activedirectory 0.9.3 → 1.0.0

data/lib/active_directory/user.rb

@@ -1,296 +1,155 @@
-#--
-# Active Directory Module for Ruby
+#-- license
 #
-# Copyright (c) 2005-2006 Justin Mecham
+# This file is part of the Ruby Active Directory Project
+# on the web at http://rubyforge.org/projects/activedirectory
 #
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to
-# deal in the Software without restriction, including without limitation the
-# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-# sell copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
+#  Copyright (c) 2008, James Hunt <filefrog@gmail.com>
+#    based on original code by Justin Mecham
 #
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
 #
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
-# IN THE SOFTWARE.
-#++
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#++ license
 
 module ActiveDirectory
-
-  #
-  # Represents a User object within an Active Directory instance.
-  #
-  class User < Base
-
-    # Distinguished Name (DN)
-    attr_reader :dn
-
-    # Display Name (e.g. "John Q. Public")
-    attr_reader :name
-
-    # Given Name (e.g. "John")
-    attr_reader :given_name
-
-    # Surname (e.g. "Public")
-    attr_reader :surname
-
-    # Primary E-Mail Address
-    attr_reader :email
-
-    # Account/Username (e.g. "jpublic")
-    attr_reader :username
-
-    # Job Title
-    attr_reader :title
-
-    # Company Name
-    attr_reader :company
-
-    # Department Name
-    attr_reader :department
-
-    # Primary Phone Number
-    attr_reader :main_number
-
-    # Mobile Number
-    attr_reader :mobile_number
-
-    # Street Address
-    attr_reader :street_address
-
-    # City / Town
-    attr_reader :city
-
-    # State/Province
-    attr_reader :state
-
-    # Zip/Postal Code
-    attr_reader :zip
-
-    # Country
-    attr_reader :country
-
-    # Direct Reports
-    attr :direct_reports
-
-    # Manager
-    attr :manager
-
-    # Groups this User is a member of
-    attr :groups
-
-    #
-    # Attributes that we wish to pull from Active Directory for any User that
-    # can be located within the directory.
-    #
-    ATTRIBUTES = ["displayName",        # Name (e.g. "John Doe")
-                  "givenName",          # Given (First) Name
-                  "sn",                 # Surname (Last)
-                  "distinguishedName",  # DN of User
-                  "sAMAccountName",     # Account Name
-                  "mail",               # Primary E-Mail Address
-                  "manager",            # DN Reference to Manager
-                  "directReports",      # DN References to Minions
-                  "memberOf",           # Group Membership
-                  "company",            # Company Name
-                  "department",         # Department Name
-                  "title",              # Title
-                  "mobile",             # Mobile Phone Number
-                  "telephoneNumber",    # Primary Phone Number
-                  "streetAddress",      # Street Address
-                  "l",                  # City
-                  "st",                 # State
-                  "postalCode",         # Zip Code
-                  "co"] #:nodoc:        # Country
-
-    #
-    # Attempts to load a User by a Distinguished Name (DN) or sAMAccountName.
-    #
-    def initialize(identifier)
-
-      if (identifier =~ /(CN|cn)=/) != nil
-        load_by_dn(identifier)
-      else
-        load_by_username(identifier)
-      end
-
-    end
-
-    #
-    # Attempts to authenticate the loaded user with the supplied password.
-    # Returns true if the authentication attempt was successful.
-    #
-    def authenticate(password)
-
-      # Clean up the password before we run it through our series of tests.
-      password.strip!
-
-      # If no password was specified, raise an exception. This check must
-      # occur to avoid a huge security hole if anonymous bind is on - if this
-      # check is not performed, someone can authenticate without providing a
-      # password when anonymous bind is turned on.
-      raise PasswordInvalid unless (!password.nil? and password.length > 0)
-
-      # Clone our shared connection for isolated use in determining the
-      # validity of our user's credentials.
-      auth_connection = Base.connection.clone
-
-      # Unbind the connection if it is already bound.
-      auth_connection.unbind if auth_connection.bound?
-
-      begin
-
-        # Attempt to bind to the connection as the currently loaded user with
-        # the supplied password.
-        auth_connection.bind("#{@username}@#{@@server_settings[:domain]}",
-                             password)
-
-        return true
-
-      rescue LDAP::ResultError
-        if ($!.to_s == "Invalid credentials")
-          raise PasswordInvalid
-        else
-          raise
-        end
-      ensure
-        auth_connection.unbind
-        auth_connection = nil
-      end
-
-      return false
-
-    end
-
-    #
-    # Conveniently return the name of the User if the object is called
-    # directly.
-    #
-    def to_s #:nodoc:
-      @name
-    end
-
-    #
-    # Proxy for loading and returning this users' manager.
-    #
-    def manager #:nodoc:
-      @manager ||= User.new(@manager_dn) unless @manager_dn.nil?
-    end
-
-    #
-    # Proxy for loading and returning the group membership of this user.
-    #
-    def groups #:nodoc:
-      groups = Array.new
-      unless @groups.nil?
-        for group_dn in @groups
-          groups << Group.new(group_dn)
-        end
-      end
-      groups
-    end
-
-    #
-    # Proxy for loading and returning the users who report directly to this
-    # user.
-    #
-    def direct_reports #:nodoc:
-      direct_reports = Array.new
-      unless @direct_reports.nil?
-        for user_dn in @direct_reports
-          direct_reports << User.new(user_dn)
-        end
-      end
-      direct_reports
-    end
-
-    #
-    # Determines if the user is a member of the given group. Returns true if
-    # the user is in the passed group.
-    #
-    def member_of?(group)
-      @groups.include?(group.dn)
-    end
-    
-    private
-
-    #
-    # Attempt to load a user by their username (sAMAccountName).
-    #
-    def load_by_username(username)
