Class: ActiveDirectory::User

Inherits: Base (Object)
Includes: Member
Defined in: lib/active_directory/user.rb

Constant Summary

UAC_ACCOUNT_DISABLED = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200 (512)

Constants inherited from Base

Base::NIL_FILTER


Methods included from Member

#join, #member_of?, #unjoin

Methods inherited from Base

#==, #changed?, create, #destroy, error, exists?, find, find_all, find_first, #initialize, make_filter_from_hash, method_missing, #method_missing, #move, #new_record?, parse_finder_spec, #reload, #save, setup, #update_attribute, #update_attributes

Constructor Details

This class inherits a constructor from ActiveDirectory::Base

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class ActiveDirectory::Base

Class Method Details

.filter ⇒ Object

:nodoc:



# File 'lib/active_directory/user.rb', line 31

def self.filter # :nodoc:
	# Match user objects, but exclude computer accounts (which are also objectClass=user).
	Net::LDAP::Filter.eq(:objectClass,'user') & ~Net::LDAP::Filter.eq(:objectClass,'computer')
end

.required_attributes ⇒ Object

:nodoc:



# File 'lib/active_directory/user.rb', line 35

def self.required_attributes #:nodoc:
	{ :objectClass => ['top', 'organizationalPerson', 'person', 'user'] }
end

Instance Method Details

#authenticate(password) ⇒ Object

Try to authenticate the current User against Active Directory using the supplied password. Returns false upon failure.

Authenticate can fail for a variety of reasons, primarily:

  • The password is wrong

  • The account is locked

  • The account is disabled

User#locked? and User#disabled? can be used to identify the latter two cases; if the account is enabled and unlocked, the password is probably invalid.



# File 'lib/active_directory/user.rb', line 53

def authenticate(password)
	# Never attempt a bind with an empty password: an LDAP simple bind with no
	# password is an unauthenticated bind and would not prove anything.
	return false if password.to_s.empty?

	# bind_as returns false when the bind fails, otherwise the matching entries.
	auth_ldap = @@ldap.dup.bind_as(
		:filter => "(sAMAccountName=#{sAMAccountName})",
		:password => password
	)
end

#can_login? ⇒ Boolean

Returns true if the user should be able to log in with a correct password (essentially, their account is not disabled or locked out).

Returns:

  • (Boolean)


# File 'lib/active_directory/user.rb', line 115

def can_login?
	!disabled? && !locked?
end

#change_password(new_password, force_change = false) ⇒ Object

Change the password for this account.

This operation requires that the bind user specified in Base.setup have heightened privileges. It also requires an SSL connection.

If the force_change argument is passed as true, the password will be marked as ‘expired’, forcing the user to change it the next time they successfully log into the domain.



# File 'lib/active_directory/user.rb', line 130

def change_password(new_password, force_change = false)
	# unicodePwd can only be modified over an encrypted connection, so open a
	# dedicated LDAPS (port 636, simple TLS) session for this operation.
	settings = @@settings.dup.merge({
		:port => 636,
		:encryption => { :method => :simple_tls }
	})

	ldap = Net::LDAP.new(settings)
	ldap.modify(
		:dn => distinguishedName,
		:operations => [
			[ :replace, :lockoutTime, [ '0' ] ],                                  # clear any lockout
			[ :replace, :unicodePwd, [ Password.encode(new_password) ] ],         # new password, AD encoding
			[ :replace, :userAccountControl, [ UAC_NORMAL_ACCOUNT.to_s ] ],       # overwrites the whole flag set
			[ :replace, :pwdLastSet, [ (force_change ? '0' : '-1') ] ]            # 0 = expired now, -1 = set now
		]
	)
end
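The following is an added example and not code from the active_directory gem. It assembles the same four replace operations that change_password issues, without opening a connection, so they can be inspected or logged before they are sent. Password.encode is not shown on this page; encode_unicode_pwd below implements the format Active Directory requires for unicodePwd (the password wrapped in double quotes, encoded as UTF-16LE). The enabled_uac helper and the user_account_control keyword are additions that address a side effect visible in the gem's code: replacing userAccountControl with UAC_NORMAL_ACCOUNT also drops any other flag the account carried. The DN and password in the usage section are constructed placeholders.

```ruby
# Added example, not the gem's own code: build the modify request that a
# password change sends to AD, with the password encoded as AD expects.

UAC_ACCOUNT_DISABLED = 0x0002
UAC_NORMAL_ACCOUNT   = 0x0200

# unicodePwd must be the new password, in double quotes, encoded as UTF-16LE.
def encode_unicode_pwd(password)
  "\"#{password}\"".encode('UTF-16LE')
end

# pwdLastSet 0 expires the password immediately (change at next logon);
# -1 stamps it with the current time.
def pwd_last_set_value(force_change)
  force_change ? '0' : '-1'
end

# Keep an account's existing userAccountControl flags but make sure it is a
# normal, enabled account (the gem instead overwrites the value with 512).
def enabled_uac(current_value)
  (current_value.to_i | UAC_NORMAL_ACCOUNT) & ~UAC_ACCOUNT_DISABLED
end

# Same four replace operations as change_password, as a Net::LDAP#modify
# argument hash. user_account_control defaults to the gem's behaviour; pass
# enabled_uac(current) to preserve other flags.
def password_change_operations(dn, new_password, force_change: false,
                               user_account_control: UAC_NORMAL_ACCOUNT)
  raise ArgumentError, 'new password must not be empty' if new_password.to_s.empty?
  {
    dn: dn,
    operations: [
      [:replace, :lockoutTime,        ['0']],
      [:replace, :unicodePwd,         [encode_unicode_pwd(new_password)]],
      [:replace, :userAccountControl, [user_account_control.to_s]],
      [:replace, :pwdLastSet,         [pwd_last_set_value(force_change)]],
    ],
  }
end

# Render the modify for an audit log without exposing the new password.
def describe_operations(modify)
  modify[:operations].map do |op, attr, values|
    shown = attr == :unicodePwd ? ['<redacted>'] : values
    "#{op} #{attr}=#{shown.join(',')}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed DN and password for illustration only.
  modify = password_change_operations('CN=Sally,OU=Users,DC=example,DC=test',
                                      'correct horse battery', force_change: true)
  puts describe_operations(modify)
  # Sending it would be Net::LDAP.new(settings).modify(modify) over port 636
  # with simple_tls, exactly as change_password configures the connection.
end
```

The modify hash is the shape Net::LDAP#modify accepts, so the only difference from the gem's method is that the password is encoded inline and the connection is left to the caller.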

#direct_reports ⇒ Object

Returns an array of User objects that have this User as their manager.



# File 'lib/active_directory/user.rb', line 88

def direct_reports
	return [] if @entry.directReports.nil?
	@direct_reports ||= @entry.directReports.collect { |dn| User.find_by_distinguishedName(dn) }
end

#disabled? ⇒ Boolean

Returns true if this account has been disabled.

Returns:

  • (Boolean)


# File 'lib/active_directory/user.rb', line 106

def disabled?
	userAccountControl.to_i & UAC_ACCOUNT_DISABLED != 0
end

#groups ⇒ Object

Returns an array of Group objects that this User belongs to. Only the immediate parent groups are returned, so if the user Sally is in a group called Sales, and Sales is in a group called Marketing, this method would only return the Sales group.



# File 'lib/active_directory/user.rb', line 80

def groups
	@groups ||= memberOf.collect { |dn| Group.find_by_distinguishedName(dn) }
end
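Because groups returns only the immediate parents, the transitive membership that actually governs access (Sally is effectively in Marketing through Sales) has to be computed separately. The following is an added example, not code from the gem: it walks memberOf links breadth-first with a visited set so that circular nesting, which AD permits, terminates. DIRECTORY is a constructed map of DN to memberOf values standing in for what Group.find_by_distinguishedName would return; the DNs are placeholders.

```ruby
# Added example, not the gem's own code: transitive group membership over
# memberOf links, with cycle protection.

require 'set'

# Constructed directory: DN => memberOf values. Staff and Marketing nest each
# other to exercise the cycle handling.
DIRECTORY = {
  'CN=Sally,OU=Users,DC=example,DC=test'      => ['CN=Sales,OU=Groups,DC=example,DC=test'],
  'CN=Sales,OU=Groups,DC=example,DC=test'     => ['CN=Marketing,OU=Groups,DC=example,DC=test'],
  'CN=Marketing,OU=Groups,DC=example,DC=test' => ['CN=Staff,OU=Groups,DC=example,DC=test'],
  'CN=Staff,OU=Groups,DC=example,DC=test'     => ['CN=Marketing,OU=Groups,DC=example,DC=test'],
  'CN=Bob,OU=Users,DC=example,DC=test'        => [],
}.freeze

# What User#groups returns: only the direct memberOf values.
def immediate_groups(dn, directory = DIRECTORY)
  directory.fetch(dn, [])
end

# Breadth-first walk over memberOf. Each group is visited once, so nesting
# loops end; DNs come back in discovery order, nearest groups first.
def all_groups(dn, directory = DIRECTORY)
  seen   = Set.new
  queue  = immediate_groups(dn, directory).dup
  result = []
  until queue.empty?
    group = queue.shift
    next unless seen.add?(group) # nil when already visited
    result << group
    queue.concat(immediate_groups(group, directory))
  end
  result
end

# Membership check that honours nesting, unlike a test against memberOf alone.
def effective_member_of?(dn, group_dn, directory = DIRECTORY)
  all_groups(dn, directory).include?(group_dn)
end

if __FILE__ == $PROGRAM_NAME
  sally = 'CN=Sally,OU=Users,DC=example,DC=test'
  puts "direct:    #{immediate_groups(sally).inspect}"
  puts "effective: #{all_groups(sally).inspect}"
end
```

With the real gem the lookup inside the loop would be Group.find_by_distinguishedName(dn).memberOf; the traversal itself is unchanged.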

#locked? ⇒ Boolean

Returns true if this account has been locked out (usually because of too many invalid authentication attempts).

Locked accounts can be unlocked with the User#unlock! method.

Returns:

  • (Boolean)


# File 'lib/active_directory/user.rb', line 99

def locked?
	!lockoutTime.nil? && lockoutTime.to_i != 0
end
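The authenticate documentation above says that locked? and disabled? explain a failed bind, and the three predicates disabled?, locked? and can_login? encode how AD represents those states. The following is an added example, not code from the gem, that applies the same tests to constructed entries and turns them into a failure reason. It goes slightly beyond the page in two ways, both labelled: decode_uac names additional well-known userAccountControl bits (values from Microsoft's schema documentation, not from this page), and locked_out? accounts for the fact that AD does not reset lockoutTime when the domain's lockout duration elapses, so a plain non-zero test can report an account as locked after the lockout has already expired. The entries, names and lockoutTime value are constructed; the lockout_duration argument is assumed to be supplied from domain policy by the caller.

```ruby
# Added example, not the gem's own code: decode an AD user entry's disabled
# and locked-out state and explain a failed bind. Entry values are strings
# (or nil when the attribute is absent), as Net::LDAP returns them.

UAC_ACCOUNT_DISABLED = 0x0002
UAC_NORMAL_ACCOUNT   = 0x0200

# Well-known userAccountControl bits; only the first and fourth are used by
# the User class itself.
UAC_FLAGS = {
  ACCOUNTDISABLE:       UAC_ACCOUNT_DISABLED,
  LOCKOUT:              0x0010,
  PASSWD_NOTREQD:       0x0020,
  NORMAL_ACCOUNT:       UAC_NORMAL_ACCOUNT,
  DONT_EXPIRE_PASSWORD: 0x10000,
}.freeze

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch;
# lockoutTime is a FILETIME, counted in 100-nanosecond intervals.
FILETIME_UNIX_OFFSET = 11_644_473_600

def decode_uac(value)
  bits = value.to_i
  UAC_FLAGS.select { |_, mask| bits & mask != 0 }.keys
end

# Same test as User#disabled?.
def disabled?(entry)
  entry[:userAccountControl].to_i & UAC_ACCOUNT_DISABLED != 0
end

# Same test as User#locked?: any non-zero lockoutTime.
def locked?(entry)
  !entry[:lockoutTime].nil? && entry[:lockoutTime].to_i != 0
end

# Stricter variant: lockout_duration is the domain policy in seconds
# (0 means locked until an administrator unlocks). The lockout is over once
# lockoutTime + lockout_duration is in the past, even though the attribute
# still holds the old timestamp.
def locked_out?(entry, now: Time.now, lockout_duration: 0)
  return false unless locked?(entry)
  return true if lockout_duration.zero?
  locked_at = Time.at(entry[:lockoutTime].to_i / 10_000_000 - FILETIME_UNIX_OFFSET)
  now < locked_at + lockout_duration
end

# Same test as User#can_login?.
def can_login?(entry)
  !disabled?(entry) && !locked?(entry)
end

# Triage after bind_as returned false, following the reasons listed for
# User#authenticate: report the account state before blaming the password.
def explain_auth_failure(entry)
  return :disabled if disabled?(entry)
  return :locked   if locked?(entry)
  :bad_password
end

# Constructed entries. 133485408000000000 is 2024-01-01T00:00:00Z as FILETIME;
# 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE, 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD.
SAMPLE_ENTRIES = {
  active:   { sAMAccountName: 'sally', userAccountControl: '512',   lockoutTime: '0' },
  disabled: { sAMAccountName: 'bob',   userAccountControl: '514',   lockoutTime: nil },
  locked:   { sAMAccountName: 'eve',   userAccountControl: '512',   lockoutTime: '133485408000000000' },
  service:  { sAMAccountName: 'svc',   userAccountControl: '66048', lockoutTime: '0' },
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_ENTRIES.each do |name, entry|
    puts "#{name}: uac=#{decode_uac(entry[:userAccountControl]).join('|')} " \
         "can_login=#{can_login?(entry)} on_failure=#{explain_auth_failure(entry)}"
  end
end
```

When using the gem itself, the entry hash corresponds to the User object's attribute readers, so the same predicates apply unchanged; locked_out? is the one addition that needs the domain's lockoutDuration value from the caller.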

#manager ⇒ Object

Return the User’s manager (another User object), depending on what is stored in the manager attribute.

Returns nil if the schema does not include the manager attribute or if no manager has been configured.



# File 'lib/active_directory/user.rb', line 69

def manager
	return nil if @entry.manager.nil?
	User.find_by_distinguishedName(@entry.manager.to_s)
end

#unlock! ⇒ Object

Unlocks this account.



# File 'lib/active_directory/user.rb', line 151

def unlock!
	# Resetting lockoutTime to 0 is how AD clears a lockout; this uses the
	# bind user from Base.setup, which needs write access to the attribute.
	@@ldap.replace_attribute(distinguishedName, :lockoutTime, ['0'])
end