Redmine LDAP authentication fails for SOME users - ruby-on-rails

I have a Redmine instance with configured LDAP authentication. 90-95% of the users listed in the LDAP catalog have no problem logging into the application (Redmine). But some users do: they are present in LDAP, but when they try to log in to Redmine, it responds: Invalid credentials.
My observation is that this issue happens with users who haven't logged into Redmine for more than 3-5 months. At that point, due to security policy, the LDAP system requires the accounts to change their password. So my thought is that when they have changed the password and try to log in, there is a conflict between the old and new password.
At the same time there are no problems with LDAP itself (only when a user tries to log in to Redmine, that's why I thought it's some kind of internal application conflict).
password_authentication called
try_to_login called
#<User id: 111, login: "qwe", hashed_password: "", firstname: "qwe", lastname: "qwe", admin: false, status: 1, last_login_on: "2020-02-14 04:36:51", language: "", auth_source_id: 1, created_on: "2018-10-05 00:46:00", updated_on: "2019-06-20 01:30:34", type: "User", identity_url: nil, mail_notification: "only_my_events", salt: nil, must_change_passwd: false, passwd_changed_on: nil>
user.nil? = true
user.new_record? =
user.active? =
Failed login for 'qwe' from xxx.xx.xxx.xxx at 2020-03-02 09:29:53 UTC
authenticate_user finished
Can you give me some help and advice please? I have no idea what is wrong.

Found the solution: the issue was that the login in Redmine wasn't the same as in the LDAP catalogues. I went through all the login logic and found that the entity returned, which is required to log in, was empty due to the login mismatch.

Related

Active model OTP not generating new secret key after 30 seconds sleep

I am trying to implement active_model_otp on a sample Rails application.
My user model has name and email columns. After following the necessary steps from the documentation, I first created a user as follows in the Rails console:
User.create(name: "Abc", email: "example#email.com")
This created a record as follows:
<User id: 1, name: "Abc", email: "example#email.com", created_at: "2017-04-28 07:12:25", updated_at: "2017-04-28 07:12:25", otp_secret_key: "lol6rrtqppy46xfs">
Then I assigned:
user = User.last
and user.otp_secret_key gave the OTP that was generated, which is
=>"lol6rrtqppy46xfs"
Then I ran
sleep(2)
According to the given documentation, it is supposed to generate a new OTP after 2 seconds. But when I ran user.otp_secret_key again in the console after 2 seconds, it returned the same old OTP.
=>"lol6rrtqppy46xfs"
What am I missing?
Twilio developer evangelist here.
The otp_secret_key is the string that is used to generate the actual OTP code that you send to the user. It is the secret that is shared with the user (via the QR code), and so it needs to match on both the user's auth app and your server.
The generated OTP should change every 30 seconds. As far as I can see it uses the default interval of the ROTP gem, which is 30 seconds.
The method to get the OTP is otp_code. So to check it's working, try:
user = User.last
puts user.otp_code
sleep(30)
puts user.otp_code
Let me know if that helps at all.
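To make the distinction in the answer above concrete, here is an added example (plain Ruby on the standard library, not code from active_model_otp or ROTP) that implements RFC 6238 TOTP with ROTP's default 30-second step. The Totp module and its method names are this example's own; the secret in the usage block is the one from the question, and the code only changes when the time divided by the step crosses a boundary, which is why a 2-second sleep usually shows the same code.

```ruby
require 'openssl'

# Added example (stdlib only; not active_model_otp or ROTP code): an RFC 6238
# TOTP so the two values the question confuses can be seen side by side.
module Totp
  ALPHABET = (('A'..'Z').to_a + ('2'..'7').to_a).freeze
  STEP   = 30   # ROTP's default interval, which active_model_otp inherits
  DIGITS = 6

  # Decode an unpadded base32 secret such as "lol6rrtqppy46xfs".
  def self.base32_decode(str)
    bits = str.upcase.delete('=').each_char.map do |c|
      idx = ALPHABET.index(c) or raise ArgumentError, "bad base32 char #{c.inspect}"
      idx.to_s(2).rjust(5, '0')
    end.join
    bits[0, bits.length - bits.length % 8].scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
  end

  # HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation.
  def self.hotp(key, counter, digits = DIGITS)
    mac = OpenSSL::HMAC.digest('sha1', key, [counter].pack('Q>')).bytes
    off = mac.last & 0x0f
    num = (mac[off] & 0x7f) << 24 | mac[off + 1] << 16 | mac[off + 2] << 8 | mac[off + 3]
    (num % 10**digits).to_s.rjust(digits, '0')
  end

  # TOTP: the secret never changes; only the counter (time / STEP) does.
  def self.code(base32_secret, at = Time.now.to_i, step = STEP)
    hotp(base32_decode(base32_secret), at / step)
  end
end

# Mirrors the console session from the question: the secret stays the same,
# and the code only changes once a 30-second boundary is crossed.
if __FILE__ == $PROGRAM_NAME
  secret = 'lol6rrtqppy46xfs'   # otp_secret_key value quoted in the question
  now = Time.now.to_i
  puts "secret:    #{secret}"
  puts "code now:  #{Totp.code(secret, now)}"
  puts "code +2s:  #{Totp.code(secret, now + 2)}"    # same unless a boundary is crossed
  puts "code +30s: #{Totp.code(secret, now + 30)}"   # always the next step's code
end
```

The RFC 6238 SHA-1 test vectors (secret "12345678901234567890") can be used to check the implementation against a real authenticator app.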

How to config phabricator login use ldap?

I have already migrated Jenkins to use LDAP login, and have no problem.
But when I tried to migrate Phabricator to use LDAP, I got "Username or password are incorrect." every time, and I'm sure the same username and password can log in to Jenkins. I was using the same OpenLDAP server, and the LDAP has a read-only DN: cn=readonly,dc=my-company,dc=com. The Phabricator configuration is listed below:
Allow: "Allow Login"
LDAP Hostname & Port: exactly the same as my Jenkins configuration
Base Distinguished Name: ou=user,dc=my-company,dc=com (while Jenkins root DN was dc=my-company,dc=com)
Search Attributes: empty
Always Search: unchecked
Anonymous Username: cn=readonly, dc=my-company, dc=com (same as Jenkins Manager DN)
Anonymous Password: the password (same as Jenkins Manager password)
Username Attribute: uid
Realname Attributes: empty
LDAP Version: 3
This has blocked me for two days; is there something I missed?
Thanks for your answer~
Oh, I figured it out. Phabricator has a different LDAP login mechanism from Jenkins. Phabricator always binds to LDAP with the user's DN and password (to verify the login), then searches for the user's DN itself. Below is the comment in the LDAP login code:
// This is unusual (since the bind succeeded) but we've seen it at least
// once in the wild, where the anonymous user is allowed to search but
// the credentialed user is not.
// If we don't have anonymous credentials, raise an explicit exception
// here since we'll fail a typehint if we don't return an array anyway
// and this is a more useful error.
// If we do have anonymous credentials, we'll rebind and try the search
// again below. Doing this automatically means things work correctly more
// often without requiring additional configuration.
So, LDAP users must have a search ACL, like:
olcAccess: {1}to *
by self write
by dn="cn=admin,dc=my-company,dc=com" write
by dn="cn=readonly,dc=my-company,dc=com" read
by users search
by * none
I didn't have 'by users search' option, so login failed.
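The following is an added example (plain Ruby, not Phabricator or OpenLDAP code) that models how OpenLDAP evaluates the "to * by ..." clauses of the olcAccess line above: the first "by" clause whose subject matches decides the access level. It assumes a constructed user DN uid=alice,ou=user,dc=my-company,dc=com and that a search needs "search" access on the search base entry, which is why the same search works when bound as the readonly DN (the Jenkins flow) but fails when bound as the user's own DN (the Phabricator flow) until "by users search" is added.

```ruby
# Added example (plain Ruby; not Phabricator or OpenLDAP code): a simplified
# model of OpenLDAP "olcAccess ... to * by <who> <level>" evaluation, enough to
# show the effect of the missing "by users search" clause from the answer.
LEVELS = %w[none disclose auth compare search read write].freeze

# Parse the "by <who> <level>" clauses; only the <who> forms on this page are modelled.
def parse_olc_access(line)
  body = line.sub(/\A\s*olcAccess:\s*(\{\d+\})?\s*to\s+\S+\s*/, '')
  body.scan(/by\s+(self|anonymous|users|\*|dn="[^"]+")\s+(\w+)/).map do |who, level|
    raise ArgumentError, "unknown access level #{level}" unless LEVELS.include?(level)
    [who, level]
  end
end

# OpenLDAP stops at the first "by" clause whose <who> matches; that clause's
# level is what the bound identity gets on target_dn. bound_dn nil = anonymous.
def granted_level(clauses, bound_dn, target_dn)
  clauses.each do |who, level|
    matched = case who
              when 'self'      then !bound_dn.nil? && bound_dn.casecmp?(target_dn)
              when 'anonymous' then bound_dn.nil?
              when 'users'     then !bound_dn.nil?
              when '*'         then true
              else who[/dn="([^"]+)"/, 1].casecmp?(bound_dn.to_s)
              end
    return level if matched
  end
  'none'
end

def allows?(clauses, bound_dn, target_dn, needed)
  LEVELS.index(granted_level(clauses, bound_dn, target_dn)) >= LEVELS.index(needed)
end

# Phabricator binds as the user, then searches the base DN for uid=<login>.
# The search base is not "self", so the user needs "search" on it via another clause.
def user_can_search?(acl_line, user_dn, base_dn)
  allows?(parse_olc_access(acl_line), user_dn, base_dn, 'search')
end

BASE   = 'ou=user,dc=my-company,dc=com'
ALICE  = 'uid=alice,ou=user,dc=my-company,dc=com'   # constructed sample user DN
BROKEN = 'olcAccess: {1}to * by self write by dn="cn=admin,dc=my-company,dc=com" write ' \
         'by dn="cn=readonly,dc=my-company,dc=com" read by * none'
FIXED  = BROKEN.sub('by * none', 'by users search by * none')
if __FILE__ == $PROGRAM_NAME
  puts "user search, broken ACL: #{user_can_search?(BROKEN, ALICE, BASE)}"   # false
  puts "user search, fixed ACL:  #{user_can_search?(FIXED, ALICE, BASE)}"    # true
end
```

The readonly DN gets "read" on the base from the third clause, and read implies search, which is why the Jenkins configuration never hit this problem.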

"The token is invalid" when trying to setup Paypal recurring payments with ActiveMerchant

I feel like a lot of the documentation on this is outdated, but this is what I have been trying so far:
I am using the ActiveMerchant::Billing::PaypalExpressGateway gateway.
First I set up the purchase and redirect the user to Paypal:
response = gateway.setup_purchase price,
  return_url: <confirm url>,
  cancel_return_url: <cancel url>,
  items: [
    {
      name: 'My Item',
      quantity: 1,
      description: "My Item Description",
      amount: price
    }
  ]
redirect_to gateway.redirect_url_for(response.token)
This works, I can sign in as a sandboxed buyer and confirm the payment, which brings me back to <confirm url> from above. In the confirmation, I do:
response = gateway.recurring price, nil,
  token: params[:token],
  period: 'Year',
  frequency: 1,
  start_date: Time.now,
  description: 'My Item Subscription'
When I do this, I receive an invalid token error from Paypal in the response variable. The token seems to be fine, it is present in the URL when I am brought back to the confirmation URL. I'm then taking it directly (params[:token]) and sending it back to Paypal.
Am I doing something completely wrong? Like I said, it seems like a lot of the documentation for this type of process is outdated (or maybe what I am trying is the stuff that is outdated...)
After looking through the source code for ActiveMerchant's Paypal express checkout gateway, I came to the conclusion that it's simply outdated when dealing with recurring payments. I switched to the paypal-recurring gem instead and everything worked fine.

Issues with extracting Facebook Omniauth Authentication uid on Rails 3.1

I'm trying to extract and save in my db, the uid of a Facebook user's Omniauth Authentication.
When I issue the command user.authentications, the resulting array is displayed:
[ < Authentication id: 3, user_id: 63, provider: "facebook", uid: "123456789", created_at: "2012-07-02 02:10:48", updated_at: "2012-07-02 02:10:48" > ]
But when I execute user.authentications.last, to get the above Authentication out of the 1 item array, I receive:
< Authentication:0x007f837d32e288 >
Why doesn't it display all the parameters (id, user_id, provider, uid, etc.)? I can't access and extract the uid this way. I'm trying to run user.authentications.last.uid.
Thank you
What you see here is simply a different string representation of the objects. Array's to_s method gives you a nice printout, but Authentication's to_s does not. Try user.authentications.last.inspect if you just want to look at it.

OmniAuth - Facebook login not supplying email in user_info

I'm using OmniAuth, and after logging in via Facebook, I get my omniauth.auth key, which looks like this:
user_info:
name: Tim Sullivan
urls:
Facebook: http://www.facebook.com/...
Website:
nickname: ...
last_name: Sullivan
first_name: Tim
uid: "123456789"
credentials:
token: [some token]
extra:
user_hash:
name: Tim Sullivan
timezone: -5
gender: male
id: "123456789"
last_name: Sullivan
updated_time: 2010-12-30T00:52:39+0000
verified: true
locale: en_US
link: http://www.facebook.com/...
email: tim#myemailaddress.com
first_name: Tim
provider: facebook
Now, according to the docs, the email should be in the user_info section, but it isn't. It is, however, in the extra/user_hash section. Since I'm stripping extra, it's not getting stored, so later on down the pipe I'm having problems. I could add it myself, but that doesn't explain why it's not there in the first place.
Why isn't email being put into the user_info section? A bug? Undocumented change?
It moved to:
email = omniauth["extra"]["raw_info"]["email"]
The hash "info" contains all the information of the User:
email = omniauth["info"]["email"]
I think the doc is not up to date. I usually get it from the extra hash before removing it.
email = omniauth["extra"]["user_hash"]["email"]
While omniauth["info"] used to and should contain the information, I have noticed that Facebook seems to be giving me errors with the email, which is linked to a Facebook bug (feature?). So I get intermittent errors with this hash where the email is not present, which breaks everything.
After much debugging I found that the safest way to not break my code is to call the FB API with Koala or just good ol' REST and get the information needed for login if omniauth["info"] does not contain the information you need.
We are using omniauth with the FB JS SDK and I couldn't get the email to come back because I had overlooked the fact that FB.login() requires a 'scope' option.
FB.login(function(response) {
  // handle the response
}, {scope: 'email,user_likes'});
After adding the opts (even though the scope was set up on the server) everything was fixed.
https://developers.facebook.com/docs/reference/javascript/FB.login/v2.2#permissions
Since you're using Rails and not JavaScript (another person answered, but for JS), you need to specifically ask for email to be returned in the info field hash, as it isn't by default. You set this up in your config/initializers/omniauth.rb file like so:
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :facebook, Rails.application.secrets.omniauth_provider_key, Rails.application.secrets.omniauth_provider_secret,
           :scope => 'email', :display => 'popup', :info_fields => 'name,email'
end
This info is kind of hidden at the very end of the Configuring section on the omniauth-facebook gem's GitHub readme.
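The answers above name three different places the email has lived in the auth hash (info, extra/raw_info and extra/user_hash) and note that Facebook sometimes returns no email at all even with the scope set. As an added example (not omniauth-facebook code), here is a lookup that tries those locations in order and treats a missing email as a normal outcome the login flow must handle rather than a crash; the sample hashes are constructed, not real Facebook responses.

```ruby
# Added example (not omniauth-facebook code): pull the Facebook email out of an
# OmniAuth auth hash whichever of the three locations named in the answers holds
# it, and treat "no email at all" as an expected outcome rather than a crash.
EMAIL_PATHS = [
  %w[info email],              # current OmniAuth schema
  %w[extra raw_info email],    # raw Graph API response
  %w[extra user_hash email],   # older omniauth-facebook versions
].freeze

# Returns the first non-blank, plausible email found, or nil if Facebook did not
# supply one (e.g. missing scope, or an account without a verified email).
def facebook_email(auth)
  EMAIL_PATHS.each do |path|
    value = auth.dig(*path)
    return value.strip if value.is_a?(String) && value.strip.match?(/\A[^@\s]+@[^@\s]+\z/)
  end
  nil
end

# Extract what the login flow needs; uid is mandatory, email may be absent.
def facebook_identity(auth)
  raise ArgumentError, 'not a facebook auth hash' unless auth['provider'] == 'facebook'
  uid = auth['uid'].to_s
  raise ArgumentError, 'uid missing' if uid.empty?
  { provider: 'facebook', uid: uid, email: facebook_email(auth) }
end

# Constructed sample hashes, not real Facebook responses.
NEW_STYLE = { 'provider' => 'facebook', 'uid' => '123456789',
              'info' => { 'name' => 'Tim Sullivan', 'email' => 'tim@example.com' } }.freeze
OLD_STYLE = { 'provider' => 'facebook', 'uid' => '123456789',
              'info' => { 'name' => 'Tim Sullivan' },
              'extra' => { 'user_hash' => { 'email' => 'tim@example.com' } } }.freeze
NO_EMAIL  = { 'provider' => 'facebook', 'uid' => '123456789',
              'info' => { 'name' => 'Tim Sullivan' } }.freeze
```

When facebook_email returns nil the application should prompt for an address or fall back to a Graph API call, as the Koala answer suggests, instead of assuming the key exists.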
