Provides multiple implementations of LDAP queries for various backends
Supports Active Directory, FreeIPA and posix-style LDAP
Now available in the rubygems.org repo, rubygems.org/gems/ldap_fluff
$ gem install ldap_fluff
You’ll have to configure the gem a little bit to get it hooked into your LDAP server.
It exposes these methods:
authenticate?(username, password) - returns true if the username/password combination binds successfully
group_list(uid) - returns the LDAP groups the user belongs to, as an array of group name strings
user_list(gid) - returns the users that belong to the LDAP group
is_in_groups?(uid, grouplist) - returns true only if the user is a member of every group in grouplist (all, not any)
valid_user?(uid) - returns true if the user exists
valid_group?(gid) - returns true if the group exists
find_user(uid) - returns the LDAP entry of the user if found, nil if not found
find_group(gid) - returns the LDAP entry of the group if found, nil if not found
These methods are handy for using LDAP for both authentication and authorization.
This gem integrates with warden/devise quite nicely.
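The following is an added example, not ldap_fluff code and not the warden/devise glue the README alludes to: a small login gate that combines authenticate? (authentication) with is_in_groups? (authorization) exactly as the method list above documents them. LdapFluff itself needs a directory to talk to, so a constructed in-memory FakeDirectory that responds to the same three methods stands in for it here; the user data, group names and the empty-password behaviour of the fake are all assumptions for the demo.

```ruby
# Added example (not part of ldap_fluff). The gate only relies on the three
# documented methods authenticate?, group_list and is_in_groups?, so a real
# LdapFluff instance can be passed in place of FakeDirectory.
class FakeDirectory
  # Constructed sample data: login => [password, groups]
  USERS = {
    "alice" => ["s3cret",  %w[admins developers]],
    "bob"   => ["hunter2", %w[developers]],
  }.freeze

  # Some directories (Active Directory by default) treat "name + empty
  # password" as an unauthenticated bind and report success. The fake mimics
  # that so the gate's guard below has something real to catch.
  def authenticate?(username, password)
    return true if password.to_s.empty?
    entry = USERS[username]
    !entry.nil? && entry[0] == password
  end

  def group_list(uid)
    USERS.fetch(uid, [nil, []])[1]
  end

  # True only when the user is in *every* listed group, as documented above.
  def is_in_groups?(uid, grouplist)
    (grouplist - group_list(uid)).empty?
  end
end

class LdapGate
  def initialize(directory, required_groups:)
    @dir = directory
    @required = required_groups
  end

  # Returns :ok, :bad_credentials or :not_authorized. An empty password is
  # rejected locally and never sent to the directory, so an unauthenticated
  # bind cannot masquerade as a successful login.
  def login(username, password)
    return :bad_credentials if username.to_s.strip.empty? || password.to_s.empty?
    return :bad_credentials unless @dir.authenticate?(username, password)
    return :not_authorized unless @dir.is_in_groups?(username, @required)
    :ok
  end
end

if __FILE__ == $PROGRAM_NAME
  gate = LdapGate.new(FakeDirectory.new, required_groups: %w[admins developers])
  puts gate.login("alice", "s3cret")   # ok
  puts gate.login("bob", "hunter2")    # not_authorized (not in admins)
  puts gate.login("alice", "")         # bad_credentials, directory never asked
end
```

Checking credentials and group membership in the same place keeps the "all listed groups" semantics of is_in_groups? explicit; a caller that wants "any of these groups" has to compare against group_list itself.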
Your global configuration must provide information about your LDAP host to function properly.
host: # ip address or hostname
port: # port
encryption: # blank, :simple_tls, or :start_tls
base_dn: # base DN for LDAP auth, eg dc=redhat,dc=com
group_base: # base DN for your LDAP groups, eg ou=Groups,dc=redhat,dc=com
use_netgroups: # false by default, use true if you want to use netgroup triples,
               # supported only for server type :free_ipa and :posix
server_type: # type of server. default == :posix. :active_directory, :posix, :free_ipa
ad_domain: # domain for your users if using active directory, eg redhat.com
service_user: # service account for authenticating LDAP calls. required unless you enable anon
service_pass: # service password for authenticating LDAP calls. required unless you enable anon
anon_queries: # false by default, true if you don't want to use the service user
instrumentation_service: # nil by default, an object that supports the ActiveSupport::Notifications API
You can pass these arguments as a hash to LdapFluff to get a valid LdapFluff object.
ldap_config = {
  :host          => "freeipa.localdomain",
  :port          => 389,
  :encryption    => nil,
  :base_dn       => "DC=mydomain,DC=com",
  :group_base    => "DC=groups,DC=mydomain,DC=com",
  :attr_login    => "uid",
  :server_type   => :free_ipa,
  :service_user  => "admin",
  :search_filter => "(objectClass=*)",
  :service_pass  => "mypass",
  :anon_queries  => false
}
fluff = LdapFluff.new(ldap_config)
fluff.valid_user?("admin") # returns true
ldap_fluff fully supports simple_tls and start_tls encryption: simple_tls is LDAPS, normally on port 636, and start_tls upgrades a plain connection, normally on port 389. Leaving encryption blank, as the example above does, sends the service password and every user's password across the network in clear text, so use one of the two anywhere but a test setup. Most likely you'll also need to add your server's CA to the local trust bundle. On a Red Hat style system it's probably something like this:
$ cat ldap_server_ca.crt >> /etc/pki/tls/certs/ca-bundle.crt
On current Red Hat releases that bundle is generated, so instead copy the CA into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust rather than editing ca-bundle.crt by hand. Adding the CA only helps if the client actually verifies the server certificate, so confirm that for the net-ldap version you run.
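As an added example, not part of ldap_fluff, here is a pre-flight check that applies the rules from the option list above (required keys, allowed encryption and server_type values, use_netgroups restrictions, service account versus anon_queries) to a configuration hash before it reaches LdapFluff.new, and flags the unencrypted setting beside a hardened equivalent. The two sample configs are constructed; the first mirrors the plaintext FreeIPA example above.

```ruby
# Added example (not part of ldap_fluff): lint an LdapFluff config hash.
SERVER_TYPES = %i[posix free_ipa active_directory].freeze
ENCRYPTIONS  = [nil, :simple_tls, :start_tls].freeze

# Returns an array of problem strings; an empty array means the config is sane.
def ldap_config_issues(cfg)
  issues = []
  %i[host port base_dn group_base].each do |key|
    issues << "#{key} is required" if cfg[key].to_s.empty?
  end

  unless ENCRYPTIONS.include?(cfg[:encryption])
    issues << "encryption must be blank, :simple_tls or :start_tls"
  end
  # Without TLS the service password and every user's password travel in clear.
  if cfg[:encryption].nil?
    issues << "no encryption: bind passwords cross the network in clear text"
  end
  # Port/encryption mismatches are the usual cause of opaque connection errors.
  if cfg[:encryption] == :simple_tls && cfg[:port] != 636
    issues << "simple_tls (LDAPS) normally uses port 636, not #{cfg[:port]}"
  end
  if cfg[:encryption] == :start_tls && cfg[:port] == 636
    issues << "start_tls upgrades a plain connection, normally port 389, not 636"
  end

  server_type = cfg.fetch(:server_type, :posix) # :posix is the documented default
  unless SERVER_TYPES.include?(server_type)
    issues << "unknown server_type #{server_type.inspect}"
  end
  if cfg[:use_netgroups] && server_type == :active_directory
    issues << "use_netgroups is only supported for :free_ipa and :posix"
  end
  if server_type == :active_directory && cfg[:ad_domain].to_s.empty?
    issues << "ad_domain is required for :active_directory"
  end

  # Either a service account or anonymous queries, never neither.
  if !cfg[:anon_queries] && (cfg[:service_user].to_s.empty? || cfg[:service_pass].to_s.empty?)
    issues << "service_user and service_pass are required unless anon_queries is true"
  end
  issues
end

# Constructed sample: the plaintext FreeIPA config from the usage example.
PLAINTEXT_CONFIG = {
  host: "freeipa.localdomain", port: 389, encryption: nil,
  base_dn: "DC=mydomain,DC=com", group_base: "DC=groups,DC=mydomain,DC=com",
  server_type: :free_ipa, service_user: "admin", service_pass: "mypass",
  anon_queries: false
}.freeze

# Constructed sample: the same directory reached over LDAPS instead.
HARDENED_CONFIG = PLAINTEXT_CONFIG.merge(port: 636, encryption: :simple_tls).freeze

if __FILE__ == $PROGRAM_NAME
  puts "plaintext: #{ldap_config_issues(PLAINTEXT_CONFIG).inspect}"
  puts "hardened:  #{ldap_config_issues(HARDENED_CONFIG).inspect}"
end
```

Run the check once at application boot and refuse to start on a non-empty result; a misconfigured directory connection is cheaper to catch there than as a failed login in production.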
For Active Directory (server_type :active_directory):
ldap_fluff does not support searching or binding against global catalogs.
service_user (formatted as "ad_domain/username") and service_pass, or alternatively anon_queries, are required for AD support.
Group membership searches use the msds-memberOfTransitive attribute where the server provides it, and fall back to a recursive lookup through nested groups otherwise.
For FreeIPA (server_type :free_ipa), ldap_fluff prepends cn=groups,cn=accounts to the DN used in all BIND calls. You do not need to include this in your base_dn string.
Both net-ldap and ldap_fluff support instrumentation of API calls, which helps to debug performance issues or to find out exactly which LDAP queries are being made.
The :instrumentation_service item in the configuration should support an API equivalent to ActiveSupport::Notifications. ldap_fluff will use it and also pass it through to net-ldap.
When using Rails, pass :instrumentation_service => ActiveSupport::Notifications and then subscribe to the events and optionally log them (e.g. gist.github.com/mnutt/566725).
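For a non-Rails application, the following added example (not ldap_fluff or net-ldap code) shows the small subset of the ActiveSupport::Notifications API that an instrumentation service has to provide: instrument(name, payload) that yields the payload, times the block, records exceptions and publishes the event, plus subscribe. A subscriber then keeps a timed log of every event, which is the debugging use described above. The event names and payloads in the demo are constructed for illustration and are not ldap_fluff's own.

```ruby
# Added example (not part of ldap_fluff): a minimal notifier with an
# ActiveSupport::Notifications-compatible surface, usable as the
# :instrumentation_service configuration item.
class LdapNotifications
  Event = Struct.new(:name, :duration_ms, :payload)

  def initialize
    @subscribers = [] # [pattern, block] pairs; pattern is nil, a String or a Regexp
  end

  # subscribe("search.net_ldap") { |name, start, finish, id, payload| ... }
  def subscribe(pattern = nil, &block)
    @subscribers << [pattern, block]
    block
  end

  # Yields the caller's payload hash (so the caller can add :result to it),
  # returns the block's value, records an exception in payload[:exception]
  # and re-raises it, and publishes the event with timing in every case.
  def instrument(name, payload = {})
    start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    begin
      yield payload if block_given?
    rescue Exception => e
      payload[:exception] = [e.class.name, e.message]
      raise
    ensure
      finish = Process.clock_gettime(Process::CLOCK_MONOTONIC)
      publish(name, start, finish, payload)
    end
  end

  private

  def publish(name, start, finish, payload)
    @subscribers.each do |pattern, block|
      matches = pattern.nil? || (pattern.is_a?(Regexp) ? pattern.match?(name) : pattern == name)
      block.call(name, start, finish, nil, payload) if matches
    end
  end
end

# Subscriber that records which queries were made and how long each took.
class QueryLog
  attr_reader :events

  def initialize(notifier)
    @events = []
    notifier.subscribe(/\.net_ldap\z/) do |name, start, finish, _id, payload|
      @events << LdapNotifications::Event.new(name, ((finish - start) * 1000).round(2), payload)
    end
  end

  # One line per event, e.g. "search.net_ldap 0.05ms base=dc=mydomain,dc=com filter=(uid=alice)"
  def summary
    @events.map do |ev|
      fields = ev.payload.reject { |k, _| k == :result }.map { |k, v| "#{k}=#{v}" }
      "#{ev.name} #{ev.duration_ms}ms #{fields.join(' ')}"
    end
  end
end

# Constructed stand-in for the calls a user lookup would trigger in net-ldap.
def simulated_lookup(notifier)
  notifier.instrument("bind.net_ldap", username: "admin") { |p| p[:result] = true }
  notifier.instrument("search.net_ldap", base: "dc=mydomain,dc=com", filter: "(uid=alice)") do |p|
    p[:result] = [{ dn: "uid=alice,cn=users,cn=accounts,dc=mydomain,dc=com" }]
  end
end

if __FILE__ == $PROGRAM_NAME
  notifier = LdapNotifications.new
  log = QueryLog.new(notifier)
  simulated_lookup(notifier)
  puts log.summary
end
```

The subscriber deliberately drops :result from its summary lines: search results can contain user entries, and a debug log of LDAP traffic should show the filters and bases being used, not the directory data coming back.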
Feel free to file a PR against our GitHub repository.
ldap_fluff is licensed under the GPLv2. Please read LICENSE for more information.