Re: Ruby-net-ldap fail
On Mon, Aug 3, 2009 at 2:57 PM, Bruno Sousa<brgsousa@xxxxxxxxx> wrote:
Ben Bleything wrote:
On Mon, Aug 3, 2009 at 11:46 AM, Bruno Sousa<brgsousa@xxxxxxxxx> wrote:
I got it working with ruby-ldap.
Is it necessary to specify the organization unit? It's working ONLY if I
specify it:

Yes, as mentioned before you need to provide the full path (DN) or
similar so that the ldap server can find your user.  When you don't,
it assumes you mean ou=Users.

Is it a library limitation? Or it really should work like this?
I imagined it should work as when you log in windows computers:
username, password and Domain. No need for OUs :)

You could provide your own function to search the tree based
on username to get the DN and then use that to bind.
But then either your directory would need to allow an anonymous
connection search rights or you would need a service account
for the script to use. You would also need to consider the
possibility of duplicate usernames with different DNs (this is
less of an issue in Active Directory since AD is in some ways
still a flat domain with a simulated hierarchy bolted on).
A production implementation would probably want to cache rather
than run an extra search for every authentication request.

Alternatively, you could attempt to authenticate the user in all
possible OUs until one works or all have failed. :-)

Or finally, you can use UPNs if you don't mind being non-portable
to any other LDAP implementations. This is what I do in my own
corporate apps (despite the bad taste it leaves in my mouth).
I've done a couple of variations:
* Ask for "Username" and append the UPN suffix
* Ask for "UPN" and pass it through
* Ask for "Email Address" and hope they enter their
canonical address and not a special alias
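
The "search the tree for the user's DN, then bind as that DN" flow the reply describes, as an added example that is not part of the original thread or of ruby-net-ldap. It uses a constructed in-memory stand-in for the directory so it runs offline; against a real server the two calls would be the library's search and bind. The service account, base DN and all entries are made-up sample data. It also shows the two things the reply flags that a quick version gets wrong: a username that resolves to more than one DN is refused instead of guessed, and the username is RFC 4515-escaped before it goes into the filter, since an unescaped value like `*` or `x)(uid=admin` rewrites the search (LDAP injection).

```ruby
# Added example, not code from the original post or from ruby-net-ldap.
# Search for the user's DN with a service account, then bind as that DN.

# RFC 4515 escaping for a value placed inside an LDAP search filter.
# Without it "*" matches every entry and ")(" rewrites the filter.
def escape_filter_value(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Lookup filter for a plain username. The attribute is a parameter because
# it is "uid" on most directories and "sAMAccountName" on Active Directory.
def user_filter(username, attribute: 'uid')
  "(&(objectClass=person)(#{attribute}=#{escape_filter_value(username)}))"
end

# Constructed stand-in for an LDAP server (sample data, not a real directory).
# Two different people share the username "jsmith" in different OUs, which is
# the duplicate-username case the reply warns about.
class FakeDirectory
  ENTRIES = {
    'cn=svc-auth,ou=Services,dc=example,dc=com'      => { uid: 'svc-auth', password: 'svc-secret' },
    'cn=Jane Smith,ou=Users,dc=example,dc=com'       => { uid: 'jsmith',   password: 'jane-pass' },
    'cn=John Smith,ou=Contractors,dc=example,dc=com' => { uid: 'jsmith',   password: 'john-pass' },
    'cn=Bob Ray,ou=Users,dc=example,dc=com'          => { uid: 'bray',     password: 'bob-pass' }
  }.freeze

  # Simple bind: succeeds only if the DN exists and the password matches.
  def bind(dn, password)
    entry = ENTRIES[dn]
    !entry.nil? && !password.to_s.empty? && entry[:password] == password
  end

  # Returns the DNs under +base+ whose uid equals the value in the filter.
  # Only the exact filter shape produced by user_filter is understood.
  def search(base, filter)
    m = filter.match(/\A\(&\(objectClass=person\)\(uid=(.*)\)\)\z/)
    return [] unless m
    wanted = m[1]
    ENTRIES.select { |dn, e| dn.end_with?(base) && escape_filter_value(e[:uid]) == wanted }.keys
  end
end

# Service account used for the lookup (the reply's alternative to allowing
# anonymous search). Hypothetical credentials for the fake directory above.
SERVICE_DN = 'cn=svc-auth,ou=Services,dc=example,dc=com'
SERVICE_PW = 'svc-secret'
BASE_DN    = 'dc=example,dc=com'

# username -> DN -> bind. Returns the authenticated DN, or nil on any failure.
def authenticate(directory, username, password)
  # An empty password is an anonymous bind on many servers, which would
  # "succeed" without proving anything, so reject it up front.
  return nil if username.to_s.empty? || password.to_s.empty?
  return nil unless directory.bind(SERVICE_DN, SERVICE_PW)
  dns = directory.search(BASE_DN, user_filter(username))
  # 0 results = unknown user; 2+ = ambiguous, refuse rather than pick one.
  return nil unless dns.length == 1
  dn = dns.first
  directory.bind(dn, password) ? dn : nil
end

if __FILE__ == $PROGRAM_NAME
  dir = FakeDirectory.new
  puts authenticate(dir, 'bray', 'bob-pass').inspect     # the user's DN
  puts authenticate(dir, 'jsmith', 'jane-pass').inspect  # nil: two jsmith entries
end
```

The UPN route the reply mentions last is just `"#{username}@#{suffix}"` passed straight to bind, which is why it needs no search and no service account, and also why it only works against Active Directory. The search-then-bind flow above is the portable one; if you cache the username-to-DN result to avoid the extra search per login, keep the bind itself uncached, since a stale DN simply fails the bind while a cached bind result would skip the password check.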
