
active_directory_auth's Introduction

ActiveDirectoryAuth

Lets you authenticate users against an Active Directory system, and also provides a test implementation so you don’t need to have an LDAP server when developing. The goal here is to allow you to store your user information in your local database, but use the LDAP information for authentication and retrieving authorization information.

This will add an ‘authenticate’ method to your model which works as follows:

@user = User.authenticate("koz", "mypassword") # returns the user
@user = User.authenticate("who knows", "not a password") # nil

In order to map from the LDAP result to your database, you need to implement a find_from_ldap method on the user class. It will be passed an LDAP user, which responds to a few key methods: username returns the account name that successfully authenticated, and roles returns the list of configured groups of which the user is a member. It also adds some simple predicate methods for each of the available roles. For example:

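def self.find_from_ldap(ldap_user)
  returning find_or_create_by_login(ldap_user.username) do |user|
    # Rebuild local authorization from the directory on every login so that
    # group removals in LDAP take effect here as well.
    user.permissions.clear
    # Assign the flag in both directions; setting it only when true would
    # leave a former admin flagged as admin in the local database.
    user.admin = ldap_user.admin? ? true : false
    if ldap_user.printer_operator?
      user.permissions.create! :code=>"printer"
    end
    user.save!
  end
end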

There’s obviously a risk that users who have been disabled in LDAP could still have an active session in the Rails application.
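One way to bound that risk, shown as an added example that is not part of the plugin: re-check the directory entry for an existing session at a fixed interval, end the session if the account is gone or disabled, and refresh the roles otherwise. The lookup callable, the session hash layout, the 300-second interval and the treatment of role DNs as relative to base_dn are assumptions; the directory entries are constructed.

```ruby
# Added example: not part of active_directory_auth. Directory entries are
# constructed hashes shaped like AD search results; no server is contacted.
ACCOUNTDISABLE = 0x0002 # userAccountControl bit set on disabled accounts
BASE_DN = "DC=radionz,DC=co,DC=nz"
ROLES = { # role => group DN, assumed relative to BASE_DN
  :printer_operator => "CN=Printer Operators,CN=Groups",
  :admin            => "CN=AdminUsers,OU=Groups,OU=Corporate"
}

# Simplified DN normalisation: case-insensitive, ignores spaces around commas.
def normalize_dn(dn)
  dn.downcase.gsub(/\s*,\s*/, ",")
end

def disabled?(entry)
  (Array(entry["userAccountControl"]).first.to_i & ACCOUNTDISABLE) != 0
end

# Roles come from current group membership; a disabled account gets none.
def roles_for(entry)
  return [] if disabled?(entry)
  groups = Array(entry["memberOf"]).map { |dn| normalize_dn(dn) }
  ROLES.select { |_, rel| groups.include?(normalize_dn("#{rel},#{BASE_DN}")) }.keys
end

# Called on each request. `lookup` is a hypothetical callable that returns the
# user's current directory entry, or nil if it no longer exists.
def revalidate(session, lookup, now, max_age = 300)
  return :ok if now - session[:checked_at] < max_age
  entry = lookup.call(session[:login])
  return :terminate if entry.nil? || disabled?(entry)
  session[:checked_at] = now
  session[:roles] = roles_for(entry) # drop roles revoked since login
  :ok
end

# Constructed directory state: koz was disabled and dhh lost admin after login.
DIRECTORY = {
  "koz" => { "userAccountControl" => ["514"],
             "memberOf" => ["CN=Printer Operators,CN=Groups,#{BASE_DN}"] },
  "dhh" => { "userAccountControl" => ["512"],
             "memberOf" => ["cn=printer operators, cn=groups, dc=radionz, dc=co, dc=nz"] }
}
LOOKUP = lambda { |login| DIRECTORY[login] }
```

The interval is the window during which a disabled account keeps working, so it trades directory load against exposure time.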

Requirements

You need the net/ldap gem. You should add a line in your config/environment.rb file:

config.gem "ruby-net-ldap", :lib => "net/ldap", :source => "http://gems.github.com"

Optionally, you could unpack this gem into your vendor/gems directory with this command:

rake gems:unpack

Example

In production.rb you can write:

config.to_prepare do
  User.authenticates_with_active_directory do |config|
    config.host    = "1.2.3.4"
    config.base_dn = "DC=radionz,DC=co,DC=nz"

    # Only needed if your ldap server doesn't support anonymous binding
    config.administrator_dn = "CN=administrator,OU=Sysadmins Group,OU=Systems"
    config.administrator_password = "admin_pw"

    config.roles :printer_operator => "CN=Printer Operators,CN=Groups",
                 :backup_operator  => "CN=Backup Operators,CN=Groups",
                 :admin            => "CN=AdminUsers,OU=Groups,OU=Corporate",
                 :operators        => "CN=OperatorsGroup,OU=Groups,OU=Corporate"
  end
end

Then in development.rb and test.rb you write:

User.stub_active_directory_authentication do |config|
  config.user "koz", "a password", :printer_operator, :backup_operator
  config.user "dhh", "anotherpassword", :admin
end

Note: the config.to_prepare block is used, as Ruby is garbage collecting the User’s config settings.

Copyright & Credits

This plugin was funded by Radio New Zealand Limited, and written by Michael Koziarski.

Copyright © 2009 Koziarski Software Ltd
Copyright © 2009 Radio New Zealand Limited

Released under the MIT license
