activedirectory 0.9.3 → 1.0.0

data/lib/active_directory.rb

@@ -1,15 +1,37 @@
-$:.unshift(File.dirname(__FILE__) + "/active_directory/vendor/")
+#-- license
+#
+# This file is part of the Ruby Active Directory Project
+# on the web at http://rubyforge.org/projects/activedirectory
+#
+#  Copyright (c) 2008, James Hunt <filefrog@gmail.com>
+#    based on original code by Justin Mecham
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#++ license
 
-# External Dependencies
-require 'ldap'
-require 'logger'
+require 'net/ldap'
 
-# Extensions to Ruby
-Dir[File.dirname(__FILE__) + "/active_directory/ext/*.rb"].each { |file|
-  require file
-}
+require 'active_directory/base.rb'
+require 'active_directory/container.rb'
+require 'active_directory/member.rb'
 
-# Active Directory Classes
-require 'active_directory/base'
-require 'active_directory/user'
-require 'active_directory/group'
+require 'active_directory/user.rb'
+require 'active_directory/group.rb'
+require 'active_directory/computer.rb'
+
+require 'active_directory/password.rb'
+require 'active_directory/timestamp.rb'
+
+require 'active_directory/rails/user.rb'

data/lib/active_directory/base.rb

@@ -1,368 +1,404 @@
-#--
-# Active Directory Module for Ruby
+#-- license
 #
-# Copyright (c) 2005-2006 Justin Mecham
+# This file is part of the Ruby Active Directory Project
+# on the web at http://rubyforge.org/projects/activedirectory
 #
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to
-# deal in the Software without restriction, including without limitation the
-# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-# sell copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
+#  Copyright (c) 2008, James Hunt <filefrog@gmail.com>
+#    based on original code by Justin Mecham
 #
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
 #
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
-# IN THE SOFTWARE.
-#++
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#++ license
 
 module ActiveDirectory
-
-  #
-  # The ActiveDirectory module contains the classes used for communicating with
-  # Active Directory LDAP servers. ActiveDirectory::Base is the basis from which
-  # all classes derive.
-  #
-  class Base
-
-    #
-    # Configuration
-    #
-    @@server_settings = {
-      :host     => "localhost",
-      :port     => 389,
-      :username => nil,
-      :password => nil,
-      :domain   => nil,
-      :base_dn  => nil
-    }
-    cattr_accessor :server_settings
-
-    #
-    # Logging
-    #
-    cattr_writer :logger
-    def self.logger
-      @@logger || Logger.new(STDOUT)
-    end
-
-    #
-    # Returns a connection to the configured Active Directory instance. If a
-    # connection is not already established, it will attempt to establish the
-    # connection.
-    #
-    def self.connection
-      @@connection ||= connect
-    end
-
-    #
-    # Opens and returns a connection to the Active Directory instance. By
-    # default, secure connections will be attempted first while gracefully
-    # falling back to lesser secure methods.
-    #
-    # The order by which connections are attempted are: TLS, SSL, unencrypted.
-    #
-    # Calling #connection will automatically call this method if a connection
-    # has not already been established.
-    #
-    def self.connect
-
-      host = @@server_settings[:host]
-      port = @@server_settings[:port] || 389
-
-      # Attempt to connect using TLS
-      begin
-        connection = LDAP::SSLConn.new(host, port, true)
-        connection.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
-        bind(connection)
-        logger.info("ActiveDirectory: Connected to #{@@server_settings[:host]} using TLS...") unless logger.nil?
-      rescue
-        logger.debug("ActiveDirectory: Failed to connect to #{@@server_settings[:host]} using TLS!") unless logger.nil?
-        # Attempt to connect using SSL
-        begin
-          connection = LDAP::SSLConn.new(host, port, false)
-          connection.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
-          bind(connection)
-          logger.info("ActiveDirectory: Connected to #{@@server_settings[:host]} over SSL...") unless logger.nil?
-        rescue
-          logger.debug("ActiveDirectory: Failed to connect to #{@@server_settings[:host]} over SSL!") unless logger.nil?
