Connections pool implementation

Hello everyone,

I need to create a Rails app where authentication and permissions for
certain application actions will be provided by an LDAP server. There is
a problem with LDAP connection management: as every user login will
spawn a new connection object instance, it may dangerously increase
application memory usage (tbh I don't know what will happen, nothing
good for sure) - the LDAP server can close a connection remotely after some
idle time, but some connection resources will remain in memory
nonetheless.
I've done some Google research on what may be the best course of action to
manage this issue and I think creating a connection pool sounds good.
I've committed a few average-sized Rails projects but nothing I've
experienced so far is giving me any clues how to implement this
solution.

I'll be happy to hear how you would do it.

Marcin,

On Mar 6, 2012, at 12:54 PM, Marcin S wrote:

> I've done some Google research on what may be the best course of action to
> manage this issue and I think creating a connection pool sounds good.
> I've committed a few average-sized Rails projects but nothing I've
> experienced so far is giving me any clues how to implement this
> solution.
>
> I'll be happy to hear how you would do it.


No - only 1 connection to LDAP server using a special account for the
purpose with sufficient privileges for the task.

It’s easy enough to create ‘local’ users who authenticate via LDAP and
then you can manage their privileges/permissions via Rights/Roles if you
want.

Simple Ruby app using net-ldap:

#!/usr/local/bin/ruby

require 'rubygems'
require 'net/ldap'

# Credentials to verify (hard-coded for the demo)
$person = "cwhite"
$passwd = "won't_work"

# Connect over LDAPS and bind as the user being authenticated
ldap = Net::LDAP.new :encryption => :simple_tls,
  :host => 'ldap.server',
  :port => 636, # use 389 for non-ssl
  :auth => {
    :method => :simple,
    :username => "uid=" + $person + ", ou=people, dc=example, dc=com",
    :password => $passwd
  }

# bind returns true only if the server accepts the credentials
if ldap.bind
  p "LDAP authentication succeeded"
else
  p "LDAP authentication failed"
end

Should give you enough of a concept for implementing in Rails

Craig

2012/3/6 Craig W.:

> good for sure) - the LDAP server can close a connection remotely after some
> No - only 1 connection to LDAP server using a special account for the purpose
> with sufficient privileges for the task.
> $person = "cwhite"
>
> if ldap.bind
>   p "LDAP authentication succeeded"
> else
>   p "LDAP authentication failed"
> end
>
> Should give you enough of a concept for implementing in Rails
>
> Craig

Yeah, I have login covered already, in a similar way, but what about
application permissions?
I can read them at login time, save them somewhere and never use LDAP
again until the next login - but when I give that user a cookie, and then
authenticate him with it, any permission changes on LDAP won't have any
effect (until the next login).
How would you solve that?

Marcin

On Mar 6, 2012, at 11:10 PM, Marcin S wrote:

> application memory usage (tbh I don't know what will happen, nothing
>
> }
>
> Yeah, I have login covered already, in a similar way, but what about
> application permissions?
> I can read them at login time, save them somewhere and never use LDAP
> again until the next login - but when I give that user a cookie, and then
> authenticate him with it, any permission changes on LDAP won't have any
> effect (until the next login).
> How would you solve that?


As best as I understand your question, this is what I do.

I have an SQL User class which shares the ‘name’ with the uid of the
LDAP user and the user_id and the user_name are inserted into session
variables which tie it together.

Then I have all the controllers & methods of my application subject to
Right/Roles permissions model so those can be changed at will since a
‘before_filter’ requires that a particular user has permissions to
access. Thus while LDAP does authentication (user/password), I use my
own hand rolled authorization scheme to allow/deny access to any/all
methods & controllers. I don’t store any Rails permissions on LDAP
whatsoever.

Craig
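
The split described in the reply above (LDAP only verifies the password, the session carries only the user's identity, and rights are looked up on every request), as an added example that is not part of the original thread. It is plain Ruby so it runs without Rails or net-ldap; RoleStore, App, demo_app and the sample directory are hypothetical names and constructed data.

```ruby
require 'set'

# Stands in for the SQL Rights/Roles tables (in memory, constructed data).
class RoleStore
  def initialize
    @rights = Hash.new { |h, user| h[user] = Set.new }
  end

  def grant(user, right)
    @rights[user] << right
  end

  def revoke(user, right)
    @rights[user].delete(right)
  end

  def allowed?(user, right)
    @rights[user].include?(right)
  end
end

class App
  # authenticator: callable(uid, password) -> true/false. In the thread's setup
  # it would wrap Net::LDAP#bind; it is injected here so the example runs offline.
  def initialize(authenticator, roles)
    @authenticator = authenticator
    @roles = roles
  end

  # The session keeps the identity and nothing about permissions.
  def login(uid, password)
    # An LDAP simple bind with an empty password is an unauthenticated bind
    # that many servers accept, so reject it before asking the directory.
    return nil if password.to_s.empty?
    return nil unless @authenticator.call(uid, password)
    { user_name: uid }
  end

  # Plays the part of a before_filter: runs on every request and reads the
  # current rights, so a revocation applies without a new login.
  def request(session, right)
    return :unauthenticated if session.nil? || session[:user_name].nil?
    @roles.allowed?(session[:user_name], right) ? :ok : :forbidden
  end
end

FAKE_DIRECTORY = { 'cwhite' => 'correct-password' }.freeze # constructed sample
def demo_app(roles)
  App.new(->(uid, pw) { FAKE_DIRECTORY.key?(uid) && FAKE_DIRECTORY[uid] == pw }, roles)
end
```

Because the session never caches rights, the same cookie is answered differently as soon as the role store changes.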