cschiewek / devise_ldap_authenticatable Goto Github PK

ldap_authenticatable doesn't seem to play nicely with Mongoid. I get an "undefined local variable or method scoped' for User:Class" error in "devise_ldap_authenticatable (0.4.6) lib/devise_ldap_authenticatable/model.rb:57:inauthenticate_with_ldap'
"
Seems that "scoped" is an ActiveRecord call, which Mongoid doesn't support.

Hi,

I'm not sure it's an issue with devise_ldap_authenticatable as such but I thought it would be worth sharing here in case anyone else runs in to this problem:

After upgrading to 0.4.9 I started getting the following exception when authenticating against LDAP:

Net::BER::BerError in Devise::SessionsController#create

Unsupported object type: id=139

with the following in the Terminal window:

Started POST "/d/users/sign_in" for 127.0.0.1 at 2011-07-11 11:58:45 +0100 Processing by ?>Devise::SessionsController#create as HTML Parameters: {"utf8"=>"✓", >"authenticity_token"=>"T+ttL/6YPK1A/HE4XRukI7SKHDTVr553/hOD+5UyYUk=", "user"=>{"username"=>"admin", >"password"=>"[FILTERED]", "remember_me"=>"0"}, "commit"=>"Sign in"} SQL (0.4ms) SELECT name FROM sqlite_master >WHERE type = 'table' AND NOT name = 'sqlite_sequence'

User Load (1.3ms) SELECT "users".* FROM "users" WHERE "users"."username" = 'admin' LIMIT 1 LDAP: LDAP search: >uid=admin Completed 500 Internal Server Error in 659ms

Net::BER::BerError (Unsupported object type: id=139)

After a bit of digging the problem seems to be related to net-ldap 0.2.2, so I've created a fork to restore the old 0.1.1 dependency. I'm sure this fork will break at some point in the future (but it seems OK for my basic usage at the moment).

If there's anything I can do to help come up with a more permanent fix then I'm happy to help.

-Ash

I've got:

devise_ldap_authenticatable (0.5.1)
devise (> 1.5.0)
net-ldap (> 0.2.2)

Hmm, seems to be more than arrays i have problems with:

Getting displayname works:
Devise::LdapAdapter.get_ldap_param('jbloggs','displayname')
LDAP: Requested param displayname has value ["Bloggs, Joe"]
=> "Bloggs, Joe"

Might be that my groups/dn have a "," in them causing it to blow up, you can see in the debug log it gets the value, but it returns nil

Fail:
Devise::LdapAdapter.get_ldap_param('jbloggs','dn')
LDAP: Requested param dn has value CN=Bloggs, Joe,OU=Dev,OU=Euro,DC=example,DC=com
=> nil

and its not the same as getting an invalid attribute...

Devise::LdapAdapter.get_ldap_param('jbloggs','invalidfakething')
NoMethodError: undefined method `invalidfakething' for #Net::LDAP::Entry:0x000000036d57b0

The way we're overriding valid? and authenticate! is preventing rememberable, http_auth and param_auth from working.

I've followed the tutorial in the README.md (http://github.com/cschiewek/devise_ldap_authenticatable/tree/rails2) and when I tried to configure the parameters, I get:

undefined method `ldap_host=' for Devise:Module (NoMethodError)

Note that I had to copy and paste the config statements into the devise.rb file.

I am using Rails 2.3.8 with devise_ldap_authenticatable 0.4.2

Any ideas?

steven-spriggss-macbook-pro:slate3 spspriggs$ rails generate devise_ldap_authenticatable:install
   create  config/ldap.yml
      inject  config/initializers/devise.rb
/Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/thor-0.14.0/lib/thor/actions/inject_into_file.rb:94:in `binread': No such file or directory - /Users/spspriggs/Sites/rails3/slate3/config/initializers/devise.rb (Errno::ENOENT)
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/thor-0.14.0/lib/thor/actions/inject_into_file.rb:94:in `replace!'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/thor-0.14.0/lib/thor/actions/inject_into_file.rb:59:in `invoke!'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/thor-0.14.0/lib/thor/actions.rb:93:in `action'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/thor-0.14.0/lib/thor/actions/inject_into_file.rb:31:in `inject_into_file'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/devise_ldap_authenticatable-0.4.4/lib/generators/devise_ldap_authenticatable/install_generator.rb:16:in `create_default_devise_settings'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/thor-0.14.0/lib/thor/task.rb:22:in `run'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/thor-0.14.0/lib/thor/invocation.rb:118:in `invoke_task'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/thor-0.14.0/lib/thor/invocation.rb:124:in `block in invoke_all'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/thor-0.14.0/lib/thor/invocation.rb:124:in `each'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/thor-0.14.0/lib/thor/invocation.rb:124:in `map'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/thor-0.14.0/lib/thor/invocation.rb:124:in `invoke_all'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/thor-0.14.0/lib/thor/group.rb:226:in `dispatch'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/thor-0.14.0/lib/thor/base.rb:389:in `start'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/railties-3.0.0/lib/rails/generators.rb:163:in `invoke'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/railties-3.0.0/lib/rails/commands/generate.rb:10:in `'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/activesupport-3.0.0/lib/active_support/dependencies.rb:239:in `require'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/activesupport-3.0.0/lib/active_support/dependencies.rb:239:in `block in require'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/activesupport-3.0.0/lib/active_support/dependencies.rb:225:in `block in load_dependency'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/activesupport-3.0.0/lib/active_support/dependencies.rb:591:in `new_constants_in'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/activesupport-3.0.0/lib/active_support/dependencies.rb:225:in `load_dependency'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/activesupport-3.0.0/lib/active_support/dependencies.rb:239:in `require'
    from /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/railties-3.0.0/lib/rails/commands.rb:17:in `'
    from script/rails:6:in `require'
    from script/rails:6:in `'

Hello,

At line 97 in lib/devise_ldap_authenticatable/ldap_adapter.rb their is a to_s on the LDAP attribute (v. 0.4.9 and master branch):

ldap_entry.send(param).to_s

However, when the attribute is multiple, send(param) returns an array:

ruby-1.9.2-p136 :032 > Devise::LdapAdapter.get_ldap_param('dominique.broeglin',"mail")
=> "["[email protected]"]"

which is not the result I expected. I would gladly have provided a patch but I'm really not sure how to solve the issue. May be just not do the to_s ?