-          # Attempt to connect without encryption
-          begin
-            connection = LDAP::Conn.new(host, port)
-            connection.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
-            bind(connection)
-            logger.info("ActiveDirectory: Connected to #{@@server_settings[:host]} without encryption!") unless logger.nil?
-          rescue
-            logger.error("ActiveDirectory: Failed to connect to #{@@server_settings[:host]}!") unless logger.nil?
-            puts "EXCEPTION: #{$!}"
-            connection = nil
-            raise
-          end
-        end
-      end
-
-      connection.set_option(LDAP::LDAP_OPT_REFERRALS, 0)
-
-      connection
-    
-    end
-
-    #
-    # Unbinds (if bound) and closes the current connection.
-    #
-    def self.close
-      begin
-        @@connection.unbind unless @@connection.nil?
-      rescue
-      end
-      @@connection = nil
-    end
-
-    #
-    # Attempts to reconnect to the server by closing the existing connection
-    # and reconnecting.
-    #
-    def self.reconnect
-      close
-      @@connection = connect
-    end
-
-    #
-    # Search interface for querying for objects within the directory, such as
-    # users and groups. Searching the directory is quite similar to a normal
-    # LDAP search, but with a better API.
-    #
-    # If you call this method from User or Group, it will narrow your searches
-    # to those specific objects by default. Calling this method on Base will
-    # return objects of any class and provides the most flexibility.
-    #
-    # ==== Searching Users
-    #
-    # Users may be located within the directory by their distinguished name
-    # (DN), their username (sAMAccountName), or through any other valid LDAP
-    # filter and optional search base.
-    #
-    #  # Load all users (including disabled) within the default Base DN.
-    #  all_users      = ActiveDirectory::User.find(:all)
-    #
-    #  # Load all disabled users within the default Base DN.
-    #  disabled_users = ActiveDirectory::User.find(:all,
-    #                     :filter => "(userAccountControl=514)")
-    #
-    #  # Load all users who are in the Managers organizational unit whose
-    #  # accounts are not disabled.
-    #  managers       = ActiveDirectory::User.find(:all,
-    #                     :base   => "OU=Managers,DC=example,DC=com",
-    #                     :filter => "(userAccountControl=512)")
-    #
-    #  # Load the user "John Doe" by his sAMAccountName.
-    #  user = ActiveDirectory::User.find("jdoe")
-    #
-    #  # Load the user "John Doe" by his distinguished name (DN).
-    #  user = ActiveDirectory::User.find("CN=John Doe,CN=Users,DC=example,DC=com")
-    #
-    # ==== Searching Groups
-    #
-    # Groups may be located within the diretctory by their distinguished name
-    # (DN) or through any other valid LDAP filter and optional search base.
-    #
-    #  # Load all groups within the default Base DN.
-    #  all_groups = ActiveDirectory::Group.find(:all)
-    #
-    #  # Load the "Developers" group by its distinguished name (DN).
-    #  developers = ActiveDirectory::Group.find("CN=Developers,DC=example,DC=com")
-    #
-    # ==== More Advanced Examples
-    #
-    # By calling ActiveDirectory::Base#find you can query objects across
-    # classes, allowing you to pull in both Groups and Users that match your
-    # criteria.
-    #
-    #  # Load all Contacts
-    #  contacts = ActiveDirectory::Base.find(:all,
-    #               :filter => "(&(objectClass=User)(objectCategory=Contact))")
-    #
-    def self.find(*args)
-
-      options    = extract_options_from_args!(args)
-      attributes = [ "distinguishedName", "objectClass" ]
-
-      # Determine the appropriate search filter
-      if self.name == "ActiveDirectory::Base"
-        if options[:filter]
-          filter = options[:filter]
-        else
-          filter = "(|(&(objectCategory=Person)(objectClass=User))(objectClass=Group))"
-        end
-      else
-        subklass = class_name_of_active_directory_descendent(self)
-        if subklass == "ActiveDirectory::User"
-          filter = "(&(objectCategory=Person)(objectClass=User)#{options[:filter]})"
-        elsif subklass == "ActiveDirectory::Group"
-          filter = "(&(objectClass=Group)#{options[:filter]})"
-        end
-      end
-
-      # Determine the appropriate search base
-      base_dn = options[:base] ? options[:base] : @@server_settings[:base_dn]
-
-      # Determine the appropriate scope
-      scope = options[:scope] ? options[:scope] : LDAP::LDAP_SCOPE_SUBTREE
-
-      # Load all matching objects
-      if args.first == :all
-
-        logger.debug "Searching Active Directory" \
-                     " - Filter: #{filter}" \
-                     " - Search Base: #{base_dn} " \
-                     " - Scope: #{scope}"
-
-        # Perform search
-        entries = self.search(base_dn, scope, filter, attributes)
-
-        result = Array.new
-        unless entries.nil?
