an LDAP DN.
+
+=item malformed ldap-group ACL
+
+The ACL parameter to check() was malformed. Usually this means that
+either the attribute or the value were empty or the required C<:>
+separating them was missing.
+
+=item mapping principal to LDAP failed: %s
+
+There was an ldap_map_principal() function defined in the wallet
+configuration, but calling it for the PRINCIPAL argument failed.
+
+=item no principal specified
+
+The PRINCIPAL parameter to check() was undefined or the empty string.
+
+=back
+
+=head1 SEE ALSO
+
+Wallet::ACL(3), Wallet::ACL::Base(3), Wallet::Config(3), wallet-backend(8)
+
+This module is part of the wallet system. The current version is
+available from L<http://www.eyrie.org/~eagle/software/wallet/>.
+
+=head1 AUTHOR
+
+Ross Smith <rjsm at umich.edu>
+Russ Allbery <rra at stanford.edu>
+
+=cut
diff --git a/perl/Wallet/Schema.pm b/perl/Wallet/Schema.pm
index 9a7fe44..00743c0 100644
--- a/perl/Wallet/Schema.pm
+++ b/perl/Wallet/Schema.pm
@@ -18,7 +18,7 @@ use base 'DBIx::Class::Schema';
# This version should be increased on any code change to this module. Always
# use two digits for the minor version with a leading zero if necessary so
# that it will sort properly.
-our $VERSION = '0.08';
+our $VERSION = '0.09';
__PACKAGE__->load_namespaces;
__PACKAGE__->load_components (qw/Schema::Versioned/);
##############################################################################
# Data manipulation
@@ -279,6 +279,8 @@ Holds the supported ACL schemes and their
corresponding Perl classes:
insert into acl_schemes (as_name, as_class)
values ('ldap-attr', 'Wallet::ACL::LDAP::Attribute');
insert into acl_schemes (as_name, as_class)
+ values ('ldap-group', 'Wallet::ACL::LDAP::Group');
+ insert into acl_schemes (as_name, as_class)
values ('netdb', 'Wallet::ACL::NetDB');
insert into acl_schemes (as_name, as_class)
values ('netdb-root', 'Wallet::ACL::NetDB::Root');
More information about the Kerberos
mailing list