Cheers,
Dominique

We are seeing an issue when multiple requests (threads?) that are accessing the ldap.yml file. Looking at the stack trace, the problem occurs in ldap_adapter.rb--in the initializer of LdapConnect where it performs the YAML.load() call. Not sure if an ldap connection pool is needed, or more protection around the loading of the YAML file?

This can be replicated by using the following test in a rails console:
threads = []
100.times {threads << Thread.new {p YAML.load(ERB.new(File.read(::Devise.ldap_config || "#{Rails.root}/config/ldap.yml")).result)[Rails.env]}}

Running ruby 1.9.2, rails 3.0.9 on Jruby 1.6.6 (same result on 1.6.7); Devise ldap authenticatable 0.4.9.

Pull request forthcoming.

Hi guys,

When I sign in the first time (my user doesn't exist yet) the system redirects to next page but doesn't sign me in. So I come back to login page and need to fill the information again. Then it starts to work.

I am using the devise_ldap_authenticatable's rails3 version.

Does it happen for you?

Hi,

I am a new user of the module. I am able to successfully sign in and jump from page to page as usual. When I sign out and then try to sign in again though, I would get the following exception:

NoMethodError (undefined method `eq' for nil:NilClass): 
activesupport (3.0.3) lib/active_support/whiny_nil.rb:48:in`method_missing'
activerecord (3.0.3) lib/active_record/persistence.rb:255:in `update'
activerecord (3.0.3) lib/active_record/locking/optimistic.rb:77:in`update'
activerecord (3.0.3) lib/active_record/attribute_methods/dirty.rb:68:in `update'
activerecord (3.0.3) lib/active_record/timestamp.rb:60:in`update'
activerecord (3.0.3) lib/active_record/callbacks.rb:285:in `update'
activesupport (3.0.3) lib/active_support/callbacks.rb:413:in`_run_update_callbacks'
activerecord (3.0.3) lib/active_record/callbacks.rb:285:in `update'
activerecord (3.0.3) lib/active_record/persistence.rb:246:in`create_or_update'
activerecord (3.0.3) lib/active_record/callbacks.rb:277:in `create_or_update'
activesupport (3.0.3) lib/active_support/callbacks.rb:413:in`_run_save_callbacks'
activerecord (3.0.3) lib/active_record/callbacks.rb:277:in `create_or_update'
activerecord (3.0.3) lib/active_record/persistence.rb:39:in`save'
activerecord (3.0.3) lib/active_record/validations.rb:43:in `save'
activerecord (3.0.3) lib/active_record/attribute_methods/dirty.rb:21:in`save'
activerecord (3.0.3) lib/active_record/transactions.rb:237:in `save'
activerecord (3.0.3) lib/active_record/transactions.rb:289:in`with_transaction_returning_status'
activerecord (3.0.3) lib/active_record/connection_adapters/abstract/database_statements.rb:139:in `transaction'
activerecord (3.0.3) lib/active_record/transactions.rb:204:in`transaction'
activerecord (3.0.3) lib/active_record/transactions.rb:287:in `with_transaction_returning_status'
activerecord (3.0.3) lib/active_record/transactions.rb:237:in`save'
activerecord (3.0.3) lib/active_record/transactions.rb:248:in `rollback_active_record_state!'
activerecord (3.0.3) lib/active_record/transactions.rb:236:in`save'
devise (1.1.2) lib/devise/models/trackable.rb:26:in `update_tracked_fields!'
devise (1.1.2) lib/devise/hooks/trackable.rb:7
....

Line 255 of persistence.rb is self.class.unscoped.where(self.class.arel_table[self.class.primary_key].eq(id)).arel.update(attributes_with_values)
. I put in a debugging output in persistence.rb's update method:
puts "update: #{self.class.inspect}; #{self.class.primary_key.inspect}; #{self.class.primary_key}"

and it turns out that at this point, the primary_key of User class is now 'userid', not 'id' as before. I tried using a different user_model name (such as 'member') and the same problem occurs. I could fix it by putting set_primary_key "id" explicitly in app/model/user.rb after devise :ldap_authenticatable, ... line, but this is just kludgy and looks to be a bug. (Am I the first one that runs into this bug?)

Thanks,
Philip

Not so much an issue as a plea for help... I have been able to get the authentication piece working well with AD 3.0. Users populate correctly into my table; however, I have added a few custom fields like mail, cn, title, phone, etc that I want to update upon account creation. After digging through the code (and bear with me, I'm a Ruby newbie... or nuby I suppose) I thought the best place to put this would be inside Model.rb in devise_ldap_authenticatable. I ended up adding a require 'net/ldap' and then adjusted authenticate_with_ldap as follows. I am still able to log in, but none of the values update in the user table. Any help?

    def authenticate_with_ldap(attributes={}) 
      @login_with = ::Devise.authentication_keys.first
      return nil unless attributes[@login_with].present? 

