(POOLER-113) Add support for multiple LDAP search bases

This commit updates vmpooler to support setting an array of search bases in addition to a single base provided as a string. Without this change it is not possible to specify multiple search bases to use with the LDAP authentication provider. Additionally, test coverage is added to the authentication helper method.
2026-01-26 01:58:41 -05:00 · 2018-06-25 13:56:55 -07:00 · 2018-06-25 13:56:55 -07:00 · 9fa27af8e5
commit 9fa27af8e5
parent de813943e9
7 changed files with 218 additions and 71 deletions
--- a/lib/vmpooler/api/helpers.rb
+++ b/lib/vmpooler/api/helpers.rb
@ -54,35 +54,63 @@ module Vmpooler
        return false
      end

+      def authenticate_ldap(port, host, user_object, base, username_str, password_str)
+        require 'rubygems'
+        require 'net/ldap'
+
+        ldap = Net::LDAP.new(
+          :host => host,
+          :port => port,
+          :encryption => {
+            :method => :start_tls,
+            :tls_options => { :ssl_version => 'TLSv1' }
+          },
+          :base => base,
+          :auth => {
+            :method => :simple,
+            :username => "#{user_object}=#{username_str},#{base}",
+            :password => password_str
+          }
+        )
+
+        return true if ldap.bind
+        return false
+      end
+
      def authenticate(auth, username_str, password_str)
        case auth['provider']
          when 'dummy'
            return (username_str != password_str)
          when 'ldap'
-            require 'rubygems'
-            require 'net/ldap'
+            ldap_base = auth[:ldap]['base']
+            ldap_port = auth[:ldap]['port'] || 389

-            ldap = Net::LDAP.new(
-              :host => auth[:ldap]['host'],
-              :port => auth[:ldap]['port'] || 389,
-              :encryption => {
-                :method => :start_tls,
-                :tls_options => { :ssl_version => 'TLSv1' }
-              },
-              :base => auth[:ldap]['base'],
-              :auth => {
-                :method => :simple,
-                :username => "#{auth[:ldap]['user_object']}=#{username_str},#{auth[:ldap]['base']}",
-                :password => password_str
-              }
-            )
-
-            if ldap.bind
-              return true
+            if ldap_base.is_a? Array
+              ldap_base.each do |search_base|
+                result = authenticate_ldap(
+                  ldap_port,
+                  auth[:ldap]['host'],
+                  auth[:ldap]['user_object'],
+                  search_base,
+                  username_str,
+                  password_str,
+                )
+                return true if result == true
+              end
+            else
+              result = authenticate_ldap(
+                ldap_port,
+                auth[:ldap]['host'],
+                auth[:ldap]['user_object'],
+                ldap_base,
+                username_str,
+                password_str,
+              )
+              return result
            end
-        end

-        return false
+            return false
+          end
      end

      def export_tags(backend, hostname, tags)