Forum: Ruby LDAP authentication in Windows 2003 AD

Damjan Rems (ther)
on 2008-10-24 12:31
I am trying to authenticate a user against Windows 2003 AD. This is what I
have found so far, but whatever I do I get the error:
#<LDAP::ResultError: Invalid credentials>

This is my source code, which I picked up somewhere on the net:
-------------------------------------
require "ldap"   # ruby-ldap gem
# Provides access to authenticate user from LDAP using the user provided
# user name and password
class MyLDAP < LDAP::Conn
  BASE_DN = "dc=mydomain,dc=com"
  PEOPLE_DN = "ou=users,dc=mydomain,dc=com"
  LDAP_HOST = "mydc"
  LDAP_PORT = 389
  PROTOCOL_VERSION = 3
  # sets up connection to LDAP server
  def initialize(host = LDAP_HOST, version = PROTOCOL_VERSION)
    super(host, LDAP_PORT)
    set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, version)
  end
  # Bind with the user supplied information. The DN is built with a
  # "uid=" RDN; AD user objects are named with "cn=", so no such DN exists
  def bind(mydn, pass)
    dn = "uid=" + mydn + "," + PEOPLE_DN
    super(dn, pass)   # returns self, raises LDAP::ResultError on failure
  end
end

#** user.rb **
  # Takes user login name and password and connects to LDAP
  def login(login, password)
    return false if password == ''
    begin
      conn = MyLDAP.new.bind(login, password)
    rescue => e
      puts e.inspect
      return false
    end
    bound = conn.bound?
    conn.unbind   # originally placed after the return, so it never ran
    bound
  end

  puts login('myusr','mypwd')
---------------------------------

Is there anything that needs to be set on the Windows server?

Help please.

by
TheR
Brian Candler (candlerb)
on 2008-10-24 13:04
Suggestion: first eliminate Ruby from the equation, by getting an
"ldapsearch" command line to bind successfully to your Windows LDAP
server.

If you have problems here, you will be able to go to a
Windows/AD-specific forum, who will know about LDAP but not about Ruby.

Once you have this working, it should be straightforward to port the
ldapsearch command line to the corresponding Ruby API calls.
Damjan Rems (ther)
on 2008-10-24 13:53
Brian Candler wrote:
> Suggestion: first eliminate Ruby from the equation, by getting an
> "ldapsearch" command line to bind successfully to your Windows LDAP
> server.

Could you post a simple, quick example of how to do it? The net is full of very
complicated examples.

by
TheR
F. Senault (Guest)
on 2008-10-24 14:18
(Received via mailing list)
On 24 October at 13:53, Damjan Rems wrote:

> Brian Candler wrote:
>> Suggestion: first eliminate Ruby from the equation, by getting an
>> "ldapsearch" command line to bind successfully to your Windows LDAP
>> server.
>
> Could you post some simple quick query how to do it. Net is full of very
> complicated examples.

Well, it's not always simple. With an OpenLDAP setup:

ldapsearch -x                                          # simple bind
           -W                                          # ask for pwd
           -P3                                         # LDAPv3
           -H'ldap://vodka/'                           # ldap url
           -b'dc=mims,dc=be'                           # root
           -D'cn=fred,ou=users,ou=liege,dc=mims,dc=be' # bind user
           -s'subtree'                                 # scope
           cn=fred                                     # search string
           cn                                          # attributes

You may have to tweak the authentication options, though.

(I believe you can install OpenLDAP ldapsearch on windows boxen,
probably with cygwin.)

Fred
Glen Holcomb (Guest)
on 2008-10-24 15:27
(Received via mailing list)
On Fri, Oct 24, 2008 at 6:15 AM, F. Senault <fred@lacave.net> wrote:

> Well, it's not always simple.  With an OpenLDAP setup :
>
>                                     (Shmuel (Seymour J.) Metz in NANAE)
>
>
I was having trouble authenticating against 2003 in the past. I fixed
it by submitting the full email address for the account as the login.
I believe it has to be in the form of username@full.dc.list

--
"Hey brother Christian with your high and mighty errand, Your actions
speak so loud, I can't hear a word you're saying."

-Greg Graffin (Bad Religion)
unknown (Guest)
on 2008-10-24 16:26
(Received via mailing list)
On Fri, Oct 24, 2008 at 9:26 AM, Glen Holcomb <damnbigman@gmail.com>
wrote:
> I was having trouble authenticating against 2003 in the past.  I fixed it by
> submitting the full email address for the account as the login.  I believe
> it has to be in the form of username@full.dc.list

(Technically not email address, but UPN; which is generally what I use
instead of DN when working in AD-land.)  I don't have the net-ldap
code I am currently using handy, but here was an older example with
ruby-ldap:

http://www.nabble.com/Re:-Rails-and-Windows-Active...

In that code, it was expected that the username was the user's AD UPN.
Damjan Rems (ther)
on 2008-10-28 14:44
And then in a desperate attempt (when I was searching for something
completely different) I stumbled upon this:

------------------------------------------
gem install ruby-net-ldap


require 'rubygems'
require 'net/ldap'

ldap = Net::LDAP.new
ldap.host = 'mydc'
ldap.port = 389
ldap.auth "usr@domain.com", "pwd"
if ldap.bind
  p 'authentication succeeded'
else
  p 'authentication failed'
end
-------------------------------------------

and it works.


by
TheR
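The net-ldap snippet above does the bind with the UPN that Glen and the
anonymous poster recommended, but it leaves two checks from the first post's
code implicit. Below is an added example (not code from this thread or from
the net-ldap project) that keeps both: the empty-password test stays in front
of the bind, because a simple bind with a name and an empty password is an
unauthenticated bind (RFC 4513 section 5.1.2) that AD accepts by default, so
without that test `ldap.bind` would report success for any known account; and
the login name is validated before it is turned into a UPN, so it can never
carry a second `@realm` or LDAP filter metacharacters into the bind or a later
search. The realm `mydomain.com`, the host `mydc`, the account `myusr`/`mypwd`
and `FAKE_DIRECTORY` are constructed placeholders; the only real API used is
`Net::LDAP.new(host:, port:, auth:)` plus `#bind`, and it is loaded lazily so
the validation logic runs without the gem installed.

```ruby
# Added example: UPN-based AD bind with input validation and the
# unauthenticated-bind guard. All names, hosts and accounts are constructed.

# Local part of a UPN we are willing to build ourselves. Anything else
# ('@', '*', '(', ')', '\', NUL, whitespace) is rejected, not escaped.
LOGIN_RE = /\A[A-Za-z0-9._-]{1,64}\z/

# Escape a value for use inside an LDAP search filter (RFC 4515 section 3),
# e.g. for a post-bind lookup of the account by sAMAccountName.
def ldap_filter_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Build "login@realm", or return nil when the login is not safe to use.
def build_upn(login, realm)
  return nil unless LOGIN_RE.match?(login)
  "#{login}@#{realm}"
end

class AdAuthenticator
  # binder: a callable (upn, password) -> true/false. Injected so the
  # validation logic can be exercised without a directory server.
  def initialize(realm:, binder:)
    @realm = realm
    @binder = binder
  end

  # Returns the UPN that was bound on success, nil on any failure.
  # The empty-password test must stay in front of the bind: a simple bind
  # with a name and an empty password is an unauthenticated bind
  # (RFC 4513 5.1.2) that AD answers with success by default.
  def authenticate(login, password)
    return nil if password.nil? || password.strip.empty?
    upn = build_upn(login.to_s, @realm)
    return nil if upn.nil?
    @binder.call(upn, password) ? upn : nil
  end
end

# Real binder using the net-ldap gem the last post switched to.
# (Assumption: host/port of a domain controller reachable from this box.)
def net_ldap_binder(host, port = 389)
  require 'net/ldap'   # loaded lazily so the rest of the file works without the gem
  lambda do |upn, password|
    Net::LDAP.new(host: host, port: port,
                  auth: { method: :simple, username: upn, password: password }).bind
  end
end

# Constructed stand-in for the domain controller: it knows one account and
# deliberately does NOT model the empty-password success, because the
# authenticator must never let an empty password reach it.
FAKE_DIRECTORY = { 'myusr@mydomain.com' => 'mypwd' }.freeze
FAKE_BINDER = ->(upn, pw) { FAKE_DIRECTORY[upn] == pw }

if __FILE__ == $PROGRAM_NAME
  auth = AdAuthenticator.new(realm: 'mydomain.com', binder: FAKE_BINDER)
  p auth.authenticate('myusr', 'mypwd')           # => "myusr@mydomain.com"
  p auth.authenticate('myusr', 'wrong')           # => nil
  p auth.authenticate('myusr', '')                # => nil, bind never attempted
  p auth.authenticate('myusr@evil.example', 'x')  # => nil, login rejected
  p ldap_filter_escape('a*b')                     # => "a\\2ab"
  # Against a real DC, swap the binder:
  # auth = AdAuthenticator.new(realm: 'mydomain.com', binder: net_ldap_binder('mydc'))
end
```

The binder is passed in as a callable so the part of the code that matters for
security (what reaches the directory, and in which form) can be tested without
a domain controller; the net-ldap call itself is a one-liner and is the only
piece that needs the network.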
Glen Holcomb (Guest)
on 2008-10-28 14:57
(Received via mailing list)
Sorry Damjan, I didn't read your first message closely enough.  Had I
noticed you weren't using net-ldap I would have suggested you do so.  It
works great for me with all things AD and LDAP (all things I've done
anyway).

On Tue, Oct 28, 2008 at 7:43 AM, Damjan Rems <d_rems@yahoo.com> wrote:

> and it works.
>
> by
> TheR

