web app authentication to active directory

[Nick Brown]

I have a Windows/IIS server which is running some plain-old-CGI Ruby web
apps. Because it's Windows/IIS, authentication is *really* easy in our
active directory environment. I simply have to enable authentication
(kerberos) for the app, then set the permissions on the .cgi files
(users in group X may access this file).

Well, I want to start using Rack-based apps (such as Sinatra), but I
still want seamless authentication. I don't want to force users to type
their passwords--I want the browser and the web server to do seamless
kerberos authentication.

What are my options? I gather that there are no Rack implementations for
IIS. Has anyone successfully managed to get something like this working
on Apache/Passenger? Or is there a better option? Or is it possible to
trigger kerberos at the application level?

Thanks in advance for any advice...

 

[Richard Conroy]

[Note: parts of this message were removed to make it a legal post.]

Well, I want to start using Rack-based apps (such as Sinatra), but I
still want seamless authentication. I don't want to force users to type
their passwords--I want the browser and the web server to do seamless
kerberos authentication.

What are my options? I gather that there are no Rack implementations for
IIS. Has anyone successfully managed to get something like this working
on Apache/Passenger? Or is there a better option? Or is it possible to
trigger kerberos at the application level?

Nick,
this question comes up a fair bit. I think most of the
Ruby/ActiveDirectory
integration issues end up directing people to the various ldap options for
Ruby.

I would also look and see if anyone has built any Rack Middleware around
this.

Sorry I can't be more help.

 

[Nick Brown]

this question comes up a fair bit.

Ruby moves so quickly that it's worth asking questions frequently, as
the answers from six months ago are often obsolete ;-)

I think most of the Ruby/ActiveDirectory
integration issues end up directing people to the various ldap options
for Ruby.

Net-ldap does work! But it requires that I solicit usernames and
passwords. And the "activedirectory" gem seems to be broken and
unmaintained.

I would also look and see if anyone has built any Rack Middleware around
this.

I looked for a way to use Rack on IIS. I didn't find anything considered
"stable" and compatible with MRI :-/

I would love to hear experiences from someone who actually has a
production application using kerberos/AD/MRI.

 

[Richard Conroy]

[Note: parts of this message were removed to make it a legal post.]

Ruby moves so quickly that it's worth asking questions frequently, as
the answers from six months ago are often obsolete ;-)

My main concern with this topic, is that I dont think I have ever seen this
question
answered well. Its not a good sign, as it implies that you are on your own
when you
go down this route.

Net-ldap does work! But it requires that I solicit usernames and
passwords. And the "activedirectory" gem seems to be broken and
unmaintained.

Nicely, net-ldap is being actively maintained (saw some recent
announcements).
I think there is also a ruby-net-ldap which is pure ruby, and gets some
recommendations.

I looked for a way to use Rack on IIS. I didn't find anything considered
"stable" and compatible with MRI :-/

Don't get me started. I dont think there is anybody in the entire planet
putting Ruby
on production windows web servers with MRI. If there was, you would expect
to see
a lot more solutions out there that solve the common problems.

That said, you might want to check out IronRuby, and their solution
ecosystem.

The best advice I often see is to deploy your app on JRuby, then take
advantage
of Java APIs that can do the integration better.

I would love to hear experiences from someone who actually has a
production application using kerberos/AD/MRI.

So would I. I would buy beers for people who can put together all the pieces
of
successfully deploying Ruby web apps on windows.