LDAP through Ruby or Rails

I am trying to connect a Rails application to ActiveDirectory. I will be synchronizing user data between AD and the database, currently MySQL (but it may become SQL Server or PostgreSQL).

I checked out activedirectory-ruby, and it looks really buggy (for a version 1.0!?). It wraps Net::LDAP, so I tried using that instead, but it is really close to the raw LDAP syntax, and I liked the ActiveDirectory-Ruby abstraction because of its ActiveRecord-like syntax.

Is there an elegant ORM tool for a directory server? Even better, is there some kind of tool for LDAP forests (CRUD for users, groups, organizational units, etc.)? Then I could quickly integrate this with my existing authentication code, through Authlogic, and keep all the data in sync.

+42
ruby ruby-on-rails active-directory ldap
Dec 02 '08 at 16:17
6 answers

Here is an example of the code I use with net-ldap to verify user accounts against an ActiveDirectory server at work:

    require 'net/ldap' # gem install net-ldap

    def name_for_login( email, password )
      email = email[/\A\w+/].downcase # Throw out the domain, if it was there
      email << "@mycompany.com"       # I only check people in my company
      ldap = Net::LDAP.new(
        host: 'ldap.mycompany.com',   # Thankfully this is a standard name
        # NB: net-ldap reads the bind name from auth[:username]; see the correction further down
        auth: { method: :simple, email: email, password: password }
      )
      if ldap.bind
        # Yay, the login credentials were valid!
        # Get the user's full name and return it
        ldap.search(
          base: "OU=Users,OU=Accounts,DC=mycompany,DC=com",
          filter: Net::LDAP::Filter.eq( "mail", email ),
          attributes: %w[ displayName ],
          return_result: true
        ).first.displayName.first
      end
    end

The first.displayName.first at the end looks a little dumb, so some explanation may be in order:

  • Net::LDAP#search always returns an array of results, even if you end up matching only one entry. The first call to first fetches the first (and presumably only) entry that matches the email address.

  • The Net::LDAP::Entry returned by the search lets you access attributes by method name, so some_entry.displayName is the same as some_entry['displayName'].

  • Each attribute in a Net::LDAP::Entry is always an array of values, even if only one value is present. Although it would be foolish to have a user with multiple displayName values, the general nature of LDAP means that this is possible. The final call to first turns the one-element array into a string holding the user's full name.

+38
Apr 16 '11
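A few input-handling checks around the bind-then-search approach in the answer above, as an added example (not Phrogz's code and not part of net-ldap; `mycompany.com` and the function names are placeholders). The `email[/\A\w+/]` allow-list in the answer is what keeps raw user input out of the search filter: net-ldap's `Filter.eq` treats a `*` inside the value as a wildcard, so with unfiltered input a login of `*` would turn the filter into `(mail=*)`, match every user, and `.first` would hand back somebody else's entry. Where a filter or a DN has to be built from values you cannot allow-list, escape them per RFC 4515 and RFC 4514 (net-ldap provides `Net::LDAP::Filter.escape` for the filter case). Refuse an empty password before binding as well: an LDAP simple bind with a name and an empty password is an "unauthenticated" bind, which many directories, AD among them, answer with success as anonymous, so a login check that only looks at the return value of bind would let such a user in.

```ruby
# RFC 4515 escaping for a value placed inside a search filter. net-ldap ships the
# same thing as Net::LDAP::Filter.escape; this stand-alone copy is for illustration.
FILTER_ESCAPES = {
  "\x00" => '\\00', '*' => '\\2A', '(' => '\\28', ')' => '\\29', '\\' => '\\5C',
}.freeze

def ldap_filter_escape(value)
  value.to_s.gsub(/[\x00*()\\]/) { |ch| FILTER_ESCAPES[ch] }
end

# RFC 4514 escaping for an attribute value inside a DN, e.g. "CN=<value>,OU=...".
# Special characters anywhere, NUL, a leading space or '#', and a trailing space.
def ldap_dn_escape(value)
  s = value.to_s.gsub(/[\\,+"<>;]/) { |ch| "\\#{ch}" }.gsub("\x00") { '\\00' }
  s = s.sub(/\A[ #]/) { |ch| "\\#{ch}" }
  s.sub(/ \z/) { '\\ ' }
end

# Same allow-list as the answer above (leading word characters only), but returns
# nil instead of raising NoMethodError when the login has no leading \w run ("@", "-x").
def normalize_login(login, domain)
  local = login.to_s[/\A\w+/]
  local && "#{local.downcase}@#{domain}"
end

# The search filter from the answer, built from an escaped value so that a stray
# '*' or ')(' in the input is matched literally instead of rewriting the filter.
def mail_filter(email)
  "(mail=#{ldap_filter_escape(email)})"
end

# Everything the bind-then-search check needs, or nil when the input must be refused.
# The empty-password case is rejected up front: an RFC 4513 "unauthenticated" simple
# bind (name present, password empty) succeeds as anonymous on many directories, so
# `ldap.bind` alone would report success for a user who typed no password at all.
def login_check_params(login, password, domain: 'mycompany.com')
  email = normalize_login(login, domain)
  return nil if email.nil? || password.to_s.empty?
  { bind_user: email, password: password, filter: mail_filter(email) }
end

if __FILE__ == $PROGRAM_NAME
  p mail_filter('x)(objectClass=*')          # "(mail=x\\29\\28objectClass=\\2A)"
  p login_check_params('Bob', 's3cret')      # {:bind_user=>"bob@mycompany.com", ...}
  p login_check_params('bob', '')            # nil
end
```

The hash returned by `login_check_params` is what you would feed to `Net::LDAP.new(auth: { method: :simple, username: bind_user, password: password })` and then to `search(filter: ...)`; the point of keeping it a plain value is that the refusal logic can be unit-tested without a directory server.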

This is more anecdotal than a real answer...

I had a similar experience using Samba and an OpenLDAP server. I could not find a library that really did what I wanted, so I rolled my own helper classes.

I used ldapbrowser to see which fields Samba filled in when I created a user the "official" way, and basically duplicated that.

The only complex/non-standard part of the LDAP side was the crazy password encryption:

UserPass:

    require 'digest/md5'
    require 'base64'
    "{MD5}" + Base64.encode64(Digest::MD5.digest(pass))

sambaNTPassword:

    require 'openssl'
    require 'iconv' # Ruby 1.8 standard library; removed in Ruby 2.x
    OpenSSL::Digest::MD4.hexdigest(Iconv.iconv("UCS-2", "UTF-8", pass).join).upcase

For the def authenticate(user, pass) function, I try to get LDAP to bind to the domain using their credentials; if I catch an exception, the login fails, otherwise I let them in.

+4
Dec 22 '08 at 20:43
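The two password formats from the answer above, worked out in stdlib-only Ruby as an added example (not the answerer's code; the function names are mine). It carries a pure-Ruby MD4 because OpenSSL 3 moved MD4 into its legacy provider, so `OpenSSL::Digest::MD4` raises on many current systems, and it replaces the long-removed `Iconv` with `String#encode`. Two caveats the one-liners hide: the NT hash is MD4 over the password as UTF-16LE with no byte-order mark (iconv's "UCS-2" leaves byte order to the implementation and may prepend a BOM, giving a hash Samba will never match), and `Base64.encode64` appends a newline to the `{MD5}` value where RFC 2307 wants plain base64. `{MD5}` is also unsalted, so identical passwords share a hash; the example therefore adds OpenLDAP's salted `{SSHA}` scheme, with a verifier, as the better choice for userPassword.

```ruby
require 'digest'
require 'base64'
require 'securerandom'

# Pure-Ruby MD4 (RFC 1320). Only here because OpenSSL 3 ships MD4 in its legacy
# provider; on a system where OpenSSL::Digest::MD4 works, that is the same function.
module MD4
  MASK = 0xffffffff
  F = ->(x, y, z) { (x & y) | (~x & MASK & z) }
  G = ->(x, y, z) { (x & y) | (x & z) | (y & z) }
  H = ->(x, y, z) { x ^ y ^ z }
  # Per round: boolean function, additive constant, shift amounts, X[] access order.
  ROUNDS = [
    [F, 0x00000000, [3, 7, 11, 19], (0..15).to_a],
    [G, 0x5A827999, [3, 5, 9, 13],  [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]],
    [H, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]],
  ].freeze

  def self.rotl(x, n)
    ((x << n) | (x >> (32 - n))) & MASK
  end

  def self.digest(data)
    msg = data.dup.force_encoding(Encoding::BINARY)
    bit_len = msg.bytesize * 8
    msg << "\x80".b                                    # pad: a 1 bit, zeros...
    msg << "\x00".b until msg.bytesize % 64 == 56
    msg << [bit_len & MASK, bit_len >> 32].pack('V2')  # ...then 64-bit LE bit length
    a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
    (0...msg.bytesize).step(64) do |off|
      x = msg[off, 64].unpack('V16')                   # sixteen little-endian words
      aa, bb, cc, dd = a, b, c, d
      ROUNDS.each do |fn, k, shifts, order|
        order.each_with_index do |i, step|
          a = rotl((a + fn.call(b, c, d) + x[i] + k) & MASK, shifts[step % 4])
          a, b, c, d = d, a, b, c                      # rotate roles for the next step
        end
      end
      a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    end
    [a, b, c, d].pack('V4')
  end

  def self.hexdigest(data)
    digest(data).unpack1('H*')
  end
end

# sambaNTPassword: MD4 over the password as UTF-16LE, no BOM, stored as uppercase hex.
def nt_hash(pass)
  MD4.hexdigest(pass.encode(Encoding::UTF_16LE)).upcase
end

# userPassword in the RFC 2307 {MD5} scheme. strict_encode64 avoids the trailing
# newline that Base64.encode64 would append to the stored value.
def md5_userpassword(pass)
  "{MD5}" + Base64.strict_encode64(Digest::MD5.digest(pass))
end

# {SSHA}: base64(SHA1(password + salt) + salt). Salted, so two users with the same
# password get different values; the salt is recovered from the stored value to verify.
def ssha_userpassword(pass, salt = SecureRandom.random_bytes(8))
  "{SSHA}" + Base64.strict_encode64(Digest::SHA1.digest(pass.b + salt) + salt)
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) } == 0
end

def ssha_verify?(stored, pass)
  return false unless stored.start_with?('{SSHA}')
  raw = Base64.strict_decode64(stored[6..-1])
  digest, salt = raw[0, 20], raw[20..-1]
  constant_time_equal?(Digest::SHA1.digest(pass.b + salt), digest)
end

if __FILE__ == $PROGRAM_NAME
  puts nt_hash('password')            # 8846F7EAEE8FB117AD06BDD830B7586C
  puts md5_userpassword('password')   # {MD5}X03MO1qnZdYdgyfeuILPmQ==
  puts ssha_userpassword('password')  # differs on every run because of the salt
end
```

The NT hash test vector for `password` is the one every NTLM tool prints, so it doubles as a check that the UTF-16LE encoding step is right; an accidental BOM or big-endian encoding produces a different value.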

I started using ruby-activedirectory and even extended it / fixed a few things, publishing Judy-activedirectory on Github.

Doing the next iteration, I found that ActiveLdap has a much better code base, and I am seriously thinking about switching to it. Does anyone have personal experience with it?

+2
Feb 04 '09 at 21:16

Sorry, I can't comment... maybe someone can move this accordingly.

@Phrogz's solution works well, but bind_simple (inside bind) throws a Net::LDAP::LdapError exception because auth[:username] is not set, as shown here:

https://github.com/ruby-ldap/ruby-net-ldap/blob/master/lib/net/ldap.rb

Corrected from:

    auth: { method: :simple, email: email, password:password }

to:

    auth: { method: :simple, username: email, password: password }
+2
Jan 20 '12 at 19:09

Have you checked out ldap-activerecord-gateway? It might be something for you...

http://github.com/thoughtbot/ldap-activerecord-gateway/tree/master

+1
Dec 02 '08 at 21:20
