On Mar 6, 2012, at 11:10 PM, Marcin S wrote:

> 2012/3/6 Craig White <[email protected]>:
>>
>> On Mar 6, 2012, at 12:54 PM, Marcin S wrote:
>>
>>> Hello everyone,
>>>
>>> I need to create a Rails app where authentication and permissions for
>>> certain application actions will be provided by an LDAP server. There is
>>> a problem with LDAP connection management: as every user login will
>>> spawn a new connection object instance, it may dangerously increase
>>> application memory usage (tbh I don't know what will happen, nothing
>>> good for sure). The LDAP server can close the connection remotely after some
>>> idle time, but some connection resources will remain in memory nonetheless.
>>> I've done some Google research on what may be the best course of action to
>>> manage this issue and I think creating a connection pool sounds good.
>>> I've committed a few average-sized Rails projects but nothing I've
>>> experienced so far is giving me any clues how to implement this
>>> solution.
>>>
>>> I'll be happy to hear how you would do it.
>> ----
>> No - only 1 connection to the LDAP server, using a special account for the
>> purpose with sufficient privileges for the task.
>>
>> It's easy enough to create 'local' users who authenticate via LDAP and then
>> you can manage their privileges/permissions via Rights/Roles if you want.
>>
>> simple ruby app using net-ldap
>>
>> #!/usr/local/bin/ruby
>> #
>> require 'rubygems'
>> require 'net/ldap'
>>
>> $person = "cwhite"
>> $passwd = "won't_work"
>>
>> # one TLS connection; the bind below is what actually checks the password
>> ldap = Net::LDAP.new :encryption => :simple_tls,
>>                      :host => 'ldap.server',
>>                      :port => 636, # use 389 for non-ssl
>>                      :auth => {
>>                        :method   => :simple,
>>                        :username => "uid=" + $person + ", ou=people, dc=example, dc=com",
>>                        :password => $passwd
>>                      }
>>
>> if ldap.bind
>>   p "LDAP authentication succeeded"
>> else
>>   p "LDAP authentication failed"
>> end
>>
>> Should give you enough of a concept for implementing in Rails
>>
>> Craig
>>
>
> Yeah, I have login covered already, in a similar way, but what about
> application permissions?
> I can read it at login time, save it somewhere and never use LDAP
> again until the next login - but when I give that user a cookie, and then
> authenticate him with it, any permission changes on LDAP won't have any
> effect (until the next login).
> How would you solve that?
----
As best as I understand your question, this is what I do.

I have an SQL User class which shares the 'name' with the uid of the LDAP user, and the user_id and the user_name are inserted into session variables which tie it together. Then I have all the controllers & methods of my application subject to a Rights/Roles permissions model, so those can be changed at will since a 'before_filter' requires that a particular user has permissions to access. Thus while LDAP does authentication (user/password), I use my own hand-rolled authorization scheme to allow/deny access to any/all methods & controllers. I don't store any Rails permissions on LDAP whatsoever.

Craig
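Craig's split described above (LDAP answers only the password question, a local Rights/Roles store is checked on every request, and the session carries just the user id), as an added Ruby example that is not code from the thread. It stands in a constructed FakeDirectory for the LDAP server, escapes the uid before building the bind DN (which the quoted script does not do), and uses the hypothetical names LdapAuth, FakeDirectory and Authorizer.

```ruby
require 'set'

# Hypothetical directory client; in a Rails app this would wrap Net::LDAP#bind.
module LdapAuth
  # Escape RFC 4514 special characters so a login name cannot alter the bind DN.
  def self.escape_dn_value(value)
    value.gsub(/[\\,+"<>;=#]/) { |c| "\\#{c}" }
  end
  def self.bind_dn(uid)
    "uid=#{escape_dn_value(uid)},ou=people,dc=example,dc=com"
  end
  # Returns the session payload (local user id and name, never rights) or nil on bind failure.
  def self.login(directory, users, uid, password)
    return nil unless directory.bind(bind_dn(uid), password)
    users[uid] ||= users.size + 1 # local User row whose name is the LDAP uid
    { user_id: users[uid], user_name: uid }
  end
end

# Constructed stand-in for the LDAP server: bind DN => password.
class FakeDirectory
  def initialize(accounts)
    @accounts = accounts
  end
  def bind(dn, password)
    @accounts.key?(dn) && @accounts[dn] == password
  end
end

# Local Rights/Roles store, asked by a before_filter on every request: edits apply immediately.
class Authorizer
  def initialize
    @user_roles  = Hash.new { |h, k| h[k] = Set.new }
    @role_rights = Hash.new { |h, k| h[k] = Set.new }
  end
  def grant(role, right)
    @role_rights[role] << right
  end
  def assign(user_id, role)
    @user_roles[user_id] << role
  end
  def revoke(user_id, role)
    @user_roles[user_id].delete(role)
  end
  # The before_filter passes the session's user_id and the right the action needs.
  def allowed?(user_id, right)
    @user_roles[user_id].any? { |role| @role_rights[role].include?(right) }
  end
end
```

Because the session stores only user_id, revoking a role takes effect on the user's next request without a new LDAP bind, which is the behaviour Marcin asked about.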

