Ruby-net-ldap fail

Discussion in 'Ruby' started by Bruno Sousa, Jul 31, 2009.

  1. Bruno Sousa

    Bruno Sousa Guest

    Hi,
    I am using ruby-net-ldap to connect to an Active Directory server.
    The problem is that it only works for users that are in "Users"
    Organization unit.
    (See attachment) ==> it can connect with joe user. But it fails to
    connect with users from OU "terceiros" for example.

    why is that?
    Is there a better gem for that?

    here is the code:
    require 'rubygems'
    require 'net/ldap'

    # connection details for the AD domain controller
    ldap = Net::LDAP.new
    ldap.host = "10.1.0.32"
    ldap.port = 389

    # bind credentials (plain username, no DN)
    us = "userhere"
    ps = "passwordhere"

    ldap.authenticate us, ps

    # simple bind; prints true/false and the server's result message
    puts ldap.bind
    puts ldap.get_operation_result.message


    regards

    Attachments:
    http://www.ruby-forum.com/attachment/3918/Untitled.png

    --
    Posted via http://www.ruby-forum.com/.
    Bruno Sousa, Jul 31, 2009
    #1

  2. On Fri, Jul 31, 2009 at 2:15 PM, Bruno Sousa<> wrote:
    > Hi,
    > I am using ruby-net-ldap to connect to an Active Directory server.
    > The problem is that it only works for users that are in "Users"
    > Organization unit.
    > (See attachment) ==> it can connect with joe user. But it fails to
    > connect with users from OU "terceiros" for example.
    >
    > why is that?


    Likely because the server wants a full DN and ruby-net-ldap is
    assuming ou=Users,dc=... behind the scenes. Try to auth using the
    full DN, I'll bet it's going to work.

    > Is there a better gem for that?


    There is a better library, yes. http://ruby-ldap.sourceforge.net/

    Ben
    Ben Bleything, Jul 31, 2009
    #2

  3. Bruno Sousa

    Glen Holcomb Guest

    On Fri, Jul 31, 2009 at 3:22 PM, Ben Bleything <> wrote:

    > On Fri, Jul 31, 2009 at 2:15 PM, Bruno Sousa<> wrote:
    > > Hi,
    > > I am using ruby-net-ldap to connect to an Active Directory server.
    > > The problem is that it only works for users that are in "Users"
    > > Organization unit.
    > > (See attachment) ==> it can connect with joe user. But it fails to
    > > connect with users from OU "terceiros" for example.
    > >
    > > why is that?

    >
    > Likely because the server wants a full DN and ruby-net-ldap is
    > assuming ou=Users,dc=... behind the scenes. Try to auth using the
    > full DN, I'll bet it's going to work.
    >
    > > Is there a better gem for that?

    >
    > There is a better library, yes. http://ruby-ldap.sourceforge.net/
    >
    > Ben
    >
    >

    In my experience you need to provide as the
    username when connecting to AD.

    --
    "Hey brother Christian with your high and mighty errand, Your actions speak
    so loud, I can't hear a word you're saying."

    -Greg Graffin (Bad Religion)
    Glen Holcomb, Jul 31, 2009
    #3
  4. Bruno Sousa

    Guest

    On Fri, Jul 31, 2009 at 5:22 PM, Ben Bleything<> wrote:
    > On Fri, Jul 31, 2009 at 2:15 PM, Bruno Sousa<> wrote:
    >> Hi,
    >> (See attachment) ==> it can connect with joe user. But it fails to
    >> connect with users from OU "terceiros" for example.
    >>
    >> why is that?

    >
    > Likely because the server wants a full DN and ruby-net-ldap is
    > assuming ou=Users,dc=... behind the scenes. Try to auth using the
    > full DN, I'll bet it's going to work.


    In an Active Directory environment you can also use the user's UPN
    instead of his DN for the bind username.
    , Jul 31, 2009
    #4
  5. Bruno Sousa

    Glen Holcomb Guest

    On Fri, Jul 31, 2009 at 3:42 PM, <> wrote:

    > On Fri, Jul 31, 2009 at 5:22 PM, Ben Bleything<> wrote:
    > > On Fri, Jul 31, 2009 at 2:15 PM, Bruno Sousa<> wrote:
    > >> Hi,
    > >> (See attachment) ==> it can connect with joe user. But it fails to
    > >> connect with users from OU "terceiros" for example.
    > >>
    > >> why is that?

    > >
    > > Likely because the server wants a full DN and ruby-net-ldap is
    > > assuming ou=Users,dc=... behind the scenes. Try to auth using the
    > > full DN, I'll bet it's going to work.

    >
    > In an Active Directory environment you can also use the user's UPN
    > instead of his DN for the bind username.
    >
    >

    Yep, UPN that's the term I couldn't remember so constructed with written
    gesticulations.

    --
    "Hey brother Christian with your high and mighty errand, Your actions speak
    so loud, I can't hear a word you're saying."

    -Greg Graffin (Bad Religion)
    Glen Holcomb, Jul 31, 2009
    #5
  6. On Fri, Jul 31, 2009 at 2:42 PM, <> wrote:
    > In an Active Directory environment you can also use the user's UPN
    > instead of his DN for the bind username.


    Ahh cool. I've never really worked with AD except to sync it with
    openldap so I'm not really familiar with such things.

    Ben
    Ben Bleything, Jul 31, 2009
    #6
  7. Bruno Sousa

    Bruno Sousa Guest

    Ben Bleything wrote:
    > On Fri, Jul 31, 2009 at 2:42 PM, <> wrote:
    >> In an Active Directory environment you can also use the user's UPN
    >> instead of his DN for the bind username.

    >
    > Ahh cool. I've never really worked with AD except to sync it with
    > openldap so I'm not really familiar with such things.
    >
    > Ben



    I got it working with ruby-ldap.
    Is it necessary to specify the organization unit? It's working ONLY if I
    specify it:

    require "ldap"
    require "pp"

    $HOST = '10.1.0.3'
    $PORT = 389

    conn = LDAP::Conn.new($HOST, $PORT)
    conn.bind('cn=somebody,ou=terceiros,dc=intranet,dc=example,dc=com',password='secret')
    --
    Posted via http://www.ruby-forum.com/.
    Bruno Sousa, Aug 3, 2009
    #7
  8. On Mon, Aug 3, 2009 at 11:46 AM, Bruno Sousa<> wrote:
    > I got it working with ruby-ldap.
    > Is it necessary to specify the organization unit? It's working ONLY if I
    > specify it:


    Yes, as mentioned before you need to provide the full path (DN) or
    similar so that the ldap server can find your user. When you don't,
    it assumes you mean ou=Users.

    Ben
    Ben Bleything, Aug 3, 2009
    #8
  9. Bruno Sousa

    Bruno Sousa Guest

    Ben Bleything wrote:
    > On Mon, Aug 3, 2009 at 11:46 AM, Bruno Sousa<> wrote:
    >> I got it working with ruby-ldap.
    >> Is it necessary to specify the organization unit? It's working ONLY if I
    >> specify it:

    >
    > Yes, as mentioned before you need to provide the full path (DN) or
    > similar so that the ldap server can find your user. When you don't,
    > it assumes you mean ou=Users.
    >
    > Ben


    Is it a library limitation? Or should it really work like this?
    I imagined it should work as when you log in to Windows computers:
    username, password and domain. No need for OUs :)
    --
    Posted via http://www.ruby-forum.com/.
    Bruno Sousa, Aug 3, 2009
    #9
  10. On Mon, Aug 3, 2009 at 11:57 AM, Bruno Sousa<> wrote:
    > Is it a library limitation? Or should it really work like this?
    > I imagined it should work as when you log in to Windows computers:
    > username, password and domain. No need for OUs :)


    No, this is How LDAP Works™. Remember that Active Directory is like
    LDAP++... it does things that LDAP doesn't do natively, like
    recursively searching the tree for users.

    Ben
    Ben Bleything, Aug 3, 2009
    #10
  11. Bruno Sousa

    Glen Holcomb Guest

    On Mon, Aug 3, 2009 at 12:57 PM, Bruno Sousa <> wrote:

    > Ben Bleything wrote:
    > > On Mon, Aug 3, 2009 at 11:46 AM, Bruno Sousa<> wrote:
    > >> I got it working with ruby-ldap.
    > >> Is it necessary to specify the organization unit? It's working ONLY if I
    > >> specify it:

    > >
    > > Yes, as mentioned before you need to provide the full path (DN) or
    > > similar so that the ldap server can find your user. When you don't,
    > > it assumes you mean ou=Users.
    > >
    > > Ben

    >
    > Is it a library limitation? Or should it really work like this?
    > I imagined it should work as when you log in to Windows computers:
    > username, password and domain. No need for OUs :)
    > --
    > Posted via http://www.ruby-forum.com/.
    >
    >

    You are forgetting that when you log into a Windows computer you have to
    specify the domain. That info plus your username become the authentication
    string. Microsoft just hides it well.

    --
    "Hey brother Christian with your high and mighty errand, Your actions speak
    so loud, I can't hear a word you're saying."

    -Greg Graffin (Bad Religion)
    Glen Holcomb, Aug 3, 2009
    #11
  12. Bruno Sousa

    Guest

    On Mon, Aug 3, 2009 at 2:57 PM, Bruno Sousa<> wrote:
    > Ben Bleything wrote:
    >> On Mon, Aug 3, 2009 at 11:46 AM, Bruno Sousa<> wrote:
    >>> I got it working with ruby-ldap.
    >>> Is it necessary to specify the organization unit? It's working ONLY if I
    >>> specify it:

    >>
    >> Yes, as mentioned before you need to provide the full path (DN) or
    >> similar so that the ldap server can find your user. When you don't,
    >> it assumes you mean ou=Users.

    >
    > Is it a library limitation? Or should it really work like this?
    > I imagined it should work as when you log in to Windows computers:
    > username, password and domain. No need for OUs :)


    You could provide your own function to search the tree based
    on username to get the DN and then use that to bind.
    But then either your directory would need to grant an anonymous
    connection search rights or you would need a service account
    for the script to use. You would also need to consider the
    possibility of duplicate usernames with different DNs (this is
    less of an issue in Active Directory since AD is in some ways
    still a flat domain with a simulated hierarchy bolted on).
    A production implementation would probably want to cache rather
    than run an extra search for every authentication request.

    Alternatively, you could attempt to authenticate the user in all
    possible OUs until one works or all have failed. :)

    Or finally, you can use UPNs if you don't mind being non-portable
    to any other LDAP implementations. This is what I do in my own
    corporate apps (despite the bad taste it leaves in my mouth).
    I've done a couple of variations:
    * Ask for "Username" and append the UPN suffix
    * Ask for "UPN" and pass it through
    * Ask for "Email Address" and hope they enter their
    canonical address and not a special alias
    , Aug 4, 2009
    #12
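The search-then-bind approach and the UPN shortcut described in the post above, as an added example (not the poster's code and not from the thread). It assumes ruby-net-ldap's `search`/`bind` interface and a base DN modelled on the DN in post #7; the connection is built by the caller, which has already set a service-account `auth` for the lookup, and the login name is escaped before it goes into the search filter.

```ruby
# Caller builds the connection with the gem, e.g.:
#   require 'net/ldap'
#   conn = Net::LDAP.new(host: '10.1.0.32', port: 389)
#   conn.auth(service_dn, service_password)   # service account for the search
# It is passed in so this logic can also run against a stub.
BASE_DN = 'dc=intranet,dc=example,dc=com' # assumed, after post #7

# RFC 4515 escaping. The login name is user input that ends up inside a
# filter, so "*" or ")(|(...)" must not be able to change what matches.
def escape_filter_value(value)
  value.gsub(/[\\*()\0]/) { |c| format('\\%02x', c.ord) }
end

# Map a sAMAccountName to its DN. Returns nil unless exactly one entry
# matches: an unknown name and a duplicate name are both refused.
def resolve_dn(conn, username)
  filter = "(sAMAccountName=#{escape_filter_value(username)})"
  entries = conn.search(base: BASE_DN, filter: filter, attributes: ['dn']) || []
  return nil unless entries.size == 1
  entries.first.dn
end

# Look up the DN with the service account, then bind as the user.
# An empty password is rejected up front: a simple bind with a DN and no
# password is an unauthenticated bind (RFC 4513), not a failed login.
def authenticate(conn, username, password)
  return false if password.to_s.empty?
  dn = resolve_dn(conn, username)
  return false unless dn
  conn.bind(method: :simple, username: dn, password: password)
end

# AD-only alternative from the post: bind with the UPN, no search needed.
def upn_for(username, suffix = 'intranet.example.com') # suffix assumed
  "#{username}@#{suffix}"
end
```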