      # resource = find_for_ldap_authentication(conditions)
      resource = scoped.where(@login_with => attributes[@login_with]).first

      if (resource.blank? and ::Devise.ldap_create_user)
        resource = new
        resource[@login_with] = attributes[@login_with]
        resource.password = attributes[:password]
      end

      if resource.try(:valid_ldap_authentication?, attributes[:password])
        ldap = Net::LDAP.new
        ldap.host = "satdc01.corp.2wire.com"
        ldap.auth = "ldap_query_cn", "password"
        treebase = "OU=San Antonio,DC=corp,DC=domain,DC=com"
        filter = Net::LDAP::Filter.eq("samaccountname", attributes[@login_with])
        attrs = ["cn", "title", "mail", "phone"]
        ldap.search( :base => treebase, :filter => filter, :attributes => attrs ) do |entry|
          resource.name = entry.cn
          resource.title = entry.title
          resource.mail = entry.mail
          resource.phone = entry.phone
        end
        resource.save!
        return resource
      else
        return nil
      end
    end

If i use a ldap configuration with

# config/ldap.yml
development:
  base: ou=people,dc=test,dc=com 
  attribute: uid
  group_base: ou=groups,dc=test,dc=com
  required_groups:    
    - ["moreMembers", "cn=users,ou=groups,dc=test,dc=com"]

and I have my dn like

 uid=gmgp,ou=developpers,ou=people,dc=test,dc=com 

in the log the LDAPLogger write

  LDAP: LDAP search: uid=gmgp
  LDAP: Authorizing user uid=gmgp,ou=developpers,ou=people,dc=test,dc=com
  LDAP: LDAP search: uid=gmgp
  LDAP: LDAP search: uid=gmgp
  LDAP: LDAP search: uid=gmgp
  LDAP: User uid=gmgp,ou=people,dc=test,dc=com is not in group: cn=users,ou=groups,dc=test,dc=com

my simple workaround is to create a local attribute

#devise_ldap_authenticatable-0.4.6/lib/devise_ldap_authenticatable/ldap_adapter.rb

27  class LdapConnect
28  
29        attr_reader :ldap, :login, :login_dn

54      def dn
55        DeviseLdapAuthenticatable::Logger.send("LDAP search: #{@attribute}=#{@login}")
56        filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s)
57        ldap_entry = nil
58        @ldap.search(:filter => filter) {|entry| ldap_entry = entry}
59        if ldap_entry.nil?
60          @ldap_auth_username_builder.call(@attribute,@login,@ldap)
61        else       
62          @login_dn = ldap_entry.dn
63        end
64      end

84      def in_required_groups?     
85        return true unless ::Devise.ldap_check_group_membership
86        
      ... 
 99         admin_ldap.search(:base => group_name, :scope => Net::LDAP::SearchScope_BaseObject) do |entry|
100            unless entry[group_attribute].include? @login_dn
101              DeviseLdapAuthenticatable::Logger.send("User #{@login_dn} is not in group: #{group_name }")
102              return false
103            end
104          end
105        end

This workaround works even if it does not solve the underlying problem
I prepare a commit as it should if I find a moment of time

So I'm trying to update to devise ~>1.5.0 and so I thought I'd clone the repo, make the changes, run the tests and submit a pull request for the change.

Then i entered dependency hell. Using Ubuntu I'm having problems getting the specific version of gherkin to compile, and rbx-require-relative isn't needed for 1.9.x rubies. I use the gem just fine with 1.9.3 on Ubuntu.

Getting it to run for me is going to mean updating the Gemfile.lock in test/rails_app so I can install tools that actually work on Ubuntu. And I'm more than a little afraid of going through that work to find the tests not passing because there's other hidden gotchas when I'm not testing using REE and OSX.

I don't mind doing the work, but wanted to check in and see if you had any concerns with me making those kind of changes. I'm a very long way from being an expert in TDD, but I'm also trying to jump in contribute more to the gems I use.

Hi there,

I am building a wrapper gem to integrate devise_ldap_authenticatable with a Rails 3 application, and need to use the Devise::LdapAdapter.get_ldap_param() method. This method is not available in the current version on rubygems.org.
During development, I can tell bundler to get the gem from github, but rubygems doesn't support that.
Would you please be able to release a new version soon?

Cheers

I am interested to have database authentication with LDAP fall back (if database auth fails try LDAP).

Currently, from the README, simultaneous usage is not supported.

Anyone else interested in making it work?
Is it feasible to try and push this feature?
Any major impediments that had made it not supported in the first place?
I am willing to contribute work on this, with a little help.

How should this be approached better?

1. Shove code from database_authenticatable in ldap_authenticatable and use only the later strategy.
2. Have database_authenticatable cascade to ldap_authenticatable somehow.
   I would prefer the latter.

Hey,

Having some trouble understanding how this is supposed to work. I have the user authenticating against AD as discussed in #40 & #57 but I cannot get the ldap to perform a search. When I attempt to perform a search through the console it is returning false or nil, depending on how I perform the search. Below is what i think should be working:

@login = "#{login}@#{ldap.base.gsub('dc=', '').gsub(',', '.')}"
filter = Net::LDAP::Filter.eq('dn', @login)
ldap_entry = nil
@ldap.search(:filter => filter) {|entry| ldap_entry = entry}

ldap_entry is nil after doing this.

Any ideas?

I have in ldap user with two 'mail' attribute

When I try to search it using get_ldap_param I get nil. When user has only one attribute all ok.

Here is a little test i wrote in irb:

irb(main):006:0> a = [1,2]
=> [1, 2]
irb(main):007:0> a = a.first if false
=> nil
irb(main):008:0> a
=> [1, 2]

So 'a' got a right result but return result is 'nil'.
File: ldap_adapter.rb, line: 103

@gamafranco @cairo140

Thought I would create a separate issue to resolve my problem.

