chuckdbacon-activedirectory 1.0.4

data/lib/active_directory/rails/user.rb

@@ -0,0 +1,141 @@
+#-- license
+#
+# This file is part of the Ruby Active Directory Project
+# on the web at http://rubyforge.org/projects/activedirectory
+#
+#  Copyright (c) 2008, James Hunt <filefrog@gmail.com>
+#    based on original code by Justin Mecham
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#++ license
+
+module ActiveDirectory
+			module Rails
+				module User
+			def self.included(klass)
+				klass.extend(ClassMethods)
+				klass.send(:include, InstanceMethods)
+			end
+
+			module InstanceMethods
+				# Is this Person active? Active people have valid
+				# usernames. Inactive people have empty usernames.
+				#
+				def active?
+					username != ""
+				end
+
+				# Whether or not this Person has a corresponding Active Directory
+				# account that we can synchronize with, through the PeopleSynchronizer.
+				#
+				def in_active_directory?
+					!guid.blank?
+				end
+
+				# Whether or not this Person can be authenticated with the
+				# given password, against Active Directory.
+				#
+				# For Active Directory authentication, we attempt to bind to the
+				# configured AD server as the user, and supply the password for
+				# authentication.
+				#
+				# There are two special cases for authentication, related to the
+				# environment the app is currently running in:
+				#
+				# *Development*
+				#
+				# In development, the blank password ('') will always cause this method
+				# to return true, thereby allowing developers to test functionality
+				# for a variety of roles.
+				#
+				# *Training*
+				#
+				# In training, a special training password ('trainme') will always
+				# cause this method to return true, thereby allowing trainers to
+				# use other people accounts to illustrate certain restricted processes.
+				#
+				def authenticates?(password)
+					# Never allow inactive users.
+					return false unless active?
+
+					# Allow blank password for any account in development.
+					return true if password == "" and ENV['RAILS_ENV'] == 'development'
+					return true if password == "trainme" and ENV['RAILS_ENV'] == 'training'
+
+					# Don't go against AD unless we really mean it.
+					return false unless ENV['RAILS_ENV'] == 'production'
+
+					# If they are not in AD, fail.
+					return false unless in_active_directory?
+
+					ad_user = ActiveDirectory::User.find_by_sAMAccountName(self.username)
+					ad_user and ad_user.authenticate(password)
+				end
+
+				def active_directory_equivalent=(ad_user)
+					return unless ad_user
+					update_attributes(
+						:first_name  => ad_user.givenName,
+						:middle_name => ad_user.initials,
+						:last_name   => ad_user.sn,
+						:username    => ad_user.sAMAccountName,
+						:email       => ad_user.mail,
+						:guid        => ad_user.objectGUID
+					)
+				end
+			end
+
+			module ClassMethods
+				# Attempt to authenticate someone with a username and password.
+				# This method properly handles both local store users and AD
+				# users.
+				#
+				# If the username is valid, and the password matches the username,
+				# the Person object corresponding to the username is return.
+				# 
+				# Otherwise, nil is returned, to indicate an authentication failure.
+				#
+				def authenticate(username, password)
+					person = find_by_username(username)
+					return person if (person and person.authenticates?(password))
+					nil
+				end
+
+				# Retrieves all of the Person objects that have corresponding
+				# Active Directory accounts. This method does not contact
+				# the AD servers to retrieve the AD objects -- that is left up
+				# to the caller.
+				#
+				def in_active_directory
+					find(:all, :conditions => 'guid IS NOT NULL AND guid != ""')
+				end
+
+				# Retrieves all Person objects that are currently active,
+				# meaning they have not been disabled by PeopleSynchronizer.
+				#
+				def active
+					find(:all, :conditions => 'username != ""')
+				end
+
+				# Retrieves all Person objects that are currently inactive,
+				# meaning they have been disabled by PeopleSynchronizer.
+				#
+				def inactive
+					find(:all, :conditions => 'username = ""')
+				end
+			end
+		end # module User
+	end # module Rails
+end #module ActiveDirectory

data/lib/active_directory/timestamp.rb

@@ -0,0 +1,46 @@
+#-- license
+#
+# This file is part of the Ruby Active Directory Project
+# on the web at http://rubyforge.org/projects/activedirectory
+#
+#  Copyright (c) 2008, James Hunt <filefrog@gmail.com>
+#    based on original code by Justin Mecham
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#++ license
+
+module ActiveDirectory
+	class Timestamp
+		AD_DIVISOR = 10_000_000     #:nodoc:
+		AD_OFFSET  = 11_644_473_600 #:nodoc:
+
+		#
+		# Encodes a local Time object (or the number of seconds since January
+		# 1, 1970) into a timestamp that the Active Directory server can
+		# understand (number of 100 nanosecond time units since January 1, 1600)
+		# 
+		def self.encode(local_time)
+			(local_time.to_i + AD_OFFSET) * AD_DIVISOR
+		end
+
+		#
+		# Decodes an Active Directory timestamp (the number of 100 nanosecond time
+		# units since January 1, 1600) into a Ruby Time object.
+		#
+		def self.decode(remote_time)
+			Time.at( (remote_time.to_i / AD_DIVISOR) - AD_OFFSET )
+		end
+	end
+end

