Class: ActiveDirectory::User

Inherits:

Base

• Object
• Base
• ActiveDirectory::User

Includes:

Member

Defined in:

lib/bsb_active_directory/user.rb

Constant Summary

UAC_ACCOUNT_DISABLED =

0x0002

UAC_NORMAL_ACCOUNT =

512

0x0200

UAC_PASSWORD_NEVER_EXPIRES =

65536

0x10000

Constants inherited from Base

Base::NIL_FILTER

Class Method Summary

• .filter ⇒ Object

  :nodoc:.

• .required_attributes ⇒ Object

  :nodoc:.

Instance Method Summary

• #authenticate(password) ⇒ Object

  Try to authenticate the current User against Active Directory using the supplied password.

• #can_login? ⇒ Boolean

  Returns true if the user should be able to log in with a correct password (essentially, their account is not disabled or locked out).

• #change_password(new_password, force_change = false) ⇒ Object

  Change the password for this account.

• #direct_reports ⇒ Object

  Returns an array of User objects that have this User as their manager.

• #disable ⇒ Object

  Disables the account.

• #disabled? ⇒ Boolean

  Returns true if this account has been disabled.

• #enable ⇒ Object

  Enables the account.

• #expired? ⇒ Boolean

  Returns true if this account is expired.

• #groups ⇒ Object

  Returns an array of Group objects that this User belongs to.

• #locked? ⇒ Boolean

  Returns true if this account has been locked out (usually because of too many invalid authentication attempts).

• #manager ⇒ Object

  Return the User's manager (another User object), depending on what is stored in the manager attribute.

• #password_never_expires? ⇒ Boolean

  Returns true if this account has a password that does not expire.

• #unlock! ⇒ Object

  Unlocks this account.

Methods included from Member

#join, #member_of?, #unjoin

Methods inherited from Base

#==, cache?, #changed?, class_name, clear_cache, connected?, create, decode_field, #destroy, disable_cache, enable_cache, encode_field, error, error?, error_code, exists?, find, find_all, find_cached_results, find_first, from_dn, #get_attr, get_field_type, #initialize, make_filter, make_filter_from_hash, method_missing, #method_missing, #move, #new_record?, parse_finder_spec, #reload, #save, #set_attr, setup, #sid, #to_ary, #update_attribute, #update_attributes, #valid_attribute?

Constructor Details

This class inherits a constructor from ActiveDirectory::Base

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class ActiveDirectory::Base

Class Method Details

.filter ⇒ Object

:nodoc:

# File 'lib/bsb_active_directory/user.rb', line 29

def self.filter # :nodoc:
  Net::LDAP::Filter.eq(:objectClass, 'user') & ~Net::LDAP::Filter.eq(:objectClass, 'computer')
end

.required_attributes ⇒ Object

:nodoc:

# File 'lib/bsb_active_directory/user.rb', line 33

def self.required_attributes #:nodoc:
  { objectClass: %w[top organizationalPerson person user] }
end

Instance Method Details

#authenticate(password) ⇒ Object

Try to authenticate the current User against Active Directory using the supplied password. Returns false upon failure.

Authenticate can fail for a variety of reasons, primarily:

• The password is wrong

• The account is locked

• The account is disabled

User#locked? and User#disabled? can be used to identify the latter two cases, and if the account is enabled and unlocked, Athe password is probably invalid.

# File 'lib/bsb_active_directory/user.rb', line 50

def authenticate(password)
  return false if password.to_s.empty?

  auth_ldap = @@ldap.dup.bind_as(
    filter: "(sAMAccountName=#{sAMAccountName})",
    password: password
  )
end

#can_login? ⇒ Boolean

Returns true if the user should be able to log in with a correct password (essentially, their account is not disabled or locked out).

Returns:

• (Boolean)

# File 'lib/bsb_active_directory/user.rb', line 142

def can_login?
  !disabled? && !locked?
end

#change_password(new_password, force_change = false) ⇒ Object

Change the password for this account.

