Here is sample code I use with the net-ldapgem to verify user logins from the ActiveDirectory server at my work:

下面是我在工作中使用net-ldapgem 来验证来自 ActiveDirectory 服务器的用户登录的示例代码：

require 'net/ldap' # gem install net-ldap

def name_for_login( email, password )
  email = email[/\A\w+/].downcase  # Throw out the domain, if it was there
  email << "@mycompany.com"        # I only check people in my company
  ldap = Net::LDAP.new(
    host: 'ldap.mycompany.com',    # Thankfully this is a standard name
    auth: { method: :simple, email: email, password:password }
  )
  if ldap.bind
    # Yay, the login credentials were valid!
    # Get the user's full name and return it
    ldap.search(
      base:         "OU=Users,OU=Accounts,DC=mycompany,DC=com",
      filter:       Net::LDAP::Filter.eq( "mail", email ),
      attributes:   %w[ displayName ],
      return_result:true
    ).first.displayName.first
  end
end

The first.displayName.firstcode at the end looks a little goofy, and so might benefit from some explanation:

最后的first.displayName.first代码看起来有点傻，所以可能会从一些解释中受益：

• Net::LDAP#searchalways returns an array of results, even if you end up matching only one entry. The first call to firstfinds the first (and presumably only) entry that matched the email address.

• The Net::LDAP::Entryreturned by the search conveniently lets you access attributes via method name, so some_entry.displayNameis the same as some_entry['displayName'].

• Every attribute in a Net::LDAP::Entryis always an array of values, even when only one value is present. Although it might be silly to have a user with multiple "displayName" values, LDAP's generic nature means that it's possible. The final firstinvocation turns the array-of-one-string into just the string for the user's full name.

• Net::LDAP#search始终返回一组结果，即使您最终只匹配一个条目。第一次调用first找到与电子邮件地址匹配的第一个（并且可能是唯一的）条目。

• 该Net::LDAP::Entry搜索返回的方便，您可以通过方法的名称访问属性，所以some_entry.displayName是一样的some_entry['displayName']。

• a 中的每个属性Net::LDAP::Entry始终是一组值，即使只有一个值。尽管让用户具有多个“displayName”值可能很愚蠢，但 LDAP 的通用性质意味着它是可能的。最后的first调用将一个字符串数组转换为用户全名的字符串。

Have you tried looking at these:

你有没有试过看这些：

http://saush.wordpress.com/2006/07/18/rubyrails-user-authentication-with-microsoft-active-directory/

http://saush.wordpress.com/2006/07/18/rubyrails-user-authentication-with-microsoft-active-directory/

http://xaop.com/blog/2008/06/17/simple-windows-active-directory-ldap-authentication-with-rails/

http://xaop.com/blog/2008/06/17/simple-windows-active-directory-ldap-authentication-with-rails/

This is more anecdotal than a real answer...

这比真正的答案更轶事......

I had a similar experience using Samba and OpenLDAP server. I couldn't find a library to really do what I wanted so I rolled my own helper classes.

我在使用 Samba 和 OpenLDAP 服务器时也有类似的经历。我找不到一个库来真正做我想做的事，所以我推出了自己的帮助类。

I used ldapbrowserto see what fields Samba filled in when I created a user the "official" way and and basically duplicated that.

当我以“官方”方式创建用户时，我使用ldapbrowser查看 Samba 填充的字段，并且基本上复制了它。

The only tricky/non-standard LDAP thing was the crazy password encryption we have:

唯一棘手/非标准的 LDAP 事情是我们拥有的疯狂密码加密：

userPass:

用户密码：

"{MD5}" + Base64.encode64(Digest::MD5.digest(pass))

sambaNTPassword:

sambaNTP密码：

OpenSSL::Digest::MD4.hexdigest(Iconv.iconv("UCS-2", "UTF-8", pass).join).upcase

For the def authenticate(user, pass)function I try to get LDAP to bind to the domain using their credentials, if I catch an exception then the login failed, otherwise let them in.

对于该def authenticate(user, pass)功能，我尝试使用他们的凭据让 LDAP 绑定到域，如果我捕捉到异常，则登录失败，否则让他们进入。

Sorry, cannot comment yet... perhaps someone can relocate this appropriately.

抱歉，还不能发表评论……也许有人可以适当地重新安置它。

@Phrogz's solution works well, but bind_simple (inside bind) raises an Net::LDAP::LdapError exception due to auth[:username] not being set as shown here:

@Phrogz 的解决方案运行良好，但由于未设置 auth[:username]，bind_simple（内部绑定）引发 Net::LDAP::LdapError 异常，如下所示：

https://github.com/ruby-ldap/ruby-net-ldap/blob/master/lib/net/ldap.rb

https://github.com/ruby-ldap/ruby-net-ldap/blob/master/lib/net/ldap.rb

The corrected replaces:

更正后的替换为：

auth: { method: :simple, email: email, password:password }

with:

和：

auth: { method: :simple, username: email, password:password }

I began using ruby-activedirectory, and even extended it/fixed a few things, hosting judy-activedirectory in Github.

我开始使用 ruby​​-activedirectory，甚至扩展它/修复了一些东西，在 Github 中托管 judy-activedirectory。

Doing the next iteration, I've discovered ActiveLdap has a much better code base, and I'm seriously contemplating switching to it. Does anyone have personal experience with this?

在进行下一次迭代时，我发现 ActiveLdap 有一个更好的代码库，我正在认真考虑切换到它。有没有人有这方面的个人经验？

Have you checked out thoughtbot's ldap-activerecord-gateway? It might be something for you to consider...

你有没有检查过thoughtbot的ldap-activerecord-gateway？这可能是你需要考虑的事情......

http://github.com/thoughtbot/ldap-activerecord-gateway/tree/master

http://github.com/thoughtbot/ldap-activerecord-gateway/tree/master