LDAP and Ruby on Rails - ruby-on-rails

I'm trying to connect to an existing LDAP server to authenticate users trying to use my app – I'm having trouble figuring out where to start.
I've read about LDAP, understand how it works, and have looked at libs like ActiveLdap.
I'm just not sure where to start from here: I have the hostname of the server I want to authenticate against (bind with), but I don't know how to go about doing it.
(The answers on SO are quite, quite old, and links are broken!)
Thanks!

You will need, in addition to the hostname (and port, if non-standard), a DN to authenticate against (look at it as the DN identifying your "user", e.g. cn=BillG,ou=engineering,o=microsoft) as well as the corresponding password.
See LDAP::Conn.bind (assuming not using SSL, in which case you'd use LDAP::SSLConn); please read through this tutorial for full examples.
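The answer above gives the ingredients (hostname, a DN, the password); what follows is an added example, not code from the answer, showing the usual search-then-bind flow in plain Ruby together with two checks the answer does not spell out. The directory connection is injected: in a real app it would be an LDAP::Conn as the answer suggests, or a Net::LDAP object from the net-ldap gem (my assumption, not something the answer names). The FakeDirectory class and the sample user are constructed for this demo so it runs offline.

```ruby
# Added example: search-then-bind LDAP authentication with input escaping and
# an empty-password guard. `ldap_filter_escape`, `ldap_authenticate` and
# `FakeDirectory` are names chosen for this demo, not library APIs.

# Escape a value for use inside an LDAP search filter (RFC 4515, section 3),
# so that user input such as "*" or ")(" cannot change the filter's meaning.
def ldap_filter_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Authenticate username/password against the directory behind `conn`.
# `conn` must respond to:
#   search(base:, filter:) -> Array of entries, each a Hash with a :dn key
#   bind(dn:, password:)   -> true on success, false otherwise
# Returns the user's DN on success, nil on any failure.
def ldap_authenticate(conn, base_dn, username, password)
  return nil if username.nil? || username.empty?
  # A simple bind with an empty password is an *anonymous* bind (RFC 4513),
  # which many servers report as success. Reject it before touching the server.
  return nil if password.nil? || password.empty?

  # Look up the user's DN with the username escaped into the filter.
  filter = "(uid=#{ldap_filter_escape(username)})"
  entries = conn.search(base: base_dn, filter: filter)
  return nil unless entries.size == 1 # no match, or an ambiguous match

  user_dn = entries.first[:dn]

  # Bind as that DN; the server checks the password, we never compare it ourselves.
  conn.bind(dn: user_dn, password: password) ? user_dn : nil
end

# Constructed stand-in for a directory server (demo only).
class FakeDirectory
  # users: { uid => [dn, password] }
  def initialize(users)
    @users = users
  end

  def search(base:, filter:)
    m = filter.match(/\A\(uid=(.*)\)\z/)
    return [] unless m
    uid = m[1]
    @users.key?(uid) ? [{ dn: @users[uid][0] }] : []
  end

  def bind(dn:, password:)
    @users.values.any? { |user_dn, pw| user_dn == dn && pw == password }
  end
end

if __FILE__ == $PROGRAM_NAME
  dir = FakeDirectory.new('billg' => ['cn=BillG,ou=engineering,o=microsoft', 's3cret'])
  p ldap_authenticate(dir, 'o=microsoft', 'billg', 's3cret') # the user's DN
  p ldap_authenticate(dir, 'o=microsoft', 'billg', '')       # nil: empty password refused
  p ldap_authenticate(dir, 'o=microsoft', '*', 's3cret')     # nil: wildcard escaped, no match
end
```

The two guards are the part worth keeping when you swap in a real client: the filter escape stops a login field from rewriting the search, and the empty-password check stops a blank form from turning into an anonymous bind that looks like success.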

Related

Shiro and client certs

For my JSF/TomEE application, I have a NoSQL database with users and roles that specifies how users can access resources (basically, IDs in a url parameter) either read-only or write.
I want to implement security and this post gave me some ideas but I am keen to try a 3rd party library - probably Shiro or PicketLink. The rule is that users will authenticate themselves with a client certificate, and if that is not provided, they will be authenticated as a default guest user.
Surprisingly, I am having a bit of trouble finding some information on how to do this in Shiro; it doesn't look straightforward. It is a bit of a surprise to me that there is nothing "out of the box" in Shiro to implement client certificate authentication.
So I think I have to create a Realm to "connect" Shiro with my database. Then I read I might need to extend org.apache.shiro.authc.UsernamePasswordToken to read the certificate and pass it to Shiro. Then I suppose I have to restrict access to content in JSF xhtml pages (using the rendered attribute for example) and I suppose that even in all methods of the Named Managed beans I will need to check the permissions.
Also, it is not clear to me how I can assign the guest user when a certificate is not provided, since apparently it is TomEE that validates the client, so if no certificate is provided, my code will not get executed to assign the guest user. I could open two different ports in TomEE, but then the access will not be unified, since I want to treat the guest user uniformly, as any other user in the system. How can this be done?
Is this implemented in an easier way in PicketLink? (which is also better prepared for JSF)
OK, it took me a while and a lot of research, so I will summarise my findings dramatically. I documented everything but do not want to create a book chapter.
So I decided to go with Shiro, and everything I describe works and can be done. This X509certificate project for Shiro was quite useful. Basically, you need to implement a Realm overriding two methods (one for authentication and another for authorisation) - there is a class to extend in the code I mentioned before.
The distinction of a user not providing a cert can be done in the Shiro Filter, so when no token (certificate) is provided, one can be created on the fly or read from a keystore.
For restricting access in JSF there are some shiro tags that can help, no need to use rendered. I have checked permissions also in the beans or other classes accessing the database. This works once the permissions have been established in the authorisation method.
The issue with Tomcat can be solved by using <Connector port="..." ClientAuth="want" ... which will ask for a certificate but will not stop the user if no certificate is provided.

What is the available version of following in rails smtp.UseDefaultCredentials

I have the following configuration in a Java file. I'm trying to convert it to the equivalent configuration in Rails.
How do I convert it to a Rails configuration for SMTP?
Thanks
There is no equivalent in Rails for the SmtpClient.UseDefaultCredentials feature. If I understand the docs correctly, this property makes the SMTP client send the username and password of the user currently logged into the system. This is only applicable when NTLM, negotiate or Kerberos-based authentication is used in the system (as documented here) and all of this is .NET and Windows-related only. Windows server keeps the credentials of the currently logged in users in a credentials cache and can provide them e.g. when sending email.
There is nothing similar available in the Rails environment. Usually, a Rails application has its own single credentials for sending mails, configured in the settings (see the Rails Guides for more info).
If you indeed need separate credentials per each user logged in into the application, you would have to keep the credentials somewhere (e.g. a database) in a way that would allow you to get the cleartext password when sending the email. This of course has many security consequences, is generally hard to accomplish securely and thus is not the preferred way (you'd probably have to encrypt the credentials somehow with a per-user key, but I don't know for sure of a best way).
Adding on #BoraMa's answer: by default, if we don't give any authentication-related keys, then the logged-in user details are sent by default, similar to the function
SmtpClient.UseDefaultCredentials
config.action_mailer.smtp_settings = {
  address: 'xx.xxx.x.xxx',
  port: 25,
  ssl: false,
  enable_starttls_auto: false
}
The above configuration worked for me and I was able to send emails.
Thanks

Single sign-on, multiple domains on same server, ruby on rails

If I have a single server with multiple domains, what is the preferred method for implementing a single-sign-on solution on the same domain? I am currently using Devise, have a few million cookies in place on separate domains, and am stuck. On top of just implementing SSO, I also need to migrate the various cookies to a central domain. Regarding the various servers, they only have one single page that requires me to show different states depending on whether or not the user is logged in.
I have tried the following:
CORS: pick one domain as the central auth hub. From all other domains make cross domain checks to see if the user is logged in. For migrating cookies, detect if there's a "current_user" object, send it to the client, make a CORS request, sign the user in and kill the token. Works Great! BUT... After building it for 2-3 weeks, it TOTALLY FAILS in IE. Even IE11, I'm noticing the default setting is disabling this behavior.
Tried tinkering with the session store at
Rails.application.config.session_store
with no luck.
I am currently experimenting with the following:
JSONP: I have someone right now trying to convert the above to JSONP instead while I try some other options:
Set up a custom OAUTH provider. Like before, it will be the "central domain" if the person is signed in, return to the requested domain with a token from which the users can make requests. https://github.com/songkick/oauth2-provider
Looking at this but it looks outdated? https://github.com/rubycas/rubycas-client. I also get the feeling this could have been a solution if I rolled this out from the get-go, but given how far we are into the project, it's unclear to me how I'd transfer the existing cookies. Also it's unclear if this requires two applications for me to get up and running ( one for client(s), one for auth server)
As I go through each of these possibilities, if anyone has had any experience doing what I'm doing, please do inform me and save me a whole lot of work :)
The best way, unless this is a toy app, is probably to set up an OAuth provider.
We use Doorkeeper with Devise for this and it works great. It will be worth your time to set a little time aside to read through the documentation and watch a talk or two on YouTube if you're not already familiar with the strategy, but once you understand the core concepts it's actually pretty simple to set up with the help of this gem.
There is a quick video run down on http://railscasts.com/episodes/353-oauth-with-doorkeeper
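The answer recommends letting an OAuth provider such as Doorkeeper do the cross-domain handoff. As an added illustration (not code from the answer, and not Doorkeeper's implementation), here is the core of that exchange in plain Ruby: the central domain mints a code for a logged-in user, and the requesting domain redeems it once over a back channel. The `AuthHub` class, its method names, the 60-second TTL and the in-memory Hash store are all my choices for the demo; a real provider keeps this state in its database.

```ruby
require 'securerandom'

# Added example: the authorization-code part of an SSO handoff, reduced to the
# properties that make it safe: the code is unguessable, single-use,
# short-lived, and bound to the client domain it was issued for.
class AuthHub
  CODE_TTL = 60 # seconds; a code only needs to survive one redirect

  # `clock` is injectable so expiry can be tested without sleeping.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @codes = {} # code => { user_id:, client:, expires_at: }
  end

  # Central domain, user already logged in: mint a one-time code for `client`.
  def issue_code(user_id, client)
    code = SecureRandom.urlsafe_base64(32)
    @codes[code] = { user_id: user_id, client: client, expires_at: @clock.call + CODE_TTL }
    code
  end

  # Back channel from `client`: exchange the code exactly once.
  # Returns the user id, or nil if the code is unknown, already used,
  # expired, or was issued to a different client.
  def redeem(code, client)
    entry = @codes.delete(code) # delete first: a code is dead after one attempt
    return nil if entry.nil?
    return nil if entry[:client] != client
    return nil if @clock.call > entry[:expires_at]

    entry[:user_id]
  end

  # Housekeeping so abandoned codes do not accumulate.
  def purge_expired
    now = @clock.call
    @codes.delete_if { |_code, entry| now > entry[:expires_at] }
    @codes.size
  end
end

if __FILE__ == $PROGRAM_NAME
  hub = AuthHub.new
  code = hub.issue_code(42, 'shop.example')
  p hub.redeem(code, 'shop.example') # 42
  p hub.redeem(code, 'shop.example') # nil: second use is refused
end
```

Deleting the entry before any other check is deliberate: a code that fails validation for any reason is gone, so a single captured code cannot be retried against other clients.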

Is there any running example code for Google login with authlogic

PS: please don't say "use Devise, OmniAuth or any other plugin/gem you know".
I am looking for some example code for Google login using Authlogic for Ruby on Rails 3.
Here is what I have tried/checked:
authlogic-google-account-oauth --- This is sample code for Twitter, not Google (one of the top-rated Google results).
http://www.manu-j.com/blog/add-google-oauth-ruby-on-rails-sites/214/ --> generating keys for Google login? There was nothing like this while implementing Facebook / Twitter or LinkedIn login. All I need is a secret key and application ID from the respective sites.
Tons of links on Stack Overflow; no one is giving the solution, just recommending other gems or outdated blog posts like
Ruby on Rails: Best way to add Facebook login, Twitter login, OpenID login, etc
Configuring authlogic-oauth with google and many more.
Does anybody know any running example / sample code for Google login with Authlogic in Rails 3?
EDIT
Have you noticed these warnings? They are from your code, which is running on my local machine:
Attempting discovery to verify endpoint
Performing discovery on https://www.google.com/accounts/o8/id?id=AItOawlFBZciVpNUBSlYbz0wHzTgmJWu9PpCvyk
WARNING: making https request to https://www.google.com/accounts/o8/id?id=AItOawlFBZciVpNUBSlYbz0wHzTgmJWu9PpCvyk without verifying server certificate; no CA path was specified.
Using 'check_authentication' with https://www.google.com/accounts/o8/ud
WARNING: making https request to https://www.google.com/accounts/o8/ud without verifying server certificate; no CA path was specified.
You inspired me to hack away at this.
This blog basically worked for me http://blog.sethladd.com/2010/09/ruby-rails-openid-and-google.html
My code is extra ugly though, because it wasn't the first one I tried.
Other resources:
Ruby open_id_authentication with Google OpenID
http://toddsedano.blogspot.com/search?updated-max=2010-05-29T11%3A59%3A00-07%3A00&max-results=7
http://railscasts.com/episodes/170-openid-with-authlogic
Anywho, the rough code that is working for me is here:
https://github.com/softwaregravy/google_authlogic
and here is the running code
It's still very much a prototype. Hope it helps.
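The warnings quoted in the question ("making https request ... without verifying server certificate; no CA path was specified") mean the OpenID discovery step would accept any certificate, so the identity assertion could come from anyone able to sit on the path to Google. The following is an added example, not code from the answer or from the linked repository, that shows the difference between a TLS client that verifies the peer and one that does not, against a local server with a self-signed certificate. The certificate, the local server and the function names are constructed for the demo; nothing here talks to Google.

```ruby
require 'openssl'
require 'socket'

# Constructed for the demo: a self-signed certificate and key for `cn`.
def make_self_signed_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Start a TLS server on 127.0.0.1 presenting `cert`; returns the port.
def start_tls_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  tcp = TCPServer.new('127.0.0.1', 0)
  port = tcp.addr[1]
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      begin
        conn = server.accept
        conn.close
      rescue StandardError
        # a client that rejected our certificate aborts the handshake; keep serving
      end
    end
  end
  port
end

# Connect as a *verifying* client: VERIFY_PEER plus a hostname check.
# Returns :verified, or :rejected when the certificate chain or name fails.
# `trusted_cert` stands in for the CA file the warning says was missing.
def tls_connect(host, port, trusted_cert: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # never VERIFY_NONE for an auth endpoint
  store = OpenSSL::X509::Store.new
  store.set_default_paths                    # the system CA bundle
  store.add_cert(trusted_cert) if trusted_cert
  ctx.cert_store = store
  sock = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.hostname = host                        # SNI
  ssl.connect                                # chain verification happens here
  ssl.post_connection_check(host)            # and the name check here
  :verified
rescue OpenSSL::SSL::SSLError
  :rejected
ensure
  begin
    ssl.close if ssl
    sock.close if sock
  rescue StandardError
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  cert, key = make_self_signed_cert('localhost')
  port = start_tls_server(cert, key)
  p tls_connect('localhost', port)                      # :rejected (unknown issuer)
  p tls_connect('localhost', port, trusted_cert: cert)  # :verified
  p tls_connect('wrong.example', port, trusted_cert: cert) # :rejected (name mismatch)
end
```

The unverified client the warning describes is the first call with the peer check switched off: it would report success in all three cases. Whatever OpenID or HTTP library you end up using, the fix is the same two settings, a trust store (the "CA path") and peer verification turned on.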

Kerberos Authentication in Rails

Is it possible to use Kerberos to authenticate a user under Rails? Are there any existing plugins (preferably which extend Authlogic's functionality) to do this?
I'm hoping someone else will come around and show us a pure Rails way of doing this. But until then, the easiest way to get things going is by letting your web server handle it.
On that note, I'm going to assume Apache. If this is not the case, please tell us a bit more about your set-up.
Proper Kerberos authentication in browsers is done in the HTTP protocol itself, much like Basic or Digest authentication. In Apache, this can be done with mod_kerb_auth.
Then the next step is to find out how to retrieve the username. It depends a bit on the interface you're using between the web-server and your Rails app. This could be Passenger, FastCGI, mod_proxy, etc.
Many will follow the original CGI standard to some degree, passing along a bunch of environment variables with the request. Try the following in your controller:
username = request.env['REMOTE_USER']
That's as far as I can take you. I've never used authlogic. Though, by the looks of it, it supports plugins. Perhaps you can create a new one that blindly trusts REMOTE_USER if it is set?
If you want to switch from Authlogic to OmniAuth for your authentication there's a module for it:
https://github.com/jgraichen/omniauth-kerberos
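The answer above suggests a plugin that "blindly trusts REMOTE_USER if it is set". As an added example (not code from the answer or from omniauth-kerberos), here is a Rack-style middleware that does that with the two checks a practitioner would want: it reads only the CGI variable REMOTE_USER, which the web server's Kerberos module sets in-process, and never HTTP_REMOTE_USER, which is what a request header named Remote-User becomes and so proves nothing; and it checks the Kerberos realm against an allow-list before stripping it. The class name, the `allowed_realms` option, the `kerberos.user` env key and the env hashes in the demo are all constructed for this example.

```ruby
# Added example: trust REMOTE_USER from the web server, but only that, and
# only for principals in a known realm.
class KerberosRemoteUser
  def initialize(app, allowed_realms:)
    @app = app
    @allowed_realms = allowed_realms
  end

  def call(env)
    # Deliberately not env['HTTP_REMOTE_USER']: every client request header
    # lands under HTTP_*, so that key can be set by anyone.
    env['kerberos.user'] = principal_to_user(env['REMOTE_USER'])
    @app.call(env)
  end

  # "alice@EXAMPLE.COM" -> "alice" when the realm is allowed; nil otherwise.
  def principal_to_user(principal)
    return nil if principal.nil? || principal.empty?

    user, realm = principal.split('@', 2)
    return nil if realm.nil? || !@allowed_realms.include?(realm)
    return nil unless user.match?(/\A[a-z0-9._-]+\z/i) # keep the name boring

    user
  end
end

# Minimal downstream app: greets the authenticated user, or 401 if none.
DEMO_APP = lambda do |env|
  user = env['kerberos.user']
  if user
    [200, { 'content-type' => 'text/plain' }, ["hello #{user}"]]
  else
    [401, { 'content-type' => 'text/plain' }, ['no user']]
  end
end

# Run one constructed request through the middleware; returns the HTTP status.
def demo_status(env)
  KerberosRemoteUser.new(DEMO_APP, allowed_realms: ['EXAMPLE.COM']).call(env).first
end

if __FILE__ == $PROGRAM_NAME
  p demo_status('REMOTE_USER' => 'alice@EXAMPLE.COM')      # 200
  p demo_status('HTTP_REMOTE_USER' => 'alice@EXAMPLE.COM') # 401
  p demo_status('REMOTE_USER' => 'alice@OTHER.ORG')        # 401
end
```

If your deployment puts a proxy between Apache and Rails and the username arrives as a header instead of REMOTE_USER, the same rule applies one hop earlier: the proxy must set that header itself and drop any copy that arrives from the client.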
