Thursday, August 2, 2007

ActiveDirectory (LDAP) integration with Rails - Update

Update: Replacing balance

So I managed to put together something in place:

IIS                      <-----> [ balance <-----> Mongrel cluster ]
(ISAPI rewrite proxy)            (backend server - VMware guest)


The IIS proxy takes care of single sign-on and LDAP authentication. I used the ISAPI rewrite proxy to forward requests to a virtual machine backend that hosts the actual Rails cluster.
The rewrite rules look like:

ISAPI/httpd.ini:
RewriteCond URL (.*)
RewriteHeader X-Forwarded-URL: .* $1

RewriteCond Host: rails-backend(?:-dev)?(?:\.domain.com)?
RewriteProxy (.*) http\://rails-backend:8081$1 [I,U,A]
On the backend side, rails-backend is a VMware guest that runs a Mongrel cluster of three instances of the Rails app behind balance, a TCP load balancer (see the update above, though).

balance 8081 cadweb:8000 cadweb:8001 cadweb:8002 %

# for debug use following
# balance -d -f -p 8081 cadweb:8000 cadweb:8001 cadweb:8002 %

The % at the end tells balance to use hash-based routing, so the same client is routed back to the same server for every request. Update - see the top of the post.
One thing I wished balance would do is filter incoming connections. In this case I would have liked balance to accept connections only from the IIS proxy. I had to use iptables to do it:

# Order matters: the ACCEPT for the IIS proxy must be appended before the catch-all DROP on the same port
iptables -A INPUT -p tcp -s iis-proxy --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 8081 -m state --state NEW,ESTABLISHED -j DROP
A big open issue with this solution is getting the list of groups (access lists) the authenticated user belongs to, and then using that information in Rails to limit which pages are shown to that user.
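The iptables rules above keep strangers off port 8081 at the network layer, and the open issue is using the proxy-authenticated identity inside Rails. As an added example (not code from the original post), here is a Rack-style middleware that mirrors that restriction in the application: it trusts a forwarded identity header only when the TCP peer is the IIS proxy, and hands controllers a vetted user value they can later use for per-page limits. The proxy address 10.0.0.5 and the X-Forwarded-User header are assumptions; the post only shows X-Forwarded-URL being set.

```ruby
# Added example, not from the original post. Assumptions: proxy address 10.0.0.5
# and an X-Forwarded-User header set by the ISAPI filter after LDAP/SSO auth.
require 'ipaddr'

class ProxyOnlyIdentity
  # Constructed: the IIS proxy's address as seen by rails-backend.
  TRUSTED_PROXIES = ['10.0.0.5'].map { |a| IPAddr.new(a) }.freeze
  # Assumed header; Rack exposes "X-Forwarded-User" as HTTP_X_FORWARDED_USER.
  USER_HEADER = 'HTTP_X_FORWARDED_USER'

  def initialize(app)
    @app = app
  end

  def call(env)
    # A peer other than the proxy reached port 8081 directly (the iptables DROP
    # should have stopped it): refuse without even reading the header.
    return respond(403, 'forbidden') unless trusted_peer?(env['REMOTE_ADDR'])
    user = env[USER_HEADER].to_s.strip
    return respond(401, 'no identity from proxy') if user.empty?
    env['sso.user'] = user # controllers read this vetted value, not the raw header
    @app.call(env)
  end

  private

  def trusted_peer?(addr)
    ip = IPAddr.new(addr.to_s) rescue nil
    !ip.nil? && TRUSTED_PROXIES.any? { |proxy| proxy.include?(ip) }
  end

  def respond(status, text)
    [status, { 'Content-Type' => 'text/plain' }, ["#{text}\n"]]
  end
end

# Constructed demo app standing in for the Rails stack.
DEMO_APP = ->(env) { [200, { 'Content-Type' => 'text/plain' }, ["hello #{env['sso.user']}\n"]] }

# Run one constructed request through the middleware; returns the Rack triplet.
def handle(remote_addr, forwarded_user = nil)
  env = { 'REMOTE_ADDR' => remote_addr, 'PATH_INFO' => '/' }
  env[ProxyOnlyIdentity::USER_HEADER] = forwarded_user if forwarded_user
  ProxyOnlyIdentity.new(DEMO_APP).call(env)
end

puts handle('10.0.0.5', 'DOMAIN\\alice').first     # 200: via proxy with identity
puts handle('192.168.1.20', 'DOMAIN\\alice').first # 403: header alone is not trusted
```

In a real deployment the group lookup for the vetted user (the open issue above) would be keyed on env['sso.user'], never on a header a direct client could set.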