-          for entry in entries
-            if entry['objectClass'].include? "person"
-              result << User.new(entry['distinguishedName'][0])
-            elsif entry['objectClass'].include? "group"
-              result << Group.new(entry['distinguishedName'][0])
-            end
-          end
-        end
-        result
-
-      else
-
-        # Load a single matching object by either a common name or a
-        # sAMAccountName
-        if args.first =~ /(CN|cn)=/
-          base_dn = args.first
-        else
-          filter = "(&(objectCategory=Person)(objectClass=User)(samAccountName=#{args.first})#{options[:filter]})"
-        end
-
-        logger.debug "Searching Active Directory" \
-                     " - Filter: #{filter}" \
-                     " - Search Base: #{base_dn} " \
-                     " - Scope: #{scope}"
-
-        begin
-          entry = self.search(base_dn, scope, filter, attributes)
-        rescue
-          if $!.message == "No such object"
-            raise UnknownUserError
-          else
-            raise
-          end
-        end
-
-        entry = entry[0]
-        if entry['objectClass'].include? "person"
-          User.new(entry['distinguishedName'][0])
-        elsif entry['objectClass'].include? "group"
-          Group.new(entry['distinguishedName'][0])
-        end
-
-      end
-
-    end
-
-  protected
-
-    #
-    # Implement our own interface to LDAP::Conn#search so that we can attempt
-    # graceful reconnections when the connection becomes stale or otherwise
-    # terminates.
-    #
-    def self.search(base_dn, scope, filter, attrs = nil) #:nodoc:
-      retries = 0
-      entries = nil
-      begin
-        connection.search(base_dn, scope, filter, attrs) { |entry|
-          entries = Array.new if entries.nil?
-          entries << entry.to_hash
-        }
-      rescue
-        logger.debug("ActiveDirectory: Attempting to re-establish connection to Active Directory server... (Exception: \"#{$!}\" – Retry ##{retries} – #{$!.class})}") unless logger.nil?
-        begin
-          reconnect
-        rescue
-          (retries += 1) < 3 ? retry : raise
-        end
-        retry
-      end
-      entries
-    end
-
-  private
-
-    #
-    # Attempts to bind to the Active Directory instance. If a bind attempt
-    # fails by simple authentication an attempt at anonymous binding will be
-    # made.
-    #
-    def self.bind(connection)
-      # Attempt to bind with a username and password
-      begin
-        connection.bind("#{@@server_settings[:username]}@#{@@server_settings[:domain]}", @@server_settings[:password])
-        logger.info("ActiveDirectory: Bound to Active Directory server as #{@@server_settings[:username]}.") unless logger.nil?
-      rescue
-        logger.debug("ActiveDirectory: Failed to bind to Active Directory server as \"#{@@server_settings[:username]}\"!") unless logger.nil?
-        # Attempt to bind anonymously
-        begin
-          connection.bind()
-          logger.info("ActiveDirectory: Bound anonymously to Active Directory server.") unless logger.nil?
-        rescue
-          logger.debug("ActiveDirectory: Failed to bind anonymously to Active Directory server!") unless logger.nil?
-          raise
-        end
-      end
-    end
-  
-    def self.extract_options_from_args!(args)
-      options = args.last.is_a?(Hash) ? args.pop : {}
-      validate_find_options(options)
-      options
-    end
-
-    def self.validate_find_options(options)
-      options.assert_valid_keys [ :base, :filter, :scope ]
-    end
-
-    def self.class_of_active_directory_descendent(klass)
-      if klass.superclass == Base
-        klass
-      elsif klass.superclass.nil?
