diff --git a/config/sample-config2.yaml b/config/sample-config2.yaml
index 080b512..c6fde6e 100644
--- a/config/sample-config2.yaml
+++ b/config/sample-config2.yaml
@@ -25,6 +25,8 @@ ldap_users: name_attribute: sAMAccountName # lowercase name for use as PG role name lowercase_name: true
+ # Add lowercase name *and* original name for use as PG role names (useful for migrating between case types)
+ bothcase_name: false # Search parameters for LDAP groups which should be synchronized ldap_groups:
diff --git a/config/schema.yaml b/config/schema.yaml
index 29fc256..08abdb8 100644
--- a/config/schema.yaml
+++ b/config/schema.yaml
@@ -20,6 +20,9 @@ mapping: "lowercase_name": type: bool required: no
+ "bothcase_name":
+ type: bool
+ required: no "ldap_groups": type: map
@@ -37,6 +40,9 @@ mapping: "lowercase_name": type: bool required: no
+ "bothcase_name":
+ type: bool
+ required: no "member_attribute": type: str required: yes
diff --git a/lib/pg_ldap_sync/application.rb b/lib/pg_ldap_sync/application.rb
index 61b4bd3..931ee59 100644
--- a/lib/pg_ldap_sync/application.rb
+++ b/lib/pg_ldap_sync/application.rb
@@ -61,11 +61,19 @@ class Application log.warn "user attribute #{ldap_user_conf[:name_attribute].inspect} not defined for #{entry.dn}" next end
- name.downcase! if ldap_user_conf[:lowercase_name]
- log.info "found user-dn: #{entry.dn}"
- user = LdapRole.new name, entry.dn
- users << user
+
+ names = if ldap_user_conf[:bothcase_name]
+ [name, name.downcase].uniq
+ elsif ldap_user_conf[:lowercase_name]
+ [name.downcase]
+ else
+ [name]
+ end
+
+ names.each do |n|
+ users << LdapRole.new(n, entry.dn)
+ end entry.each do |attribute, values| log.debug "  #{attribute}:" values.each do |value| 
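Review bot: The `log.info "found user-dn: #{entry.dn}"` line is deleted in the application.rb hunk with no replacement, so the user loop no longer records which directory entries were turned into roles, which is exactly what an operator checks when a role appears or vanishes unexpectedly; re-add `log.info "found user-dn: #{entry.dn}"` ahead of the `names.each` loop. When a config sets both `bothcase_name` and `lowercase_name`, the first branch of the new conditional silently wins, so either a comment stating that bothcase takes precedence or a one-liner such as `log.warn "bothcase_name overrides lowercase_name for #{entry.dn}" if ldap_user_conf[:bothcase_name] && ldap_user_conf[:lowercase_name]` would make that visible. As I read PostgreSQL's identifier folding, unquoted identifiers in a UTF-8 database are lowercased only for ASCII letters, whereas `String#downcase` applies Unicode case mapping, so for non-ASCII account names the lowercase role produced here may not be the one an unquoted identifier resolves to; worth a comment if such names exist in this directory. Each entry can now yield two roles that point at the same `entry.dn`, and the create/drop path that consumes `users` is not in this hunk, so confirm it copes with two roles per dn. The enclosing method begins and ends outside the hunk.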
@@ -88,11 +96,19 @@ class Application log.warn "user attribute #{ldap_group_conf[:name_attribute].inspect} not defined for #{entry.dn}" next end
- name.downcase! if ldap_group_conf[:lowercase_name]
- log.info "found group-dn: #{entry.dn}"
- group = LdapRole.new name, entry.dn, entry[ldap_group_conf[:member_attribute]]
- groups << group
+
+ names = if ldap_group_conf[:bothcase_name]
+ [name, name.downcase].uniq
+ elsif ldap_group_conf[:lowercase_name]
+ [name.downcase]
+ else
+ [name]
+ end
+
+ names.each do |n|
+ groups << LdapRole.new(n, entry.dn, entry[ldap_group_conf[:member_attribute]])
+ end entry.each do |attribute, values| log.debug "  #{attribute}:" values.each do |value|
diff --git a/test/fixtures/config-ldapdb-bothcase.yaml b/test/fixtures/config-ldapdb-bothcase.yaml
new file mode 100644
index 0000000..49c1583
--- /dev/null
+++ b/test/fixtures/config-ldapdb-bothcase.yaml
@@ -0,0 +1,34 @@
+---
+ldap_connection:
+ host: localhost
+ port: 1389
+
+ldap_users:
+ base: dc=example,dc=com
+ filter: (sAMAccountName=*)
+ name_attribute: sAMAccountName
+ bothcase_name: true
+
+ldap_groups:
+ base: dc=example,dc=com
+ filter: (member=*)
+ name_attribute: cn
+ bothcase_name: true
+ member_attribute: member
+
+pg_connection:
+ dbname: postgres
+ host: localhost
+ port: 54321
+# needed for postgres-pr:
+# user: insert_your_username_here
+# password:
+
+pg_users:
+ filter: rolcanlogin AND NOT rolsuper AND rolname!='double_user'
+ create_options: LOGIN
+
+pg_groups:
+ filter: NOT rolcanlogin
+ create_options: NOLOGIN
+ grant_options:
diff --git a/test/fixtures/ldapdb.yaml b/test/fixtures/ldapdb.yaml
index e0eb4c3..cac7e90 100644
--- a/test/fixtures/ldapdb.yaml
+++ b/test/fixtures/ldapdb.yaml
@@ -11,14 +11,14 @@ cn=Fred Flintstone,dc=example,dc=com: sn: - Flintstone sAMAccountName:
- - fred
+ - Fred cn=Wilma Flintstone,dc=example,dc=com: cn: - Wilma Flintstone mail: - wilma@bedrock.org sAMAccountName:
- - wilma
+ - Wilma cn=Flintstones,dc=example,dc=com: cn: - Flintstones 
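Review bot: This group hunk drops `log.info "found group-dn: #{entry.dn}"` with no replacement, the same loss of audit trail as in the user loop, so re-add it ahead of `names.each`. The seven-line `names = if … end` conditional is a verbatim copy of the user-loop version with `ldap_group_conf` substituted, and the two copies will drift the next time a naming option is added; a single private helper such as `role_names(conf, name)` returning the same array (bothcase first, then lowercase, then the raw name) called from both loops would keep the precedence rule in one place. In bothcase mode each group entry becomes two `LdapRole`s sharing the same `entry[ldap_group_conf[:member_attribute]]` list, so every membership is granted twice, once per case variant; that appears to be the intent, but a comment on the `names.each` loop saying so would stop the next reader treating it as an accidental double grant. The enclosing method starts and ends outside the hunk.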
diff --git a/test/test_pg_ldap_sync.rb b/test/test_pg_ldap_sync.rb
index 0081ba7..ece5593 100644
--- a/test/test_pg_ldap_sync.rb
+++ b/test/test_pg_ldap_sync.rb
@@ -83,7 +83,7 @@ class TestPgLdapSync < Minitest::Test end def setup
- @pgconn.exec "DROP ROLE IF EXISTS fred, wilma, \"Flintstones\", \"Wilmas\", \"All Users\", double_user"
+ @pgconn.exec "DROP ROLE IF EXISTS \"Fred\", fred, \"Wilma\", wilma, \"Flintstones\", \"flintstones\", \"Wilmas\", \"wilmas\", \"All Users\", double_user" end def assert_role(role_name, attrs, member_of=[])
@@ -130,12 +130,12 @@ class TestPgLdapSync < Minitest::Test sync_with_config(config) end
- def sync_change
- sync_to_fixture
+ def sync_change(fixture: "ldapdb", config: "config-ldapdb")
+ sync_to_fixture(fixture: fixture, config: config) yield(@directory)
- sync_with_config
+ sync_with_config(config) exec_psql_du if $DEBUG end
@@ -153,8 +153,8 @@ class TestPgLdapSync < Minitest::Test assert_role('All Users', 'Cannot login') assert_role('Flintstones', 'Cannot login') assert_role('Wilmas', 'Cannot login', ['All Users'])
- assert_role('fred', '', ['All Users', 'Flintstones'])
- assert_role('wilma', '', ['Flintstones', 'Wilmas'])
+ assert_role('Fred', '', ['All Users', 'Flintstones'])
+ assert_role('Wilma', '', ['Flintstones', 'Wilmas']) end def test_add_membership 
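Review bot: The new `DROP ROLE IF EXISTS` list in `setup` omits `"all users"`, yet `test_add_membership_bothcase` later in this diff asserts that `fred` is a member of `'all users'`, so that lowercase group role is created by the bothcase run and is never cleaned up, surviving into every test that runs after it. Extend the list to cover every role a test can create: `@pgconn.exec "DROP ROLE IF EXISTS \"Fred\", fred, \"Wilma\", wilma, \"Flintstones\", \"flintstones\", \"Wilmas\", \"wilmas\", \"All Users\", \"all users\", double_user"`. Whether the stale role actually trips an assertion depends on test ordering and the `pg_groups` filter, which I can't judge from this hunk, but leaving a role behind between tests is the kind of cross-test leakage that produces order-dependent failures.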
@@ -162,7 +162,15 @@ class TestPgLdapSync < Minitest::Test # add 'Fred' to 'Wilmas' @directory[0]['cn=Wilmas,dc=example,dc=com']['member'] << 'cn=Fred Flintstone,dc=example,dc=com' end
- assert_role('fred', '', ['All Users', 'Flintstones', 'Wilmas'])
+ assert_role('Fred', '', ['All Users', 'Flintstones', 'Wilmas'])
+ end
+
+ def test_add_membership_bothcase
+ sync_change(config: "config-ldapdb-bothcase") do |dir|
+ # add 'Fred' to 'Wilmas'
+ @directory[0]['cn=Wilmas,dc=example,dc=com']['member'] << 'cn=Fred Flintstone,dc=example,dc=com'
+ end
+ assert_role('fred', '', ['All Users', 'all users', 'Flintstones', 'flintstones', 'Wilmas', 'wilmas']) end def test_revoke_membership
@@ -170,7 +178,7 @@ class TestPgLdapSync < Minitest::Test # revoke membership of 'wilma' to 'Flintstones' dir[0]['cn=Flintstones,dc=example,dc=com']['member'].pop end
- assert_role('wilma', '', ['Wilmas'])
+ assert_role('Wilma', '', ['Wilmas']) end def test_rename_role
@@ -179,6 +187,7 @@ class TestPgLdapSync < Minitest::Test dir[0]['cn=Wilma Flintstone,dc=example,dc=com']['sAMAccountName'] = ['Wilma Flintstone'] end refute_role('wilma')
+ refute_role('Wilma') assert_role('Wilma Flintstone', '', ['Flintstones', 'Wilmas']) end
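Review bot: `test_add_membership_bothcase` asserts only the lowercase `fred` role, so the original-case `Fred` role that `bothcase_name` is meant to create alongside it is never checked, and a regression that stopped emitting the second role would still pass; add `assert_role('Fred', '', ['All Users', 'all users', 'Flintstones', 'flintstones', 'Wilmas', 'wilmas'])` beside the existing assertion. The block parameter `dir` is unused because the body mutates `@directory[0]` directly (copied from `test_add_membership`), so either write `dir[0]['cn=Wilmas,dc=example,dc=com']['member'] << ...` as `test_revoke_membership` does or rename it `_dir`. The test relies on `sync_change`'s default `fixture: "ldapdb"`, which this same diff changed to mixed-case `Fred`/`Wilma`; a short comment noting that the `fred`/`Fred` pairing depends on that fixture edit would help the next person who touches the fixture.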