I am new to LDAP and been playing around with this for a while now. I have a rails app where I need to authenticate a user if he is from a group. I tried few params but got nothing to work. Any help would be appreciated. Thanks in advance.
Here is the devise_ldap settings and terminal output.
devise_ldap settings - ldap.yml
authorizations: &AUTHORIZATIONS
group_base: dc=skcript,dc=com
required_groups:
- ou=try1,dc=skcript,dc=com
- ["moreMembers", "cn=users,ou=groups,dc=test,dc=com"]
require_attribute:
objectClass: inetOrgPerson
authorizationRole: postsAdmin
development:
host: localhost
port: 389
attribute: "uid"
base: ou=try1,dc=skcript,dc=com
admin_user: cn=admin,dc=skcript,dc=com
admin_password: password
ssl: false
<<: *AUTHORIZATIONS
This should work :
authorizations: &AUTHORIZATIONS
group_base: dc=skcript,dc=com
require_attribute:
objectClass: inetOrgPerson
authorizationRole: postsAdmin
uniqueMember: ou=try1,dc=skcript,dc=com
required_groups checks your group dn against the uniqueMember attribute by default.
Check that the attribute storing group data in your LDAP server has the same name.
Don't forget to set this in your devise.rb :
config.ldap_check_attributes = true
For more information : https://github.com/cschiewek/devise_ldap_authenticatable/issues/96
Related
I'm on Rails 5.2 and I have devise with LDAP setup and working in Development. Deploying to prod with capistrano though it errors out when put my username and password in. I get a nomethod error in devise::sessions::create. undefined method `[]' for nil:NilClass. This is the section that errors out:
end
ldap_options = params
ldap_config["ssl"] = :simple_tls if ldap_config["ssl"] === true
ldap_options[:encryption] = ldap_config["ssl"].to_sym if ldap_config["ssl"]
#ldap = Net::LDAP.new(ldap_options)
Here is my LDAP config:
authorizations: &AUTHORIZATIONS
required_groups:
- CN=GROUP1,OU=Users,OU=mysite,DC=ad,DC=com
## Environment
development:
host: mysite.com
port: 389
attribute: sAMAccountName
base: dc=ad,dc=com
admin_user: user
admin_password: password
ssl: false
<<: *AUTHORIZATIONS
production:
host: mysite.com
port: 389
attribute: sAMAccountName
base: dc=ad,dc=com
admin_user: user
admin_password: password
ssl: false
<<: *AUTHORIZATIONS
Any thoughts on why this only does this in production?
I figured it out! In my LDAP.yml file the production connection section was indented by one space. This was causing it to not load the config correctly. Aligning the productions ection to the left all the way fixed it. Everything is working now.
I am trying to use thise gem according base documentation (https://github.com/cschiewek/devise_ldap_authenticatable)
this is my devise.rb config
# ==> LDAP Configuration
config.ldap_logger = true
config.ldap_create_user = true
config.ldap_config = "#{Rails.root}/config/ldap.yml"
and this is my ldap.yml
authorizations: &AUTHORIZATIONS
allow_unauthenticated_bind: true
group_base: ou=groups,dc=test,dc=com
## Requires config.ldap_check_group_membership in devise.rb be true
# Can have multiple values, must match all to be authorized
required_groups:
# If only a group name is given, membership will be checked against "uniqueMember"
- cn=admins,ou=groups,dc=test,dc=com
- cn=users,ou=groups,dc=test,dc=com
# If an array is given, the first element will be the attribute to check against, the second the group name
- ["moreMembers", "cn=users,ou=groups,dc=test,dc=com"]
## Requires config.ldap_check_attributes in devise.rb to be true
## Can have multiple attributes and values, must match all to be authorized
require_attribute:
objectClass: inetOrgPerson
authorizationRole: postsAdmin
## Environment
development:
host: myACtiveDirectory.server
port: 389
attribute: userPrincipalName
base: dc=mycompanydomain,dc=com
admin_user: cn=admin,dc=test,dc=com
admin_password: admin_password
ssl: false
# <<: *AUTHORIZATIONS
when I try to login, what I want to achieve is login with email and pass and if user is not present in local DB, create record.
In logs I see that LDAP cannot find user according userPrincipalName and it is always twice (is it trying twice before it fails?)
LDAP: LDAP dn lookup: userPrincipalName=mirob#mycompanydomain.com
LDAP: LDAP search for login: userPrincipalName=mirob#mycompanydomain.com
LDAP: LDAP search yielded 0 matches
LDAP: Authorizing user userPrincipalName=mirob#mycompanydomain.com,dc=mycompanydomain,dc=com
LDAP: Not authorized because not authenticated.
