Awesome, thank you for the advice, Matt!  I've pretty much got it
working.  I just moved all that stuff out of environment.rb and into
its own initializer.  I somehow missed the comment in there that
reads:

  # Application configuration should go into files in config/initializers
  # -- all .rb files in that directory are automatically loaded.

(Apologies in advance for the formatting)

In the user model I have:
  def self.authenticate(login, password)
    if SimpleLdapAuthenticator.valid?(login, password)
      # Look up the local record by the full e-mail style login
      u = find(:first, :conditions => ["#{@login_attribute} = ?", login + "@domain.com"])
      if u.nil?
        # First successful LDAP login: build a local record
        u = User.new
        u.email_address = login + "@domain.com"
        #u.name = # Hmmmmm!
      end

      if u.respond_to?(:last_login_at) || u.respond_to?(:login_count)
        u.last_login_at = Time.now if u.respond_to?(:last_login_at)
        u.login_count = (u.login_count.to_i + 1) if u.respond_to?(:login_count)
        u.save
      end
      u
    else
      nil
    end
  end

Now I'm trying to figure out how to get the user's name out of Active
Directory so I can stick it in their user model record.  I was
thinking I'd reuse SimpleLdapAuthenticator.connection to do a search,
but that's not working for me.

The search/query parameters I'm using work in the mmc snap-in, ADSI
Edit, so I know that's good.
I'm in a script/console now:

    >> conn = SimpleLdapAuthenticator.connection
    >> conn.bound?
    => false
    >> conn.bind("[email protected]","password")
    => <LDAP::Conn:0xb74e8a9c>
    >> conn.search("DC=mydomain,DC=com",LDAP::LDAP_SCOPE_SUBTREE,"(&(objectCategory=user)(userPrincipalName=bcorbin))")
    LDAP::ResultError: Operations error
           from (irb):3:in `search'
           from (irb):3
    >> conn.perror('')
    : Operations error (1)
            additional info: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

I haven't figured out yet why I don't have a successful bind, when it
looks like I do after the bind step.  Anyway, I am done for today, I
will start again on this problem on Monday.  I might try net/ldap
instead.  Anyway, thanks again for the very helpful hints!

Brian



On Dec 4, 3:30 pm, Matt Jones <[email protected]> wrote:
> On Dec 4, 2009, at 4:56 PM, Brian Corbin wrote:
>
> > I'm working on getting LDAP authentication into the hobo user model.
> > I'll create a recipe in the cookbook for it once I get it all
> > working.
>
> > I'm using the "simple_ldap_authenticator" gem.
>
> > I added the LDAP configuration settings to the top of environment.rb:
>
> Don't do this. Please don't do this. I spent a lot of time making
> config.gem work in 2.2 and 2.3 so you *didn't* have to do this. :)
>
> Ideally, you'll pull the gem in via "config.gem
> 'simple_ldap_authenticator'" (in the initializer block). Note that
> simple_ldap_authenticator already handles the "require 'ldap'" part.
>
> >   SimpleLdapAuthenticator.servers = [<my domain controllers>]
> >   SimpleLdapAuthenticator.use_ssl = false  # so far I can't get SSL to work yet
> >   SimpleLdapAuthenticator.port = 389
> >   SimpleLdapAuthenticator.login_format = '[email protected]'
>
> This should definitely go in an initializer. Note that the port
> doesn't need to be explicitly set if it's the standard (389 for non-
> SSL, 636 for SSL).
>
> > I was thinking I would override the .authenticate method of the user
> > model, but doing a def authenticate inside models/user.rb doesn't seem
> > to override the authenticate method that's defined in
> > /usr/lib/ruby/gems/1.8/gems/hobo-0.9.102/lib/hobo/user.rb.  So for now
> > I have to do my experimentation inside
> > /usr/lib/ruby/gems/1.8/gems/hobo-0.9.102/lib/hobo/user.rb.
>
> authenticate is a class method on User; you may have been thinking of
> the instance method "authenticated?(password)" which does the actual
> check on a User object.
>
> To override authenticate, you'll need to declare it as a class method:
>
> def self.authenticate(login, password)
> ...
> end
>
>
>
> > The authenticate method should check if the login/password combination
> > is valid using SimpleLdapAuthenticator.valid?(login, password).  If
> > it's valid, then find the user in the database and use it.  If the
> > user does not exist in the database, create the user record.
>
> > Something like this:
> >   def authenticate(login, password)
> >     if SimpleLdapAuthenticator.valid?(login, password)
> >       u = find(:first, :conditions => ["#{@login_attribute} = ?", login])
> >       # need to get the salt (actually, no I don't care about salt anymore,
> >       # I just want the record :)
> >       if u.nil?
> >         u = User.new  # Doesn't work
> >         u.email_address = login + "@domain.com"
> >       end
> >       u
> >     end
> >   end
>
> > User.new works in script/console, but not in this authenticate
> > method.  It's a Hobo::User, not a User here, and Hobo::User doesn't
> > have a new method.  Maybe I need @user_models.new or something?
>
> This is getting confused because you're inside the Hobo module here,
> so a bare constant starts looking for its definition there. ::User
> would be the way to refer to a toplevel user class.
>
> > So my questions for the gurus:
>
> > 0.  Is this even the correct approach?
>
> Looks reasonable, with the above changes. Although getting LDAP over
> SSL working with Active Directory looks painful, even by LDAP standards:
>
> http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl
>
> > 1.  How can I override/redefine the authenticate method of the user
> > model?
>
> See above...
>
> > 2.  How do I create a new user record in the database from the
> > authenticate method?
>
> I think things will be more straightforward once you're actually in
> the right module.
>
> Hope this helps!
>
> --Matt Jones
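
Added example, not part of either message and not code from Hobo or simple_ldap_authenticator: the authenticate method above hands the raw login to the bind, and the planned name lookup puts it into the search filter from the console session. The sketch escapes the filter value per RFC 4515 and refuses an empty password before binding (RFC 4513 calls that an unauthenticated bind). LdapLoginGuard, its methods and PERMISSIVE_BINDER are hypothetical names, and the binder is a constructed stand-in for the directory.

```ruby
# Added example; LdapLoginGuard and its method names are hypothetical.
# No LDAP library is needed: the bind is passed in as a callable.
module LdapLoginGuard
  # RFC 4515 section 3: these characters must be written as \XX in a filter value.
  FILTER_ESCAPES = {
    "\\" => '\5c', "*" => '\2a', "(" => '\28', ")" => '\29', "\0" => '\00'
  }.freeze

  def self.escape_filter_value(value)
    value.to_s.gsub(/[\\*()\x00]/) { |ch| FILTER_ESCAPES[ch] }
  end

  # Same filter shape as in the console session, with the login escaped.
  def self.user_filter(login)
    "(&(objectCategory=user)(userPrincipalName=#{escape_filter_value(login)}))"
  end

  # Decide whether a bind may be attempted at all. A non-empty name with an
  # empty password is an "unauthenticated bind" (RFC 4513 section 5.1.2); a
  # server may accept it without checking anything, so it never counts as a login.
  def self.bind_allowed?(login, password)
    return false if login.to_s.strip.empty? || password.to_s.empty?
    return false if login.to_s =~ /[\x00-\x1f]/ # control characters in a login
    true
  end

  # binder: any callable taking (login, password) and returning true/false,
  # e.g. lambda { |l, p| SimpleLdapAuthenticator.valid?(l, p) } in the app.
  # Returns the attributes for the local record, or nil when login is refused.
  def self.authenticate(login, password, binder)
    return nil unless bind_allowed?(login, password)
    return nil unless binder.call(login, password)
    { :email_address => "#{login}@domain.com", :filter => user_filter(login) }
  end
end

# Constructed stand-in for a directory that accepts unauthenticated binds.
PERMISSIVE_BINDER = lambda { |_login, password| password.empty? || password == "s3cret" }
```

The guard runs before the bind, so the result does not depend on how the directory treats an empty password.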