-        raise ActiveDirectoryError, "#{name} doesn't belong in a class \
-          hierarchy descending from ActiveDirectory"
-      else
-        self.class_of_active_directory_descendent(klass.superclass)
-      end
-    end
-
-    def self.class_name_of_active_directory_descendent(klass)
-      self.class_of_active_directory_descendent(klass).name
-    end
-
-  end
-
-  class ActiveDirectoryError < StandardError #:nodoc:
-  end
-
-  class UnknownUserError < StandardError #:nodoc:
-  end
-
-  class UnknownGroupError < StandardError #:nodoc:
-  end
-
-  class PasswordInvalid < StandardError #:nodoc:
-  end
-
-end
+	#
+	# Base class for all Ruby/ActiveDirectory Entry Objects (like User and Group)
+	#
+	class Base
+		#
+		# A Net::LDAP::Filter object that doesn't do any filtering
+		# (outside of check that the CN attribute is present.  This
+		# is used internally for specifying a 'no filter' condition
+		# for methods that require a filter object.
+		#
+		NIL_FILTER = Net::LDAP::Filter.pres('cn')
+
+		@@ldap = nil
+
+		#
+		# Configures the connection for the Ruby/ActiveDirectory library.
+		#
+		# For example:
+		#
+		#   ActiveDirectory::Base.setup(
+		#     :host => 'domain_controller1.example.org',
+		#     :port => 389,
+		#     :base => 'dc=example,dc=org',
+		#     :auth => {
+		#       :username => 'querying_user@example.org',
+		#       :password => 'querying_users_password'
+		#     }
+		#   )
+		#
+		# This will configure Ruby/ActiveDirectory to connect to the domain
+		# controller at domain_controller1.example.org, using port 389. The
+		# domain's base LDAP dn is expected to be 'dc=example,dc=org', and
+		# Ruby/ActiveDirectory will try to bind as the
+		# querying_user@example.org user, using the supplied password.
+		#
+		# Currently, there can be only one active connection per
+		# execution context.
+		#
+		# For more advanced options, refer to the Net::LDAP.new
+		# documentation.
+		#
+		def self.setup(settings)
+			@@settings = settings
+			@@ldap = Net::LDAP.new(settings)
+		end
+
+		def self.error
+			"#{@@ldap.get_operation_result.code}: #{@@ldap.get_operation_result.message}"
+		end
+
+		def self.filter # :nodoc:
+			NIL_FILTER 
+		end
+
+		def self.required_attributes # :nodoc:
+			{}
+		end
+
+		#
+		# Check to see if any entries matching the passed criteria exists.
+		#
+		# Filters should be passed as a hash of 
+		# attribute_name => expected_value, like:
+		#
+		#   User.exists?(
+		#     :sn => 'Hunt',
+		#     :givenName => 'James'
+		#   )
+		#
+		# which will return true if one or more User entries have an
+		# sn (surname) of exactly 'Hunt' and a givenName (first name)
+		# of exactly 'James'.
+		#
+		# Partial attribute matches are available.  For instance,
+		#
+		#   Group.exists?(
+		#     :description => 'OldGroup_*'
+		#   )
+		#
+		# would return true if there are any Group objects in
+		# Active Directory whose descriptions start with OldGroup_,
+		# like OldGroup_Reporting, or OldGroup_Admins.
+		#
+		# Note that the * wildcard matches zero or more characters,
+		# so the above query would also return true if a group named
+		# 'OldGroup_' exists.
+		# 
+		def self.exists?(filter_as_hash)
+			criteria = make_filter_from_hash(filter_as_hash) & filter
+			(@@ldap.search(:filter => criteria).size > 0)
+		end
+
+		#
+		# Whether or not the entry has local changes that have not yet been
+		# replicated to the Active Directory server via a call to Base#save
+		#
+		def changed?
+			!@attributes.empty?
+		end
+
+		def self.make_filter_from_hash(filter_as_hash) # :nodoc:
+			return NIL_FILTER if filter_as_hash.nil? || filter_as_hash.empty?
