Class: ActiveDirectory::User

Inherits:
Base
  • Object
Includes:
Member
Defined in:
lib/active_directory/user.rb

Constant Summary

UAC_ACCOUNT_DISABLED =
0x0002
UAC_NORMAL_ACCOUNT =
0x0200 (512)

Constants inherited from Base

Base::NIL_FILTER

Class Method Summary

Instance Method Summary

Methods included from Member

#join, #member_of?, #unjoin

Methods inherited from Base

#==, cache?, #changed?, class_name, clear_cache, connected?, create, decode_field, #destroy, disable_cache, enable_cache, encode_field, error, error?, error_code, exists?, find, find_all, find_cached_results, find_first, #get_attr, get_field_type, #initialize, make_filter, make_filter_from_hash, #method_missing, method_missing, #move, #new_record?, parse_finder_spec, #reload, #save, #set_attr, setup, #to_ary, #update_attribute, #update_attributes, #valid_attribute?

Constructor Details

This class inherits a constructor from ActiveDirectory::Base

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class ActiveDirectory::Base

Class Method Details

.filter ⇒ Object

:nodoc:



# File 'lib/active_directory/user.rb', line 28

# Base LDAP filter used for every User lookup: entries with
# objectClass=user that are not also computer accounts (in AD, computer
# objects carry objectClass=user as well, which is presumably why the
# exclusion is needed).
def self.filter # :nodoc:
	is_user     = Net::LDAP::Filter.eq(:objectClass, 'user')
	is_computer = Net::LDAP::Filter.eq(:objectClass, 'computer')
	is_user & ~is_computer
end

.required_attributes ⇒ Object

:nodoc:



# File 'lib/active_directory/user.rb', line 32

# Attributes every new User entry must carry: the objectClass chain for an
# AD user object, in the order the directory expects it.
def self.required_attributes #:nodoc:
	object_classes = %w[top organizationalPerson person user]
	{ :objectClass => object_classes }
end

Instance Method Details

#authenticate(password) ⇒ Object

Try to authenticate the current User against Active Directory using the supplied password. Returns false upon failure.

Authenticate can fail for a variety of reasons, primarily:

  • The password is wrong

  • The account is locked

  • The account is disabled

User#locked? and User#disabled? can be used to identify the latter two cases, and if the account is enabled and unlocked, the password is probably invalid.



# File 'lib/active_directory/user.rb', line 50

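# Try to authenticate this User against Active Directory with +password+.
#
# Performs a bind-as on a copy of the shared connection so the shared bind
# is left untouched. Returns the value of Net::LDAP#bind_as: truthy (the
# matched entry/entries) on success, false on failure.
#
# @param password [String] the candidate password
# @return [Object, false] truthy on success, false otherwise
def authenticate(password)
	# Never forward an empty password: a simple bind with an empty credential
	# is an *unauthenticated* bind, which LDAP servers (AD included) accept,
	# so without this guard any account could "authenticate" with "".
	return false if password.to_s.empty?

	# Escape the account name (RFC 4515) before interpolating it into the
	# search filter so filter metacharacters in a name cannot widen the match.
	account = Net::LDAP::Filter.escape(sAMAccountName.to_s)
	@@ldap.dup.bind_as(
		:filter => "(sAMAccountName=#{account})",
		:password => password
	)
end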

#can_login? ⇒ Boolean

Returns true if the user should be able to log in with a correct password (essentially, their account is not disabled or locked out).

Returns:

  • (Boolean)


# File 'lib/active_directory/user.rb', line 112

# True when neither the disabled flag nor a lockout blocks a logon; a
# correct password is still required, this only reports account state.
# @return [Boolean]
def can_login?
	return false if disabled?
	!locked?
end

#change_password(new_password, force_change = false) ⇒ Object

Change the password for this account.

This operation requires that the bind user specified in Base.setup have heightened privileges. It also requires an SSL connection.

If the force_change argument is passed as true, the password will be marked as ‘expired’, forcing the user to change it the next time they successfully log into the domain.



# File 'lib/active_directory/user.rb', line 127

# Replace this account's password over a dedicated SSL connection.
#
# Opens a fresh Net::LDAP connection built from the shared settings forced
# to port 636 with :simple_tls, then issues one modify carrying four
# replace operations: lockoutTime => 0 (unlocks the account as a side
# effect), unicodePwd => the encoded new password, userAccountControl =>
# UAC_NORMAL_ACCOUNT (this replaces the whole value, so every other UAC
# flag -- UAC_ACCOUNT_DISABLED included -- is cleared; a disabled account
# comes back enabled), and pwdLastSet => 0 (expired, when +force_change+)
# or -1.
#
# NOTE(review): whether the server certificate is verified under
# :simple_tls depends on the net-ldap version and on :tls_options; nothing
# here sets either -- confirm against the gem in use.
#
# @param new_password [String] the plaintext new password
# @param force_change [Boolean] mark the password expired so the user must
#   change it at next logon
# @return the value returned by Net::LDAP#modify
def change_password(new_password, force_change = false)
	ssl_settings = @@settings.dup.merge(
		:port => 636,
		:encryption => { :method => :simple_tls }
	)
	pwd_last_set = force_change ? '0' : '-1'
	operations = [
		[ :replace, :lockoutTime,        [ '0' ] ],
		[ :replace, :unicodePwd,         [ FieldType::Password.encode(new_password) ] ],
		[ :replace, :userAccountControl, [ UAC_NORMAL_ACCOUNT.to_s ] ],
		[ :replace, :pwdLastSet,         [ pwd_last_set ] ]
	]

	Net::LDAP.new(ssl_settings).modify(:dn => distinguishedName, :operations => operations)
end

#direct_reports ⇒ Object

Returns an array of User objects that have this User as their manager.



# File 'lib/active_directory/user.rb', line 85

# Users whose manager attribute points at this entry, looked up from this
# entry's directReports values and memoized after the first call.
# @return [Array<User>] empty when the entry has no directReports
def direct_reports
	report_dns = @entry.directReports
	return [] if report_dns.nil?

	@direct_reports ||= User.find(:all, report_dns)
end

#disabled? ⇒ Boolean

Returns true if this account has been disabled.

Returns:

  • (Boolean)


# File 'lib/active_directory/user.rb', line 103

# True when the ACCOUNTDISABLE bit (UAC_ACCOUNT_DISABLED) is set in
# userAccountControl. A nil/absent attribute reads as 0 and so as enabled.
# Note that in Ruby `&` binds tighter than `!=` (unlike C), so the
# unparenthesised form in the original was already correct.
# @return [Boolean]
def disabled?
	flags = userAccountControl.to_i
	(flags & UAC_ACCOUNT_DISABLED) != 0
end

#groups ⇒ Object

Returns an array of Group objects that this User belongs to. Only the immediate parent groups are returned, so if the user Sally is in a group called Sales, and Sales is in a group called Marketing, this method would only return the Sales group.



# File 'lib/active_directory/user.rb', line 77

# Immediate parent groups of this user, resolved from the entry's memberOf
# DNs and memoized; nested group membership is not expanded.
# @return [Array<Group>]
def groups
	return @groups if @groups

	@groups = Group.find(:all, :distinguishedname => @entry.memberOf)
end

#locked? ⇒ Boolean

Returns true if this account has been locked out (usually because of too many invalid authentication attempts).

Locked accounts can be unlocked with the User#unlock! method.

Returns:

  • (Boolean)


# File 'lib/active_directory/user.rb', line 96

# True when lockoutTime is present and non-zero.
# NOTE(review): lockoutTime records when the lockout happened and is not
# reset by the server once the lockout duration elapses, so this may report
# a lockout that is no longer enforced -- confirm against the domain policy.
# @return [Boolean]
def locked?
	lockout = lockoutTime
	return false if lockout.nil?

	lockout.to_i != 0
end

#manager ⇒ Object

Return the User’s manager (another User object), depending on what is stored in the manager attribute.

Returns nil if the schema does not include the manager attribute or if no manager has been configured.



# File 'lib/active_directory/user.rb', line 66

# The User named by this entry's manager attribute, or nil when the
# attribute is absent. Not memoized: each call performs a lookup.
# @return [User, nil]
def manager
	manager_dn = @entry.manager
	return nil if manager_dn.nil?

	User.find_by_distinguishedName(manager_dn.to_s)
end

#unlock! ⇒ Object

Unlocks this account.



# File 'lib/active_directory/user.rb', line 148

# Clear this account's lockoutTime through the shared bind connection.
# Presumably the bind user needs write access to the attribute -- confirm.
# @return the value returned by Net::LDAP#replace_attribute
def unlock!
	dn = distinguishedName
	@@ldap.replace_attribute(dn, :lockoutTime, [ '0' ])
end