LDAP Server for ActiveRecord Models

Posted by Tammer Saleh

Nov 09

(also posted here)

This daemon came about as an addon to a CRM application that we are developing for a client here at Thoughtbot.

I’m standing firmly on the shoulders of others for this one. Specifically, the Ruby LDAP Server, and this post on daemonizing ruby code.

Grab the source from our SVN repository (svn.thoughtbot.com/ldap-activerecord-gateway/).

Requirements

The only requirement that the daemon imposes on the AR class is that it implement two methods:

  { "objectclass" => [ "top", "person", "organizationalPerson", "inetOrgPerson", "mozillaOrgPerson" ],
    "uid" => [123],
    "sn" => ["Lastname"],
    "givenname" => ["Firstname"],
    "cn" => [ "Firstname Lastname" ],
    "mail" => [ "email@address.com" ] }

Configuration

The LDAP gateway is a separate process from your Rails application, and is not expected to live under the RAILS_DIR. You can install it in any directory you please, and it can run as any user you need (see note about the port number below).

To configure the gateway, copy the conf/ldap-server.example.yml file to conf/ldap-server.yml and edit that file.

Running the Server

Once you’ve configured the server, you can run it with “bin/ldap-server.rb start”. It should immediately daemonize itself and start logging to log/ldap-server.log. As one of the first log messages, it should state how many records it has access to.

As a final test, you should connect to the server with an addressbook client (such as Thunderbird) and try querying for known records.

Final notes

It looks like the ruby-ldapserver library that I’m using has support for dropping privileges after binding to a port, but I wasn’t able to test that functionality. Also, I believe that you should be able to run this as a different user than the one running your Rails application, but that might not be true (you might get log file ownership conflicts). Again, I didn’t have time to test that part.
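The bind-then-drop sequence described above, as an added Ruby example that is not the gateway's or ruby-ldapserver's own code: the listening socket is bound first (the only step that needs root for a port below 1024, such as 389), then group and user privileges are dropped and the process checks that it cannot regain root. The function names and the `nobody` account are this example's assumptions.

```ruby
require 'socket'
require 'etc'

# Order matters: bind the listening socket while still privileged, then shed
# root before serving a single query. Names here are this example's own,
# not the gateway's or ruby-ldapserver's.
def bind_then_drop(host, port, user)
  server = TCPServer.new(host, port)       # bind while still privileged
  drop_privileges(user) if Process.euid.zero?
  server
end

# Drop supplementary groups and gid first, then uid: once the uid is
# unprivileged, setgid would be refused. Then prove the drop cannot be undone.
def drop_privileges(user)
  pw = Etc.getpwnam(user)                  # assumed to exist (e.g. 'nobody')
  Process.initgroups(user, pw.gid)
  Process::Sys.setgid(pw.gid)
  Process::Sys.setuid(pw.uid)
  raise 'privilege drop failed' if Process.euid.zero? || Process.egid.zero?
  begin
    Process::Sys.setuid(0)
    raise 'process could regain root after dropping privileges'
  rescue Errno::EPERM
    # expected: a real drop is irreversible
  end
  true
end

# Reports what a client would be talking to: the bound port and the
# credentials the process is left with. Port 0 asks the OS for a free port,
# so this runs without root; as root it performs the drop for real.
def listener_status(host: '127.0.0.1', port: 0, user: 'nobody')
  server = bind_then_drop(host, port, user)
  status = { port: server.addr[1], euid: Process.euid, egid: Process.egid }
  server.close
  status
end

if __FILE__ == $0
  p listener_status
end
```

Log files are the remaining catch: open log/ldap-server.log before the drop, or make sure it is owned by the target user, or the unprivileged process will be unable to write to it.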



© 2000 - 2009 by thoughtbot, inc.
written by a bushel of tiny robots