A plugin to allow rails apps to authenticate to Active Directory
Ruby HTML JavaScript CSS
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.



Lets you authenticate users against an ActiveDirectory systems, also provides a test implementation so you don't need to have an LDAP server when developing. The goal here is to allow you to store your user information in your local database, but use the LDAP information for authentication and retrieving authorization information.

This will add an 'authenticate' method to your model which works as follows:

@user = User.authenticate("koz", "mypassword") # returns the user
@user = User.authenticate("who knows", "not a password") # nil

In order to map from the ldap result to your database, you need to implement a find_from_ldap method on the user class. It will be passed an ldap user, which responds to a few key methods. username returns the account name that successfully authenticated. roles returns the list of configured group which the user is a member of. It also adds some simple predicate methods for each of the available roles. For example:

def self.find_from_ldap(ldap_user)
  returning find_or_create_by_login(ldap_user.username) do |user|
    if ldap_user.admin?
      user.admin = true
    if ldap_user.printer_operator?
      user.permissions.create! :code=>"printer"

There's obviously a risk that users who have been disabled in ldap could still have an active session in the rails application.


You need the net/ldap gem. You should add a line in your config/enviornment.rb file:

config.gem "ruby-net-ldap", :lib => "net/ldap", :source => "http://gems.github.com"

Optionally, you could unpack this gem into your vendor/gems directory with this command:

rake gems:unpack


Rails 2.x Run command

script/plugin install git@github.com:rhulse/active_directory_auth.git

Rails 3.2 + Add gem to your Gemfile

gem "active_directory_auth", git: "https://github.com/josecoelho/active_directory_auth.git"


In production.rb you can write:

config.to_prepare do
  User.authenticates_with_active_directory do |config|
    config.host    = ""
    config.base_dn = "DC=radionz,DC=co,DC=nz"

    # Only needed if your ldap server doesn't support anonymous binding
    config.administrator_dn = "CN=administrator,OU=Sysadmins Group,OU=Systems"
    config.administrator_password = "admin_pw"

    config.roles :printer_operator => "CN=Printer Operators,CN=Groups",
                 :backup_operator  => "CN=Backup Operators,CN=Groups",
                 :admin            => "CN=AdminUsers,OU=Groups,OU=Corporate",
                 :operators        => "CN=OperatorsGroup,OU=Groups,OU=Corporate"

then in development.rb and test.rb you write:

User.stub_active_directory_authentication do |config|
  config.user "koz", "a password", :printer_operator, :backup_operator
  config.user "dhh", "anotherpassword", :admin

Note: the config.to_prepare block is used, as Ruby is garbage collecting the User's config settings.

Copyright & Credits

This plugin was funded by Radio New Zealand Limited, and written by Michael Koziarski.

Copyright © 2009 Koziarski Software Ltd Copyright © 2009 Radio New Zealand Limited

Released under the MIT license