
Support Active Directory Forest searches #91


Closed
wants to merge 26 commits into from

Conversation

davesims
Contributor

@davesims davesims commented Jul 8, 2016

Creating a new PR to continue the work started by @timmjd on #89. We can move forward on this with an internal branch instead of an external fork.

TODO:

  • Unit tests
  • Test with a regular single-DC environment.
  • Test against an internal AD forest environment
  • Test against OpenLDAP
  • Add configuration flag in github/github to enable feature https://github.com/github/github/pull/58154
  • Integration tests if possible (working on Vagrant + PowerShell script to build AD forest)

/cc @gnawhleinad @mtodd @jch
/cc @jatoben @lildude for thoughts as well since you were involved in the original discussion

@davesims davesims mentioned this pull request Jul 8, 2016
```ruby
:ignore_server_caps => true,
:base => "",
:scope => Net::LDAP::SearchScope_BaseObject)
(rs and rs.first) || Net::LDAP::Entry.new
```
Contributor Author

@davesims davesims Jul 8, 2016


Return an empty Entry if rs doesn't contain any.

@davesims davesims force-pushed the feature/multi_domain branch from 3dfdea2 to efcf915 Compare July 8, 2016 18:53
```ruby
@forest_search = GitHub::Ldap::ForestSearch.new(@connection, "naming")
end

def test_search
```
Contributor Author


🚧 WIP 🚧

@davesims davesims changed the title Support Active Directory Forest searches [WIP] Support Active Directory Forest searches Jul 9, 2016
```ruby
domains.each_with_object({}) do |server, result|
if server[:ncname].any? && server[:dnsroot].any?
result[server[:ncname].first] = Net::LDAP.new({
host: server[:dnsroot].first,
```
Contributor Author

@davesims davesims Jul 11, 2016


Note that since all of the forest domain controllers' connections are being initialized with server[:dnsroot] (which will be something like "ad.ghe.com"), this assumes the GHE instance can resolve the DNS for each domain controller in the forest. DNS will likely be owned by internal Active Directory DNS in this case.

ForestSearch won't work if the GHE is set up with a static IP for the AD instance and doesn't have the shared DNS nameserver in its resolv.conf.

https://help.github.com/enterprise/2.0/admin/articles/configuring-dns-ssl-and-subdomain-settings/#setting-dns-nameservers
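The DNS dependency described in the comment above is easy to check before any LDAP connection is opened. The following is an added example, not code from this PR or from the github-ldap project: it models the same bootstrap the PR performs (one connection per domain found in the configuration naming context, keyed by ncname and reached via dnsroot) and resolves each dnsroot first, so a GHE instance whose resolv.conf lacks the AD nameserver fails with a clear list of unresolvable domains instead of a connection error mid-search. The domain entries are constructed sample data, and the module, method and resolver names are hypothetical; the real code would hand the connectable hosts to Net::LDAP.new as the diff does.

```ruby
require "resolv"

# Added example (not github-ldap project code): plan forest connections and
# surface DNS failures up front. Names here are hypothetical.
module ForestSearchExample
  # Constructed sample "naming" entries; ncname/dnsroot are multi-valued,
  # as Net::LDAP returns LDAP attributes.
  SAMPLE_DOMAINS = [
    { ncname: ["DC=ad,DC=ghe,DC=com"],          dnsroot: ["ad.ghe.com"] },
    { ncname: ["DC=child,DC=ad,DC=ghe,DC=com"], dnsroot: ["child.ad.ghe.com"] },
    { ncname: [],                                dnsroot: ["orphan.ad.ghe.com"] } # no ncname: skipped
  ].freeze

  # Default resolver uses the host's real DNS via the stdlib; it raises
  # Resolv::ResolvError when a name cannot be resolved.
  DEFAULT_RESOLVER = ->(host) { Resolv.getaddress(host) }

  # Returns { connectable: { ncname => host }, unresolvable: [host, ...], skipped: n }.
  # Mirrors the PR's ncname/dnsroot presence check, then resolves dnsroot.
  def self.plan_connections(domains, resolver: DEFAULT_RESOLVER)
    plan = { connectable: {}, unresolvable: [], skipped: 0 }
    domains.each do |server|
      unless server[:ncname].any? && server[:dnsroot].any?
        plan[:skipped] += 1
        next
      end
      host = server[:dnsroot].first
      begin
        resolver.call(host)
        plan[:connectable][server[:ncname].first] = host
      rescue Resolv::ResolvError
        plan[:unresolvable] << host
      end
    end
    plan
  end

  # Run one search per reachable domain and concatenate the results.
  # `searcher` receives (host, options) and returns an array of entries;
  # in the real code this role is played by Net::LDAP#search.
  def self.search_forest(plan, options, searcher)
    plan[:connectable].flat_map { |_ncname, host| searcher.call(host, options) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Fake resolver so the script runs offline: only ad.ghe.com "resolves".
  fake_dns = ->(host) { host == "ad.ghe.com" ? "10.0.0.10" : raise(Resolv::ResolvError, host) }
  plan = ForestSearchExample.plan_connections(ForestSearchExample::SAMPLE_DOMAINS, resolver: fake_dns)
  puts "connectable: #{plan[:connectable]}"
  puts "unresolvable (fix nameservers before enabling forest search): #{plan[:unresolvable]}"
end
```

With the default resolver the plan reflects the instance's actual nameserver configuration, which is exactly what the linked GHE DNS settings page controls; running it on the appliance shows whether forest search can reach every domain before the feature flag is turned on.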

@davesims davesims changed the title [WIP] Support Active Directory Forest searches Support Active Directory Forest searches Jul 11, 2016
@davesims
Contributor Author

@gnawhleinad @jch @mtodd My apologies if this has been addressed elsewhere, but wouldn't referrals be the preferred way of handling this, rather than iterating through domain controllers?

https://technet.microsoft.com/en-us/library/cc978014.aspx

And if so, is there a reason we're not working to implement this PR instead?

#87

/cc https://github.com/github/customer-feedback/issues/519
/cc https://github.com/github/customer-feedback/issues/91

```ruby
#
def search(options, &block)
instrument "forest_search.github_ldap" do
if forest.empty?
```
Contributor Author


This conditional & block should probably be removed. I don't think forest.empty? can ever be true, since every Active Directory has a forest as the top-level container by definition, even if it only has one Domain Controller. This has been the case in local testing with our AD vagrant instance with a single domain. If the forest is empty, something else has gone wrong.

@davesims
Contributor Author

This is on hold, and will likely be replaced by #94.

@davesims
Contributor Author

davesims commented Aug 5, 2016

Closing in favor of #94 and #95

@davesims davesims closed this Aug 5, 2016