+			keys = filter_as_hash.keys
+
+			first_key = keys.delete(keys[0])
+			f = Net::LDAP::Filter.eq(first_key, filter_as_hash[first_key].to_s)
+			keys.each do |key|
+				f = f & Net::LDAP::Filter.eq(key, filter_as_hash[key].to_s)
+			end
+			f
+		end
+
+		#
+		# Performs a search on the Active Directory store, with similar
+		# syntax to the Rails ActiveRecord#find method.
+		#
+		# The first argument passed should be
+		# either :first or :all, to indicate that we want only one
+		# (:first) or all (:all) results back from the resultant set.
+		#
+		# The second argument should be a hash of attribute_name =>
+		# expected_value pairs.
+		#
+		#   User.find(:all, :sn => 'Hunt')
+		#
+		# would find all of the User objects in Active Directory that
+		# have a surname of exactly 'Hunt'.  As with the Base.exists?
+		# method, partial searches are allowed.
+		#
+		# This method always returns an array if the caller specifies
+		# :all for the search type (first argument).  If no results
+		# are found, the array will be empty.
+		#
+		# If you call find(:first, ...), you will either get an object
+		# (a User or a Group) back, or nil, if there were no entries
+		# matching your filter.
+		#
+		def self.find(*args)
+			options = {
+				:filter => NIL_FILTER,
+				:in => ''
+			}
+			options.merge!(args[1]) unless args[1].nil?
+			options[:in] = [ options[:in].to_s, @@settings[:base] ].delete_if { |part| part.empty? }.join(",")
+			if options[:filter].is_a? Hash
+				options[:filter] = make_filter_from_hash(options[:filter])
+			end
+			options[:filter] = options[:filter] & filter unless self.filter == NIL_FILTER
+			
+			if (args.first == :all)
+				find_all(options)
+			elsif (args.first == :first)
+				find_first(options)
+			else
+				raise ArgumentError, 'Invalid specifier (not :all, and not :first) passed to find()'
+			end
+		end
+
+		def self.find_all(options)
+			results = []
+			@@ldap.search(:filter => options[:filter], :base => options[:in], :return_result => false) do |entry|
+				results << new(entry)
+			end
+			results
+		end
+
+		def self.find_first(options)
+			@@ldap.search(:filter => options[:filter], :base => options[:in], :return_result => false) do |entry|
+				return new(entry)
+			end
+		end
+
+		def self.method_missing(name, *args) # :nodoc:
+			name = name.to_s
+			if (name[0,5] == 'find_')
+				find_spec, attribute_spec = parse_finder_spec(name)
+				raise ArgumentError, "find: Wrong number of arguments (#{args.size} for #{attribute_spec.size})" unless args.size == attribute_spec.size
+				filters = {}
+				[attribute_spec,args].transpose.each { |pr| filters[pr[0]] = pr[1] }
+				find(find_spec, :filter => filters)
+			else
+				super name.to_sym, args
+			end
+		end
+
+		def self.parse_finder_spec(method_name) # :nodoc:
+			# FIXME: This is a prime candidate for a
+			# first-class object, FinderSpec
+
+			method_name = method_name.gsub(/^find_/,'').gsub(/^by_/,'first_by_')
+			find_spec, attribute_spec = *(method_name.split('_by_'))
+			find_spec = find_spec.to_sym
+			attribute_spec = attribute_spec.split('_and_').collect { |s| s.to_sym }
+
+			return find_spec, attribute_spec
+		end
+
+		def ==(other) # :nodoc:
+			return false if other.nil?
+			other.distinguishedName == distinguishedName
+		end
+
+		#
+		# Returns true if this entry does not yet exist in Active Directory.
+		#
+		def new_record?
+			@entry.nil?
+		end
+
+		#
+		# Refreshes the attributes for the entry with updated data from the
+		# domain controller.
+		#
+		def reload
+			return false if new_record?
+
+			@entry = @@ldap.search(:filter => Net::LDAP::Filter.eq('distinguishedName',distinguishedName))[0]
+			return !@entry.nil?
