Class: SimpleLdapAuthenticator

Inherits:

Object

• Object
• SimpleLdapAuthenticator

Defined in:

lib/simple_ldap_authenticator.rb

Overview

Allows for easily authenticating users via LDAP (or LDAPS). If authenticating via LDAP to a server running on localhost, you should only have to configure the login_format.

Can be configured using the following accessors (with examples):

• login_format = ‘%s@domain.com’ # Active Directory, OR

• login_format = ‘cn=%s,cn=users,o=organization,c=us’ # Other LDAP servers

• servers = [‘dc1.domain.com’, ‘dc2.domain.com’] # names/addresses of LDAP servers to use

• use_ssl = true # for logging in via LDAPS

• port = 3289 # instead of 389 for LDAP or 636 for LDAPS

• logger = Logger.new($stdout) # for logging authentication successes/failures

The class is used as a singleton, you are not supposed to create an instance of it. For example:

require 'simple_ldap_authenticator'

SimpleLdapAuthenticator.servers = %w'dc1.domain.com dc2.domain.com'
SimpleLdapAuthenticator.use_ssl = true
SimpleLdapAuthenticator.login_format = '%s@domain.com'

SimpleLdapAuthenticator.valid?(username, password)
# => true or false (or raise if there is an issue connecting to the server)

Class Attribute Summary

• .connection ⇒ Object

  The connection to the LDAP server.

• .ldap_library ⇒ Object

  Returns the value of attribute ldap_library.

• .logger ⇒ Object

  Returns the value of attribute logger.

• .login_format ⇒ Object

  Returns the value of attribute login_format.

• .port ⇒ Object

  The port to use.

• .servers ⇒ Object

  Returns the value of attribute servers.

• .use_ssl ⇒ Object

  Returns the value of attribute use_ssl.

Class Method Summary

• .load_ldap_library ⇒ Object

  Load the required LDAP library, either ‘ldap’ or ‘net/ldap’.

• .server ⇒ Object

  The next LDAP server to which to connect.

• .switch_server ⇒ Object

  Disconnect from current LDAP server and use a different LDAP server on the next authentication attempt.

• .valid?(login, password) ⇒ Boolean

  Check the validity of a login/password combination.

Class Attribute Details

.connection ⇒ Object

The connection to the LDAP server. A single connection is made and the connection is only changed if a server returns an error other than invalid password.

# File 'lib/simple_ldap_authenticator.rb', line 70

def connection
  return @connection if @connection
  load_ldap_library
  @connection = if ldap_library == 'net/ldap'
    Net::LDAP.new(:host=>server, :port=>(port), :encryption=>(:simple_tls if use_ssl))
  else
    (use_ssl ? LDAP::SSLConn : LDAP::Conn).new(server, port)
  end
end

.ldap_library ⇒ Object

Returns the value of attribute ldap_library.

# File 'lib/simple_ldap_authenticator.rb', line 36

def ldap_library
  @ldap_library
end

.logger ⇒ Object

Returns the value of attribute logger.

# File 'lib/simple_ldap_authenticator.rb', line 36

def logger
  @logger
end

.login_format ⇒ Object

Returns the value of attribute login_format.

# File 'lib/simple_ldap_authenticator.rb', line 36

def login_format
  @login_format
end

.port ⇒ Object

The port to use. Defaults to 389 for LDAP and 636 for LDAPS.

# File 'lib/simple_ldap_authenticator.rb', line 81

def port
  @port ||= use_ssl ? 636 : 389
end

.servers ⇒ Object

Returns the value of attribute servers.

# File 'lib/simple_ldap_authenticator.rb', line 36

def servers
  @servers
end

.use_ssl ⇒ Object

Returns the value of attribute use_ssl.

# File 'lib/simple_ldap_authenticator.rb', line 36

def use_ssl
  @use_ssl
end

Class Method Details

.load_ldap_library ⇒ Object

Load the required LDAP library, either ‘ldap’ or ‘net/ldap’

# File 'lib/simple_ldap_authenticator.rb', line 40

def load_ldap_library
  return if @ldap_library_loaded
  if @ldap_library
    if @ldap_library == 'net/ldap'
      require 'net/ldap'
    else
      require 'ldap'
      require 'ldap/control'
    end
  else
    begin
      require 'ldap'
      require 'ldap/control'
      @ldap_library = 'ldap'
    rescue LoadError
      require 'net/ldap'
      @ldap_library = 'net/ldap'
    end
  end
  @ldap_library_loaded = true
end

.server ⇒ Object

The next LDAP server to which to connect

# File 'lib/simple_ldap_authenticator.rb', line 63

def server
  servers[0]
end

.switch_server ⇒ Object

Disconnect from current LDAP server and use a different LDAP server on the next authentication attempt

# File 'lib/simple_ldap_authenticator.rb', line 87

def switch_server
  self.connection = nil
  servers << servers.shift
end

.valid?(login, password) ⇒ Boolean

Check the validity of a login/password combination

Returns:

• (Boolean)

# File 'lib/simple_ldap_authenticator.rb', line 93

def valid?(login, password)
  login = login.to_s
  password = password.to_s
  connection = self.connection
  if password == '' || password.include?("\0") || login.include?("\0")
    false
  elsif ldap_library == 'net/ldap'
    connection.authenticate(login_format % login, password)
    begin
      if connection.bind
        logger.info("Authenticated #{login} by #{server}") if logger
        true
      else
        logger.info("Error attempting to authenticate #{login} by #{server}: #{connection.get_operation_result.code} #{connection.get_operation_result.message}") if logger
        switch_server unless connection.get_operation_result.code == 49
        false
      end
    rescue Net::LDAP::Error, SocketError, SystemCallError => error
      logger.info("Error attempting to authenticate #{login} by #{server}: #{error.message}") if logger
      switch_server
      false
    end
  else
    connection.unbind if connection.bound?
    begin
      connection.bind(login_format % login, password)
      connection.unbind
      logger.info("Authenticated #{login} by #{server}") if logger
      true
    rescue LDAP::ResultError => error
      connection.unbind if connection.bound?
      logger.info("Error attempting to authenticate #{login} by #{server}: #{error.message}") if logger
      switch_server unless error.message == 'Invalid credentials'
      false
    end
  end
end