I modified my connection to match what i thought should be right. When i run the following command in rails console it returns true.

Devise::LdapAdapter.valid_credentials?('myusername', 'mypassword')

However, when i attempt to put these details in the login page of my application it does not log in. When I look at the rails server log it doesn't seem to be doing anything against LDAP. See the POST action below.

Started POST "/users/sign_in" for 127.0.0.1 at 2011-10-20 08:46:25 +1000
  Processing by Devise::SessionsController#create as HTML
  Parameters: {"utf8"=>"Γ£ô", "authenticity_token"=>"u86KVD938HZreSoF2UJHW5A+M/U
kRh/1fKHEaQI28o8=", "user"=>{"username"=>"stittc", "password"=>"[FILTERED]", "re
member_me"=>"0"}, "commit"=>"Sign in"}
  ←[1m←[35mUser Load (1.2ms)←[0m  EXEC sp_executesql N'SELECT TOP (1) [users].*
FROM [users] WHERE [users].[username] = N''stittc'''
Completed   in 124ms
  Processing by Devise::SessionsController#new as HTML
  Parameters: {"utf8"=>"Γ£ô", "authenticity_token"=>"u86KVD938HZreSoF2UJHW5A+M/U
kRh/1fKHEaQI28o8=", "user"=>{"username"=>"stittc", "password"=>"[FILTERED]", "re
member_me"=>"0"}, "commit"=>"Sign in"}
Rendered devise/shared/_links.erb (0.0ms)
Rendered devise/sessions/new.html.erb within layouts/application (16.7ms)
Completed 200 OK in 29ms (Views: 17.8ms | ActiveRecord: 3.6ms)

Should it be showing a line or 2 where it checks against LDAP?

Thanks in advance.

Please tag the commit from which you built the 0.4.5 gem. The others are tagged and it makes debugging a lot easier.

Thx

Change the gemspec/Gemfile line from:
gem 'devise', '~> 1.5.0'
to:
gem 'devise', '>= 1.5.0'

Devise 2 should mantain retro-compatiblity so I don't think there are too many problems (from the devise homepage => "be sure that your application is fine running on Devise 1.5.x and that you are running on at least Rails 3.1")

thanks

Encountered this error with the following ldap.yml:

production:
  ssl: true

Here's the error:

undefined method `to_sym' for true:TrueClass

/Users/cairo140/.rvm/gems/ruby-1.9.2-p290/bundler/gems/devise_ldap_authenticatable-87b47c5fe0bc/lib/devise_ldap_authenticatable/ldap_adapter.rb:67:in `initialize'

It's obviously expecting something like ssl: simple_tls, since that's the only acceptable argument to the :encryption option. I'll put in a fix.

In our AD database, the user DNs have the format "Surname, Firstname", by the time it makes it through devise_ldap_authenticatable its got an extra \ escape.

eg:

ruby-1.9.3-p0 :001 > Devise::LdapAdapter.get_ldap_entry('jbloggs')['dn']
LDAP: LDAP search for login: sAMAccountName=jbloggs
=> ["CN=Bloggs\, Joe,OU=Dev,OU=Euro,DC=sample,DC=com"]

its actually two blackslashes here, but github is unescaping them... so i've put four in this comment

Hello,

Just a quick note about a typo in the documentation: ./run_server.sh should be ./run-server.sh
Also you might add that all this happens in the ./test/ldap directory (saves 15s ;-)

And BTW, devise_ldap_authenticatable is a great plugin. Good work !

Best regards,
Dominique

devise_ldap_authenticatable supports authorization by existing Active Directory groups (see authorization section in ldap.yml). This way, I have successful restricted access to my whole Rails app to users which are member of (a) certain AD group(s). This far, this good.

But can I use devise_ldap_authenticatable to do a more finegrained authorization?

For example:
Members of AD group foo are allowed to access the route foo#index, while members of AD group bar are allowed to access bar#index.

If the answer is 'No': What might be a more appropriate gem?

Hi,

using your querying function in my user model for retrieving the surname

before_save :get_ldap_sn

def get_ldap_sn
  self.sn = Devise::LdapAdapter.get_ldap_param(self.email, "sn")
end

results in an error:

NoMethodError in Devise::SessionsController#create

undefined method `sn' for #<Net::LDAP::Entry:0x103b483c8>

probably due to the search restriction on the LDAP Server. Maybe an authentication to bind before the search query could fix the problem like bobek suggested in his commit.

Thank you for your work with this plugin.

Here's a minor issue: devise_ldap_authenticatable does not check for blank passwords. This is usually not a problem, because you would do that validation in your model, but the LDAP specification authenticates users with blank passwords as anonymous, and thus a user with a blank password will authenticate, even though it has a password set.

I discovered this while fiddling around with making devise_ldap_authenticatable http_authenticatable.

devise.rb:
  config.ldap_use_admin_to_bind = false
  config.ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| "#{login}"}

curl tests:

# first, with an invalid password
ezri:~ kn$ curl -v -u 'domain\myuser:invalid' http://localhost:3000/posts
* About to connect() to localhost port 3000 (#0)
*   Trying ::1... Connection refused
*   Trying fe80::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 3000 (#0)
* Server auth using Basic with user 'domain\myuser'
> GET /posts HTTP/1.1
> Authorization: Basic dGRjaFxrbjppbnZhbGlk
> User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
> Host: localhost:3000
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized 
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Application"
< Content-Type: */*; charset=utf-8
< Cache-Control: no-cache
< X-Ua-Compatible: IE=Edge
< X-Runtime: 0.155226
< Server: WEBrick/1.3.1 (Ruby/1.9.2/2010-12-25)
< Date: Thu, 03 Feb 2011 19:58:55 GMT
< Content-Length: 26
< Connection: Keep-Alive
< 
* Connection #0 to host localhost left intact
* Closing connection #0

