Wednesday, June 20, 2007

ActiveDirectory (LDAP) integration with Rails

Updated:
The solution that I went with. Read this article completely first so you are aware of the landscape.
EOM

I am currently exploring options to allow my rails apps to authenticate against an ActiveDirectory server. Active Directory is Windows 2000/2003 implementation of LDAP.

This post rounds up the options available and is my brain dump on the topic:

Authentication built into Rails:
When you want to code in the authentication mechanism within the rails app itself, you can use one of the following modules. This may be of interest when the rails app needs to know more details about the user and user's group memberships etc for security purposes and restrict parts of the website depending on user.
  • Net:LDAP
    Recommended on rails wiki since it is pure ruby and has no other external dependencies. There is some code on the rails wiki that allows one to derive groups the user belongs to. I haven't tried it.
  • ruby/ldap
    This post describes using ruby/ldap to allows authentication against a AD server. It has sample code to get the groups a user is assigned to.
  • ActiveLDAP
    The rails wiki has more info. Looks like ruby/ldap is recommended over this library.
Authentication done via Web Server:
The idea here is to have the web server perform the authentication and only forward the request to the Rails app if the user is authenticated. The user info (username, groups) etc may be passed to the Rails app using HTTP variables or cgi params. I will write about this more later as I come to that step.

A big reason why one may wish to use authentication done by the web server is to support single sign-on. Microsoft IE (and firefox) allow the automatic authentication using the current Windows user information. This is called Integrated Windows Authentication, formerly called NTLM. However this requirement limits the web server that can be used as our front-end.

Here is a list of possible combinations:
Windows based
  • IIS + Mongrel + ISAPI Rewrite - more info here. The problem here is rails caching doesn't work with this setup.
  • IIS + Mongrel + lighttpd + Mongrel + ISAPI Rewrite - more info here. A better solution since static files and cached fragments can be served by the lighttpd quickly and faster.
  • Apache + SCGI + mod_auth_sspi - here . mod_auth_sspi adds NTLM/LDAP authentication to apache.
    However it is not known if it supports groups.
Linux
Hybrid
  • IIS + ISAPI Rewrite on Windows, proxying http requests to a lighttpd + Mongrel setup on a Linux box.
    This seems to be the ideal solution. The Lighttpd + Mongrel cluster is a proven setup and can be scaled by simply adding more rails instances. lighttpd can easily load balance these rails clusters. And static and cached fragments can be served quickly by the lighttpd.
More to come.

5 comments:

Anonymous said...

Hi,
I have been trying to integrate windows authentication in rails. After lot of googling I decided to use Apache + mod_auth_sspi + Mongrel. Many people claim that it works but I could not get it working. http://www.ruby-forum.com/topic/144662

Have you found any working solution?

Thanks,
Abhi

Juanjo said...

You can get more information about ActiveLdap in this post (in spanish)
http://divinapotentia.com/20/1/2008/autenticaci-n-con-activeldap-en-ruby-on-rails

Anonymous said...
This comment has been removed by a blog administrator.
Unknown said...
This comment has been removed by a blog administrator.
bumbu pecel bali said...
This comment has been removed by a blog administrator.