LDAP: LDAP dn lookup: userPrincipalName=mirob#mycompanydomain.com
LDAP: LDAP search for login: userPrincipalName=mirob#mycompanydomain.com
LDAP: LDAP search yielded 0 matches
LDAP: Authorizing user userPrincipalName=mirob#mycompanydomain.com,dc=mycompanydomain,dc=com
LDAP: Not authorized because not authenticated.
When I use script from this question to test (I changed sAMAccountName to principal name and I dont merge username with domain) I can login to LDAP so connection is working
Ldap is not working with Devise
any idea what is wrong with my devise ldap setup?
EDIT:
ok I found that ldap_authenticable is searching for DN what in my case (Active Directory setup) is CN=Complete Name,CN=Users,CN=mydomain,CN=com
The question is how can I search for email instead of Complete Name as I cant update AD for all users to put email into name field?
ok I found this answer and it helped me
Correct configuration for devise_ldap_authenticatable
I just needed to add this line to devise.rb and I can simple authenticate according to userPrincipalName
config.ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| login}
My team has setup my ruby on rails app to work with devise ldap. Whenever a user logs in for the first time, it creates a new entry in the Users model and works completely fine. But whenever a user that already exist in the Users database tries to login it gives the following error:
NoMethodError in Devise::SessionsController#create
undefined method `to' for nil:NilClass
From looking at the server console, it seems like it is failing on this SQL statement:
SELECT `users`.* FROM `users` WHERE `users`.`username` = 'jDoe' LIMIT 1
I think the server is getting no results from that query.
But whenever I run that same sql statement in the ruby console, it gives the correct result (the record of the user attempting to login)
Here are some of my devise configs. I am new to devise and ruby (and I also didn't install the devise) so let me know if you need other config files to debug this problem.
initializers/devise.rb
Devise.setup do |config|
config.ldap_create_user = true
config.ldap_update_password = false
config.mailer_sender = "****"
require 'devise/orm/active_record'
config.authentication_keys = [ :username ]
config.case_insensitive_keys = [ :email ]
config.strip_whitespace_keys = [ :email ]
config.skip_session_storage = [:http_auth]
config.stretches = Rails.env.test? ? 1 : 10
config.reconfirmable = true
config.password_length = 8..128
config.sign_out_via = :delete
end
ldap.yml
authorizations: &AUTHORIZATIONS
group_base: ou=groups,dc=test,dc=com
required_groups:
- cn=admins,ou=groups,dc=test,dc=com
- cn=users,ou=groups,dc=test,dc=com
- ["moreMembers", "cn=users,ou=groups,dc=test,dc=com"]
require_attribute:
objectClass: inetOrgPerson
authorizationRole: postsAdmin
development:
host: ****
port: 636
attribute: uid
base: ou=People,dc=***,dc=com
admin_user: cn=admin,dc=test,dc=com
admin_password: admin_password
ssl: true
test:
host: localhost
port: 3389
attribute: cn
base: ou=people,dc=test,dc=com
admin_user: cn=admin,dc=test,dc=com
admin_password: admin_password
ssl: simple_tls
production:
host: localhost
port: 636
attribute: cn
base: ou=people,dc=test,dc=com
admin_user: cn=admin,dc=test,dc=com
admin_password: admin_password
ssl: start_tls
user.rb
class User < ActiveRecord::Base
devise :ldap_authenticatable, :rememberable, :trackable
attr_accessible :name, :cell, :email, :pref, :type, :username, :password, :password_confirmation, :remember_me
end
My problem happened because I had 2 tables that inherited from User (Client, and Runner) and they both tried to authenticate with the same ldap. When I took out the single table inheritance everything worked fine.
I can sign in using test code provided from net-ldap gem website, but same setting to login doesn't work with devise on Rails.
This is the server log when I try to log in on Rails using devise.
