LDAP and password protection

Hello,

I’m implementing LDAP user authentication as in Enterprise Recipes With
Ruby and Rails
(http://pragprog.com/titles/msenr/enterprise-recipes-with-ruby-and-rails)
and, according to the book, it is pretty simple, just as follows:

require 'net/ldap'

class User
  BASE = 'dc=enterpriserecipes,dc=com'
  LDAP_USER = 'cn=root,dc=enterpriserecipes,dc=com'
  LDAP_PASSWORD = 't0p$ecret'

  # Look up the entry by mail attribute using the service account,
  # then bind as that entry with the password the user supplied.
  def self.authenticate(email, password)
    email_filter = Net::LDAP::Filter.eq('mail', email)
    ldap_con = connect(LDAP_USER, LDAP_PASSWORD)
    dn = ''
    ldap_con.search(:base => BASE, :filter => email_filter) do |entry|
      dn = entry.dn
    end
    !dn.empty? and connect(dn, password).bind
  end

  # Build a connection that uses simple authentication on port 389.
  def self.connect(dn, password)
    Net::LDAP.new(
      :host => 'localhost',
      :port => 389,
      :auth => {
        :method => :simple,
        :username => dn,
        :password => password
      }
    )
  end
  # A bare `private` does not apply to `def self.` methods.
  private_class_method :connect
end

Therefore, this is not secure, since I can see the user password in
the authenticate method. Does anyone know a way to hide the password from
the developer, encrypting it or something?

Thanks for your time.
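
An added example, not part of the original post or the book's code: the same search-then-bind flow with the service-account secret read from the environment instead of a source constant, LDAPS with certificate verification so passwords do not cross the network in cleartext, and empty passwords rejected before any bind. The class name `LdapAuthenticator`, the `LDAP_*` variable names, the injectable `connector` and the use of port 636 are assumptions made for this example.

```ruby
# Added example, not the book's code. LDAP_* variable names are assumptions.
class LdapAuthenticator
  # connector: callable (dn, password) -> object responding to #search and #bind.
  def initialize(env: ENV, connector: nil)
    @host          = env.fetch('LDAP_HOST', 'localhost')
    @base          = env.fetch('LDAP_BASE')
    @bind_dn       = env.fetch('LDAP_BIND_DN')
    @bind_password = env.fetch('LDAP_BIND_PASSWORD') # KeyError when unset
    @connector     = connector || method(:tls_connection)
  end

  def authenticate(email, password)
    # An empty password turns a simple bind into an unauthenticated bind
    # (RFC 4513, 5.1.2), which a server may report as success.
    return false if password.to_s.empty?

    dns = []
    filter = "(mail=#{escape(email)})" # net-ldap parses string filters
    @connector.call(@bind_dn, @bind_password)
              .search(base: @base, filter: filter) { |entry| dns << entry.dn }
    return false unless dns.size == 1 # no match, or an ambiguous one

    @connector.call(dns.first, password).bind ? true : false
  end

  # Keep the bind secret out of logs, consoles and exception reports.
  def inspect
    "#<#{self.class.name} host=#{@host} bind_dn=#{@bind_dn} bind_password=[FILTERED]>"
  end

  private

  # RFC 4515 escaping so the address cannot add wildcards or filter syntax.
  def escape(value)
    value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
  end

  # LDAPS with certificate verification; loaded lazily so the class can be
  # exercised with a stub connector when net-ldap is not installed.
  def tls_connection(dn, password)
    require 'net/ldap'
    require 'openssl'
    Net::LDAP.new(
      host: @host, port: 636,
      encryption: { method: :simple_tls,
                    tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS },
      auth: { method: :simple, username: dn, password: password }
    )
  end
end
```

In a Rails application the `password` request parameter should also be listed in `config.filter_parameters` so it is not written to the request log.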