Class: ActiveDirectory::User

Inherits:
Base
  • Object
Includes:
Member
Defined in:
lib/active_directory/user.rb

Constant Summary

UAC_ACCOUNT_DISABLED =
0x0002
UAC_NORMAL_ACCOUNT =
0x0200 (decimal 512)
UAC_PASSWORD_NEVER_EXPIRES =
0x10000 (decimal 65536)

Constants inherited from Base

Base::NIL_FILTER

Class Method Summary

Instance Method Summary

Methods included from Member

#join, #member_of?, #unjoin

Methods inherited from Base

#==, cache?, #changed?, class_name, clear_cache, connected?, create, decode_field, #destroy, disable_cache, enable_cache, encode_field, error, error?, error_code, exists?, find, find_all, find_cached_results, find_first, from_dn, #get_attr, get_field_type, #initialize, make_filter, make_filter_from_hash, method_missing, #method_missing, #move, #new_record?, parse_finder_spec, #reload, #save, #set_attr, setup, #sid, #to_ary, #update_attribute, #update_attributes, #valid_attribute?

Constructor Details

This class inherits a constructor from ActiveDirectory::Base

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class ActiveDirectory::Base

Class Method Details

.filterObject

:nodoc:



# File 'lib/active_directory/user.rb', line 29

# LDAP filter that selects user objects. In Active Directory computer
# objects also carry objectClass=user, so they are explicitly excluded.
def self.filter # :nodoc:
	users     = Net::LDAP::Filter.eq(:objectClass, 'user')
	computers = Net::LDAP::Filter.eq(:objectClass, 'computer')
	users & ~computers
end

.required_attributesObject

:nodoc:



# File 'lib/active_directory/user.rb', line 33

# Attributes every newly created User entry must carry: the full
# objectClass chain of an AD user object.
def self.required_attributes #:nodoc:
	object_classes = %w[top organizationalPerson person user]
	{ :objectClass => object_classes }
end

Instance Method Details

#authenticate(password) ⇒ Object

Try to authenticate the current User against Active Directory using the supplied password. Returns false upon failure.

Authenticate can fail for a variety of reasons, primarily:

  • The password is wrong

  • The account is locked

  • The account is disabled

User#locked? and User#disabled? can be used to distinguish the latter two cases; if the account is enabled and unlocked, the password is probably invalid. When surfacing the result to an end user, avoid revealing which of these reasons applied — a distinct "locked" or "disabled" message versus "wrong password" lets an attacker enumerate account state.



# File 'lib/active_directory/user.rb', line 51

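# Try to authenticate the current User against Active Directory using the
# supplied password.
#
# Returns false on failure. On success it returns whatever Net::LDAP#bind_as
# returns (the matched entries, which is truthy); callers should rely only
# on truthiness.
#
# Security notes:
#  * An empty password is rejected locally and never sent to the server. A
#    simple bind with an empty password is an *unauthenticated* bind, which
#    Active Directory accepts by default, so without this guard a blank
#    password would "authenticate" any account.
#  * An empty sAMAccountName is also rejected: it would otherwise produce a
#    malformed filter "(sAMAccountName=)".
#  * The sAMAccountName is escaped before being interpolated into the search
#    filter, so filter metacharacters in the attribute value cannot change
#    the query (LDAP filter injection).
#  * bind_as locates the entry with the service credentials from Base.setup,
#    then binds as that entry's DN with +password+. The shared service
#    connection is dup'ed first so its own bind state is left untouched.
#
# @param password [String] the candidate password
# @return [Array, false]
def authenticate(password)
	return false if password.to_s.empty?

	account = sAMAccountName.to_s
	return false if account.empty?

	escaped_account = Net::LDAP::Filter.escape(account)
	@@ldap.dup.bind_as(
		:filter   => "(sAMAccountName=#{escaped_account})",
		:password => password
	)
end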

#can_login?Boolean

Returns true if the user should be able to log in with a correct password (essentially, their account is neither disabled nor locked out). Only those two conditions are consulted; account expiry and password expiry are not checked.

Returns:

  • (Boolean)


# File 'lib/active_directory/user.rb', line 144

# True when nothing in the account's status prevents a login with the
# correct password. Only the ACCOUNTDISABLE flag (#disabled?) and
# lockoutTime (#locked?) are consulted; account and password expiry are
# not part of this check.
def can_login?
	blocked = disabled? || locked?
	!blocked
end

#change_password(new_password, force_change = false) ⇒ Object

Change the password for this account.

This operation requires that the bind user specified in Base.setup have the privileges needed to reset the password and write the affected attributes on the target account. It also requires a TLS connection: the method opens its own LDAPS connection (port 636, simple_tls) from those settings, because Active Directory rejects unicodePwd writes over an unencrypted link. Whether the server certificate is verified on that connection depends on the tls_options in the settings and the net-ldap version in use. Note that the same modify also resets userAccountControl to UAC_NORMAL_ACCOUNT (which re-enables a disabled account and clears any other flags) and sets lockoutTime to 0.

If the force_change argument is passed as true, the password will be marked as ‘expired’, forcing the user to change it the next time they successfully log into the domain.



# File 'lib/active_directory/user.rb', line 159

# Change the password for this account.
#
# A dedicated LDAPS connection (port 636, simple_tls) is opened from the
# Base.setup settings for this one write, because Active Directory only
# accepts unicodePwd changes over an encrypted connection. Whether the server
# certificate is actually verified on that connection depends on the
# :tls_options present in @@settings and on the net-ldap version in use —
# confirm this before trusting the channel, since the new password travels
# over it.
#
# Side effects beyond the password itself (all four replaces go in one modify):
#  * lockoutTime is reset to 0, i.e. the account is unlocked;
#  * userAccountControl is overwritten with UAC_NORMAL_ACCOUNT (512), which
#    re-enables a disabled account and drops every other UAC flag it had;
#  * pwdLastSet becomes 0 when +force_change+ is true (password expired, must
#    be changed at next logon), otherwise -1 (stamped as changed now).
#
# The bind user from Base.setup needs rights to reset the password and write
# these attributes. Domain password-policy rejections surface only through
# the return value of Net::LDAP#modify (false on failure), which is what this
# method returns.
def change_password(new_password, force_change = false)
	ldaps_settings = @@settings.dup.merge(
		:port       => 636,
		:encryption => { :method => :simple_tls }
	)

	# 0 expires the password immediately; -1 means "set to the current time".
	pwd_last_set = force_change ? '0' : '-1'

	operations = [
		[ :replace, :lockoutTime,        [ '0' ] ],
		[ :replace, :unicodePwd,         [ FieldType::Password.encode(new_password) ] ],
		[ :replace, :userAccountControl, [ UAC_NORMAL_ACCOUNT.to_s ] ],
		[ :replace, :pwdLastSet,         [ pwd_last_set ] ]
	]

	Net::LDAP.new(ldaps_settings).modify(:dn => distinguishedName, :operations => operations)
end

#direct_reportsObject

Returns an array of User objects that have this User as their manager.



# File 'lib/active_directory/user.rb', line 86

# Users that have this User as their manager, resolved from the entry's
# directReports attribute. The lookup is memoised after the first call; an
# entry without directReports yields [] without touching the directory.
#
# NOTE(review): the DN list is handed to User.find as a bare second
# argument, while #groups passes a :distinguishedname => [...] hash —
# confirm Base.find accepts both forms.
def direct_reports
	report_dns = @entry.directReports
	return [] if report_dns.nil?
	@direct_reports ||= User.find(:all, report_dns)
end

#disableObject

Disables the account



# File 'lib/active_directory/user.rb', line 111

# Disables the account by setting the ACCOUNTDISABLE bit (0x0002) in
# userAccountControl; every other flag on the account is preserved.
def disable
	flags = userAccountControl.to_i
	disabled_flags = flags | UAC_ACCOUNT_DISABLED
	update_attributes userAccountControl: disabled_flags.to_s
end

#disabled?Boolean

Returns true if this account has been disabled.

Returns:

  • (Boolean)


# File 'lib/active_directory/user.rb', line 104

# True when the ACCOUNTDISABLE bit (0x0002) is set in userAccountControl.
def disabled?
	flags = userAccountControl.to_i
	(flags & UAC_ACCOUNT_DISABLED) != 0
end

#enableObject

Enables the account



# File 'lib/active_directory/user.rb', line 119

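# Enables the account by clearing the ACCOUNTDISABLE bit (0x0002) in
# userAccountControl; every other flag on the account is preserved.
#
# The previous implementation XOR-ed the bit, which *toggles* it: calling
# enable on an account that was already enabled disabled it. AND-NOT is
# idempotent, so enable can be called safely regardless of current state.
def enable
	flags = userAccountControl.to_i
	enabled_flags = flags & ~UAC_ACCOUNT_DISABLED
	update_attributes userAccountControl: enabled_flags.to_s
end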

#expired?Boolean

Returns true if this account is expired. Note: as implemented this performs exactly the same check as User#locked? — it inspects lockoutTime, not the accountExpires attribute — so it reports lock-out status rather than account expiry.

Returns:

  • (Boolean)


# File 'lib/active_directory/user.rb', line 128

# Returns true if this account is expired.
#
# NOTE(review): as implemented this is the same check as #locked? — it
# looks at lockoutTime, not at accountExpires, so it really reports a
# lock-out rather than account expiry. Kept as-is to preserve existing
# behaviour; callers wanting real expiry need a different check.
def expired?
	lockout = lockoutTime
	return false if lockout.nil?
	lockout.to_i != 0
end

#groupsObject

Returns an array of Group objects that this User belongs to. Only the immediate parent groups are returned, so if the user Sally is in a group called Sales, and Sales is in a group called Marketing, this method would only return the Sales group.



# File 'lib/active_directory/user.rb', line 78

# Immediate parent groups of this User: the DNs in the entry's memberOf
# attribute resolved to Group objects. Nested memberships are not expanded.
# The result is memoised after the first lookup.
def groups
	@groups ||= begin
		member_dns = @entry[:memberOf]
		Group.find(:all, :distinguishedname => member_dns)
	end
end

#locked?Boolean

Returns true if this account has been locked out (usually because of too many invalid authentication attempts).

Locked accounts can be unlocked with the User#unlock! method.

Returns:

  • (Boolean)


# File 'lib/active_directory/user.rb', line 97

# True when lockoutTime carries a non-zero value, i.e. the account has been
# locked out (usually after too many bad passwords). Clear it with #unlock!.
#
# NOTE(review): Active Directory does not zero lockoutTime when the lockout
# duration elapses (it is reset on the next successful logon), so this may
# report a lockout that the domain controller no longer enforces.
def locked?
	lockout = lockoutTime
	return false if lockout.nil?
	lockout.to_i != 0
end

#managerObject

Return the User’s manager (another User object), depending on what is stored in the manager attribute.

Returns nil if the schema does not include the manager attribute or if no manager has been configured.



67
68
69
70
# File 'lib/active_directory/user.rb', line 67

# The User's manager, looked up by the DN stored in the entry's manager
# attribute. Returns nil when the attribute is absent or empty; otherwise
# a User object resolved through the find_by_distinguishedName finder.
def manager
	manager_dn = @entry.manager
	return nil if manager_dn.nil?
	User.find_by_distinguishedName(manager_dn.to_s)
end

#password_never_expires?Boolean

Returns true if this account has a password that does not expire.

Returns:

  • (Boolean)


# File 'lib/active_directory/user.rb', line 135

# True when the DONT_EXPIRE_PASSWORD bit (0x10000) is set in
# userAccountControl. Such accounts are exempt from the domain's maximum
# password age, which is worth auditing for privileged and service accounts.
def password_never_expires?
	flags = userAccountControl.to_i
	(flags & UAC_PASSWORD_NEVER_EXPIRES) != 0
end

#unlock!Object

Unlocks this account.



# File 'lib/active_directory/user.rb', line 180

# Unlocks this account by writing lockoutTime = 0 over the shared service
# connection. The bind user from Base.setup must have write access to
# lockoutTime on this entry; the return value is that of
# Net::LDAP#replace_attribute.
def unlock!
	cleared = [ '0' ]
	@@ldap.replace_attribute(distinguishedName, :lockoutTime, cleared)
end