If you manage anything beyond the simplest of setups, you’ve probably got an LDAP server providing directory services to your network. If you don’t, this one probably isn’t for you.
Authenticate using LDAP
The first step is getting Apache to authenticate all requests before they reach your Rails application. This is fiddly work, and Apache already has a rather lovely module – mod_authnz_ldap – that handles the heavy lifting.
<VirtualHost 193.219.108.xxx:443>
# I've used port 443 above because I'm dealing with passwords.
# [...snip...]
<Directory /var/www/foo.example.com/current/public>
AuthType Basic
AuthName "Foo Application Control Panel"
AuthBasicAuthoritative off
AuthBasicProvider ldap
AuthLDAPUrl ldap://ldap.example.com/ou=people,dc=example,dc=com?userid?one
Require valid-user
</Directory>
# [...snip...]
# Your normal Rails HTTP configuration goes here
</VirtualHost>
Look up the user in Rails
At this point, any request hitting your application has already been authenticated against your LDAP directory. Now you need Rails to identify the user. For this I wrote a mixin called Xeriom::Acts::ProtectedSystem:
module Xeriom # :nodoc:
module Acts # :nodoc:
module ProtectedSystem # :nodoc:
def self.included(base)
base.send(:extend, ClassMethods)
end
module ClassMethods
def acts_as_protected_system
include InstanceMethods
send(:before_filter, :ensure_user_is_logged_in)
send(:helper_method, :current_user)
send(:helper_method, :logged_in?)
end
end
module InstanceMethods
def ensure_user_is_logged_in
if !logged_in?
authenticate_user
end
end
def logged_in?
!current_user.blank?
end
def current_user
@current_user ||= User.find_by_id(session[:user_id])
end
def current_user=(user)
@current_user = user
session[:user_id] = user.blank? ? nil : user.id
end
def authenticate_user
authenticate_or_request_with_http_basic("Protected Area") do |username, password|
# Lock your application servers down to listen to only
# the web tier or this will kick your ass.
send(:current_user=, User.find_by_username(username))
end
end
end
end
end
end
ActionController::Base.send(:include, Xeriom::Acts::ProtectedSystem)
To use it, drop the code in your lib/ directory, then call acts_as_protected_system in your ApplicationController:
class ApplicationController < ActionController::Base
helper :all # include all helpers, all the time
protect_from_forgery # because CSRF sucks!
acts_as_protected_system # lock the door
end
The key insight here is that Apache does the hard work of validating credentials against LDAP. Rails simply trusts the authenticated username and looks up the corresponding user record. Just make sure your application servers are locked down to only accept requests from the web tier – otherwise anyone could pass through a forged username.