# then, with an empty password
ezri:~ kn$ curl -v -u 'domain\myuser:' http://localhost:3000/posts
* About to connect() to localhost port 3000 (#0)
*   Trying ::1... Connection refused
*   Trying fe80::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 3000 (#0)
* Server auth using Basic with user 'domain\myuser'
> GET /posts HTTP/1.1
> Authorization: Basic dGRjaFxrbjo=
> User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
> Host: localhost:3000
> Accept: */*
> 
< HTTP/1.1 200 OK 
< Content-Type: text/html; charset=utf-8
< Etag: "3de62547f5190f1209c2f2245ad1e824"
< Cache-Control: max-age=0, private, must-revalidate
< X-Ua-Compatible: IE=Edge
< X-Runtime: 0.201555
< Server: WEBrick/1.3.1 (Ruby/1.9.2/2010-12-25)
< Date: Thu, 03 Feb 2011 20:00:25 GMT
< Content-Length: 1257
< Connection: Keep-Alive
< Set-Cookie: _authtest_session=BAh7CEkiD3Nlc3Npb25faWQGOgZFRiIlNzkyZTg1MTJmZGYxZTI0OTIwYTNlZGMwMzYwM2VhYWNJIhl3YXJkZW4udXNlci51c2VyLmtleQY7AFRbB0kiCVVzZXIGOwBGaQhJIhBfY3NyZl90b2tlbgY7AEZJIjFzVCtBamx5MDhqUEF6SWxJVkhreEttR2s4NW5uNGR0MXlSVkFLcFQ2MEpFPQY7AEY%3D--3636f25afabd175878325309971123449eda33dc; path=/; HttpOnly

# finally, with the correct password
ezri:~ kn$ curl -v -u 'domain\myuser:mypass' http://localhost:3000/posts
* About to connect() to localhost port 3000 (#0)
*   Trying ::1... Connection refused
*   Trying fe80::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 3000 (#0)
* Server auth using Basic with user 'domain\myuser'
> GET /posts HTTP/1.1
> Authorization: Basic dGRjaFxrbjo=
> User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
> Host: localhost:3000
> Accept: */*
> 
< HTTP/1.1 200 OK 
< Content-Type: text/html; charset=utf-8
< Etag: "3de62547f5190f1209c2f2245ad1e824"
< Cache-Control: max-age=0, private, must-revalidate
< X-Ua-Compatible: IE=Edge
< X-Runtime: 0.201555
< Server: WEBrick/1.3.1 (Ruby/1.9.2/2010-12-25)
< Date: Thu, 03 Feb 2011 20:00:25 GMT
< Content-Length: 1257
< Connection: Keep-Alive
< Set-Cookie: _authtest_session=BAh7CEkiD3Nlc3Npb25faWQGOgZFRiIlNzkyZTg1MTJmZGYxZTI0OTIwYTNlZGMwMzYwM2VhYWNJIhl3YXJkZW4udXNlci51c2VyLmtleQY7AFRbB0kiCVVzZXIGOwBGaQhJIhBfY3NyZl90b2tlbgY7AEZJIjFzVCtBamx5MDhqUEF6SWxJVkhreEttR2s4NW5uNGR0MXlSVkFLcFQ2MEpFPQY7AEY%3D--3636f25afabd175878325309971123449eda33dc; path=/; HttpOnly

Naturally one could ague that validation belongs elsewhere, but I would say that an authentication module should at least make sure that one cannot authenticate simply by using a blank password :)

Hello,

uniqueMember attribute doesn't exist in my ldap repository for group, also I propose to add an extra parameter into the ldap config yaml file. It should be an array of attribute names in order to specify a different attribute for each group. The current in_required_groups method should be modified accordingly
here is a possible implementation

....
@required_groups.each_with_index do |group,index|
admin_ldap.search(:base => group, :scope => Net::LDAP::SearchScope_BaseObject) do |entry|
unless entry[@attribute_group_required[index]].include? dn
DeviseLdapAuthenticatable::Logger.send("User #{dn} is not in group: #{group}")
return false
end
end
end
....

Thanks

Is there a way to do this?

Is anyone willing to share the ldap.yml configuration they use to authenticate against Active Directory? I have tried to configure devise_ldap_authenticatable with the same configuration that works for me in omniauth-ldap, but I am getting nowhere.

This is what I am using right now:

development:
  host: IP ADDRESS
  port: 389 
  attribute: sAMAccountName 
  base: dc=domain,dc=example,dc=com
  admin_user: cn=User\, Name,cn=Users,dc=domain,dc=example,dc=com 
  admin_password: Password
  ssl: false
  # <<: *AUTHORIZATIONS

Right now I just want to allow any user to log in. I'll worry about group membership after I get over this hurdle. Also, is there any way to put devise_ldap_authenticatable into a debug mode so I can get more detailed logging?

This patch to strategy.rb might be a solution:

9c9
<         (valid_for_http_auth? || (valid_controller? && valid_for_params_auth?)) && mapping.to.respond_to?(:authenticate_with_ldap)

---
>         valid_controller? && valid_params? && mapping.to.respond_to?(:authenticate_with_ldap)
16c16
<         if resource = mapping.to.authenticate_with_ldap(authentication_hash.merge(:password => password))

---
>         if resource = mapping.to.authenticate_with_ldap(params[scope])

Hi,

I'm currently integrating with AD, and I need to login a user in a specific domain.