This operation requires that the bind user specified in Base.setup have heightened privileges. It also requires an SSL connection.

If the force_change argument is passed as true, the password will be marked as 'expired', forcing the user to change it the next time they successfully log into the domain.

# File 'lib/bsb_active_directory/user.rb', line 157

def change_password(new_password, force_change = false)
  settings = @@settings.dup.merge(
    port: 636,
    encryption: { method: :simple_tls }
  )

  ldap = Net::LDAP.new(settings)
  ldap.modify(
    dn: distinguishedName,
    operations: [
      [:replace, :lockoutTime, ['0']],
      [:replace, :unicodePwd, [FieldType::Password.encode(new_password)]],
      [:replace, :userAccountControl, [UAC_NORMAL_ACCOUNT.to_s]],
      [:replace, :pwdLastSet, [(force_change ? '0' : '-1')]]
    ]
  )
end

#direct_reports ⇒ Object

Returns an array of User objects that have this User as their manager.

# File 'lib/bsb_active_directory/user.rb', line 85

def direct_reports
  return [] if @entry.directReports.nil?
  @direct_reports ||= User.find(:all, @entry.directReports)
end

#disable ⇒ Object

Disables the account

# File 'lib/bsb_active_directory/user.rb', line 110

def disable
  new_mask = userAccountControl.to_i | UAC_ACCOUNT_DISABLED
  update_attributes userAccountControl: new_mask.to_s
end

#disabled? ⇒ Boolean

Returns true if this account has been disabled.

Returns:

• (Boolean)

# File 'lib/bsb_active_directory/user.rb', line 103

def disabled?
  userAccountControl.to_i & UAC_ACCOUNT_DISABLED != 0
end

#enable ⇒ Object

Enables the account

# File 'lib/bsb_active_directory/user.rb', line 118

def enable
  new_mask = userAccountControl.to_i ^ UAC_ACCOUNT_DISABLED
  update_attributes userAccountControl: new_mask.to_s
end

#expired? ⇒ Boolean

Returns true if this account is expired.

Returns:

• (Boolean)

# File 'lib/bsb_active_directory/user.rb', line 126

def expired?
  !lockoutTime.nil? && lockoutTime.to_i != 0
end

#groups ⇒ Object

Returns an array of Group objects that this User belongs to. Only the immediate parent groups are returned, so if the user Sally is in a group called Sales, and Sales is in a group called Marketting, this method would only return the Sales group.

# File 'lib/bsb_active_directory/user.rb', line 77

def groups
  @groups ||= Group.find(:all, distinguishedname: @entry[:memberOf])
end

#locked? ⇒ Boolean

Returns true if this account has been locked out (usually because of too many invalid authentication attempts).

Locked accounts can be unlocked with the User#unlock! method.

Returns:

• (Boolean)

# File 'lib/bsb_active_directory/user.rb', line 96

def locked?
  !lockoutTime.nil? && lockoutTime.to_i != 0
end

#manager ⇒ Object

Return the User's manager (another User object), depending on what is stored in the manager attribute.

Returns nil if the schema does not include the manager attribute or if no manager has been configured.

# File 'lib/bsb_active_directory/user.rb', line 66

def manager
  return nil if @entry.manager.nil?
  User.find_by_distinguishedName(@entry.manager.to_s)
end

#password_never_expires? ⇒ Boolean

Returns true if this account has a password that does not expire.

Returns:

• (Boolean)

# File 'lib/bsb_active_directory/user.rb', line 133

def password_never_expires?
  userAccountControl.to_i & UAC_PASSWORD_NEVER_EXPIRES != 0
end

#unlock! ⇒ Object

Unlocks this account.

# File 'lib/bsb_active_directory/user.rb', line 178

def unlock!
  @@ldap.replace_attribute(distinguishedName, :lockoutTime, ['0'])
end