Provides multiple implementations of LDAP queries for various backends
Supports Active Directory, FreeIPA and posix-style LDAP
Now available in the rubygems.org repo, rubygems.org/gems/ldap_fluff
$ gem install ldap_fluff
You’ll have to configure the gem a little bit to get it hooked into your LDAP server.
It exposes these methods:
authenticate?(username, password) returns true if the username & password combo bind correctly group_list(uid) returns the set of ldap groups a user belongs to in a string list is_in_groups?(uid, grouplist) returns true if the user provided is in all of the groups listed in grouplist valid_user?(uid) returns true if the user provided exists valid_group?(uid) returns true if the group provided exists
These methods are handy for using LDAP for both authentication and authorization.
This gem integrates with warden/devise quite nicely.
Your global configuration must provide information about your LDAP host to function properly.
host: ## ip address or hostname port: ## port encryption: ## blank or :start_tls base_dn: ## baseDN for ldap auth, eg dc=redhat,dc=com group_base: ##baseDN for your ldap groups, eg ou=Groups,dc=redhat,dc=com server_type: ## type of server. default == posix. :active_directory, :posix, :free_ipa ad_domain: ## domain for your users if using active directory, eg redhat.com service_user: ## service account for authenticating ldap calls in active directory or freeipa. required unless you enable anon service_pass: ## service password for authenticating ldap calls in active directory or freeipa. required unless you enable anon anon_queries: ## false by default, true if you don't want to use the service user
ldap_fluff fully supports start_tls encryption, but most likely you’ll need to add your server’s CAs to the local bundle. on a red hat style system, it’s probably something like this:
$ cat ldap_server_ca.crt >> /etc/pki/tls/certs/ca-bundle.crt
ldap_fluff does not support searching/binding global catalogs
ad_domain, service_user and service_pass OR anon_queries are required for AD support
ldap_fluff appends cn=groups,cn=accounts to the beginning of all BIND calls. You do not need to include this in your base_dn string