我一直在试图勾Rails应用程序可达ActiveDirectory中。我将同步数据约公元和数据库，目前MySQL之间的用户（但可能变成SQL服务器或PostgreSQL）。

I've been attempting to hook a Rails application up to ActiveDirectory. I'll be synchronizing data about users between AD and a database, currently MySQL (but may turn into SQL Server or PostgreSQL).

我已经签出的ActiveDirectory，红宝石，它看起来真的越野车（为1.0版本！？）。它包装的Net :: LDAP，所以我尝试使用替代，但它真正贴近LDAP的实际语法和我喜欢的ActiveDirectory，红宝石，因为它的ActiveRecord的语法。

I've checked out activedirectory-ruby, and it looks really buggy (for a 1.0 release!?). It wraps Net::LDAP, so I tried using that instead, but it's really close to the actual syntax of LDAP, and I enjoyed the abstraction of ActiveDirectory-Ruby because of its ActiveRecord-like syntax.

有一种优雅的ORM型工具的目录服务器？更妙的是，如果有某种脚手架工具的LDAP（CRUD用户，组，组织单位，等等）。然后，我可以快速集成与我现有的认证code，虽然Authlogic，并保持所有数据同步。

Is there an elegant ORM-type tool for a directory server? Better yet, if there were some kind of scaffolding tool for LDAP (CRUD for users, groups, organizational units, and so on). Then I could quickly integrate that with my existing authentication code though Authlogic, and keep all of the data synchronized.

推荐答案

下面是一个示例code我与净LDAP使用宝石来验证从ActiveDirectory的服务器用户登录我的作品：

Here is sample code I use with the net-ldap gem to verify user logins from the ActiveDirectory server at my work:

require 'net/ldap' # gem install net-ldap

def name_for_login( email, password )
  email = email[/\A\w+/].downcase  # Throw out the domain, if it was there
  email << "@mycompany.com"        # I only check people in my company
  ldap = Net::LDAP.new(
    host: 'ldap.mycompany.com',    # Thankfully this is a standard name
    auth: { method: :simple, email: email, password:password }
  )
  if ldap.bind
    # Yay, the login credentials were valid!
    # Get the user's full name and return it
    ldap.search(
      base:         "OU=Users,OU=Accounts,DC=mycompany,DC=com",
      filter:       Net::LDAP::Filter.eq( "mail", email ),
      attributes:   %w[ displayName ],
      return_result:true
    ).first.displayName.first
  end
end

在 first.displayName.first code在最后看起来有点傻傻的，所以从一些解释可能会受益：

The first.displayName.first code at the end looks a little goofy, and so might benefit from some explanation:

的Net :: LDAP＃搜索 总是返回的结果数组，即使你最终匹配的只有一个入口。以第一个调用第一个找到的第一个（presumably专用）相匹配的电子邮件地址条目。

Net::LDAP#search always returns an array of results, even if you end up matching only one entry. The first call to first finds the first (and presumably only) entry that matched the email address.

在 的Net :: LDAP ::进入 返回搜索方便，您可以通过方法名称访问属性，因此 some_entry.displayName 是一样的 some_entry ['显示名'] 。

在的Net :: LDAP ::进入每个属性始终是值的数组，即使只有一个值是present。虽然这可能是愚蠢的，有多个显示名值的用户，LDAP的一般性质意味着它是可能的。最后第一调用轮番数组的一串逼到字符串用户的全名。

Every attribute in a Net::LDAP::Entry is always an array of values, even when only one value is present. Although it might be silly to have a user with multiple "displayName" values, LDAP's generic nature means that it's possible. The final first invocation turns the array-of-one-string into just the string for the user's full name.