Comments on: LDAP-based RBAC with ActiveLdap and declarative_authorization http://www.liveandcode.com/2009/12/14/ldap-based-rbac-with-activeldap-and-declarative_authorization/ Enrico on programming, living, and everything in between Tue, 22 Jun 2010 16:13:06 -0400 hourly 1 http://wordpress.org/?v=3.0 By: Enrico http://www.liveandcode.com/2009/12/14/ldap-based-rbac-with-activeldap-and-declarative_authorization/comment-page-1/#comment-2184 Enrico Fri, 29 Jan 2010 22:35:23 +0000 http://www.liveandcode.com/?p=271#comment-2184 Yeah, looking into it, caching things the way I was only kept the information stored for the request and not for the entire session as I previously thought. So you're storing the role information in the database, then? It seems that the biggest obstacle to caching the role information in the session properly is that declarative_authorization expects the roles to be defined in the User model but Authlogic doesn't store the User instance in the session directly. Depending on your session storage mechanism, storing the User instance might be impractical. Out of curiosity, which lower-level Ruby LDAP library are you using? My posts set up ActiveLdap with net-ldap but I've actually switched to ruby-ldap (ActiveLdap supports both!) because I was having an issue similar to yours with Active Directory where looking up an entry would fail after the connection had been idle for a while. If you're using net-ldap, try switching to ruby-ldap and see if it works better for you. Yeah, looking into it, caching things the way I was only kept the information stored for the request and not for the entire session as I previously thought.

So you’re storing the role information in the database, then?

It seems that the biggest obstacle to caching the role information in the session properly is that declarative_authorization expects the roles to be defined in the User model but Authlogic doesn’t store the User instance in the session directly. Depending on your session storage mechanism, storing the User instance might be impractical.

Out of curiosity, which lower-level Ruby LDAP library are you using? My posts set up ActiveLdap with net-ldap but I’ve actually switched to ruby-ldap (ActiveLdap supports both!) because I was having an issue similar to yours with Active Directory where looking up an entry would fail after the connection had been idle for a while. If you’re using net-ldap, try switching to ruby-ldap and see if it works better for you.

]]> By: Joe Wakefield http://www.liveandcode.com/2009/12/14/ldap-based-rbac-with-activeldap-and-declarative_authorization/comment-page-1/#comment-2183 Joe Wakefield Fri, 29 Jan 2010 17:13:36 +0000 http://www.liveandcode.com/?p=271#comment-2183 I made a bit of a lame solution, but given: 1. My system doesn't need to have multiple roles per user, 2. I don't plan to ever change the role names, and 3. I'm not a database normal form zealot, it addresses my issue. The user session 'create' code grabs user data, runs a check on the relevant domain security groups, and saves the highest level I care about as the user's role. Whenever DA asks for 'role_symbols', it receives the user's role put in array form. ## xxxxxxxxxxxxxx_add_role_to_users.rb add_column :users, :role, :string, :null => false, :default => "Guest" ## user_sessions_controller.rb def create @user_session = UserSession.new(params[:user_session]) @groups = LdapUser.find(@user_session.login).groups.collect(&:cn.to_sym) @curuser = User.find_by_login(@user_session.login) if @groups.include?("Inventory Admins") then @curuser.update_attribute(:role, "admin") elsif @groups.include?("Inventory Users") then @curuser.update_attribute(:role, "user") else @curuser.update_attribute(:role, "guest") end if @user_session.save flash[:notice] = "Login successful!" redirect_back_or_default account_url else render :action => :new end end ## user.rb def role_symbols [ self.role.to_sym() ] end I made a bit of a lame solution, but given:
1. My system doesn’t need to have multiple roles per user,
2. I don’t plan to ever change the role names, and
3. I’m not a database normal form zealot,

it addresses my issue.

The user session ‘create’ code grabs user data, runs a check on the relevant domain security groups, and saves the highest level I care about as the user’s role. Whenever DA asks for ‘role_symbols’, it receives the user’s role put in array form.

