Class: ActiveDirectory::User
- Includes: Member
- Defined in: lib/active_directory/user.rb
Constant Summary collapse
- UAC_ACCOUNT_DISABLED = 0x0002
- UAC_NORMAL_ACCOUNT = 0x0200 (512)
Constants inherited from Base
Class Method Summary collapse
- .filter ⇒ Object
  :nodoc:
- .required_attributes ⇒ Object
  :nodoc:
Instance Method Summary collapse
- #authenticate(password) ⇒ Object
  Try to authenticate the current User against Active Directory using the supplied password.
- #can_login? ⇒ Boolean
  Returns true if the user should be able to log in with a correct password (essentially, their account is not disabled or locked out).
- #change_password(new_password, force_change = false) ⇒ Object
  Change the password for this account.
- #direct_reports ⇒ Object
  Returns an array of User objects that have this User as their manager.
- #disabled? ⇒ Boolean
  Returns true if this account has been disabled.
- #enable! ⇒ Object
  Clears the disabled flag from userAccountControl so the account is treated as a normal, enabled account.
- #groups ⇒ Object
  Returns an array of Group objects that this User belongs to.
- #locked? ⇒ Boolean
  Returns true if this account has been locked out (usually because of too many invalid authentication attempts).
- #manager ⇒ Object
  Return the User's manager (another User object), depending on what is stored in the manager attribute.
- #unlock! ⇒ Object
  Unlocks this account.
Methods included from Member
Methods inherited from Base
#==, #changed?, create, #destroy, error, exists?, find, find_all, find_first, #initialize, make_filter_from_hash, method_missing, #method_missing, #move, #new_record?, parse_finder_spec, #reload, #save, setup, #update_attribute, #update_attributes
Constructor Details
This class inherits a constructor from ActiveDirectory::Base
Dynamic Method Handling
This class handles dynamic methods through the method_missing method in the class ActiveDirectory::Base
Class Method Details
.filter ⇒ Object
:nodoc:

# File 'lib/active_directory/user.rb', line 8
def self.filter # :nodoc:
  # Match user objects but exclude computer accounts, which also carry objectClass=user
  Net::LDAP::Filter.eq(:objectClass, 'user') & ~Net::LDAP::Filter.eq(:objectClass, 'computer')
end
.required_attributes ⇒ Object
:nodoc:

# File 'lib/active_directory/user.rb', line 12
def self.required_attributes #:nodoc:
  { :objectClass => ['top', 'organizationalPerson', 'person', 'user'] }
end
Instance Method Details
#authenticate(password) ⇒ Object
Try to authenticate the current User against Active Directory using the supplied password. Returns false upon failure.
Authenticate can fail for a variety of reasons, primarily:
- The password is wrong
- The account is locked
- The account is disabled
User#locked? and User#disabled? can be used to identify the latter two cases; if the account is enabled and unlocked, the password is probably invalid.
# File 'lib/active_directory/user.rb', line 30
def authenticate(password)
  # Refuse empty passwords up front: an LDAP bind with a DN and an empty
  # password is an unauthenticated (anonymous) bind on many servers and
  # would otherwise look like a successful login.
  return false if password.to_s.empty?
  # bind_as returns the matched entry on success and false on failure;
  # the bind is done on a copy so the shared connection's credentials are untouched
  auth_ldap = @@ldap.dup.bind_as(
    :filter   => "(sAMAccountName=#{sAMAccountName})",
    :password => password
  )
end
#can_login? ⇒ Boolean
Returns true if the user should be able to log in with a correct password (essentially, their account is not disabled or locked out).
# File 'lib/active_directory/user.rb', line 92
def can_login?
  !disabled? && !locked?
end
#change_password(new_password, force_change = false) ⇒ Object
Change the password for this account.
This operation requires that the bind user specified in Base.setup have heightened privileges. It also requires an SSL connection.
If the force_change argument is passed as true, the password will be marked as ‘expired’, forcing the user to change it the next time they successfully log into the domain.
# File 'lib/active_directory/user.rb', line 117
def change_password(new_password, force_change = false)
  # unicodePwd can only be written over an encrypted connection, so open a
  # separate LDAPS session on port 636 with the bind user from Base.setup
  settings = @@settings.dup.merge({
    :port       => 636,
    :encryption => { :method => :simple_tls }
  })
  ldap = Net::LDAP.new(settings)
  ldap.modify(
    :dn         => distinguishedName,
    :operations => [
      [ :replace, :lockoutTime,        [ '0' ] ],                          # also unlocks the account
      [ :replace, :unicodePwd,         [ Password.encode(new_password) ] ], # AD expects UTF-16LE
      [ :replace, :userAccountControl, [ UAC_NORMAL_ACCOUNT.to_s ] ],      # overwrites every other UAC flag
      [ :replace, :pwdLastSet,         [ (force_change ? '0' : '-1') ] ]   # 0 = must change at next logon
    ]
  )
end
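Both change_password and enable! write userAccountControl, and change_password replaces the whole value with UAC_NORMAL_ACCOUNT. The following added example (not code from the active_directory gem) decodes a userAccountControl value, lists the policy flags such a blanket reset silently clears, and computes the value that only clears the disabled bit. The flag bits are the documented Active Directory userAccountControl values; the two UAC_ constants are redefined locally so the block runs stand-alone.

```ruby
# Documented userAccountControl bits (subset), keyed by bit value
UAC_FLAGS = {
  0x0001   => :SCRIPT,
  0x0002   => :ACCOUNTDISABLE,
  0x0010   => :LOCKOUT,
  0x0020   => :PASSWD_NOTREQD,
  0x0040   => :PASSWD_CANT_CHANGE,
  0x0200   => :NORMAL_ACCOUNT,
  0x10000  => :DONT_EXPIRE_PASSWORD,
  0x40000  => :SMARTCARD_REQUIRED,
  0x80000  => :TRUSTED_FOR_DELEGATION,
  0x100000 => :NOT_DELEGATED,
  0x400000 => :DONT_REQ_PREAUTH,
  0x800000 => :PASSWORD_EXPIRED,
}.freeze

# Same values as ActiveDirectory::User's constants, redefined here locally
UAC_ACCOUNT_DISABLED = 0x0002
UAC_NORMAL_ACCOUNT   = 0x0200

# LDAP hands the attribute back as a string; accept String or Integer.
# Returns the names of the set flags, in bit order.
def uac_flags(value)
  v = value.to_i
  UAC_FLAGS.select { |bit, _| (v & bit) != 0 }.values
end

# Flags on the account that a replace with UAC_NORMAL_ACCOUNT would clear.
# Dropping ACCOUNTDISABLE is the intent; losing SMARTCARD_REQUIRED or
# DONT_EXPIRE_PASSWORD is a silent policy change worth flagging.
def flags_dropped_by_reset(value)
  uac_flags(value) - uac_flags(UAC_NORMAL_ACCOUNT)
end

# Clear only the disabled bit and keep every other flag intact: the value
# to write when the intent is just "enable this account".
def uac_enabled_preserving(value)
  (value.to_i & ~UAC_ACCOUNT_DISABLED) | UAC_NORMAL_ACCOUNT
end

# Constructed sample: a disabled account that requires a smart card and
# has a non-expiring password (0x0002 | 0x0200 | 0x10000 | 0x40000)
SAMPLE_UAC = "328194"
```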
#direct_reports ⇒ Object
Returns an array of User objects that have this User as their manager.
# File 'lib/active_directory/user.rb', line 65
def direct_reports
  return [] if @entry.directReports.nil?
  # directReports holds the DNs of users whose manager attribute points here
  @direct_reports ||= @entry.directReports.collect { |dn| User.find_by_distinguishedName(dn) }
end
#disabled? ⇒ Boolean
Returns true if this account has been disabled.
# File 'lib/active_directory/user.rb', line 83
def disabled?
  # In Ruby & binds tighter than !=, so this tests the ACCOUNTDISABLE bit;
  # the parentheses only make that explicit
  (userAccountControl.to_i & UAC_ACCOUNT_DISABLED) != 0
end
#enable! ⇒ Object
Clears the disabled flag from userAccountControl so the account is treated as a normal, enabled account. Returns false if the account was not disabled.

# File 'lib/active_directory/user.rb', line 97
def enable!
  if !disabled?
    return false
  end
  # Subtracting is safe here because disabled? confirmed the bit is set;
  # all other userAccountControl flags are left untouched
  uac = userAccountControl.to_i - UAC_ACCOUNT_DISABLED
  self.userAccountControl = uac.to_s
  self.save
end
#groups ⇒ Object
Returns an array of Group objects that this User belongs to. Only the immediate parent groups are returned, so if the user Sally is in a group called Sales, and Sales is in a group called Marketing, this method would only return the Sales group.

# File 'lib/active_directory/user.rb', line 57
def groups
  # memberOf lists direct group DNs only; the primary group (primaryGroupID) is not included
  @groups ||= memberOf.collect { |dn| Group.find_by_distinguishedName(dn) }
end
#locked? ⇒ Boolean
Returns true if this account has been locked out (usually because of too many invalid authentication attempts).
Locked accounts can be unlocked with the User#unlock! method.
# File 'lib/active_directory/user.rb', line 76
def locked?
  # lockoutTime is a FILETIME; absent or 0 means not locked. AD does not
  # clear it when lockoutDuration lapses, only on the next successful logon,
  # so a non-zero value can outlive the actual lockout
  !lockoutTime.nil? && lockoutTime.to_i != 0
end
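Because Active Directory only resets lockoutTime on the next successful logon, locked? can report an account as locked after the domain's lockout duration has already elapsed. The following added example (not code from the active_directory gem) computes the effective state from the lockoutTime attribute (a FILETIME string, 100-ns intervals since 1601) and the domain's lockoutDuration (a negative 100-ns interval, with the minimum 64-bit value meaning "until an administrator unlocks"); the sample values are constructed.

```ruby
# 100-ns intervals between 1601-01-01 and 1970-01-01 (FILETIME to Unix epoch offset)
FILETIME_UNIX_OFFSET = 116_444_736_000_000_000
# lockoutDuration value AD uses for "locked until an administrator unlocks"
LOCKOUT_FOREVER = -(2**63)

# Convert a FILETIME (String or Integer, as returned over LDAP) to a UTC Time
def filetime_to_time(filetime)
  Time.at((filetime.to_i - FILETIME_UNIX_OFFSET) / 10_000_000).utc
end

# Returns nil if the account is not locked (lockoutTime absent or 0),
# :forever if the domain never auto-unlocks, otherwise the Time at which
# the lockout lapses
def lockout_expires_at(lockout_time, lockout_duration)
  return nil if lockout_time.nil? || lockout_time.to_i == 0
  duration = lockout_duration.to_i
  return :forever if duration <= LOCKOUT_FOREVER
  # lockoutDuration is negative; its magnitude is the duration in 100-ns units
  filetime_to_time(lockout_time) + (duration.abs / 10_000_000)
end

# The check a login path should use instead of a bare lockoutTime != 0 test
def effectively_locked?(lockout_time, lockout_duration, now = Time.now)
  expires = lockout_expires_at(lockout_time, lockout_duration)
  return false if expires.nil?
  return true if expires == :forever
  now < expires
end

# Constructed sample: locked out at 2024-01-01 00:00:00 UTC on a domain
# with a 30-minute lockoutDuration (-18_000_000_000 in 100-ns units)
SAMPLE_LOCKOUT_TIME     = "133485408000000000"
SAMPLE_LOCKOUT_DURATION = "-18000000000"
```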
#manager ⇒ Object
Return the User’s manager (another User object), depending on what is stored in the manager attribute.
Returns nil if the schema does not include the manager attribute or if no manager has been configured.
# File 'lib/active_directory/user.rb', line 46
def manager
  return nil if @entry.manager.nil?
  User.find_by_distinguishedName(@entry.manager.to_s)
end
#unlock! ⇒ Object
Unlocks this account.
# File 'lib/active_directory/user.rb', line 138
def unlock!
  # Writing 0 to lockoutTime is how AD represents "not locked out"
  @@ldap.replace_attribute(distinguishedName, :lockoutTime, ['0'])
end