I had to put this in the devise.rb:

config.ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| "#{login}@imaginarycloud.lab.local" }

It would be nice for the domain to be supported in ldap.yml.

Does it make sense? I can make a pull request to support this.

Thanks.

Hello..

I just tried out your ldap gem. using the version from your git repo.

Using it against my AD i needed the ldap_use_admin_to_bind
It did not work however, until i did the following in ldap_adapter.rb

Added :admin => true manually
options = {:login => login, :password => password_plaintext, :admin => true}
and removed the line:
options.merge({ :admin => true }) if ::Devise.ldap_use_admin_to_bind

I am no ruby-programmer but i think you need to look at the line i commented out...

https://github.com/cschiewek/devise_ldap_authenticatable/blob/master/test/rails_app/test/unit/user_test.rb#L108

It's making a test fail:

Steven-Xus-Macbook-Pro:rails_app sxu$ rake test
(in /Users/sxu/Sites/devise_ldap_authenticatable/test/rails_app)
Loaded suite /Users/sxu/.rvm/gems/ruby-1.8.7-p352/gems/rake-0.8.7/lib/rake/rake_test_loader
Started
............/ldap/delete_authorization_role.ldif: No such file or directory
F.......
Finished in 20.142101 seconds.

  1) Failure:
test: With default settings use groups for authorization should not be validated if group with different attribute is removed. (UserTest)
    [/test/unit/user_test.rb:10:in `should_not_be_validated'
     /test/unit/user_test.rb:109:in `__bind_1317766759_810311']:
Password is not properly set.
<false> is not true.

18 tests, 32 assertions, 1 failures, 0 errors
Loaded suite /Users/sxu/.rvm/gems/ruby-1.8.7-p352/gems/rake-0.8.7/lib/rake/rake_test_loader
Started
....
Finished in 0.079987 seconds.

4 tests, 6 assertions, 0 failures, 0 errors

Hi guys,

On my application, I just can use the gem with cn (not really working with other attributes).

When it looks up for my attribute (such as "mail") it doesn't find cause it doesn't sign in as admin before search (and I think it is required by my ldap server).

I've done this change:

http://github.com/BrunoGrasselli/devise_ldap_authenticatable/commit/f0c599aec598f7d218e6016fe81c06a3f49c4128

But as I couldn't run the tests (the ldap server didn't run on my pc for some reason), I don't know if it breaks the tests. Even tough works pretty well on my application.

I have followed the instructions as per the screencast and the Readme of version 0.4.0 and so far I did not manage to validate against our LDAP server. I suspect some problem with the devise_ldap_authenticatable gem as I tried the following order of steps:

• created a new prestine Rails3 application (simple blog/notebook containing one model with title:string and body:text) and verified that it is working
• added devise (version 1.1.rc2) to that app and got it working according to its Readme and Railscast #209
• replaced email with login column in devise as a preparation to LDAP, analogous to the instructions in Railscast #210 and got that working
• added devise_ldap_authenticatable (either version 0.4.0 or by tracking the rails3 branch, which currently gives the same version)
• ran rails generate devise_ldap_authenticatable:install
• verified that :database_authenticatable got replaced by :ldap_authenticatable in the user model
• configured config/ldap.yaml to use our LDAP server
• started the rails application and ran a tcpdump for LDAP requests
• tcpdump observed a request to modify the password with an blank user
• if I choose config.ldap_update_password = false in config/initializers/devise.rb then tcpdump observes no LDAP connection at all

At this point I have no clue what the problem might be. Obviously I got the configuration right at least as far as it connects to our LDAP server even though it's a password change request when signing in. Any clue which configuration parameter I should look at?

I did start the debugger and added a break point in Devise::LdapAdapter::LdapConnect.initialize. When allowing password changes this break point triggers just before the password change request is sent to the LDAP server. Without allowing password changes the break point is never triggered.

Hi,

as of Devise 1.2 there is an option for case insensitive user input which works fine by enabling

config.case_insensitive_keys = [:email]

in config/initializers/devise.rb which doesn't seem work with devise_ldap_authenticatable, when creating new users with the

config.ldap_create_user = true

option. Using the same username with different capital letters ends up creating a new user. I tried using the .downcase method on the login variable, which doesn't seem to have any effect.

LDAP Authenticatable does not seem to work when non-default SessionsController is used.

Steps to reproduce:

• Create a controller (i.e., sessions_controller.rb)

• Make controller inherit from Devise::SessionsController

  class SessionsController < Devise::SessionsController
  

• Update devise_for entry in routes.rb to specify the new controller

  devise_for :users, :controllers => { :sessions => "sessions" }
  

• Attempt to authenticate a user

These seem to be the offending lines:
strategy.rb#L26

devise_ldap_authenticatable.rb#L44

Previous use of Devise database_authenticable, after successful login, pushed the user to the root page I defined in Devise.

I installed 1.0.6 for Rails 2 - Got it to Auth after some mods to remove the ldap_authenticable requirement from the handler (no need to create the field in my db then)
I have it set to create the user, it gets created fine. but now it will not go to the root page on success.

Devise/Warden updates the flash notice to say success, but still on the login page.
If I login after the user is created the first time, I get pushed to the root I expect.

Your strategy is the same as Devise's - success! to Warden

   # to sign in page.
  def authenticate!
    if resource = mapping.to.authenticate_with_ldap(params[scope])
      success!(resource)
    else
      fail(:invalid)
    end

I know Devise uses this after sign-in:

def after_sign_in_path_for(resource_or_scope)
scope = Devise::Mapping.find_scope!(resource_or_scope)
home_path = "#{scope}_root_path"
respond_to?(home_path, true) ? send(home_path) : root_path
end

is there something you have seen blocking this to progress thru to the root known by Devise?

