Lets you authenticate users against an ActiveDirectory systems, also provides a test implementation so you don't need to have an LDAP server when developing. The goal here is to allow you to store your user information in your local database, but use the LDAP information for authentication and retrieving authorization information.
This will add an 'authenticate' method to your model which works as follows:
@user = User.authenticate("koz", "mypassword") # returns the user @user = User.authenticate("who knows", "not a password") # nil
In order to map from the ldap result to your database, you need to implement a find_from_ldap method on the user class. It will be passed an ldap user, which responds to a few key methods. username returns the account name that successfully authenticated. roles returns the list of configured group which the user is a member of. It also adds some simple predicate methods for each of the available roles. For example:
def self.find_from_ldap(ldap_user) returning find_or_create_by_login(ldap_user.username) do |user| user.permissions.clear if ldap_user.admin? user.admin = true end if ldap_user.printer_operator? user.permissions.create! :code=>"printer" end user.save! end end
There's obviously a risk that users who have been disabled in ldap could still have an active session in the rails application.
You need the net/ldap gem. You should add a line in your config/enviornment.rb file:
config.gem "ruby-net-ldap", :lib => "net/ldap", :source => "http://gems.github.com"
Optionally, you could unpack this gem into your vendor/gems directory with this command:
Rails 2.x Run command
script/plugin install firstname.lastname@example.org:rhulse/active_directory_auth.git
Rails 3.2 + Add gem to your Gemfile
gem "active_directory_auth", git: "https://github.com/josecoelho/active_directory_auth.git"
In production.rb you can write:
config.to_prepare do User.authenticates_with_active_directory do |config| config.host = "188.8.131.52" config.base_dn = "DC=radionz,DC=co,DC=nz" # Only needed if your ldap server doesn't support anonymous binding config.administrator_dn = "CN=administrator,OU=Sysadmins Group,OU=Systems" config.administrator_password = "admin_pw" config.roles :printer_operator => "CN=Printer Operators,CN=Groups", :backup_operator => "CN=Backup Operators,CN=Groups", :admin => "CN=AdminUsers,OU=Groups,OU=Corporate", :operators => "CN=OperatorsGroup,OU=Groups,OU=Corporate" end end
then in development.rb and test.rb you write:
User.stub_active_directory_authentication do |config| config.user "koz", "a password", :printer_operator, :backup_operator config.user "dhh", "anotherpassword", :admin end
Note: the config.to_prepare block is used, as Ruby is garbage collecting the User's config settings.
Copyright & Credits
This plugin was funded by Radio New Zealand Limited, and written by Michael Koziarski.
Copyright © 2009 Koziarski Software Ltd Copyright © 2009 Radio New Zealand Limited
Released under the MIT license