While I don't have any code to share and don't have an AD server to test against, I'll post some general information that others might find helpful when using rack-ntlm (which would be the best route at this point).

First thing to understand is that NTLM never actually gives you the user password. You don't NEED to authenticate the user inside your app. NTLM has already done that. What rack-ntlm will give you is a domain + user that you can then work with.

rack-ntlm does some additional work with that information that may or may not be valuable to you. You provide it with an AD server, port and a set of credentials. It will then take that user object (for lack of a better word) and look them up in AD via an LDAP call.

The credentials that rack-ntlm is asking for in settings would be YOUR credentials (or optimally, application-specific credentials in the domain that have limited query access). With that query, you would get back the details of that user from AD (group membership, email addresses, whatever). You can use that to further populate your database with user details.

One thing to note is that if you're using any browser OTHER than IE (and in some cases, even with IE), your users will get an HTTP authentication dialog. Depending on whether your site is on the "intranet" or not, IE will pass through the NTLM credentials automatically. This is controlled on a per-browser basis, so you may not have any control. In Firefox, there's an "about:config" setting that will let you populate trusted sites.

So if we're going back to rack-ntlm, the flow would look something like this:

- browser -> sinatra app
- (handwaving challenge/response work here)
- rack-ntlm now looks up user in AD via LDAP
- sinatra app now has user details from LDAP in some hash
- sinatra app creates a base user
- store username (no password, because you don't HAVE it) with some basic set of abilities in local datastore
- sinatra sets cookie to "logged-in" or whatever

If you wanted, you could map AD groups to application roles in some capacity so that, say, domain admins automatically were added to your admin role.
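The tail of that flow, as an added example that is not part of the answer or of the rack-ntlm gem: take the `DOMAIN\user` identity and the LDAP details hash, build a local user record with no password, and map AD groups to application roles. It assumes the identity arrives as a `"DOMAIN\\user"` string and the LDAP entry is a plain Hash whose `memberOf` value is an array of group DNs; the group-to-role table and the sample entry are constructed for the example.

```ruby
# Hypothetical mapping of AD group CNs to application roles (constructed).
GROUP_ROLE_MAP = {
  "Domain Admins" => :admin,
  "App Editors"   => :editor,
}.freeze

# Every authenticated user gets at least this basic set of abilities.
DEFAULT_ROLES = [:viewer].freeze

# "CORP\\jdoe" -> ["CORP", "jdoe"]; rejects anything that is not domain\user
# so a malformed or UPN-style value cannot be mistaken for a local account.
def split_ntlm_identity(identity)
  m = /\A([^\\\/@\s]+)\\([^\\\/@\s]+)\z/.match(identity.to_s)
  raise ArgumentError, "unexpected NTLM identity: #{identity.inspect}" unless m
  [m[1].upcase, m[2].downcase]
end

# Extract the CN from a group DN such as
# "CN=Domain Admins,CN=Users,DC=corp,DC=example"; nil if the first RDN is not a CN.
def group_cn(dn)
  key, value = dn.to_s.split(",").first.to_s.split("=", 2)
  key.to_s.casecmp?("CN") ? value : nil
end

# Map the memberOf DNs onto roles; unknown groups simply grant nothing.
def roles_for(member_of)
  mapped = Array(member_of).map { |dn| GROUP_ROLE_MAP[group_cn(dn)] }.compact
  (DEFAULT_ROLES + mapped).uniq
end

# Build the local user record: identity plus roles, and deliberately no
# password field, because NTLM never handed one to the application.
def build_local_user(identity, ldap_entry)
  domain, user = split_ntlm_identity(identity)
  {
    domain: domain,
    username: user,
    email: Array(ldap_entry["mail"]).first,
    roles: roles_for(ldap_entry["memberOf"]),
  }
end

# Constructed sample LDAP entry in the shape the answer describes.
SAMPLE_LDAP_ENTRY = {
  "sAMAccountName" => ["jdoe"],
  "mail"           => ["jdoe@corp.example"],
  "memberOf"       => [
    "CN=Domain Admins,CN=Users,DC=corp,DC=example",
    "CN=Staff,OU=Groups,DC=corp,DC=example",
  ],
}.freeze
```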