Thanks!

Currently, devise_ldap_authenticatable overwrites the #password= method that mixes into the class that calls Devise::Models.devise (usually something like User).

In devise:

def password=(new_password)
  @password = new_password
  self.encrypted_password = password_digest(@password) if @password.present?
end

In devise_ldap_authenticatable:

def password=(new_password)
  @password = new_password
end

Taking out that line allows devise_ldap_authenticatable to (as expected) run even if the models don't respond to #encrypted_password=.

However, this change prevents devise_ldap_authenticatable from layering on top of database_authenticatable. While this gem is explicitly designed to replace database_authenticatable, I found that adding the call back in allows it to work, at least in my (fairly vanilla) use of the two strategies.

Something like this seems like it'd do fine (I'm currently doing this on my model class itself):

def password=(new_password)
  @password = new_password
  self.encrypted_password = password_digest(@password) if @password.present? && respond_to?(:encrypted_password=)
end

Is there a reason it was implemented as is? If there's interest, I can prepare a patch and test.

The current Devise::LdapAdapter::LdapConnect#dn method conducts a search and returns a dn that depends on whether the attribute search yielded any results:

def dn
  DeviseLdapAuthenticatable::Logger.send("LDAP search: #{@attribute}=#{@login}")
  filter = Net::LDAP::Filter.eq(@attribute.to_s, @login.to_s)
  ldap_entry = nil
  @ldap.search(:filter => filter) {|entry| ldap_entry = entry}
  if ldap_entry.nil?
    @ldap_auth_username_builder.call(@attribute,@login,@ldap)
  else
    ldap_entry.dn
  end
end

Would it be advisable to split it up so that we could have a simple way to find whether the search yielded a result?

The specific user case I'm working through is one in which I'm layering LDAP auth on top of Database auth, and I need to check whether a user exists through LDAP before allowing someone to register using the database method.

Why devise_ldap_authenticatable is still depending on an old version of devise?

I'm trying to log use our LDAP server as authentication for my RAILS app, however it is not working and Devise provides no logging to help me troubleshoot.
The LDAP connection is SSL+anon auth.
The below config works perfectly with a PHP LDAP auth lib as well as an LDAP explorer tool I've tested it with.

ldap.yml:
development:
host: ldap.company.com
port: 636
attribute: mail
base: ou=ldap,o=company.com
ssl: simple_tls

Log:
LDAP: LDAP dn lookup: mail=[email protected]
LDAP: LDAP search for login: mail=[email protected]
LDAP: Authorizing user mail=[email protected],ou=ldap,o=company.com
LDAP: LDAP dn lookup: mail=[email protected]
LDAP: LDAP search for login: mail=[email protected]
Completed 401 Unauthorized in 4043ms

Whats not working? Is search returning nothing? The dn lookup?

Error:
NoMethodError (undefined method ldap_attributes' for #<User:0x4608198>): c:/Ruby187/lib/ruby/gems/1.8/gems/devise_ldap_authenticatable-0.1.6/lib/devise _ldap_authenticatable/model.rb:28:invalid_ldap_authentication?'
c:/Ruby187/lib/ruby/gems/1.8/gems/devise_ldap_authenticatable-0.1.6/lib/devise
_ldap_authenticatable/model.rb:45:in try' c:/Ruby187/lib/ruby/gems/1.8/gems/devise_ldap_authenticatable-0.1.6/lib/devise _ldap_authenticatable/model.rb:45:inauthenticate_with_ldap'
c:/Ruby187/lib/ruby/gems/1.8/gems/devise_ldap_authenticatable-0.1.6/lib/devise
_ldap_authenticatable/strategy.rb:16:in authenticate!' warden (0.10.7) lib/warden/strategies/base.rb:53:in_run!'
warden (0.10.7) lib/warden/proxy.rb:286:in _run_strategies_for' warden (0.10.7) lib/warden/proxy.rb:281:ineach'
warden (0.10.7) lib/warden/proxy.rb:281:in _run_strategies_for' warden (0.10.7) lib/warden/proxy.rb:258:in_perform_authentication'
warden (0.10.7) lib/warden/proxy.rb:82:in authenticate' devise (1.0.8) lib/devise/controllers/helpers.rb:36:inauthenticate'
devise (1.0.8) app/controllers/sessions_controller.rb:19:in create' warden (0.10.7) lib/warden/manager.rb:35:incall'
warden (0.10.7) lib/warden/manager.rb:34:in `catch'

Offending portion in model.rb
def valid_ldap_authentication?(password)
Devise::LdapAdapter.valid_credentials?(self.login, self.ldap_attributes, password)
end

Any ideas?

hi,

I'm using version 0.4.6 and I may have found an issue about overriding devise/sessions controller for a specific project. When doing it, it's no more possible to auth.

Here is what I've found :
file strategy.rb => valid_controller? validates only "devise/sessions" so returns false when we use another controller.

Maybe it's possible to check if params[:controller] references a subclass of Devise::SessionsController ?

I'm new to ror so I may be wrong ... "monkey hacking" this point resolves my issue.

Regards,

Yoann

Hello,

I needed to specify how the username used for ldap.auth(username, password) is built to allow my users to sign in with my compagny's LDAP server.

The username has to be "#{compagnyname}#{username}" instead of "#{attribute}=#{login},#{ldap.base}"

so I forked the project, added an optionnal config param named "ldap_auth_username_builder" that takes a proc that construct the username.

it goes like this in the devise config file :

config.ldap_auth_username_builder = Proc.new(){ |attribute ,login, ldap| "compagnyname\\#{login}" }

Unfortunately I haven't been able to run the test app because it depends on a version of linecache that is not ruby 1.9.2 ready.