## xxxxxxxxxxxxxx_add_role_to_users.rb
add_column :users, :role, :string, :null => false, :default => “Guest”

## user_sessions_controller.rb
def create
@user_session = UserSession.new(params[:user_session])
@groups = LdapUser.find(@user_session.login).groups.collect(&:cn.to_sym)

@curuser = User.find_by_login(@user_session.login)
if @groups.include?(“Inventory Admins”) then
@curuser.update_attribute(:role, “admin”)
elsif @groups.include?(“Inventory Users”) then
@curuser.update_attribute(:role, “user”)
else
@curuser.update_attribute(:role, “guest”)
end

if @user_session.save
flash[:notice] = “Login successful!”
redirect_back_or_default account_url
else
render :action => :new
end
end

## user.rb
def role_symbols
[ self.role.to_sym() ]
end

]]> By: Joe Wakefield http://www.liveandcode.com/2009/12/14/ldap-based-rbac-with-activeldap-and-declarative_authorization/comment-page-1/#comment-2175 Joe Wakefield Thu, 28 Jan 2010 20:15:54 +0000 http://www.liveandcode.com/?p=271#comment-2175 @enrico: If you are referring to "@ldap_entry ||= LdapUser.find(self.login)", I found that only reduces the LDAP queries per page from four to two. I made a small paste running your example code to demonstrate: http://rails.pastebin.com/m74ed7f8e As far as I can tell, 'session' storage is only accessible through controllers, and models can't access controller-level variables (such as current_user). Considering "declarative authorization" requires role_symbols in the model, I have been unable to figure out how to cache group membership properly. @enrico: If you are referring to “@ldap_entry ||= LdapUser.find(self.login)”, I found that only reduces the LDAP queries per page from four to two. I made a small paste running your example code to demonstrate:
http://rails.pastebin.com/m74ed7f8e

As far as I can tell, ‘session’ storage is only accessible through controllers, and models can’t access controller-level variables (such as current_user). Considering “declarative authorization” requires role_symbols in the model, I have been unable to figure out how to cache group membership properly.

]]> By: Enrico http://www.liveandcode.com/2009/12/14/ldap-based-rbac-with-activeldap-and-declarative_authorization/comment-page-1/#comment-2173 Enrico Thu, 28 Jan 2010 16:41:13 +0000 http://www.liveandcode.com/?p=271#comment-2173 @Joe: Perhaps you could take a similar approach to the one I took for caching the LDAP entry in my previous post. That is, the first time you determine role symbols for a User, store the array in an instance variable and that way you don't have to look it up again until you build a fresh User instance for that person (which I think would happen at next login). But there's a disadvantage to caching that information: if you accidentally gave a person a role they shouldn't have and fix that by removing them from the group, you still have to wait for that person to log out (or the session to expire) before the change will take effect. But if you have a large number of users that might be your best option. @Joe: Perhaps you could take a similar approach to the one I took for caching the LDAP entry in my previous post. That is, the first time you determine role symbols for a User, store the array in an instance variable and that way you don’t have to look it up again until you build a fresh User instance for that person (which I think would happen at next login).

But there’s a disadvantage to caching that information: if you accidentally gave a person a role they shouldn’t have and fix that by removing them from the group, you still have to wait for that person to log out (or the session to expire) before the change will take effect. But if you have a large number of users that might be your best option.

]]> By: Joe Wakefield http://www.liveandcode.com/2009/12/14/ldap-based-rbac-with-activeldap-and-declarative_authorization/comment-page-1/#comment-2172 Joe Wakefield Thu, 28 Jan 2010 16:24:23 +0000 http://www.liveandcode.com/?p=271#comment-2172 A nice expansion to this would involve caching the user data (specifically group memberships) in the database, updated every login. Currently it queries Active Directory every time a page is loaded, and I found that it would cause a broken pipe error if I left it idle for a bit while logged in. A nice expansion to this would involve caching the user data (specifically group memberships) in the database, updated every login. Currently it queries Active Directory every time a page is loaded, and I found that it would cause a broken pipe error if I left it idle for a bit while logged in.

]]>