LDAP through Ruby or Rails


Question

I've been attempting to hook a Rails application up to ActiveDirectory. I'll be synchronizing data about users between AD and a database, currently MySQL (but may turn into SQL Server or PostgreSQL).

I've checked out activedirectory-ruby, and it looks really buggy (for a 1.0 release!?). It wraps Net::LDAP, so I tried using that instead, but it's really close to the actual syntax of LDAP, and I enjoyed the abstraction of ActiveDirectory-Ruby because of its ActiveRecord-like syntax.

Is there an elegant ORM-type tool for a directory server? Better yet, if there were some kind of scaffolding tool for LDAP (CRUD for users, groups, organizational units, and so on). Then I could quickly integrate that with my existing authentication code through Authlogic, and keep all of the data synchronized.

Recommended answer

Here is sample code I use with the net-ldap gem to verify user logins from the ActiveDirectory server at my work:

require 'net/ldap' # gem install net-ldap

def name_for_login( email, password )
  email = email[/\A\w+/].downcase  # Throw out the domain, if it was there
  email << "@mycompany.com"        # I only check people in my company
  ldap = Net::LDAP.new(
    host: 'ldap.mycompany.com',    # Thankfully this is a standard name
    # Net::LDAP reads the bind identity from the :username key
    auth: { method: :simple, username: email, password: password }
  )
  if ldap.bind
    # Yay, the login credentials were valid!
    # Get the user's full name and return it
    ldap.search(
      base:         "OU=Users,OU=Accounts,DC=mycompany,DC=com",
      filter:       Net::LDAP::Filter.eq( "mail", email ),
      attributes:   %w[ displayName ],
      return_result:true
    ).first.displayName.first
  end
end

The first.displayName.first code at the end looks a little goofy, and so might benefit from some explanation:

  • Net::LDAP#search always returns an array of results, even if you end up matching only one entry. The first call to first finds the first (and presumably only) entry that matched the email address.

  • The Net::LDAP::Entry instance returned by the search conveniently lets you access attributes via method name, so some_entry.displayName is the same as some_entry['displayName'].

  • Every attribute in a Net::LDAP::Entry is always an array of values, even when only one value is present. Although it might be silly to have a user with multiple "displayName" values, LDAP's generic nature means that it's possible. The final first invocation turns the array-of-one-string into just the string for the user's full name.
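
A hardened variant of the login check above, as an added example that is not part of the original answer: it rejects empty passwords (which some directory servers accept as an unauthenticated bind), connects over LDAPS with certificate verification, and returns nil instead of raising when the search yields no entry. The names checked_name_for_login, connect: and LenientDirectory are hypothetical, and LDAPS on port 636 is an assumption about the server.

```ruby
# Added example, not the answer's code. The connect: parameter and
# LenientDirectory are hypothetical; LDAPS on port 636 is an assumption.
LOGIN_DOMAIN = 'mycompany.com'
SEARCH_BASE  = 'OU=Users,OU=Accounts,DC=mycompany,DC=com'

# Real connector: net-ldap over verified TLS, loaded only when called.
NET_LDAP_CONNECT = lambda do |user, password|
  require 'net/ldap' # gem install net-ldap
  Net::LDAP.new(
    host: "ldap.#{LOGIN_DOMAIN}", port: 636,
    encryption: { method: :simple_tls,
                  tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS },
    auth: { method: :simple, username: user, password: password }
  )
end

# Returns the displayName string, or nil for any rejected or unusable login.
def checked_name_for_login(email, password, connect: NET_LDAP_CONNECT)
  # An empty password makes a simple bind "unauthenticated" (RFC 4513,
  # section 5.1.2); some servers report that as a successful bind.
  return nil if password.to_s.empty?
  # \w+ keeps LDAP filter metacharacters out of the string filter below.
  local = email.to_s[/\A\w+/] or return nil
  user  = "#{local.downcase}@#{LOGIN_DOMAIN}"

  ldap = connect.call(user, password)
  return nil unless ldap.bind

  entries = ldap.search(base: SEARCH_BASE, filter: "(mail=#{user})",
                        attributes: %w[displayName], return_result: true)
  entry  = entries && entries.first       # nil on error, [] on no match
  values = entry && entry['displayName']  # always an array of values
  values && values.first
end

# Constructed stand-in for a server that accepts empty-password binds.
class LenientDirectory
  PEOPLE = { 'jdoe@mycompany.com' => ['correct horse', ['Jane Doe']] }.freeze
  def initialize(user, password)
    @user, @password = user, password
  end
  def bind
    @password.empty? || PEOPLE.fetch(@user, [nil]).first == @password
  end
  def search(**_opts)
    PEOPLE.key?(@user) ? [{ 'displayName' => PEOPLE[@user].last }] : []
  end
end
FAKE_CONNECT = ->(user, password) { LenientDirectory.new(user, password) }
```

Passing connect: FAKE_CONNECT exercises the checks without a directory server; omit it to bind against the real host.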
