Class: ActiveDirectory::User

Inherits:
Base
  • Object
Includes:
Member
Defined in:
lib/active_directory/user.rb

Constant Summary

UAC_ACCOUNT_DISABLED = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200 (512)

Constants inherited from Base

Base::NIL_FILTER

Class Method Summary

Instance Method Summary

Methods included from Member

#join, #member_of?, #unjoin

Methods inherited from Base

#==, #changed?, create, #destroy, error, exists?, find, find_all, find_first, #initialize, make_filter_from_hash, method_missing, #method_missing, #move, #new_record?, parse_finder_spec, #reload, #save, setup, #update_attribute, #update_attributes

Constructor Details

This class inherits a constructor from ActiveDirectory::Base

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class ActiveDirectory::Base

Class Method Details

.filter ⇒ Object

:nodoc:



# File 'lib/active_directory/user.rb', line 8

def self.filter # :nodoc:
	Net::LDAP::Filter.eq(:objectClass,'user') & ~Net::LDAP::Filter.eq(:objectClass,'computer')
end

.required_attributes ⇒ Object

:nodoc:



# File 'lib/active_directory/user.rb', line 12

def self.required_attributes #:nodoc:
	{ :objectClass => ['top', 'organizationalPerson', 'person', 'user'] }
end

Instance Method Details

#authenticate(password) ⇒ Object

Try to authenticate the current User against Active Directory using the supplied password. Returns the result of Net::LDAP#bind_as (the matching entries, which is truthy) on success and false upon failure, including when the supplied password is empty.

Authenticate can fail for a variety of reasons, primarily:

  • The password is wrong

  • The account is locked

  • The account is disabled

User#locked? and User#disabled? can be used to identify the latter two cases; if the account is enabled and unlocked, the password is probably invalid. Note that bind_as first searches for the account with the configured bind user and then binds as the first entry found, so the search filter must match exactly one account.



# File 'lib/active_directory/user.rb', line 30

def authenticate(password)
	# An empty password would otherwise be sent as an anonymous or
	# unauthenticated simple bind, which AD may accept as "success".
	return false if password.to_s.empty?

	# Search for the account on a copy of the shared connection, then bind as
	# its DN with the supplied password. The filter is passed as a
	# Net::LDAP::Filter object so the account name is BER-encoded instead of
	# being re-parsed from an interpolated string (names may contain parentheses).
	@@ldap.dup.bind_as(
		:filter   => Net::LDAP::Filter.eq(:sAMAccountName, sAMAccountName),
		:password => password
	)
end
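The reason the filter should not be built by string interpolation, as an added example that is not part of the active_directory gem: an assertion value is escaped per RFC 4515 before it is placed in a filter string, and a minimal single-item filter parser shows how an unescaped value changes what the server sees. The account names and the parser are constructed for illustration; with net-ldap itself the fix is to pass a Net::LDAP::Filter object, as the corrected authenticate above does.

```ruby
# Added example (not the gem's code): RFC 4515 escaping of an assertion value
# and a minimal parser for one "(attr=value)" filter item.

# RFC 4515 requires these characters to be hex-escaped inside an assertion value.
LDAP_FILTER_ESCAPES = {
  "\\" => '\5c',
  '*'  => '\2a',
  '('  => '\28',
  ')'  => '\29',
  "\0" => '\00',
}.freeze

def ldap_escape(value)
  value.to_s.gsub(/[\\*()\0]/) { |c| LDAP_FILTER_ESCAPES[c] }
end

# The filter exactly as the original authenticate built it: raw interpolation.
def unsafe_filter(account_name)
  "(sAMAccountName=#{account_name})"
end

# The same filter with the value escaped.
def safe_filter(account_name)
  "(sAMAccountName=#{ldap_escape(account_name)})"
end

# Minimal parser for a single "(attr=value)" item, roughly as a server reads it.
# Returns [attribute, value, kind] with kind :equality, :substring or :present;
# raises ArgumentError when the string is not one well-formed item.
SIMPLE_ITEM = /\A\(([A-Za-z][A-Za-z0-9.;-]*)=((?:[^()*\\]|\\[0-9a-fA-F]{2}|\*)*)\)\z/

def parse_simple_filter(filter)
  m = SIMPLE_ITEM.match(filter)
  raise ArgumentError, "malformed filter: #{filter}" unless m
  attribute, raw = m[1], m[2]
  return [attribute, nil, :present] if raw == '*'   # "(attr=*)" matches every entry
  kind  = raw.include?('*') ? :substring : :equality
  value = raw.gsub(/\\([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
  [attribute, value, kind]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names: a plain one, a legal name containing parentheses,
  # and a wildcard. Only the escaped form keeps all three as literal values.
  ['bob', 'bob(1)', '*'].each do |name|
    [unsafe_filter(name), safe_filter(name)].each do |f|
      begin
        puts "#{f.ljust(32)} => #{parse_simple_filter(f).inspect}"
      rescue ArgumentError => e
        puts "#{f.ljust(32)} => #{e.message}"
      end
    end
  end
end
```

Parentheses are permitted in sAMAccountName, so the interpolated form fails for a legitimate name such as bob(1), and a value of * turns the equality match into a presence test that bind_as would resolve to whatever entry the server returns first.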

#can_login? ⇒ Boolean

Returns true if the user should be able to log in with a correct password (essentially, their account is not disabled or locked out).

Returns:

  • (Boolean)


# File 'lib/active_directory/user.rb', line 92

def can_login?
	!disabled? && !locked?
end

#change_password(new_password, force_change = false) ⇒ Object

Change the password for this account.

This operation requires that the bind user specified in Base.setup have heightened privileges (permission to write unicodePwd, lockoutTime, userAccountControl and pwdLastSet on the entry). Active Directory only accepts unicodePwd writes over an encrypted channel, so this method opens its own LDAPS connection (port 636, simple_tls) from the Base.setup settings regardless of how the shared connection was configured; check that your net-ldap version verifies the server certificate, or pass :tls_options, since the new password travels over that channel.

If the force_change argument is passed as true, the password will be marked as ‘expired’, forcing the user to change it the next time they successfully log into the domain.

Side effects to be aware of: the method also writes 0 to lockoutTime (unlocking the account) and replaces userAccountControl with UAC_NORMAL_ACCOUNT, which re-enables a disabled account and discards every other flag that was set (for example "password never expires" or "smart card required").



# File 'lib/active_directory/user.rb', line 117

def change_password(new_password, force_change = false)
	# AD only accepts unicodePwd writes over an encrypted channel, so a fresh
	# LDAPS connection is opened from the Base.setup settings. Add :tls_options
	# under :encryption if your net-ldap version does not verify the server
	# certificate by default.
	settings = @@settings.dup.merge({
		:port => 636,
		:encryption => { :method => :simple_tls }
	})

	ldap = Net::LDAP.new(settings)
	# Net::LDAP#modify returns true on success and false otherwise.
	ldap.modify(
		:dn => distinguishedName,
		:operations => [
			[ :replace, :lockoutTime, [ '0' ] ],                              # also unlocks the account
			[ :replace, :unicodePwd, [ Password.encode(new_password) ] ],      # quoted, UTF-16LE encoded
			[ :replace, :userAccountControl, [ UAC_NORMAL_ACCOUNT.to_s ] ],   # overwrites all UAC flags, re-enabling the account
			[ :replace, :pwdLastSet, [ (force_change ? '0' : '-1') ] ]        # 0 = must change at next logon
		]
	)
end

#direct_reports ⇒ Object

Returns an array of User objects that have this User as their manager.



# File 'lib/active_directory/user.rb', line 65

def direct_reports
	return [] if @entry.directReports.nil?
	@direct_reports ||= @entry.directReports.collect { |dn| User.find_by_distinguishedName(dn) }
end

#disabled? ⇒ Boolean

Returns true if this account has been disabled.

Returns:

  • (Boolean)


# File 'lib/active_directory/user.rb', line 83

def disabled?
	userAccountControl.to_i & UAC_ACCOUNT_DISABLED != 0
end

#enable! ⇒ Object

Clears the ACCOUNTDISABLE bit in userAccountControl and saves the entry, leaving the other flags untouched. Returns false if the account was not disabled, otherwise the result of save.



# File 'lib/active_directory/user.rb', line 97

def enable!
	return false unless disabled?
	# Clear only the disable bit; a mask leaves every other flag as it was.
	uac = userAccountControl.to_i & ~UAC_ACCOUNT_DISABLED
	self.userAccountControl = uac.to_s
	self.save
end
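Both change_password and enable! above touch userAccountControl, and the two do it differently: change_password overwrites the whole value with 512, while enable! only clears one bit. The following is an added example, not code from the gem, showing a password reset that keeps unrelated flags, the mask-based flag clearing, and the unicodePwd encoding AD expects. UAC_DONT_EXPIRE_PASSWD and UAC_SMARTCARD_REQUIRED are taken from the documented userAccountControl bit table (the gem defines only the first two constants); the sample flag values and password are constructed for the example.

```ruby
# Added example (not the gem's code): flag-preserving password reset operations
# for Net::LDAP#modify, plus the unicodePwd encoding.
UAC_ACCOUNT_DISABLED   = 0x0002
UAC_NORMAL_ACCOUNT     = 0x0200
UAC_DONT_EXPIRE_PASSWD = 0x10000   # from the userAccountControl bit table
UAC_SMARTCARD_REQUIRED = 0x40000   # from the userAccountControl bit table

# AD's unicodePwd attribute takes the password wrapped in double quotes and
# encoded as UTF-16LE; the quotes are part of the value sent on the wire.
def encode_unicode_pwd(password)
  "\"#{password}\"".encode('UTF-16LE').b
end

# Clear one flag with a mask. Subtracting the constant only works when the
# bit is actually set; the mask is correct whether or not it is.
def clear_uac_flag(uac, flag)
  uac & ~flag
end

# Bits that "replace userAccountControl with 512" silently drops, ignoring the
# disable bit, which that replace clears on purpose.
def flags_lost_by_reset_to_normal(uac)
  uac & ~(UAC_NORMAL_ACCOUNT | UAC_ACCOUNT_DISABLED)
end

# Operations list for Net::LDAP#modify. current_uac is the integer value read
# from the entry. Mirrors change_password (lockoutTime and pwdLastSet are
# written too) but the account stays disabled unless enable: true is passed,
# and even then only the disable bit changes.
def password_reset_operations(new_password, current_uac, force_change: false, enable: false)
  ops = [
    [:replace, :lockoutTime, ['0']],
    [:replace, :unicodePwd,  [encode_unicode_pwd(new_password)]],
    [:replace, :pwdLastSet,  [force_change ? '0' : '-1']],
  ]
  if enable
    ops << [:replace, :userAccountControl,
            [clear_uac_flag(current_uac, UAC_ACCOUNT_DISABLED).to_s]]
  end
  ops
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a disabled, password-never-expires, smart-card account.
  uac = UAC_NORMAL_ACCOUNT | UAC_ACCOUNT_DISABLED | UAC_DONT_EXPIRE_PASSWD | UAC_SMARTCARD_REQUIRED
  puts "flags lost by replacing with 512: 0x#{flags_lost_by_reset_to_normal(uac).to_s(16)}"
  password_reset_operations('Pa$$w0rd', uac, force_change: true, enable: true).each do |op|
    puts op.inspect
  end
end
```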

#groups ⇒ Object

Returns an array of Group objects that this User belongs to. Only the immediate parent groups are returned, so if the user Sally is in a group called Sales, and Sales is in a group called Marketing, this method would only return the Sales group.



# File 'lib/active_directory/user.rb', line 57

def groups
	@groups ||= memberOf.collect { |dn| Group.find_by_distinguishedName(dn) }
end

#locked? ⇒ Boolean

Returns true if this account has a non-zero lockoutTime, which is set when too many invalid authentication attempts are made.

Caveat: Active Directory does not reset lockoutTime when the domain's lockout duration elapses; it is cleared on the next successful logon or by an explicit unlock. An account whose lockout has already expired therefore still reports as locked here. To know whether a lockout is currently in effect, compare lockoutTime plus the domain's lockoutDuration with the current time.

Locked accounts can be unlocked with the User#unlock! method.

Returns:

  • (Boolean)


# File 'lib/active_directory/user.rb', line 76

def locked?
	!lockoutTime.nil? && lockoutTime.to_i != 0
end

#manager ⇒ Object

Return the User’s manager (another User object), depending on what is stored in the manager attribute.

Returns nil if the schema does not include the manager attribute or if no manager has been configured.



# File 'lib/active_directory/user.rb', line 46

def manager
	return nil if @entry.manager.nil?
	User.find_by_distinguishedName(@entry.manager.to_s)
end

#unlock! ⇒ Object

Unlocks this account by writing 0 to lockoutTime over the shared connection from Base.setup; the bind user therefore needs write permission on that attribute. Returns the result of Net::LDAP#replace_attribute (true on success).



# File 'lib/active_directory/user.rb', line 138

def unlock!
	@@ldap.replace_attribute(distinguishedName, :lockoutTime, ['0'])
end