Active directory

Is there any ruby library that will let me authenticate against an
active directory server from a linux machine? I looked through the AD
gems but the documentation assumed that I knew what I was doing
already, and seemed to imply that I needed to be running this from a
windows box sitting in a windows domain.

I don’t need to run queries or anything like that - simply
authenticate a user and get a yes/no answer.

martin

On 9/24/07, Martin DeMello [email protected] wrote:

martin

Do you want to do an LDAP bind-authentication from Linux with a username and
password? If so, look at Net::LDAP. If you’re trying to do a Kerberos-style
authentication, there are several NTLM gems you can look at.

On 9/24/07, Francis C. [email protected] wrote:

Do you want to do an LDAP bind-authentication from Linux with a username and
password? If so, look at Net::LDAP. If you’re trying to do a Kerberos-style
authentication, there are several NTLM gems you can look at.

The former. Will check out Net::LDAP - is there anything different I
have to do, or do I simply treat AD as just another LDAP server?

martin

On 9/24/07, Francis C. [email protected] wrote:

You can treat AD as any LDAP server. Look at the Net::LDAP#bind and #bind_as
methods.

thanks.

martin

On Sep 24, 2007, at 11:14 PM, Francis C. wrote:

You can treat AD as any LDAP server. Look at the Net::LDAP#bind and #bind_as
methods.

Well, I recently did it the nasty way (I just post to the relevant
Remote Web Workplace server for a specific domain).
Certainly not the proper-clean way to do it, but beats the hell out
of setting up the LDAP toolchain, in my book anyways.

On 9/24/07, julik [email protected] wrote:

of setting up the LDAP toolchain, in my book anyways.
I’m not sure how that would be any easier, or what you mean by setting up an
LDAP “toolchain” - Net::LDAP is a self-contained library in pure Ruby. All
you have to do is install it like any other Ruby library. Calling
Net::LDAP#bind to authenticate against an LDAP directory or A/D is a
one-liner. (Two lines if you count require 'net/ldap')

On 9/24/07, Martin DeMello [email protected] wrote:

have to do, or do I simply treat AD as just another LDAP server?

martin

You can treat AD as any LDAP server. Look at the Net::LDAP#bind and #bind_as
methods.

On Tue, 2007-09-25 at 04:06 +0900, Martin DeMello wrote:

Is there any ruby library that will let me authenticate against an
active directory server from a linux machine? I looked through the AD
gems but the documentation assumed that I knew what I was doing
already, and seemed to imply that I needed to be running this from a
windows box sitting in a windows domain.

I recently had this problem.

require 'ldap'  # ruby-ldap (the OpenLDAP binding), not Net::LDAP

class LDAPAuth
  def initialize dn, host, port=389
    @dn = dn
    @c = LDAP::Conn.new host, port
    @c.set_option LDAP::LDAP_OPT_PROTOCOL_VERSION, 3
    @bound = false
  end

  # LDAP::Conn#bind raises LDAP::ResultError on bad credentials, so a
  # successful call is the only way @bound becomes true
  def bind user, pass
    @bound = !@c.bind(user, pass).nil?
  end

  # group CNs from the user's memberOf attribute; the regex also matches a
  # CN that is the last component of the DN (no trailing comma)
  def groups_of user, dn=@dn
    raise "Not bound." unless @bound
    @c.search2(dn, LDAP::LDAP_SCOPE_SUBTREE,
               "sAMAccountName=#{user}", ['memberOf']).first['memberOf'].map { |e|
      /CN=([^,]+)(?:,|$)/i.match(e).captures.first
    }
  end

  def close
    @c.unbind unless @c.nil?
    @c = nil
  end

  def method_missing n, *a
    @c.send n, *a
  end
end

Check the line wrapping since it may catch you out. This is a tad quick
and dirty, but may do the trick. To authenticate like you’d wish:

# note that LDAP won't let you search the root of a DN, an OU must be specified
l = LDAPAuth.new "OU=Accounts,DC=company,DC=com,DC=au", "pdc.company.com.au"
begin
  l.bind "[email protected]", "mypassword"
  begin
    # a bare rescue only catches StandardError, so raise a RuntimeError here
    raise "unauthorized" unless
      l.groups_of("joe").include? "Enterprise Admins"
  rescue
    # not in the right group!
  end
rescue
  # credentials are bad!
end

My example code is fairly ugly, but I hope you get it. Note that we’re
bound to AD with the user’s own credentials - there may be a case where
the user doesn’t even have permissions to check their own group
memberships. In this case, you’d need to authenticate by trying to bind
with user credentials, but then authorise by binding with some (system)
account privileged for the purpose of checking memberships like this.
It’s a bit iffy, yes, but there’s probably a better way.

Also note this implementation uses the sAMAccountName LDAP attribute for
looking up a user to determine group membership status; thus a
non-domain-qualified name is used with LDAPAuth#groups_of (“joe”, not
“[email protected]”). Your schema may vary!

HTH

Arlen

On 9/26/07, Arlen Christian Mart C. [email protected] wrote:

I recently had this problem.

Some users have found Net::LDAP simpler because it doesn’t require the
installation of an outboard LDAP library. Here’s how the equivalent solution
might look in Net::LDAP (as you said, “your schema may vary”):

require 'rubygems'
require 'net/ldap'

ldap = Net::LDAP.new
ldap.host = your_server_ip_address
ldap.port = your_server_port # typically 389 or 3268 for A/D
ldap.auth "CN=John S.,CN=Users,dc=yourcompany,dc=com", "a-password"

# search binds with the credentials given to #auth, so a bad password
# surfaces here as a failed operation
ldap.search(
  :filter => "sAMAccountName=John S.",
  :attributes => [:memberOf],
  :base => "cn=Users,dc=yourcompany,dc=com"
) { |entry|
  p entry[:memberof]
}
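An added example, not code from any poster in this thread: pure Ruby helpers around the bind-then-check-groups flow shown in both the LDAPAuth class and the Net::LDAP snippet, covering three things those snippets leave to the caller (escaping the user name before it goes into the search filter, parsing the group CN out of a memberOf DN, and refusing a zero-length password before the bind). bind_fn, groups_fn and FAKE_DIR are constructed stand-ins for a real Net::LDAP or LDAP::Conn client so the code runs without a directory.

```ruby
# Added helpers around the bind-then-check-groups flow in the LDAPAuth and
# Net::LDAP snippets above. bind_fn / groups_fn stand in for a real
# Net::LDAP or LDAP::Conn client so this runs without a directory.

# RFC 4515 escaping for a value interpolated into a filter such as
# "sAMAccountName=#{user}", so a user-supplied name cannot alter the filter.
def ldap_filter_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| "\\%02x" % c.ord }
end

# Group CN from a memberOf DN. Copes with an escaped comma inside the CN and
# with a CN that is the last RDN (no trailing comma). Returns nil otherwise.
def group_cn(dn)
  m = /\ACN=((?:\\.|[^,\\])+)(?:,|\z)/i.match(dn)
  m && m[1].gsub(/\\(.)/, '\1')
end

# Authenticate by bind, then authorise by group. A zero-length password is
# rejected before the bind: a simple bind with a name and an empty password
# is an unauthenticated (anonymous) bind per RFC 4513 s5.1.2 and can succeed.
def authenticate(user, password, required_group, bind_fn, groups_fn)
  return :bad_credentials if password.nil? || password.empty?
  return :bad_credentials unless bind_fn.call(user, password)
  groups = groups_fn.call(ldap_filter_escape(user)).map { |dn| group_cn(dn) }
  groups.include?(required_group) ? :ok : :unauthorized
end

# Constructed stand-in directory: sAMAccountName => [password, memberOf DNs].
FAKE_DIR = {
  "joe" => ["s3cret", ["CN=Enterprise Admins,CN=Users,DC=company,DC=com,DC=au",
                       "CN=Smith\\, Joe Team,OU=Groups,DC=company,DC=com,DC=au"]],
  "ann" => ["pw", ["CN=Domain Users"]]
}
# Models a server that answers an empty-password bind with success (anonymous).
FAKE_BIND = lambda { |u, pw| pw.empty? || (FAKE_DIR.key?(u) && FAKE_DIR[u][0] == pw) }
FAKE_GROUPS = lambda { |u| FAKE_DIR.fetch(u, [nil, []])[1] }

if __FILE__ == $0
  p authenticate("joe", "s3cret", "Enterprise Admins", FAKE_BIND, FAKE_GROUPS) # :ok
  p authenticate("joe", "", "Enterprise Admins", FAKE_BIND, FAKE_GROUPS)       # :bad_credentials
  p authenticate("ann", "pw", "Enterprise Admins", FAKE_BIND, FAKE_GROUPS)     # :unauthorized
end
```

Against a real server, pass lambdas that call Net::LDAP#bind_as (or LDAP::Conn#bind) and run the memberOf search over an encrypted connection, since a simple bind otherwise sends the password in the clear.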

On 9/26/07, Arlen Christian Mart C. [email protected] wrote:

class LDAPAuth

Thanks a lot, Arlen, this looks extremely helpful!

martin