-
-      if username.nil? or username.length == 0
-        raise ArgumentError, "No username provided."
-      end
-
-      @username = username
-
-      # Set our filter to include only information about the requested user of
-      # class user.
-      filter = "(&(objectClass=user)(sAMAccountName=#{@username}))"
-
-      entries = Base.search(@@server_settings[:base_dn],
-                  LDAP::LDAP_SCOPE_SUBTREE, filter, ATTRIBUTES)
-
-      raise UnknownUserError if (entries.nil? or entries.length != 1)
-
-      parse_ldap_entry(entries[0])
-
-    end
-
-    #
-    # Attempt to load a User by its Distinguished Name (DN).
-    #
-    def load_by_dn(dn)
-
-      if dn.nil? or dn.length == 0
-        raise ArgumentError, "No distinguished name provided."
-      end
-
-      # De-escape the DN
-      dn = dn.gsub(/"/, "\\\"")
-
-      # Set our filter to include only information about the requested user of
-      # class user.
-      filter = "(&(objectClass=user))"
-
-      entries = Base.search(dn, LDAP::LDAP_SCOPE_BASE, filter)
-
-      raise UnknownUserError if (entries.nil? or entries.length != 1)
-
-      parse_ldap_entry(entries[0])
-
-    end
-
-    def parse_ldap_entry(entry)
-      @dn             = entry['distinguishedName'][0]
-      @username       = entry['sAMAccountName'][0]
-      @name           = entry['displayName'][0] unless entry['displayName'].nil?
-      @given_name     = entry['givenName'][0] unless entry['givenName'].nil?
-      @surname        = entry['sn'][0] unless entry['sn'].nil?
-      @email          = entry['mail'][0] unless entry['mail'].nil?
-      @manager_dn     = entry['manager'][0] unless entry['manager'].nil?
-      @company        = entry['company'][0] unless entry['company'].nil?
-      @department     = entry['department'][0] unless entry['department'].nil?
-      @title          = entry['title'][0] unless entry['title'].nil?
-      @main_number    = entry['telephoneNumber'][0] unless entry['telephoneNumber'].nil?
-      @mobile_number  = entry['mobile'][0] unless entry['mobile'].nil?
-      @street_address = entry['streetAddress'][0] unless entry['streetAddress'].nil?
-      @city           = entry['l'][0] unless entry['l'].nil?
-      @state          = entry['st'][0] unless entry['st'].nil?
-      @zip            = entry['postalCode'][0] unless entry['postalCode'].nil?
-      @country        = entry['co'][0] unless entry['co'].nil?
-      @direct_reports = entry['directReports']
-      @groups         = entry['memberOf']
-    end
-
-  end
-
-end
+	class User < Base
+		include Member
+
+		UAC_ACCOUNT_DISABLED = 0x0002
+		UAC_NORMAL_ACCOUNT   = 0x0200 # 512
+
+		def self.filter # :nodoc:
+			Net::LDAP::Filter.eq(:objectClass,'user') & ~Net::LDAP::Filter.eq(:objectClass,'computer')
+		end
+
+		def self.required_attributes #:nodoc:
+			{ :objectClass => ['top', 'organizationalPerson', 'person', 'user'] }
+		end
+
+		#
+		# Try to authenticate the current User against Active Directory
+		# using the supplied password. Returns false upon failure.
+		#
+		# Authenticate can fail for a variety of reasons, primarily:
+		#
+		# * The password is wrong
+		# * The account is locked
+		# * The account is disabled
+		#
+		# User#locked? and User#disabled? can be used to identify the
+		# latter two cases, and if the account is enabled and unlocked,
+		# Athe password is probably invalid.
+		#
+		def authenticate(password)
+			return false if password.to_s.empty?
+
+			auth_ldap = @@ldap.dup.bind_as(
+				:filter => "(sAMAccountName=#{sAMAccountName})",
+				:password => password
+			)
+		end
+
+		#
+		# Return the User's manager (another User object), depending on
+		# what is stored in the manager attribute.
+		#
+		# Returns nil if the schema does not include the manager attribute
+		# or if no manager has been configured.
+		#
+		def manager
+			return nil if @entry.manager.nil?
+			User.find_by_distinguishedName(@entry.manager.to_s)
+		end
+
+		#
+		# Returns an array of Group objects that this User belongs to.
+		# Only the immediate parent groups are returned, so if the user
+		# Sally is in a group called Sales, and Sales is in a group
+		# called Marketting, this method would only return the Sales group.
+		#
+		def groups
+			@groups ||= memberOf.collect { |dn| Group.find_by_distinguishedName(dn) }
+		end
+
+		#
+		# Returns an array of User objects that have this
+		# User as their manager.
+		#
+		def direct_reports
+			return [] if @entry.directReports.nil?
+			@direct_reports ||= @entry.directReports.collect { |dn| User.find_by_distinguishedName(dn) }
+		end
+
+		#
+		# Returns true if this account has been locked out
+		# (usually because of too many invalid authentication attempts).
+		#
+		# Locked accounts can be unlocked with the User#unlock! method.
+		#
+		def locked?
+			!lockoutTime.nil? && lockoutTime.to_i != 0
+		end
+
+		#
+		# Returns true if this account has been disabled.
+		#
+		def disabled?
+			userAccountControl.to_i & UAC_ACCOUNT_DISABLED != 0
+		end
+
+		#
+		# Returns true if the user should be able to log in with a correct
+		# password (essentially, their account is not disabled or locked
+		# out).
+		#
+		def can_login?
+			!disabled? && !locked?
+		end
+
+		#
+		# Change the password for this account.
+		#
+		# This operation requires that the bind user specified in
+		# Base.setup have heightened privileges. It also requires an
+		# SSL connection.
+		#
+		# If the force_change argument is passed as true, the password will
+		# be marked as 'expired', forcing the user to change it the next
+		# time they successfully log into the domain.
+		#
+		def change_password(new_password, force_change = false)
+			settings = @@settings.dup.merge {
+				:port => 636,
+				:encryption => { :method => :simple_tls }
+			}
+
+			ldap = Net::LDAP.new(settings)
+			ldap.modify(
+				:dn => distinguishedName,
+				:operations => [
+					[ :replace, :lockoutTime, [ '0' ] ],
+					[ :replace, :unicodePwd, [ Password.encode(new_password) ] ],
+					[ :replace, :userAccountControl, [ UAC_NORMAL_ACCOUNT.to_s ] ],
+					[ :replace, :pwdLastSet, [ (force_change ? '0' : '-1') ] ]
+				]
+			)
+		end
+
+		#
+		# Unlocks this account.
+		#
+		def unlock!
+			@@ldap.replace_attribute(distinguishedName, :lockoutTime, ['0'])
+		end
+	end
+end

