From 10d0f396943891cf1b29303b68d474c42126fd62 Mon Sep 17 00:00:00 2001
From: Lars Kanis
Date: Fri, 3 Feb 2023 19:45:30 +0100
Subject: [PATCH] Add Kerberos and NTLM authentication support

Fixes #41
---
 config/sample-config.yaml | 14 +++++++++++++-
 lib/pg_ldap_sync/application.rb | 20 +++++++++++++++++++-
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/config/sample-config.yaml b/config/sample-config.yaml
index 2fdccb9..d0273dd 100644
--- a/config/sample-config.yaml
+++ b/config/sample-config.yaml
@@ -5,13 +5,25 @@ # Connection parameters to LDAP server # see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new ldap_connection: - host: localhost + host: ldapserver port: 389 auth: method: :simple username: CN=username,OU=!Serviceaccounts,OU=company,DC=company,DC=de password: secret + # or GSSAPI / Kerberos authentication: + auth: + method: :gssapi + hostname: ldapserver + + # or GSS-SPNEGO / NTLM authentication + auth: + method: :gss_spnego + domain: 'company.de' + username: 'myuser' + password: 'secret' + # Search parameters for LDAP users which should be synchronized ldap_users: base: OU=company,OU=company,DC=company,DC=de
diff --git a/lib/pg_ldap_sync/application.rb b/lib/pg_ldap_sync/application.rb
index dcd6280..2c6d9ae 100644
--- a/lib/pg_ldap_sync/application.rb
+++ b/lib/pg_ldap_sync/application.rb
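Review bot: In config/sample-config.yaml the three `auth:` alternatives are all live keys under `ldap_connection:`, so a copy of the sample parses with only the last mapping (`method: :gss_spnego`) in effect while the `:simple` and `:gssapi` entries are silently discarded, and a strict YAML loader may reject the repeated key outright. The two new alternatives should be commented out like the prose that introduces them, e.g. `  # auth:` / `  #   method: :gssapi` / `  #   hostname: ldapserver`, and likewise for the `:gss_spnego` block, so the sample stays one valid configuration that the reader opts into explicitly. The `# or ...` comments would then read as instructions rather than as labels on active settings.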
@@ -361,8 +361,26 @@ class Application def start! read_config_file(@config_fname) + ldap_conf = @config[:ldap_connection] + auth_meth = ldap_conf.dig(:auth, :method).to_s + if auth_meth == "gssapi" + begin + require 'net/ldap/auth_adapter/gssapi' + rescue LoadError => err + raise "#{err}\nTo use GSSAPI authentication please run:\n gem install net-ldap-auth_adapter-gssapi" + end + elsif auth_meth == "gss_spnego" + begin + require 'net-ldap-gss-spnego' + # This doesn't work since this file is defined in net-ldap as a placeholder: + # require 'net/ldap/auth_adapter/gss_spnego' + rescue LoadError => err + raise "#{err}\nTo use GSSAPI authentication please run:\n gem install net-ldap-gss-spnego" + end + end + # gather LDAP users and groups - @ldap = Net::LDAP.new @config[:ldap_connection] + @ldap = Net::LDAP.new ldap_conf ldap_users = uniq_names search_ldap_users ldap_groups = uniq_names search_ldap_groups
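Review bot: The LoadError message in the `gss_spnego` branch is copy-pasted from the `gssapi` branch and tells the user to use GSSAPI while naming the GSS-SPNEGO gem; it should read `raise "#{err}\nTo use GSS-SPNEGO authentication please run:\n  gem install net-ldap-gss-spnego"`. Re-raising a bare string also turns the failure into a RuntimeError and drops the original class; `raise LoadError, "..."` in both branches keeps it catchable as a load failure. With two string-equality branches on `auth_meth`, a `case auth_meth when "gssapi" ... when "gss_spnego" ... end` reads more naturally than the if/elsif chain. `ldap_conf.dig(:auth, :method)` raises NoMethodError when the config has no `ldap_connection` key at all; presumably read_config_file validates that, but if not, a `@config.fetch(:ldap_connection)` with a clear message would be the better failure. start! continues outside the hunk.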