data/lib/active_directory/user.rb

@@ -0,0 +1,155 @@
+#-- license
+#
+# This file is part of the Ruby Active Directory Project
+# on the web at http://rubyforge.org/projects/activedirectory
+#
+#  Copyright (c) 2008, James Hunt <filefrog@gmail.com>
+#    based on original code by Justin Mecham
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#++ license
+
+module ActiveDirectory
+	class User < Base
+		include Member
+
+		UAC_ACCOUNT_DISABLED = 0x0002
+		UAC_NORMAL_ACCOUNT   = 0x0200 # 512
+
+		def self.filter # :nodoc:
+			Net::LDAP::Filter.eq(:objectClass,'user') & ~Net::LDAP::Filter.eq(:objectClass,'computer')
+		end
+
+		def self.required_attributes #:nodoc:
+			{ :objectClass => ['top', 'organizationalPerson', 'person', 'user'] }
+		end
+
+		#
+		# Try to authenticate the current User against Active Directory
+		# using the supplied password. Returns false upon failure.
+		#
+		# Authenticate can fail for a variety of reasons, primarily:
+		#
+		# * The password is wrong
+		# * The account is locked
+		# * The account is disabled
+		#
+		# User#locked? and User#disabled? can be used to identify the
+		# latter two cases, and if the account is enabled and unlocked,
+		# Athe password is probably invalid.
+		#
+		def authenticate(password)
+			return false if password.to_s.empty?
+
+			auth_ldap = @@ldap.dup.bind_as(
+				:filter => "(sAMAccountName=#{sAMAccountName})",
+				:password => password
+			)
+		end
+
+		#
+		# Return the User's manager (another User object), depending on
+		# what is stored in the manager attribute.
+		#
+		# Returns nil if the schema does not include the manager attribute
+		# or if no manager has been configured.
+		#
+		def manager
+			return nil if @entry.manager.nil?
+			User.find_by_distinguishedName(@entry.manager.to_s)
+		end
+
+		#
+		# Returns an array of Group objects that this User belongs to.
+		# Only the immediate parent groups are returned, so if the user
+		# Sally is in a group called Sales, and Sales is in a group
+		# called Marketting, this method would only return the Sales group.
+		#
+		def groups
+			@groups ||= memberOf.collect { |dn| Group.find_by_distinguishedName(dn) }
+		end
+
+		#
+		# Returns an array of User objects that have this
+		# User as their manager.
+		#
+		def direct_reports
+			return [] if @entry.directReports.nil?
+			@direct_reports ||= @entry.directReports.collect { |dn| User.find_by_distinguishedName(dn) }
+		end
+
+		#
+		# Returns true if this account has been locked out
+		# (usually because of too many invalid authentication attempts).
+		#
+		# Locked accounts can be unlocked with the User#unlock! method.
+		#
+		def locked?
+			!lockoutTime.nil? && lockoutTime.to_i != 0
+		end
+
+		#
+		# Returns true if this account has been disabled.
+		#
+		def disabled?
+			userAccountControl.to_i & UAC_ACCOUNT_DISABLED != 0
+		end
+
+		#
+		# Returns true if the user should be able to log in with a correct
+		# password (essentially, their account is not disabled or locked
+		# out).
+		#
+		def can_login?
+			!disabled? && !locked?
+		end
+
+		#
+		# Change the password for this account.
+		#
+		# This operation requires that the bind user specified in
+		# Base.setup have heightened privileges. It also requires an
+		# SSL connection.
+		#
+		# If the force_change argument is passed as true, the password will
+		# be marked as 'expired', forcing the user to change it the next
+		# time they successfully log into the domain.
+		#
+		def change_password(new_password, force_change = false)
+			settings = @@settings.dup.merge({
+				:port => 636,
+				:encryption => { :method => :simple_tls }
+			})
+
+			ldap = Net::LDAP.new(settings)
+			ldap.modify(
+				:dn => distinguishedName,
+				:operations => [
+					[ :replace, :lockoutTime, [ '0' ] ],
+					[ :replace, :unicodePwd, [ Password.encode(new_password) ] ],
+					[ :replace, :userAccountControl, [ UAC_NORMAL_ACCOUNT.to_s ] ],
+					[ :replace, :pwdLastSet, [ (force_change ? '0' : '-1') ] ]
+				]
+			)
+		end
+
+		#
+		# Unlocks this account.
+		#
+		def unlock!
+			@@ldap.replace_attribute(distinguishedName, :lockoutTime, ['0'])
+		end
+	end
+end

metadata

@@ -0,0 +1,69 @@
+--- !ruby/object:Gem::Specification
+name: chuckdbacon-activedirectory
+version: !ruby/object:Gem::Version
+  version: 1.0.4
+  prerelease: 
+platform: ruby
+authors:
+- James R Hunt
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2011-11-04 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: &70256844765740 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+  type: :runtime
+  prerelease: false
+  version_requirements: *70256844765740
+description: ActiveDirectory uses Net::LDAP to provide a means of accessing and modifying
+  an Active Directory data store.
+email: filefrog@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files:
+- README
+files:
+- lib/active_directory.rb
+- lib/active_directory/base.rb
+- lib/active_directory/computer.rb
+- lib/active_directory/container.rb
+- lib/active_directory/group.rb
+- lib/active_directory/member.rb
+- lib/active_directory/password.rb
+- lib/active_directory/rails/synchronizer.rb
+- lib/active_directory/rails/user.rb
+- lib/active_directory/timestamp.rb
+- lib/active_directory/user.rb
+- README
+homepage: http://github.com/filefrog/activedirectory
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.11
+signing_key: 
+specification_version: 3
+summary: An interface library for accessing Microsoft's Active Directory.
+test_files: []