akkounts/lib/tasks/ldap.rake
WIP Add service accounts and ACIs

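namespace :ldap do
  # Schema attributes managed by add_custom_attributes / delete_custom_attributes.
  # Each one has a definition file at schemas/ldap/<name>.ldif, applied by
  # modify_ldap_schema.
  custom_attributes = %w[admin service_enabled nostr_key].freeze
  schema_task = "ldap:modify_ldap_schema"

  desc "Reset the LDAP directory and set up base entries and default org"
  task setup: %i[environment add_custom_attributes] do
    ldap = LdapService.new
    admin_role_dn = "cn=admin_role,ou=kosmos.org,cn=users,dc=kosmos,dc=org"
    # The role subentry is removed explicitly before the reset; presumably
    # reset_directory! does not cover it — confirm against LdapService.
    # NOTE(review): the meaning of the trailing `true` argument on delete_entry,
    # add_organization and add_entry is defined by LdapService, not visible here.
    ldap.delete_entry admin_role_dn, true
    # Delete all existing entries and re-add base entries
    ldap.reset_directory!
    ldap.add_organization "kosmos.org", "Kosmos", true
    # Filtered role: every person entry carrying admin=true is a member of
    # admin_role, so membership is controlled by that single attribute.
    ldap.add_entry admin_role_dn, {
      objectClass: %w[top LDAPsubentry nsRoleDefinition nsComplexRoleDefinition nsFilteredRoleDefinition],
      cn: "admin_role",
      nsRoleFilter: "(&(objectclass=person)(admin=true))",
      description: "filtered role for admins"
    }, true
  end

  desc "Add application account to directory"
  task add_application_account: :environment do
    # TODO: add uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org with userPassword
    # Fail loudly until implemented, so an operator running the task does not
    # take a silent no-op for success.
    abort "ldap:add_application_account is not implemented yet"
  end

  # Renamed from add_application_account: that name collided with the task
  # above, and Rake merges same-named task definitions into a single task.
  desc "Add application ACI/permissions for OU, i.e. read/search users"
  task add_application_aci: :environment do
    # TODO: (target="ldap:///cn=*,ou=#{ou},cn=users,#{ldap_suffix}")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-#{ou.gsub(".", "-")}-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=#{ou},cn=applications,#{ldap_suffix}";)
    # NOTE(review): the targetattr list above includes userPassword, which would
    # give the service account read access to password hashes. If the
    # application only needs to authenticate users through a bind, that
    # attribute can likely be left out of the ACI — confirm before applying.
    abort "ldap:add_application_aci is not implemented yet"
  end

  desc "Add custom attributes to schema"
  task add_custom_attributes: :environment do
    custom_attributes.each do |attr_name|
      Rake::Task[schema_task].invoke(attr_name, "add")
      # Rake runs a task once per process; reenable it so the next attribute
      # is processed as well.
      Rake::Task[schema_task].reenable
    end
  end

  desc "Delete custom attributes from schema"
  task delete_custom_attributes: :environment do
    custom_attributes.each do |attr_name|
      Rake::Task[schema_task].invoke(attr_name, "delete")
      Rake::Task[schema_task].reenable
    end
  end

  desc "Modify LDAP schema"
  # Arguments: name — basename of schemas/ldap/<name>.ldif;
  #            operation — passed to LdapService#modify as a symbol
  #            (the tasks above use "add" and "delete").
  # Exits with status 1 on a usage error, a malformed definition file, or a
  # non-zero result code from the directory.
  task :modify_ldap_schema, [:name, :operation] => [:environment] do |_t, args|
    name = args[:name].to_s
    operation = args[:operation].to_s
    if name.empty? || operation.empty?
      abort "Usage: rake ldap:modify_ldap_schema[name,operation]"
    end
    puts "Modify schema: #{operation} #{name}"
    # The definition files carry a .ldif extension but are parsed as YAML:
    # a mapping with "dn", "add" (the attribute to change) and a key named
    # after that attribute holding its value.
    filename = Rails.root.join("schemas", "ldap", "#{name}.ldif")
    ldif = YAML.safe_load(File.read(filename))
    abort "#{filename}: expected a YAML mapping" unless ldif.is_a?(Hash)
    dn = ldif["dn"]
    attribute = ldif["add"]
    value = ldif[attribute]
    if dn.nil? || attribute.nil? || value.nil?
      abort "#{filename}: missing one of the keys \"dn\", \"add\" or \"#{attribute}\""
    end
    ldap = LdapService.new
    res = ldap.modify dn, [[operation.to_sym, attribute.to_sym, value]]
    if res != 0
      puts "Result code: #{res}"
      exit 1
    end
  end

  desc "List user domains/organizations"
  task list_organizations: :environment do
    puts LdapService.new.fetch_organizations.inspect
  end
end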