metadata

@@ -1,18 +1,18 @@
 --- !ruby/object:Gem::Specification 
-rubygems_version: 0.8.11
+rubygems_version: 0.9.4
 specification_version: 1
 name: activedirectory
 version: !ruby/object:Gem::Version 
-  version: 0.9.3
-date: 2006-05-11 00:00:00 -06:00
-summary: Module for easy interaction with Active Directory servers.
+  version: 1.0.0
+date: 2008-08-02 00:00:00 -05:00
+summary: An interface library for accessing Microsoft's Active Directory.
 require_paths: 
 - lib
-email: justin@aspect.net
-homepage: 
-rubyforge_project: 
-description: Makes it trivial to integrate with Active Directory servers for information and authentication concerning users and groups.
-autorequire: active_directory
+email: filefrog@gmail.com
+homepage: http://rubyforge.net/projects/activedirectory
+rubyforge_project: activedirectory
+description: ActiveDirectory uses Net::LDAP to provide a means of accessing and modifying an Active Directory data store.
+autorequire: 
 default_executable: 
 bindir: bin
 has_rdoc: true
@@ -25,22 +25,21 @@ required_ruby_version: !ruby/object:Gem::Version::Requirement
 platform: ruby
 signing_key: 
 cert_chain: 
+post_install_message: 
 authors: 
-- Justin Mecham
+- James R. Hunt
 files: 
-- Rakefile
-- install.rb
-- README
-- LICENSE
-- lib/active_directory
-- lib/active_directory.rb
+- lib/active_directory/container.rb
+- lib/active_directory/timestamp.rb
+- lib/active_directory/user.rb
+- lib/active_directory/computer.rb
+- lib/active_directory/password.rb
+- lib/active_directory/member.rb
 - lib/active_directory/base.rb
-- lib/active_directory/ext
+- lib/active_directory/rails/user.rb
+- lib/active_directory/rails/synchronizer.rb
 - lib/active_directory/group.rb
-- lib/active_directory/user.rb
-- lib/active_directory/version.rb
-- lib/active_directory/ext/class.rb
-- lib/active_directory/ext/hash.rb
+- lib/active_directory.rb
 test_files: []
 
 rdoc_options: []
@@ -51,7 +50,15 @@ executables: []
 
 extensions: []
 
-requirements: 
-- none
-dependencies: []
+requirements: []
 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: ruby-net-ldap
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Version::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 0.0.4
+    version: