Class: SimpleLdapAuthenticator

Inherits:

Object

• Object
• SimpleLdapAuthenticator

Defined in:

lib/simple_ldap_authenticator.rb

Overview

Allows for easily authenticating users via LDAP (or LDAPS). If authenticating via LDAP to a server running on localhost, you should only have to configure the login_format.

Can be configured using the following accessors (with examples):

• login_format = ‘%s@domain.com’ # Active Directory, OR

• login_format = ‘cn=%s,cn=users,o=organization,c=us’ # Other LDAP servers

• servers = [‘dc1.domain.com’, ‘dc2.domain.com’] # names/addresses of LDAP servers to use

• use_ssl = true # for logging in via LDAPS

• port = 3289 # instead of 389 for LDAP or 636 for LDAPS

• logger = RAILS_DEFAULT_LOGGER # for logging authentication successes/failures

The class is used as a global variable, you are not supposed to create an instance of it. For example:

require 'simple_ldap_authenticator'
SimpleLdapAuthenticator.servers = %w'dc1.domain.com dc2.domain.com'
SimpleLdapAuthenticator.use_ssl = true
SimpleLdapAuthenticator.login_format = '%s@domain.com'
SimpleLdapAuthenticator.logger = RAILS_DEFAULT_LOGGER
class LoginController < ApplicationController 
  def login
    return redirect_to(:action=>'try_again') unless SimpleLdapAuthenticator.valid?(params[:username], params[:password])
    session[:username] = params[:username]
  end
end

Class Attribute Summary

• .connection ⇒ Object

  The connection to the LDAP server.

• .ldap_library ⇒ Object

  Returns the value of attribute ldap_library.

• .logger ⇒ Object

  Returns the value of attribute logger.

• .login_format ⇒ Object

  Returns the value of attribute login_format.

• .port ⇒ Object

  The port to use.

• .servers ⇒ Object

  Returns the value of attribute servers.

• .use_ssl ⇒ Object

  Returns the value of attribute use_ssl.

Class Method Summary

• .load_ldap_library ⇒ Object

  Load the required LDAP library, either ‘ldap’ or ‘net/ldap’.

• .server ⇒ Object

  The next LDAP server to which to connect.

• .switch_server ⇒ Object

  Disconnect from current LDAP server and use a different LDAP server on the next authentication attempt.

• .valid?(login, password) ⇒ Boolean

  Check the validity of a login/password combination.

Class Attribute Details

.connection ⇒ Object

The connection to the LDAP server. A single connection is made and the connection is only changed if a server returns an error other than invalid password.

# File 'lib/simple_ldap_authenticator.rb', line 71

def connection
  @connection
end

.ldap_library ⇒ Object

Returns the value of attribute ldap_library.

# File 'lib/simple_ldap_authenticator.rb', line 38

def ldap_library
  @ldap_library
end

.logger ⇒ Object

Returns the value of attribute logger.

# File 'lib/simple_ldap_authenticator.rb', line 38

def logger
  @logger
end

.login_format ⇒ Object

Returns the value of attribute login_format.

# File 'lib/simple_ldap_authenticator.rb', line 38

def login_format
  @login_format
end

.port ⇒ Object

The port to use. Defaults to 389 for LDAP and 636 for LDAPS.

# File 'lib/simple_ldap_authenticator.rb', line 82

def port
  @port
end

.servers ⇒ Object

Returns the value of attribute servers.

# File 'lib/simple_ldap_authenticator.rb', line 38

def servers
  @servers
end

.use_ssl ⇒ Object

Returns the value of attribute use_ssl.

# File 'lib/simple_ldap_authenticator.rb', line 38

def use_ssl
  @use_ssl
end

Class Method Details

.load_ldap_library ⇒ Object

Load the required LDAP library, either ‘ldap’ or ‘net/ldap’

# File 'lib/simple_ldap_authenticator.rb', line 41

def load_ldap_library
  return if @ldap_library_loaded
  if ldap_library
    if ldap_library == 'net/ldap'
      require 'net/ldap'
    else
      require 'ldap'
      require 'ldap/control'
    end
  else
    begin
      require 'ldap'
      require 'ldap/control'
      ldap_library = 'ldap'
    rescue LoadError
      require 'net/ldap'
      ldap_library = 'net/ldap'
    end
  end
  @ldap_library_loaded = true
end

.server ⇒ Object

The next LDAP server to which to connect

# File 'lib/simple_ldap_authenticator.rb', line 64

def server
  servers[0]
end

.switch_server ⇒ Object

Disconnect from current LDAP server and use a different LDAP server on the next authentication attempt

# File 'lib/simple_ldap_authenticator.rb', line 88

def switch_server
  self.connection = nil
  servers << servers.shift
end

.valid?(login, password) ⇒ Boolean

Check the validity of a login/password combination

# File 'lib/simple_ldap_authenticator.rb', line 94

def valid?(login, password)
  if password.to_s == ''
    false
  elsif ldap_library == 'net/ldap'
    connection.authenticate(login_format % login.to_s, password.to_s)
    begin
      if connection.bind
          logger.info("Authenticated #{login.to_s} by #{server}") if logger
          true
        else
          logger.info("Error attempting to authenticate #{login.to_s} by #{server}: #{connection.get_operation_result.code} #{connection.get_operation_result.message}") if logger
          switch_server unless connection.get_operation_result.code == 49
          false
        end
    rescue Net::LDAP::LdapError => error
      logger.info("Error attempting to authenticate #{login.to_s} by #{server}: #{error.message}") if logger
      switch_server
      false
    end
  else
    connection.unbind if connection.bound?
    begin
      connection.bind(login_format % login.to_s, password.to_s)
      connection.unbind
      logger.info("Authenticated #{login.to_s} by #{server}") if logger
      true
    rescue LDAP::ResultError => error
      connection.unbind if connection.bound?
      logger.info("Error attempting to authenticate #{login.to_s} by #{server}: #{error.message}") if logger
      switch_server unless error.message == 'Invalid credentials'
      false
    end
  end
end