Started POST "/users/sign_in" for 127.0.0.1 at Fri Mar 22 10:53:39 -0700 2013
Processing by Devise::SessionsController#create as HTML
Parameters: {"commit"=>"Sign in", "authenticity_token"=>"bEmEPHuI8ob+O67hy0mpgGm12KzFnBNwRuhALAJzmCg=", "user"=>{"remember_me"=>"1", "email"=>"somerandomeusername#corp.bigasscorporation.com", "password"=>"[FILTERED]"}, "utf8"=>"✓"}
User Load (0.5ms) SELECT `users`.* FROM `users` WHERE `users`.`email` = 'somerandomeusername#corp.bigasscorporation.com' LIMIT 1
LDAP: LDAP dn lookup: mail=somerandomeusername#corp.bigasscorporation.com
LDAP: LDAP search for login: mail=somerandomeusername#corp.bigasscorporation.com
LDAP: Authorizing user mail=somerandomeusername#corp.bigasscorporation.com,OU=Users,OU=Users_and_Groups,DC=corp,DC=bigasscorporation,DC=com
LDAP: LDAP dn lookup: mail=somerandomeusername#corp.bigasscorporation.com
LDAP: LDAP search for login: mail=somerandomeusername#corp.bigasscorporation.com
DEPRECATION WARNING: an empty resource was given to Devise::Strategies::LdapAuthenticatable#validate. Please ensure the resource is not nil. (called from require at script/rails:6)
Completed 401 Unauthorized in 64ms
The below is some information about my environment
Ruby 1.8.7
Rails 3.2.13
Gems used
gem "devise", "~> 2.2.2"
gem "net-ldap", '~> 0.2.2'
gem "devise_ldap_authenticatable", '~> 0.6.1'
LDAP configs
config/ldap.yml
authorizations: &AUTHORIZATIONS
group_base: OU=Users,OU=Users_and_Groups,DC=corp,DC=somebigasscorporation,DC=com
required_groups:
- cn=Users,OU=Users_and_Groups,DC=corp,DC=somebigasscorporation,DC=com
- OU=Users,OU=Users_and_Groups,DC=corp,DC=somebigasscorporation,DC=com
- ["moreMembers", "cn=users,ou=groups,dc=test,dc=com"]
require_attribute:
objectClass: inetOrgPerson
authorizationRole: postsAdmin
## Enviornments
development:
host: xxx.corp.somebigasscorporation.com
port: 3268
attribute: mail
base: OU=Users,OU=Users_and_Groups,DC=corp,DC=somebigasscorporation,DC=com
# admin_user: cn=admin,dc=test,dc=com
# admin_password: admin_password
ssl: false
# <<: *AUTHORIZATIONS
config/initializers/devise.rb
Devise.setup do |config|
config.ldap_create_user = true
...
The test code that works
require 'rubygems'
require 'net/ldap'
require 'highline/import'
ldap = Net::LDAP.new
ldap.host = "xxx.corp.bigasscorporation.com"
ldap.port = "3268"
ldap.base = "OU=Users,OU=Users_and_Groups,DC=corp,DC=bigasscorporation,DC=com"
ldap.auth "somerandomuser#corp.bigasscorporation.com", "xxxXXXyyy"
if ldap.bind
p "Success!!"
p ldap
p ldap.base
p ldap.get_operation_result
else
p "Failed!"
p ldap.get_operation_result
end
# => "Success!!"
#<Net::LDAP:0x007fc393a22660 #host="xxx.corp.bigasscorporation.com", #port="3268", #verbose=false, #auth={:method=>:simple, :username=>"somerandomuser#corp.bigasscorporation.com", :password=>"xxxXXXyyy"}, #base="OU=Users,OU=Users_and_Groups,DC=corp,DC=bigasscorporation,DC=com", #encryption=nil, #open_connection=nil, #result=0>
"OU=Users,OU=Users_and_Groups,DC=corp,DC=bigasscorporation,DC=com"
#<OpenStruct code=0, message="Success">
I needed this in devise.rb
config.ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| "#{login}" }
In case anyone else has this same issue, I found a slight problem with the ldap_auth_username_builder fix. I was also trying to set some authorizations on required attributes in the .yml file, and I was getting a lot of strange errors after ldap.search methods were being called by the gem. In particular, a lot of calling .try(:first) on a search that returned nil.
I ended up digging around in the gem's lib directory and tweaked some code for better logging. Turns out, when I added config.ldap_auth_username_builder, I was actually tricking the system to believe it found a record when it really wasn't. I wasn't able to specify attributes for these records because there was no record to begin with. If you guys are trying to do something similar, like check group membership or the like, I would suggest triple-checking that your attribute value in the ldap.yml file is set to a valid attr and that you're giving it the right information, so it can find what you need on the LDAP end.
Im trying to set up a Devise Authenticable LDAP login system. Right now, I can get it to work using all users. However, i would like to only use users within a certain group. To illustrate, as of now, using all users, the code looks like this:
production:
host: my.host.domain.com
port: 389
attribute: AccountName
base: cn=users,dc=my,dc=con,dc=to,dc=host
admin_user: adminuser
admin_password: password
ssl: false
So the following is the code i wrote to make it only work within the group "demo2" located within users. However, now it doesnt work with ANY user... Any suggestions?
production:
host: my.host.domain.com
port: 389
attribute: AccountName
base: cn=demo2,cn=users,dc=my,dc=con,dc=to,dc=host
admin_user: adminuser
admin_password: password
ssl: false
I believe you want to use required_groups in your ldap.yml. If you look at the template file you can see the example:
group_base: ou=groups,dc=test,dc=com
## Requires config.ldap_check_group_membership in devise.rb be true
# Can have multiple values, must match all to be authorized required_groups:
# If only a group name is given, membership will be checked against "uniqueMember"
- cn=admins,ou=groups,dc=test,dc=com