Support querying Active Directory Global Catalog #94
Conversation
davesims
force-pushed
the
use_global_catalog_for_auth
branch
from
b75644e to
a00750f
Compare
| def active_directory_capability? | ||
| capabilities[:supportedcapabilities].include?(ACTIVE_DIRECTORY_V51_OID) | ||
| end | ||
| private :active_directory_capability? |
There was a problem hiding this comment.
Made this public since Domain now needs to pivot on whether the server is an AD or not.
davesims
changed the title
davesims
force-pushed
the
use_global_catalog_for_auth
branch
from
5b54b07 to
3af0a88
Compare
|
|
||
| group :test, :development do | ||
| gem "byebug", :platforms => [:mri_20, :mri_21] | ||
| gem "mocha" |
There was a problem hiding this comment.
What's the use case for adding mocha in development?
There was a problem hiding this comment.
Mainly as a convenience for cases like this.
There was a problem hiding this comment.
Oh, you mean split the group block. 
👍
|
|
||
| group :test do | ||
| gem "mocha" | ||
| end |
test/user_search/default_test.rb
Outdated
| base: "CN=HI,CN=McDunnough", | ||
| filter: kind_of(Net::LDAP::Filter) | ||
| )) | ||
| results = @default_user_search.perform("","CN=HI,CN=McDunnough","",{}) |
|
No critical blockers, this is super close! |
| # When doing a global search for a user's DN, set the search base to blank | ||
| def options | ||
| super.merge(base: "") | ||
| end |
|
|
||
| # Keep a reference to these as default auth for a Global Catalog if needed | ||
| @admin_user = options[:admin_user] | ||
| @admin_password = options[:admin_password] |
There was a problem hiding this comment.
Not a blocker but it might be worth passing these into configure_user_search_strategy (by passing through the options hash) to let that method decide if it needs these, so we don't have Global Catalog concerns leaking out unnecessarily.
|
@davesims wouldn't consider anything ☝️ above as blocking feedback. |
|
Just noticing that builds were't enabled. Would like to kick off a build to verify these changes. |
|
This was shadowed by merging #95 first. Closing. |
For Active Directory deployments, in some cases, like authentication or simple entry searches, it will make sense to search the Global Catalog rather than the default configured Domain Controller. This PR will initialize a Global Catalog connection object when requested, and provides an interface to directly query the catalog.
GitHub::Ldap::Domainwill now use the Global Catalog foruser?, if the server is an Active Directory, and the configured Domain Controller is a Global Catalog, or if the user has provided global catalog settings in the initializer options.TODO:
GitHub::Ldap::Domain#user?use the catalog if server is AD & catalog is presentThis begins an alternative approach to #91. To fully replace that, we'll have to also implement referral chasing to be able to search for groups that aren't configured to be Active Directory "universal" groups. I'll do that in a separate PR.
/cc @mtodd @jch @sbryant @lildude @timmjd
/cc @github/ldap