My overall goal is to let users of my Rails app authenticate against our organization's ActiveDirectory server over LDAP. (Did I say that right?)

I'd like to try the Ruby ActiveLDAP gem.

The docs say it depends on either RubyLDAP or ruby-net-ldap.

Does it matter which one I use?

Am I heading in the right general direction by investigating Ruby ActiveLDAP? Is there something else that's better?

+1  A: 

I have an openldap server that I use for authentication with my rails apps.

I basically use authlogic and hack in support for ldap using the ruby-net-ldap gem to talk to the ldap server.

I use a pretty basic authlogic setup as detailed in the tutorial, but with a few changes:

require 'net/ldap'

class UserSession < Authlogic::Session::Base
  # Authlogic calls this method on the User instead of comparing a stored password hash
  verify_password_method :valid_ldap_credentials?
end

class User < ActiveRecord::Base
  acts_as_authentic do |c|
    c.validate_password_field = false   # passwords live in LDAP, not in our database
    c.logged_in_timeout = 30.minutes
  end

  def valid_ldap_credentials?(password_plaintext)
    # A blank password turns the simple bind into an unauthenticated (anonymous) bind,
    # which many directories report as success, so refuse it before contacting the server.
    return false if password_plaintext.blank?

    ldap = ldap_connect
    ldap.auth self.dn, password_plaintext
    ldap.bind # will return false if authentication is NOT successful
  end

  def ldap_connect(params = {})
    ldap_config = YAML.load_file("#{RAILS_ROOT}/config/ldap.yml")[RAILS_ENV]
    ldap_options = params.merge({:encryption => :simple_tls}) # LDAPS, never plaintext
    ldap = Net::LDAP.new(ldap_options)
    ldap.host = ldap_config["host"]
    ldap.port = ldap_config["port"]
    ldap.base = ldap_config["base"]
    # Bind as the service account only when the caller needs to search the directory
    ldap.auth ldap_config["admin_user"], ldap_config["admin_password"] if params[:admin]

    return ldap
  end

end

There's an effort to make a plugin for ldap for authlogic, but I haven't seen any progress in a while.

The difficult thing I've found (and asked about) is testing. I basically had to set up production, development, and test instances of my LDAP server for testing.

Dan McNevin
+1  A: 

If you just want to use LDAP and roll your own authorization stuff, I can recommend ruby-net-ldap.

But be warned: if you don't have the username for some reason (I only have the login), you need a separate user to query LDAP for it.

nasmorn
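The two-step flow nasmorn describes (bind with a separate lookup user, resolve the login to a DN, then bind as that DN with the user's password), which is also where the `self.dn` used in the Authlogic answer above would come from. This is an added example, not code from either answer or from the ruby-net-ldap project; it assumes only the `Net::LDAP` method names `auth`, `bind` and `search`, that logins are stored in `sAMAccountName`, and `FakeLdap`, `LOOKUP_DN` and `DIRECTORY` are constructed stand-ins so it runs offline.

```ruby
# Escape a value for an LDAP search filter (RFC 4515) so a login such as
# "bob)(objectClass=*" cannot alter the query.
def ldap_filter_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Two-step bind: the lookup account resolves login -> DN, then we bind as that
# DN with the user's password. Returns the user's DN on success, nil otherwise.
def authenticate_ad_user(ldap, base:, lookup_dn:, lookup_password:, login:, password:)
  # An empty password turns a simple bind into an "unauthenticated bind", which
  # many directories accept, so reject it before touching the server.
  return nil if password.nil? || password.empty?
  ldap.auth(lookup_dn, lookup_password)
  return nil unless ldap.bind
  filter = "(&(objectClass=user)(sAMAccountName=#{ldap_filter_escape(login)}))"
  entries = ldap.search(base: base, filter: filter, attributes: ['dn']) || []
  return nil unless entries.size == 1 # refuse missing or ambiguous matches
  ldap.auth(entries.first.dn, password)
  ldap.bind ? entries.first.dn : nil
end

# Constructed in-memory stand-in for Net::LDAP so the demo runs without a server.
class FakeLdap
  Entry = Struct.new(:dn)
  def initialize(accounts) # login => { dn:, password: }
    @accounts, @bound = accounts, false
  end
  def auth(dn, password)
    @pending = [dn, password]
  end
  def bind # true only when the pending DN/password pair matches an account
    dn, pw = @pending
    @bound = @accounts.values.any? { |a| a[:dn] == dn && a[:password] == pw }
  end
  def search(base:, filter:, attributes: nil)
    return nil unless @bound # anonymous searches refused, like a locked-down AD
    acct = @accounts[filter[/\(sAMAccountName=([^)]*)\)/, 1]]
    acct ? [Entry.new(acct[:dn])] : []
  end
end

LOOKUP_DN = 'CN=svc-lookup,OU=Service,DC=example,DC=com'
DIRECTORY = FakeLdap.new(
  'svc-lookup' => { dn: LOOKUP_DN, password: 'lookup-pw' },
  'bob' => { dn: 'CN=bob,OU=Users,DC=example,DC=com', password: 'correct horse' }
)

def try_login(login, password)
  authenticate_ad_user(DIRECTORY, base: 'DC=example,DC=com', lookup_dn: LOOKUP_DN,
                       lookup_password: 'lookup-pw', login: login, password: password)
end
```

Against a real server, replace `DIRECTORY` with a `Net::LDAP.new(...)` configured for `:simple_tls` as in the Authlogic answer; the lookup account needs only read access to the users OU.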