David Chilton
2005-Nov-15 17:18 UTC
RE: IE/NTLM/Rails [was: Re: Re: Rails core going multiligual...ever?]
I thought I'd go ahead and post this here, since I haven't had time to do a full write-up for my site but some people might find it useful.

How we authenticate with NTLM and IE passthrough:

What we did is set up a second Rails app that uses mod_auth_sspi in Apache to authenticate (we also did it on IIS using a PHP file, since IIS makes it easy to do single-file permissions).

I also wrote a plugin that supplies an authenticate method for use with a before_filter, like the login_generator does. The authenticate method looks for a cookie and redirects to the secured Rails app if it doesn't find one. This avoids a problem Ajax methods seem to have using HTTP authentication schemes. You can use a second function, "authenticate_dont_redirect", to check for the cookie but not try to redirect to the authentication app. This lets you still check for a valid user with Ajax methods, but doesn't have the problem of the authentication loop.

I also wrote a library to interact with Active Directory through the use of Win32 API calls instead of LDAP (I couldn't get ActiveDirectory (ActiveRecord-like LDAP interface) or RubyLDAP to run on Win32).

If you have my ActiveDirectory plugin installed, then the @logged_user object created by authenticate is returned as a User object and you can easily get the username, firstname, lastname, etc. If not, then it just returns the username.

You can get my plugins and the authentication Rails app from http://www.chiltie.com/svn/rails_plugins/trunk

There are comments in the source files, as well as the directory configuration for httpd.conf for mod_auth_sspi. I can't remember right now where to download it. It does have to be used with Apache on Win32.

Also, we used a subfolder set-up, but you could use a virtual server approach. You'd need to actually change the authentication plugin to use virtual servers; I haven't added configuration options to it yet to configure where the authentication app resides.
When stuff slows down at school (end of semester, senior year, really busy time) I'll write up something on www.chiltie.com giving a more detailed walk-through of using the plugins, especially the ActiveDirectory plugin.

Note that ActiveDirectory doesn't have to be a Rails plugin. I've found it useful for non-Rails Ruby things too, but I packaged it up as a plugin to make it easier to use for our apps.

Also note that I stripped out the test code from the ActiveDirectory plugin before posting it to the world, since it needed internal information to actually be tested.

David
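Added example, not part of the original post and not the plugin's code: a sketch of the cookie handoff the message describes, with the cookie HMAC-signed so the main app can trust a username set by the SSPI-protected app. The secret, cookie name, auth path, lifetime and the signing scheme itself are assumptions made for illustration; only the two filter names come from the post.

```ruby
require "openssl"

# Constructed values for this example; none come from the original post.
SECRET   = "constructed-shared-secret"  # known to both apps, never sent to the browser
AUTH_URL = "/auth/login"                # hypothetical path of the SSPI-protected app
COOKIE   = "auth_user"                  # hypothetical cookie name
MAX_AGE  = 8 * 3600                     # cookie lifetime in seconds

def sign(payload)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
end

# Constant-time comparison so the MAC check does not leak how many bytes matched.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Called by the SSPI-protected app once the web server has authenticated the user.
def issue_cookie(remote_user, now = Time.now.to_i)
  payload = "#{remote_user}|#{now + MAX_AGE}".unpack1("H*")  # hex keeps the value cookie-safe
  "#{payload}.#{sign(payload)}"
end

# Returns the username, or nil when the cookie is missing, tampered with or expired.
def verify_cookie(cookie, now = Time.now.to_i)
  payload, _, mac = cookie.to_s.rpartition(".")
  return nil unless secure_eq(mac, sign(payload))
  user, _, expires = [payload].pack("H*").force_encoding("UTF-8").rpartition("|")
  return nil if user.empty? || expires.to_i <= now
  user
end

# The two filters described in the post: the first redirects to the auth app,
# the second only reports, so Ajax requests never enter a redirect loop.
def authenticate(cookies)
  user = verify_cookie(cookies[COOKIE])
  user ? [:ok, user] : [:redirect, AUTH_URL]
end

def authenticate_dont_redirect(cookies)
  user = verify_cookie(cookies[COOKIE])
  user ? [:ok, user] : [:unauthorized, nil]
end
```

In a Rails controller the returned pairs would map to setting @logged_user, calling redirect_to, or rendering a 401 for the Ajax case.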