Active directory

Is there any ruby library that will let me authenticate against an
active directory server from a linux machine? I looked through the AD
gems but the documentation assumed that I knew what I was doing
already, and *seemed* to imply that I needed to be running this from a
windows box sitting in a windows domain.

I don't need to run queries or anything like that - simply
authenticate a user and get a yes/no answer.

martin

Do you want to do an LDAP bind-authentication from Linux with a username and
password? If so, look at Net::LDAP. If you're trying to do a Kerberos-style
authentication, there are several NTLM gems you can look at.

···

On 9/24/07, Martin DeMello <martindemello@gmail.com> wrote:

Is there any ruby library that will let me authenticate against an
active directory server from a linux machine? I looked through the AD
gems but the documentation assumed that I knew what I was doing
already, and *seemed* to imply that I needed to be running this from a
windows box sitting in a windows domain.

I don't need to run queries or anything like that - simply
authenticate a user and get a yes/no answer.

martin

I recently had this problem.

require 'ldap' # ruby-ldap, which wraps the system libldap

class LDAPAuth
        def initialize dn, host, port=389
                @dn = dn
                @c = LDAP::Conn.new host, port
                @c.set_option LDAP::LDAP_OPT_PROTOCOL_VERSION, 3
                @bound = false
        end

        # a rejected bind raises LDAP::ResultError (a StandardError), so a
        # bare rescue in the caller will see it
        def bind user, pass
                @bound = !@c.bind(user, pass).nil?
        end

        def groups_of user, dn=@dn
                # RuntimeError rather than Exception, so a bare rescue can catch it
                raise "Not bound." unless @bound
                # escape the name before interpolating it into the filter (RFC 4515),
                # otherwise a crafted user name can change the filter's meaning
                name = user.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
                @c.search2(dn, LDAP::LDAP_SCOPE_SUBTREE,
                           "sAMAccountName=#{name}", ['memberOf']).first['memberOf'].map { |e|
                        # keep only the CN of each group DN
                        /CN=([^,]+?)(?:,|$)/i.match(e).captures.first
                }
        end

        def close
                @c.unbind unless @c.nil?
                @c = nil
        end

        def method_missing n, *a
                @c.send n, *a
        end
end

Check the line wrapping since it may catch you out. This is a tad quick
and dirty, but may do the trick. To authenticate like you'd wish:

# note that LDAP won't let you search the root of a DN, an OU must be specified
l = LDAPAuth.new "OU=Accounts,DC=company,DC=com,DC=au", "pdc.company.com.au"
begin
    l.bind "joe@company.com.au", "mypassword"

    begin
        raise "unauthorized" unless l.groups_of("joe").include? "Enterprise Admins"
        # ...
    rescue
        # not in the right group!
    end
rescue
    # credentials are bad!
    # ...
ensure
    l.close
end

My example code is fairly ugly, but I hope you get it. Note that we're
bound to AD with the user's own credentials - there may be a case where
the user doesn't even have permissions to check their own group
memberships. In this case, you'd need to authenticate by trying to bind
with user credentials, but then authorise by binding with some (system)
account privileged for the purpose of checking memberships like this.
It's a bit iffy, yes, but there's probably a better way.

Also note this implementation uses the sAMAccountName LDAP attribute for
looking up a user to determine group membership status; thus a
non-domain-qualified name is used with LDAPAuth#groups_of ("joe", not
"joe@company.com.au"). Your schema may vary!

HTH

Arlen

···

On Tue, 2007-09-25 at 04:06 +0900, Martin DeMello wrote:

Is there any ruby library that will let me authenticate against an
active directory server from a linux machine? I looked through the AD
gems but the documentation assumed that I knew what I was doing
already, and *seemed* to imply that I needed to be running this from a
windows box sitting in a windows domain.

The former. Will check out Net::LDAP - is there anything different I
have to do, or do I simply treat AD as just another LDAP server?

martin

···

On 9/24/07, Francis Cianfrocca <garbagecat10@gmail.com> wrote:

Do you want to do an LDAP bind-authentication from Linux with a username and
password? If so, look at Net::LDAP. If you're trying to do a Kerberos-style
authentication, there are several NTLM gems you can look at.

Thanks a lot, Arlen, this looks extremely helpful!

martin

···

On 9/26/07, Arlen Christian Mart Cuss <celtic@sairyx.org> wrote:

class LDAPAuth

Some users have found Net::LDAP simpler because it doesn't require the
installation of an outboard LDAP library. Here's how the equivalent solution
might look in Net::LDAP (as you said, "your schema may vary"):

require 'rubygems'
require 'net/ldap'

ldap = Net::LDAP.new
ldap.host = your_server_ip_address   # replace with your server's address
ldap.port = your_server_port         # typically 389 or 3268 for A/D
# auth only stores the credentials; the bind happens when search (or #bind) runs
ldap.auth "CN=John Smith,CN=Users,dc=yourcompany,dc=com", "a-password"

ldap.search(
  :filter     => "sAMAccountName=John Smith",
  :attributes => [:memberOf],
  :base       => "cn=Users,dc=yourcompany,dc=com"
) { |entry|
  p entry[:memberof]
}

···

On 9/26/07, Arlen Christian Mart Cuss <celtic@sairyx.org> wrote:

On Tue, 2007-09-25 at 04:06 +0900, Martin DeMello wrote:

> Is there any ruby library that will let me authenticate against an
> active directory server from a linux machine? I looked through the AD
> gems but the documentation assumed that I knew what I was doing
> already, and *seemed* to imply that I needed to be running this from a
> windows box sitting in a windows domain.

I recently had this problem.
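Arlen's suggestion above (bind as a service account to look the user up, then check the user's own password with a second bind) combined with Francis's Net::LDAP approach, as an added example that is not code from this thread. The directory client is injected, so a Net::LDAP adapter would implement bind with #auth plus #bind and search with #search; the FakeDirectory, its account names and passwords are constructed here so the block runs offline. It also refuses empty passwords, which LDAP treats as an unauthenticated bind that AD reports as success.

```ruby
class ADAuthenticator
  Result = Struct.new(:ok, :reason, :groups)

  # Escape a value for use inside an LDAP filter (RFC 4515 section 3) so a
  # user-supplied name cannot change the filter's structure.
  def self.escape_filter(value)
    value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
  end

  # client is any object with bind(dn, password) -> true/false and
  # search(base, filter) -> array of { dn:, memberOf: [...] } hashes.
  def initialize(client, base:, service_dn:, service_pw:)
    @client, @base = client, base
    @service_dn, @service_pw = service_dn, service_pw
  end

  def authenticate(sam, password)
    # An empty password is an LDAP "unauthenticated bind" (RFC 4513 5.1.2):
    # AD answers success without checking anything, so refuse it up front.
    return Result.new(false, :empty_password, []) if password.to_s.empty?
    # Step 1: the service account looks the user up, since the user may not
    # be allowed to read its own memberOf.
    return Result.new(false, :service_bind_failed, []) unless @client.bind(@service_dn, @service_pw)
    entries = @client.search(@base, "(sAMAccountName=#{self.class.escape_filter(sam)})")
    return Result.new(false, :no_such_user, []) unless entries.size == 1
    entry = entries.first
    # Step 2: the user's own password is used for exactly one bind, never stored.
    return Result.new(false, :bad_password, []) unless @client.bind(entry[:dn], password)
    Result.new(true, :ok, Array(entry[:memberOf]).map { |dn| dn[/\ACN=([^,]+)/i, 1] }.compact)
  end
end

# Constructed stand-in for the directory; the accounts below are made up.
class FakeDirectory
  BASE = 'DC=company,DC=com,DC=au'
  def initialize
    @passwords = { "CN=Joe Bloggs,OU=Accounts,#{BASE}" => 'mypassword',
                   "CN=svc-auth,OU=Service,#{BASE}" => 's3cret' }
    @entries = [{ dn: "CN=Joe Bloggs,OU=Accounts,#{BASE}", sam: 'joe',
                  memberOf: ["CN=Enterprise Admins,CN=Users,#{BASE}"] }]
  end
  def bind(dn, password)
    @passwords[dn] == password
  end
  def search(_base, filter) # matches the raw filter value, unlike a real server
    sam = filter[/\A\(sAMAccountName=(.*)\)\z/, 1]
    @entries.select { |e| e[:sam] == sam }
  end
end
```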

You can treat AD as any LDAP server. Look at the Net::LDAP#bind and #bind_as
methods.

···

On 9/24/07, Martin DeMello <martindemello@gmail.com> wrote:

On 9/24/07, Francis Cianfrocca <garbagecat10@gmail.com> wrote:
>
> Do you want to do an LDAP bind-authentication from Linux with a username and
> password? If so, look at Net::LDAP. If you're trying to do a Kerberos-style
> authentication, there are several NTLM gems you can look at.

The former. Will check out Net::LDAP - is there anything different I
have to do, or do I simply treat AD as just another LDAP server?

martin

thanks.

martin

···

On 9/24/07, Francis Cianfrocca <garbagecat10@gmail.com> wrote:

You can treat AD as any LDAP server. Look at the Net::LDAP#bind and #bind_as
methods.

Well, I recently did it the nasty way (I just post to the relevant Remote Web Workplace server for a specific domain).
Certainly not the proper-clean way to do it, but beats the hell out of setting up the LDAP toolchain, in my book anyways.

···

On Sep 24, 2007, at 11:14 PM, Francis Cianfrocca wrote:

You can treat AD as any LDAP server. Look at the Net::LDAP#bind and #bind_as
methods.

I'm not sure how that would be any easier, or what you mean by setting up an
LDAP "toolchain" - Net::LDAP is a self-contained library in pure Ruby. All
you have to do is install it like any other Ruby library. Calling
Net::LDAP#bind to authenticate against an LDAP directory or A/D is a
one-liner. (Two lines if you count require 'net/ldap')

···

On 9/24/07, julik <listbox@julik.nl> wrote:

On Sep 24, 2007, at 11:14 PM, Francis Cianfrocca wrote:
> You can treat AD as any LDAP server. Look at the Net::LDAP#bind and #bind_as
> methods.

Well, I recently did it the nasty way (I just post to the relevant
Remote Web Workplace server for a specific domain).
Certainly not the proper-clean way to do it, but beats the hell out
of setting up the LDAP toolchain, in my book anyways.