Class: ActiveDirectory::User
- Includes: Member
- Defined in: lib/active_directory/user.rb
Constant Summary
- UAC_ACCOUNT_DISABLED = 0x0002
- UAC_NORMAL_ACCOUNT = 512 # 0x0200
Constants inherited from Base
Class Method Summary
- .filter ⇒ Object
  :nodoc:
- .required_attributes ⇒ Object
  :nodoc:
Instance Method Summary
- #authenticate(password) ⇒ Object
  Try to authenticate the current User against Active Directory using the supplied password.
- #can_login? ⇒ Boolean
  Returns true if the user should be able to log in with a correct password (essentially, their account is not disabled or locked out).
- #change_password(new_password, force_change = false) ⇒ Object
  Change the password for this account.
- #direct_reports ⇒ Object
  Returns an array of User objects that have this User as their manager.
- #disabled? ⇒ Boolean
  Returns true if this account has been disabled.
- #groups ⇒ Object
  Returns an array of Group objects that this User belongs to.
- #locked? ⇒ Boolean
  Returns true if this account has been locked out (usually because of too many invalid authentication attempts).
- #manager ⇒ Object
  Return the User’s manager (another User object), depending on what is stored in the manager attribute.
- #unlock! ⇒ Object
  Unlocks this account.
Methods included from Member
Methods inherited from Base
#==, cache?, #changed?, class_name, clear_cache, connected?, create, decode_field, #destroy, disable_cache, enable_cache, encode_field, error, error?, error_code, exists?, find, find_all, find_cached_results, find_first, #get_attr, get_field_type, #initialize, make_filter, make_filter_from_hash, #method_missing, method_missing, #move, #new_record?, parse_finder_spec, #reload, #save, #set_attr, setup, #to_ary, #update_attribute, #update_attributes, #valid_attribute?
Constructor Details
This class inherits a constructor from ActiveDirectory::Base
Dynamic Method Handling
This class handles dynamic methods through the method_missing method in the class ActiveDirectory::Base
Class Method Details
.filter ⇒ Object
:nodoc:
# File 'lib/active_directory/user.rb', line 28
def self.filter # :nodoc:
  Net::LDAP::Filter.eq(:objectClass, 'user') & ~Net::LDAP::Filter.eq(:objectClass, 'computer')
end
.required_attributes ⇒ Object
:nodoc:
# File 'lib/active_directory/user.rb', line 32
def self.required_attributes #:nodoc:
  { :objectClass => ['top', 'organizationalPerson', 'person', 'user'] }
end
Instance Method Details
#authenticate(password) ⇒ Object
Try to authenticate the current User against Active Directory using the supplied password. Returns false upon failure.
Authentication can fail for a variety of reasons, primarily:
- The password is wrong
- The account is locked
- The account is disabled
User#locked? and User#disabled? can be used to identify the latter two cases; if the account is enabled and unlocked, the password is probably invalid.
# File 'lib/active_directory/user.rb', line 50
def authenticate(password)
  return false if password.to_s.empty?

  # bind_as returns false when the bind fails; that result is the method's return value
  auth_ldap = @@ldap.dup.bind_as(
    :filter => "(sAMAccountName=#{sAMAccountName})",
    :password => password
  )
end
#can_login? ⇒ Boolean
Returns true if the user should be able to log in with a correct password (essentially, their account is not disabled or locked out).
# File 'lib/active_directory/user.rb', line 112
def can_login?
  !disabled? && !locked?
end
#change_password(new_password, force_change = false) ⇒ Object
Change the password for this account.
This operation requires that the bind user specified in Base.setup have heightened privileges. It also requires an SSL connection.
If the force_change argument is passed as true, the password will be marked as ‘expired’, forcing the user to change it the next time they successfully log into the domain.
# File 'lib/active_directory/user.rb', line 127
def change_password(new_password, force_change = false)
  settings = @@settings.dup.merge({
    :port => 636,
    :encryption => { :method => :simple_tls }
  })

  ldap = Net::LDAP.new(settings)

  ldap.modify(
    :dn => distinguishedName,
    :operations => [
      [ :replace, :lockoutTime, [ '0' ] ],
      [ :replace, :unicodePwd, [ FieldType::Password.encode(new_password) ] ],
      [ :replace, :userAccountControl, [ UAC_NORMAL_ACCOUNT.to_s ] ],
      [ :replace, :pwdLastSet, [ (force_change ? '0' : '-1') ] ]
    ]
  )
end
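The following is an added example, not code from the active_directory gem, showing how the modify request behind change_password is assembled. encode_unicode_pwd reproduces what Active Directory requires of unicodePwd (the new password wrapped in double quotes, encoded as UTF-16LE; the directory only accepts it over an encrypted connection, which is why the method above binds with simple_tls on port 636). password_change_ops builds the :operations array for Net::LDAP#modify. It differs from the gem in one respect worth knowing: the gem replaces userAccountControl with UAC_NORMAL_ACCOUNT outright, which clears every other flag, including the disabled bit, so changing the password of a disabled account also re-enables it. The example instead takes the account's current userAccountControl, preserves its other flags, and clears the disabled bit only when asked. Function names, the current_uac and reenable parameters, and UAC_DONT_EXPIRE_PASSWD (a standard AD flag used here only as sample input) are this example's own, not part of the gem's API.

```ruby
# Added example (not the active_directory gem's code): assembling the
# password-change modify operations for Net::LDAP#modify.

UAC_ACCOUNT_DISABLED   = 0x0002   # values from the gem
UAC_NORMAL_ACCOUNT     = 0x0200
UAC_DONT_EXPIRE_PASSWD = 0x10000  # standard AD flag, used here as sample input only

# Active Directory accepts a new password in the unicodePwd attribute only as
# the quoted password encoded in UTF-16LE (and only over an encrypted connection).
def encode_unicode_pwd(password)
  "\"#{password}\"".encode('UTF-16LE').b
end

# Builds the :operations array. current_uac is the account's present
# userAccountControl (Integer or String as read from the directory).
# Other flags in it are kept; the disabled bit is cleared only if reenable is true.
def password_change_ops(new_password, current_uac, force_change: false, reenable: false)
  uac = current_uac.to_i | UAC_NORMAL_ACCOUNT
  uac &= ~UAC_ACCOUNT_DISABLED if reenable
  [
    [:replace, :lockoutTime,        ['0']],                              # clear any lockout
    [:replace, :unicodePwd,         [encode_unicode_pwd(new_password)]], # the new password
    [:replace, :userAccountControl, [uac.to_s]],                         # flags, preserved
    [:replace, :pwdLastSet,         [force_change ? '0' : '-1']]         # 0 = must change at next logon
  ]
end

# Helper for inspection: the userAccountControl value an operation list writes.
def uac_written(ops)
  ops.find { |op| op[1] == :userAccountControl }[2].first
end

if __FILE__ == $0
  # Constructed sample: a disabled account (512 | 2 = 514), password changed
  # without re-enabling it. Pass reenable: true to clear the disabled bit.
  ops = password_change_ops('N3w-Passw0rd', 514, force_change: true)
  ops.each { |op| puts op.inspect }
  puts "userAccountControl written: #{uac_written(ops)}"
end
```

With the gem's own method the same account would end up with userAccountControl 512, i.e. enabled; with the example it stays 514 unless reenable is requested, which keeps a password reset from silently widening what the account can do.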
#direct_reports ⇒ Object
Returns an array of User objects that have this User as their manager.
# File 'lib/active_directory/user.rb', line 85
def direct_reports
  return [] if @entry.directReports.nil?
  @direct_reports ||= User.find(:all, @entry.directReports)
end
#disabled? ⇒ Boolean
Returns true if this account has been disabled.
# File 'lib/active_directory/user.rb', line 103
def disabled?
  userAccountControl.to_i & UAC_ACCOUNT_DISABLED != 0
end
#groups ⇒ Object
Returns an array of Group objects that this User belongs to. Only the immediate parent groups are returned, so if the user Sally is in a group called Sales, and Sales is in a group called Marketing, this method would only return the Sales group.
# File 'lib/active_directory/user.rb', line 77
def groups
  @groups ||= Group.find(:all, :distinguishedname => @entry.memberOf)
end
#locked? ⇒ Boolean
Returns true if this account has been locked out (usually because of too many invalid authentication attempts).
Locked accounts can be unlocked with the User#unlock! method.
# File 'lib/active_directory/user.rb', line 96
def locked?
  !lockoutTime.nil? && lockoutTime.to_i != 0
end
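The following is an added example, not code from the active_directory gem, covering the account-state checks behind #disabled?, #locked? and #can_login? and the failure classification described under #authenticate. It applies the same tests the gem does to raw attribute values (the disabled bit in userAccountControl; a non-zero lockoutTime) and adds one thing the gem does not: lockoutTime is a FILETIME that the domain controller does not reset when the lockout duration elapses, so an account whose lockoutTime is non-zero may already be able to log in again. locked? therefore also accepts the domain's lockout duration and the current time and treats an old lockoutTime as expired; without a duration it behaves exactly like the gem. classify_auth_failure is the sequence the #authenticate docs suggest after a failed bind: disabled, then locked, otherwise assume a wrong password. All function names, the lockout_duration_seconds and now parameters, and the sample entries are this example's own constructions.

```ruby
# Added example (not the active_directory gem's code): account-state checks
# on raw attribute values and classification of a failed authentication.

UAC_ACCOUNT_DISABLED = 0x0002   # values from the gem
UAC_NORMAL_ACCOUNT   = 0x0200

# 100-nanosecond ticks from the FILETIME epoch (1601-01-01) to 1970-01-01.
FILETIME_UNIX_OFFSET = 116_444_736_000_000_000

# Convert a Time (or Unix timestamp) to an AD FILETIME value.
def filetime(time)
  time.to_i * 10_000_000 + FILETIME_UNIX_OFFSET
end

# Same test as User#disabled?: the disabled bit is set in userAccountControl.
def disabled?(user_account_control)
  (user_account_control.to_i & UAC_ACCOUNT_DISABLED) != 0
end

# Same test as User#locked? when no duration is given (non-zero lockoutTime).
# With lockout_duration_seconds (an assumption of this example: the domain's
# lockout duration) a lockout older than that is treated as expired, since the
# directory does not zero lockoutTime on its own.
def locked?(lockout_time, lockout_duration_seconds: nil, now: Time.now)
  return false if lockout_time.nil? || lockout_time.to_i == 0
  return true if lockout_duration_seconds.nil?
  filetime(now) - lockout_time.to_i < lockout_duration_seconds * 10_000_000
end

# Mirrors User#can_login? over a plain attribute hash.
def can_login?(entry, **opts)
  !disabled?(entry[:userAccountControl]) && !locked?(entry[:lockoutTime], **opts)
end

# After a failed bind, separate the two account-state causes listed in the
# #authenticate docs from the remaining case (wrong password).
def classify_auth_failure(entry, **opts)
  return :disabled if disabled?(entry[:userAccountControl])
  return :locked   if locked?(entry[:lockoutTime], **opts)
  :wrong_password
end

# Constructed sample entries; keys mirror AD attribute names, values are as
# the gem would read them (userAccountControl as Integer, lockoutTime as String).
NOW = Time.utc(2024, 1, 1, 12, 0, 0)
SAMPLE_ENTRIES = {
  normal:       { userAccountControl: UAC_NORMAL_ACCOUNT, lockoutTime: '0' },
  disabled:     { userAccountControl: UAC_NORMAL_ACCOUNT | UAC_ACCOUNT_DISABLED, lockoutTime: '0' },
  locked:       { userAccountControl: UAC_NORMAL_ACCOUNT, lockoutTime: filetime(NOW - 600).to_s },   # 10 min ago
  expired_lock: { userAccountControl: UAC_NORMAL_ACCOUNT, lockoutTime: filetime(NOW - 7200).to_s }   # 2 h ago
}

if __FILE__ == $0
  opts = { lockout_duration_seconds: 1800, now: NOW }   # 30-minute lockout policy
  SAMPLE_ENTRIES.each do |name, entry|
    puts "#{name}: can_login=#{can_login?(entry, **opts)} " \
         "if_bind_failed=#{classify_auth_failure(entry, **opts)}"
  end
end
```

Note that the gem's own locked? reports the expired_lock entry as locked (lockoutTime is still non-zero), which is the safe direction for a status display but would misclassify a wrong password as a lockout; the duration-aware check resolves that when the domain's lockout policy is known.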
#manager ⇒ Object
Return the User’s manager (another User object), depending on what is stored in the manager attribute.
Returns nil if the schema does not include the manager attribute or if no manager has been configured.
# File 'lib/active_directory/user.rb', line 66
def manager
  return nil if @entry.manager.nil?
  User.find_by_distinguishedName(@entry.manager.to_s)
end
#unlock! ⇒ Object
Unlocks this account.
# File 'lib/active_directory/user.rb', line 148
def unlock!
  @@ldap.replace_attribute(distinguishedName, :lockoutTime, ['0'])
end