On Mon, Aug 3, 2009 at 2:57 PM, Bruno Sousa<brgsousa / gmail.com> wrote:
> Ben Bleything wrote:
>> On Mon, Aug 3, 2009 at 11:46 AM, Bruno Sousa<brgsousa / gmail.com> wrote:
>>> I got it working with ruby-ldap.
>>> Is it necessary to specify the organization unit? It's working ONLY if I
>>> specify it:
>>
>> Yes, as mentioned before you need to provide the full path (DN) or
>> similar so that the ldap server can find your user.  
>> it assumes you mean ou=Users.
>
> Is it a library limitation? Or it really should work like this?
> I imagined it should work as when you log in windows computers:
> username, password and Domain. No need for OUs :)

You could provide your own function to search the tree based
on username to get the DN and then use that to bind.
    But then either your directory would need to allow an anonymous
    connection search rights or you would need a service account
    for the script to use.  You would also need to consider the
    possibility of duplicate usernames with different DNs (this is
    less of an issue in Active Directory since AD is in some ways
    still a flat domain with a simulated hierarchy bolted on).
    A production implementation would probably want to cache rather
    than run an extra search for every authentication request.

Alternatively, you could attempt to authenticate the user in all
possible OUs until one works or all have failed.  :-)

Or finally, you can use UPNs if you don't mind being non-portable
to any other LDAP implementations.  This is what I do in my own
corporate apps (despite the bad taste it leaves in my mouth).
    I've done a couple of variations:
        * Ask for "Username" and append the UPN suffix
        * Ask for "UPN" and pass it through
        * Ask for "Email Address" and hope they enter their
        canonical address and not a special alias
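Here is an added example (mine, not code from anyone in this thread) of the first option above, "search the tree for the DN, then bind as that DN", together with the UPN shortcut. It assumes a duck-typed directory object with `search(base:, filter:)` and `bind(dn:, password:)` methods, so the logic can run offline against the in-memory FakeDirectory at the bottom; the real ruby-ldap and net-ldap APIs differ from this interface, so you would wrap the actual connection the same way. The AD attribute name `sAMAccountName`, the base DN and the names in the fake directory are all constructed sample values.

```ruby
require 'time'

# Escape a user-supplied value before splicing it into an LDAP filter
# (RFC 4515 section 3), so a login name such as "*" or "x)(cn=admin"
# cannot widen the search to other entries.
def escape_filter_value(value)
  value.gsub(/[\\*()\x00]/) { |ch| format('\\%02x', ch.ord) }
end

class SearchThenBindAuthenticator
  # directory: object exposing #search(base:, filter:) and #bind(dn:, password:)
  # service_dn / service_password: the account allowed to search (nil = anonymous)
  # cache_ttl: seconds to remember a username => DN mapping between logins
  def initialize(directory, base_dn:, service_dn:, service_password:, cache_ttl: 300)
    @directory = directory
    @base_dn = base_dn
    @service_dn = service_dn
    @service_password = service_password
    @cache_ttl = cache_ttl
    @dn_cache = {} # username => [dn, expires_at]
  end

  # Returns the user's DN on success and nil on failure. The user DN is only
  # ever bound when the search found exactly one match.
  def authenticate(username, password)
    # An empty password is an anonymous bind on many servers and would "succeed".
    return nil if password.nil? || password.empty?
    dn = lookup_dn(username)
    return nil if dn.nil?
    @directory.bind(dn: dn, password: password) ? dn : nil
  end

  private

  def lookup_dn(username)
    cached = @dn_cache[username]
    return cached[0] if cached && cached[1] > Time.now
    # Bind with the service account (or anonymously) before searching.
    return nil unless @directory.bind(dn: @service_dn, password: @service_password)
    filter = "(sAMAccountName=#{escape_filter_value(username)})"
    entries = @directory.search(base: @base_dn, filter: filter)
    # Zero hits: unknown user. More than one: ambiguous, refuse rather than guess.
    return nil unless entries.size == 1
    dn = entries.first[:dn]
    @dn_cache[username] = [dn, Time.now + @cache_ttl]
    dn
  end
end

# UPN shortcut (Active Directory only): append the suffix unless the caller
# already typed a full UPN, then bind with the result directly.
def upn_for(username, suffix)
  username.include?('@') ? username : "#{username}@#{suffix}"
end

# Constructed in-memory stand-in for an LDAP server so the example runs offline.
class FakeDirectory
  attr_reader :searches

  def initialize(entries, passwords)
    @entries = entries     # [{ dn: '...', sAMAccountName: '...' }, ...]
    @passwords = passwords # dn => password
    @searches = 0
  end

  def bind(dn:, password:)
    return true if dn.nil? && (password.nil? || password.empty?) # anonymous bind
    @passwords[dn] == password
  end

  def search(base:, filter:)
    @searches += 1
    m = filter.match(/\A\(sAMAccountName=(.*)\)\z/) or return []
    @entries.select { |e| e[:dn].end_with?(base) && e[:sAMAccountName] == m[1] }
  end
end
```

The ambiguity check is the part people usually skip: with two "bob" accounts in different OUs the search returns two DNs, and binding the first one would let a password for one account log in as the other. The cache only stores the username to DN mapping, never the password, so a cached entry still costs one bind per login.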