How to check user credentials against Active Directory with a Ruby script

Time: 2020-12-29 06:59:44

I'm trying write a Ruby script that checks if user credentials are valid using an active directory server. Here's what I've tried so far:

require 'rubygems'
require 'net/ldap'  # the gem is called net-ldap, but the file to require is net/ldap

host = '10.4.1.6'
port = 389

username = 'username'
password = 'password'

ldap = Net::LDAP.new
ldap.host = host
ldap.port = port
ldap.auth "CN=#{username},CN=Users,DC=companyname,DC=ad", password

if ldap.bind
  puts 'YES!'
  puts ldap.get_operation_result.message
else
  puts 'NO :-('
  puts ldap.get_operation_result.message
end

If I enter a non existing username and an empty string as a password, the bind operation succeeds. If I enter a valid username and a valid/invalid/empty password, the bind operation fails with error message 'Invalid Credentials'.

I've looked at other threads and read the net-ldap documentation but I can't figure out what I'm doing wrong.

Can someone give me some ideas on how to achieve this?

Thanks in advance for any replies :-)

Edit:

As @StuartEllis suggested, the problem was with the user identifier. To figure out the correct DN, I used the following script (taken from the net-ldap documentation):

# reuses the ldap object built in the script above
ldap.auth "CN='adminUser',CN=Users,DC=companyname,DC=ad", 'adminUserPwd'
ldap.bind
treebase = "DC=companyname,DC=ad"
filter = Net::LDAP::Filter.eq( "mail", "username@companyname.com" )
attrs = ["mail", "cn", "sn","objectclass"]
ldap.search( :base => treebase, :filter => filter, :attributes => attrs, :return_result => false ) do |entry|
  puts entry.to_ldif  # prints the entry's DN and attributes (same output as entry._dump 0)
end

I then retried using my original script (above) with the obtained DN and voila!

2 solutions

#1


2  

I would guess that your LDAP account details aren't correct, but your LDAP server accepts anonymous binds, which is why it works when you don't specify a valid username and password. LDAP user identifiers are very fiddly, so I'd suggest double-checking the whole thing, including the case of the parts.

#2


1  

Here is sample code I use with the net-ldap gem to verify user logins from the ActiveDirectory server at my work:

def name_for_login( email, password )
  email = email[/\A\w+/].downcase  # Throw out the domain, if it was there
  email << "@mycompany.com"        # I only check people in my company
  ldap = Net::LDAP.new(
    host: 'ldap.mycompany.com',    # Thankfully this is a standard name
    auth: { method: :simple, username: email, password: password }  # net-ldap expects :username, not :email
  )
  if ldap.bind
    # Yay, the login credentials were valid!
    # Get the user's full name and return it
    ldap.search(
      base:          "OU=Users,OU=Accounts,DC=mycompany,DC=com",
      filter:        Net::LDAP::Filter.eq( "mail", email ),
      attributes:    %w[ displayName ],
      return_result: true
    ).first.displayName.first
  end
end
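An added example, not code from the question or either answer, showing why the question's script prints YES for a non-existent user with an empty password, and the check that closes the hole: an LDAP simple bind that carries a name but an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), and Active Directory accepts it by default, so the bind "succeeds" for any name. The server is simulated by a constructed FakeAdBinder so the code runs offline; check_credentials, NetLdapBinder and the companyname.ad UPN suffix are my own assumptions.

```ruby
# Constructed stand-in for how an AD domain controller answers a simple bind:
# an EMPTY password is an unauthenticated bind and is granted for any name.
class FakeAdBinder
  def initialize(accounts)
    @accounts = accounts # { "user@upn.suffix" => "password" } (constructed data)
  end

  def bind(username, password)
    return true if password.to_s.empty? # unauthenticated bind: "success" for anyone
    @accounts.key?(username) && @accounts[username] == password
  end
end

UPN_SUFFIX = 'companyname.ad' # assumption: domain taken from the question's DN

# The question's logic: hand whatever the user typed straight to bind.
def naive_check(username, password, binder)
  binder.bind("#{username}@#{UPN_SUFFIX}", password)
end

# Hardened check: refuse before binding whenever the bind could be anonymous.
def check_credentials(username, password, binder)
  user = username.to_s.strip
  pw   = password.to_s
  return false unless user.match?(/\A[\w.-]+\z/) # no empty or metachar-laden names
  return false if pw.empty?                      # an empty password is never "valid"
  binder.bind("#{user}@#{UPN_SUFFIX}", pw) == true
end

# Real binder for check_credentials (needs the net-ldap gem; not exercised offline).
# AD accepts a userPrincipalName as the simple-bind name, which sidesteps the DN
# guessing the question ran into; StartTLS keeps the password off the wire in clear.
class NetLdapBinder
  def initialize(host, port = 389)
    require 'net/ldap'
    @ldap = Net::LDAP.new(host: host, port: port,
                          encryption: { method: :start_tls })
  end

  def bind(username, password)
    @ldap.bind(method: :simple, username: username, password: password)
  end
end
```

Swap FakeAdBinder for NetLdapBinder.new('10.4.1.6') to run the same check against the question's server.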
