Hello everyone,

I need to create a Rails app where authentication and permissions for certain application actions will be provided by an LDAP server. There is a problem with LDAP connection management: as every user login will spawn a new connection object instance, it may dangerously increase application memory usage (tbh I don't know what will happen, nothing good for sure). The LDAP server can close the connection remotely after some idle time, but some connection resources will remain in memory nonetheless.

I've done some Google research on what may be the best course of action to manage this issue and I think creating a connection pool sounds good. I've committed a few average-sized Rails projects but nothing I've experienced so far is giving me any clues how to implement this solution.

I'll be happy to hear how you would do it.

Marcin

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
On Mar 6, 2012, at 12:54 PM, Marcin S wrote:

> Hello everyone,
>
> I need to create a Rails app where authentication and permissions for certain application actions will be provided by an LDAP server. There is a problem with LDAP connection management: as every user login will spawn a new connection object instance, it may dangerously increase application memory usage (tbh I don't know what will happen, nothing good for sure). The LDAP server can close the connection remotely after some idle time, but some connection resources will remain in memory nonetheless.
>
> I've done some Google research on what may be the best course of action to manage this issue and I think creating a connection pool sounds good. I've committed a few average-sized Rails projects but nothing I've experienced so far is giving me any clues how to implement this solution.
>
> I'll be happy to hear how you would do it.

----
No - only 1 connection to the LDAP server, using a special account for the purpose with sufficient privileges for the task.

It's easy enough to create 'local' users who authenticate via LDAP and then you can manage their privileges/permissions via Rights/Roles if you want.

Simple Ruby app using net-ldap:

#!/usr/local/bin/ruby
#
require 'rubygems'
require 'net/ldap'

$person = "cwhite"
$passwd = "won't_work"

# Bind as the user over LDAPS (port 636); a successful bind means the
# uid/password pair is valid.
ldap = Net::LDAP.new :encryption => :simple_tls,
                     :host => 'ldap.server',
                     :port => 636, # use 389 for non-ssl
                     :auth => {
                       :method => :simple,
                       :username => "uid=" + $person + ", ou=people, dc=example, dc=com",
                       :password => $passwd
                     }

if ldap.bind
  p "LDAP authentication succeeded"
else
  p "LDAP authentication failed"
end

Should give you enough of a concept for implementing in Rails.

Craig
2012/3/6 Craig White <craig.white-wmL3h9Ogt9DQT0dZR+AlfA@public.gmane.org>:
> On Mar 6, 2012, at 12:54 PM, Marcin S wrote:
> [...]
> ----
> No - only 1 connection to the LDAP server, using a special account for the purpose with sufficient privileges for the task.
>
> It's easy enough to create 'local' users who authenticate via LDAP and then you can manage their privileges/permissions via Rights/Roles if you want.
>
> Simple Ruby app using net-ldap:
>
> #!/usr/local/bin/ruby
> #
> require 'rubygems'
> require 'net/ldap'
>
> $person = "cwhite"
> $passwd = "won't_work"
>
> ldap = Net::LDAP.new :encryption => :simple_tls,
>                      :host => 'ldap.server',
>                      :port => 636, # use 389 for non-ssl
>                      :auth => {
>                        :method => :simple,
>                        :username => "uid=" + $person + ", ou=people, dc=example, dc=com",
>                        :password => $passwd
>                      }
>
> if ldap.bind
>   p "LDAP authentication succeeded"
> else
>   p "LDAP authentication failed"
> end
>
> Should give you enough of a concept for implementing in Rails.
>
> Craig

Yeah, I have login covered already, in a similar way, but what about application permissions?
I can read them at login time, save them somewhere and never use LDAP again until the next login - but when I give that user a cookie, and then authenticate him with it, any permission changes on LDAP won't have any effect (until the next login).
How would you solve that?

Marcin
On Mar 6, 2012, at 11:10 PM, Marcin S wrote:
> 2012/3/6 Craig White <craig.white-wmL3h9Ogt9DQT0dZR+AlfA@public.gmane.org>:
> [...]
>
> Yeah, I have login covered already, in a similar way, but what about application permissions?
> I can read them at login time, save them somewhere and never use LDAP again until the next login - but when I give that user a cookie, and then authenticate him with it, any permission changes on LDAP won't have any effect (until the next login).
> How would you solve that?

----
As best as I understand your question, this is what I do.

I have an SQL User class which shares the 'name' with the uid of the LDAP user, and the user_id and the user_name are inserted into session variables which tie it together.

Then I have all the controllers & methods of my application subject to a Rights/Roles permissions model, so those can be changed at will, since a 'before_filter' requires that a particular user has permissions to access.

Thus while LDAP does authentication (user/password), I use my own hand-rolled authorization scheme to allow/deny access to any/all methods & controllers. I don't store any Rails permissions on LDAP whatsoever.

Craig
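As an added example (not code from the thread or from net-ldap), here is the design Craig describes in plain Ruby: LDAP is asked only whether the bind succeeds, a local User record shares its name with the LDAP uid, user_id and user_name go into the session, and a Rights/Roles check runs on every request the way a before_filter would, so a permission change made while the user is logged in takes effect on the next request without another login, which answers the staleness problem in the previous message. The FakeLdap class, the user_dn helper, the App class and the role/right data are constructed stand-ins and not any library's API.

```ruby
# Added example: LDAP for authentication, local Rights/Roles for authorization.
# FakeLdap stands in for Net::LDAP#bind so this runs without a directory.
require 'set'

class FakeLdap
  # Constructed test directory: bind DN => password.
  DIRECTORY = {
    'uid=cwhite,ou=people,dc=example,dc=com' => 'correct-password'
  }.freeze

  def bind(username:, password:)
    return false if password.nil? || password.empty?   # an empty password is an anonymous bind, not a login
    DIRECTORY[username] == password
  end
end

# Craig's script builds the bind DN by concatenating the uid. Only accept a
# uid made of characters that cannot alter the DN's structure.
def user_dn(uid)
  raise ArgumentError, "invalid uid: #{uid.inspect}" unless uid.match?(/\A[a-z0-9._-]+\z/i)
  "uid=#{uid},ou=people,dc=example,dc=com"
end

# The local "SQL" User: name equals the LDAP uid; the role lives here, not in LDAP.
User = Struct.new(:id, :name, :role)

class App
  def initialize(ldap)
    @ldap = ldap
    @users = { 'cwhite' => User.new(1, 'cwhite', :editor) }
    # role => rights, each right named "controller#action" (constructed data)
    @rights = {
      editor: Set['posts#index', 'posts#edit'],
      admin:  Set['posts#index', 'posts#edit', 'users#destroy']
    }
  end

  # Login: bind against LDAP as the user, then tie the session to the local User.
  def login(session, uid, password)
    return false unless @ldap.bind(username: user_dn(uid), password: password)
    user = @users[uid]
    return false unless user          # valid in LDAP but unknown locally: no access
    session[:user_id] = user.id
    session[:user_name] = user.name
    true
  end

  # The before_filter check: evaluated on every request against the current
  # role/right data, so a change applies without a new login.
  def authorized?(session, controller, action)
    user = @users.values.find { |u| u.id == session[:user_id] }
    return false unless user
    @rights.fetch(user.role, Set.new).include?("#{controller}##{action}")
  end

  def grant(role, right)
    (@rights[role] ||= Set.new) << right
  end

  def revoke(role, right)
    @rights.fetch(role, Set.new).delete(right)
  end
end

# Log in, then change rights mid-session and check them again.
def demo
  app = App.new(FakeLdap.new)
  session = {}
  r = {}
  r[:wrong_password] = app.login(session, 'cwhite', 'nope')
  r[:login_ok]       = app.login(session, 'cwhite', 'correct-password')
  r[:edit_allowed]   = app.authorized?(session, 'posts', 'edit')
  r[:destroy_denied] = !app.authorized?(session, 'users', 'destroy')
  app.grant(:editor, 'users#destroy')          # changed while the user is logged in
  r[:destroy_after_grant] = app.authorized?(session, 'users', 'destroy')
  app.revoke(:editor, 'posts#edit')
  r[:edit_after_revoke] = app.authorized?(session, 'posts', 'edit')
  r[:bad_uid_rejected] = begin
    app.login({}, 'cwhite,ou=admins', 'x')
    false
  rescue ArgumentError
    true
  end
  r
end

p demo if __FILE__ == $PROGRAM_NAME
```

The session carries only the user's id and name; every authorization decision re-reads the role and right tables, so revoking a right is effective on the user's next request, and the uid filter in user_dn keeps a submitted login name from changing the shape of the DN that is concatenated from it.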