Devise depends crucially on the resource being saved correctly in order to work. resource.save allows it to fail silently, causing Devise to be unable to set the session properly. Took me a couple hours of poking around to find it, so it might save some time for others to fix it.

I'm trying to set this module up with AD auth, per Dan's famous HOWTO video. I tried using both the DNS name and IP address of the LDAP server with Wireshark running, but I'm not even seeing LDAP traffic going out to the LDAP server.

In addition, I have ldap_logging enabled, but it's not printing out anything. What gives?

I've followed the instructions to install as best as I can an I must be missing something.

Any ideas?

NoMethodError (undefined method `new_user_session_path' for Devise::FailureApp:0x14bb878):
  

Rendered /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/actionpack-3.0.0/lib/action_dispatch/middleware/templates/rescues/_trace.erb (1.4ms)
Rendered /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/actionpack-3.0.0/lib/action_dispatch/middleware/templates/rescues/_request_and_response.erb (45.8ms)
Rendered /Users/spspriggs/.rvm/gems/ruby-1.9.2-p0/gems/actionpack-3.0.0/lib/action_dispatch/middleware/templates/rescues/diagnostics.erb within rescues/layout (72.0ms)

Full Trace

devise (1.1.1) lib/devise/failure_app.rb:67:in `redirect_url'
devise (1.1.1) lib/devise/failure_app.rb:50:in `redirect'
devise (1.1.1) lib/devise/failure_app.rb:30:in `respond'
actionpack (3.0.0) lib/abstract_controller/base.rb:150:in `process_action'
actionpack (3.0.0) lib/abstract_controller/base.rb:119:in `process'
actionpack (3.0.0) lib/action_controller/metal.rb:133:in `dispatch'
actionpack (3.0.0) lib/action_controller/metal/rack_delegation.rb:14:in `dispatch'
actionpack (3.0.0) lib/action_controller/metal.rb:173:in `block in action'
devise (1.1.1) lib/devise/failure_app.rb:17:in `call'
devise (1.1.1) lib/devise/failure_app.rb:17:in `call'
warden (0.10.7) lib/warden/manager.rb:114:in `call_failure_app'
warden (0.10.7) lib/warden/manager.rb:100:in `process_unauthenticated'
warden (0.10.7) lib/warden/manager.rb:47:in `call'
actionpack (3.0.0) lib/action_dispatch/middleware/best_standards_support.rb:17:in `call'
actionpack (3.0.0) lib/action_dispatch/middleware/head.rb:14:in `call'
rack (1.2.1) lib/rack/methodoverride.rb:24:in `call'
actionpack (3.0.0) lib/action_dispatch/middleware/params_parser.rb:21:in `call'
actionpack (3.0.0) lib/action_dispatch/middleware/flash.rb:182:in `call'
actionpack (3.0.0) lib/action_dispatch/middleware/session/abstract_store.rb:149:in `call'
actionpack (3.0.0) lib/action_dispatch/middleware/cookies.rb:287:in `call'
activerecord (3.0.0) lib/active_record/query_cache.rb:32:in `block in call'
activerecord (3.0.0) lib/active_record/connection_adapters/abstract/query_cache.rb:28:in `cache'
activerecord (3.0.0) lib/active_record/query_cache.rb:12:in `cache'
activerecord (3.0.0) lib/active_record/query_cache.rb:31:in `call'
activerecord (3.0.0) lib/active_record/connection_adapters/abstract/connection_pool.rb:355:in `call'
actionpack (3.0.0) lib/action_dispatch/middleware/callbacks.rb:46:in `block in call'
activesupport (3.0.0) lib/active_support/callbacks.rb:415:in `_run_call_callbacks'
actionpack (3.0.0) lib/action_dispatch/middleware/callbacks.rb:44:in `call'
rack (1.2.1) lib/rack/sendfile.rb:107:in `call'
actionpack (3.0.0) lib/action_dispatch/middleware/remote_ip.rb:48:in `call'
actionpack (3.0.0) lib/action_dispatch/middleware/show_exceptions.rb:46:in `call'
railties (3.0.0) lib/rails/rack/logger.rb:13:in `call'
rack (1.2.1) lib/rack/runtime.rb:17:in `call'
activesupport (3.0.0) lib/active_support/cache/strategy/local_cache.rb:72:in `call'
rack (1.2.1) lib/rack/lock.rb:11:in `block in call'
:10:in `synchronize'
rack (1.2.1) lib/rack/lock.rb:11:in `call'
actionpack (3.0.0) lib/action_dispatch/middleware/static.rb:30:in `call'
railties (3.0.0) lib/rails/application.rb:168:in `call'
railties (3.0.0) lib/rails/application.rb:77:in `method_missing'
railties (3.0.0) lib/rails/rack/log_tailer.rb:14:in `call'
rack (1.2.1) lib/rack/content_length.rb:13:in `call'
rack (1.2.1) lib/rack/handler/webrick.rb:52:in `service'
/Users/spspriggs/.rvm/rubies/ruby-1.9.2-p0/lib/ruby/1.9.1/webrick/httpserver.rb:111:in `service'
/Users/spspriggs/.rvm/rubies/ruby-1.9.2-p0/lib/ruby/1.9.1/webrick/httpserver.rb:70:in `run'
/Users/spspriggs/.rvm/rubies/ruby-1.9.2-p0/lib/ruby/1.9.1/webrick/server.rb:183:in `block in start_thread'

hi,

it would be nice if the user could change between sha1 and md5, should not be a big change because the net-ldap function you use, does already support it. it would just be a new configuration option and a little change in ldap_adapter.rb, where you did hardcode it to sha1.

best regards