Search for "Enabled" Users in Net-Ldap for Ruby

Search for Enabled users in net-ldap for Ruby

You can use the ruleOID LDAP_MATCHING_RULE_BIT_AND rule to check UserAccountControl.

I use this filter to find users that are enabled:

(&(objectCategory=organizationalPerson)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

userAccountControl:1.2.840.113556.1.4.803 will have Bit 2 set if the account is disabled.

The value of ruleOID can be one of the following:

• 1.2.840.113556.1.4.803 - This is the LDAP_MATCHING_RULE_BIT_AND rule. The matching rule is true only if all bits from the property match the value. This rule is like the bitwise AND operator.

• 1.2.840.113556.1.4.804 - This is the LDAP_MATCHING_RULE_BIT_OR rule. The matching rule is true if any bits from the property match the value. This rule is like the bitwise OR operator.

An example is when you want to query Active Directory for user class objects that are disabled. The attribute that holds this information is the userAccountControl attribute. This attribute is composed of a combination of different flags. The flag for setting the object that you want to disable is UF_ACCOUNTDISABLE, which has a value of 0x02 (2 decimal). The bitwise comparison filter that specifies userAccountControl with the UF_ACCOUNTDISABLE bit set would resemble this:
(UserAccountControl:1.2.840.113556.1.4.803:=2)

Query all the users in a system with LDAP

So the short answer to the question is that it all depends on how your schema is set up. If you are setting up an LDAP schema, you need to have several groups of records with various cn (common name) identifiers, e.g. cn=activeUsers and cn=inactiveUsers, which will allow you to query down the list much deeper than in my situation.

Better way to query LDAP users via ruby net-ldap?

You can use the Join filter functionality of net-ldap:

require 'net/ldap'

# Two equality filters, joined with a logical AND: any sAMAccountName, and objectCategory organizationalPerson
filter = Net::LDAP::Filter.eq("sAMAccountName", "*")
filter2 = Net::LDAP::Filter.eq("objectCategory", "organizationalPerson")

joined_filter = Net::LDAP::Filter.join(filter, filter2)

# ldap is a bound Net::LDAP instance; treebase is the search base DN
ldap.search(:base => treebase, :filter => joined_filter) do |entry|
  puts entry.sAMAccountName
end

LDAP : Find if user is member of group

This is what I ended up doing:

require 'net/ldap'

def query(username)
  result = nil
  ldap = Net::LDAP.new(@ldap_settings) # ldap_settings has the authentication stuff
  # Escape the username so filter metacharacters in it cannot change the query structure
  filter = "(&(objectClass=user)(sAMAccountName=#{Net::LDAP::Filter.escape(username)}))"
  if ldap.bind
    ldap.search(:base => @base, :filter => filter) do |object|
      # memberOf holds the DNs of the groups the user belongs to
      result = object.memberof.include?("CN=group-im-looking-for,OU=myou,OU=ou,DC=dc,DC=dc,DC=dc")
    end
  else
    raise 'Authentication Error!'
  end
  result
end

This returns true if the user is part of the group, else false.
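As an added example that is not part of any of the answers above, the following pure-Ruby script (no LDAP server or gem needed) applies the two rule OIDs from the first answer to sample userAccountControl values, and builds both the "enabled users" filter and the membership-lookup filter with RFC 4515 escaping of the user-supplied name. The flag values other than UF_ACCOUNTDISABLE, the sample accounts and all function names are constructed for the illustration.

```ruby
# Constructed example, not code from the answers above: applies the two
# rule OIDs locally to sample userAccountControl values and builds the
# filters from the answers with RFC 4515 escaping of user-supplied input.

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
BIT_OR  = "1.2.840.113556.1.4.804"  # LDAP_MATCHING_RULE_BIT_OR

UF_ACCOUNTDISABLE     = 0x0002   # value given on the page
UF_NORMAL_ACCOUNT     = 0x0200   # standard AD flag value (512)
UF_DONT_EXPIRE_PASSWD = 0x10000  # standard AD flag value (65536)

# Mirrors how the server evaluates "attr:<rule>:=mask".
def bit_rule_match?(rule, attribute_value, mask)
  case rule
  when BIT_AND then (attribute_value & mask) == mask # every bit of mask set
  when BIT_OR  then (attribute_value & mask) != 0    # any bit of mask set
  else raise ArgumentError, "unknown matching rule #{rule}"
  end
end

def disabled?(uac)
  bit_rule_match?(BIT_AND, uac, UF_ACCOUNTDISABLE)
end

# Constructed sample accounts: name => userAccountControl.
SAMPLE_USERS = {
  "alice" => UF_NORMAL_ACCOUNT,                                             # 512
  "bob"   => UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,                         # 514
  "svc"   => UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_ACCOUNTDISABLE, # 66050
}

# What the page's "(!(userAccountControl:...803:=2))" clause selects.
def enabled_users(users = SAMPLE_USERS)
  users.reject { |_, uac| disabled?(uac) }.keys
end

# RFC 4515 escaping so a username cannot alter the filter structure.
def ldap_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

def enabled_users_filter
  "(&(objectCategory=organizationalPerson)(objectClass=User)" \
    "(!(userAccountControl:#{BIT_AND}:=#{UF_ACCOUNTDISABLE})))"
end

def member_lookup_filter(username)
  "(&(objectClass=user)(sAMAccountName=#{ldap_escape(username)}))"
end

puts enabled_users.inspect, enabled_users_filter, member_lookup_filter("smith (contractor)*")
```

Note that BIT_AND with a multi-bit mask requires every bit (a mask of 0x10002 matches "svc" but not "bob"), which is why the page's filter tests the single UF_ACCOUNTDISABLE bit.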

How to check for user credentials using active directory and a ruby script

I would guess that your LDAP account details aren't correct, but your LDAP server accepts anonymous binds, which is why it works when you don't specify a valid username and password. LDAP user identifiers are very fiddly, so I'd suggest double-checking the whole thing, including the case of the parts.

How to query list of objects in an Active Directory OU from Ruby

I think this is because you're setting the Net::LDAP::Filter.eq("OU", "ServerGroups") filter which only matches the ServerGroups object itself.

To get all the objects, try searching without specifying a filter. When there's no filter specified, Net::LDAP uses Net::LDAP::Filter.eq("objectClass", "*") as the default filter which matches all of the objects.