+		end
+
+		#
+		# Updates a single attribute (name) with one or more values
+		# (value), by immediately contacting the Active Directory
+		# server and initiating the update remotely.
+		#
+		# Entries are always reloaded (via Base.reload) after calling
+		# this method.
+		#
+		def update_attribute(name, value)
+			update_attributes(name.to_s => value)
+		end
+
+		#
+		# Updates multiple attributes, like ActiveRecord#update_attributes.
+		# The updates are immediately sent to the server for processing,
+		# and the entry is reloaded after the update (if all went well).
+		#
+		def update_attributes(attributes_to_update)
+			return true if attributes_to_update.empty?
+
+			operations = []
+			attributes_to_update.each do |attribute, values|
+				if values.nil? || values.empty?
+					operations << [ :delete, attribute, nil ]
+				else
+					values = [values] unless values.is_a? Array
+					values = values.collect { |v| v.to_s }
+
+					current_value = begin
+						@entry.send(attribute)
+					rescue NoMethodError
+						nil
+					end
+
+					operations << [ (current_value.nil? ? :add : :replace), attribute, values ]
+				end
+			end
+
+			@@ldap.modify(
+				:dn => distinguishedName,
+				:operations => operations
+			) && reload
+		end
+
+		#
+		# Create a new entry in the Active Record store.
+		#
+		# dn is the Distinguished Name for the new entry.	This must be
+		# a unique identifier, and can be passed as either a Container
+		# or a plain string.
+		#
+		# attributes is a symbol-keyed hash of attribute_name => value
+		# pairs.
+		#
+		def self.create(dn,attributes)
+			return nil if dn.nil? || attributes.nil?
+			begin
+				attributes.merge!(required_attributes)
+				if @@ldap.add(:dn => dn.to_s, :attributes => attributes)
+					return find_by_distinguishedName(dn.to_s)
+				else
+					return nil
+				end
+			rescue
+				return nil
+			end
+		end
+
+		#
+		# Deletes the entry from the Active Record store and returns true
+		# if the operation was successfully.
+		#
+		def destroy
+			return false if new_record?
+
+			if @@ldap.delete(:dn => distinguishedName)
+				@entry = nil
+				@attributes = {}
+				return true
+			else
+				return false
+			end
+		end
+
+		#
+		# Saves any pending changes to the entry by updating the remote
+		# entry.
+		#
+		def save
+			if update_attributes(@attributes)
+				@attributes = {}
+				return true
+			else
+				return false
+			end
+		end
+
+		#
+		# This method may one day provide the ability to move entries from
+		# container to container. Currently, it does nothing, as we are
+		# waiting on the Net::LDAP folks to either document the
+		# Net::LDAP#modrdn method, or provide a similar method for
+		# moving / renaming LDAP entries.
+		#
+		def move(new_rdn)
+			return false if new_record?
+			puts "Moving #{distinguishedName} to RDN: #{new_rdn}"
+
+			settings = @@settings.dup
+			settings[:port] = 636
+			settings[:encryption] = { :method => :simple_tls }
+
+			ldap = Net::LDAP.new(settings)
+
+			if ldap.rename(
+				:olddn => distinguishedName,
+				:newrdn => new_rdn,
+				:delete_attributes => false
+			)
+				return true
+			else
+				puts Base.error
+				return false
+			end
+		end
+
+		# FIXME: Need to document the Base::new
+		def initialize(attributes = {}) # :nodoc:
+			if attributes.is_a? Net::LDAP::Entry
+				@entry = attributes
+				@attributes = {}
+			else
+				@entry = nil
+				@attributes = attributes
+			end
+		end
+
+		def method_missing(name, args = []) # :nodoc:
+			name_s = name.to_s.downcase
+			name = name_s.to_sym
+			if name_s[-1,1] == '='
+				@attributes[name_s[0,name_s.size-1].to_sym] = args
+			else
+				if @attributes.has_key?(name)
+					return @attributes[name]
+				elsif @entry
+					begin
+						value = @entry.send(name)
+						value = value.to_s if value.nil? || value.size == 1
+						return value
+					rescue NoMethodError
+						return nil
+					end
+				else
+					super
+				end
+			end
+		end
+	end
+end