Letractively / rubycas-server

Automatically exported from code.google.com/p/rubycas-server
GNU Lesser General Public License v2.1

simple LDAP authentication could be a bit improved #30

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

Add a user:

dn: cn=user,dc=localhost
cn: user
objectClass: person
sn: John

to your ldap server with:

ldapadd -x -D "cn=admin,dc=localhost" -W -f file-with-lines-above

add:

authenticator:
  class: CASServer::Authenticators::ActiveDirectoryLDAP
  ldap:
    server: localhost
    port: 389
    base: dc=localhost
    filter: (objectClass=person)

as your authenticator. Set a password for the manager user.

Authentication seems to be failing. I can't even authenticate with my admin
user (i thought it was because it's of the wrong objectClass, but
objectClass is actually ignored).

From my peek at the code (haven't ever seen ruby before) it seems that
filter and base parameters from configuration are being ignored when doing
basic authentication, and my LDAP server allows anyone to authenticate, so
I do not have a separate "authentication" account credentials of which i
could enter for auth_user and auth_password.

I am not sure what the right solution would be ... but either the example
config should get filter and base removed (they are not being used in the
original code) or the code of the bind_directly should be changed to
something like this:

    def bind_directly
      # When no auth_user is specified, we will try to connect directly as the user
      # who is trying to authenticate. Note that for this to work, the username must
      # be equivalent to the user's CN, and this is often not the case (for example,
      # in Active Directory, the username is the 'sAMAccountName' attribute, while the
      # user's CN is generally their full name.)

      filter = Net::LDAP::Filter.construct(@options[:ldap][:filter]) if
        @options[:ldap][:filter] && !@options[:ldap][:filter].blank?
      # use "cn" as the username_attribute
      username_filter = Net::LDAP::Filter.eq("cn", @username)
      if filter
        filter &= username_filter
      else
        filter = username_filter
      end

      @ldap.bind_as(:base => @options[:ldap][:base], :password => @password, :filter => filter)
    end

maybe username_attribute support could be added in as well just defaulting
to "cn" instead of "uid" if none is provided in the config.

What version of RubyCAS-Server are you using? How is it installed (rubygem,
manual install)? How are you running it (webrick, mongrel, cgi, etc.)? 

Installed with gem install following instructions on the website

Original issue reported on code.google.com by ignas.mi...@gmail.com on 24 Oct 2007 at 4:12

GoogleCodeExporter commented 8 years ago
The problem might be your port number.  I believe active directory uses 3268.

Original comment by jzy...@gmail.com on 19 Nov 2007 at 2:41

GoogleCodeExporter commented 8 years ago
I would not be able to connect after fixing the code if the port was wrong. And
this port number is set in my openldap configuration.

Original comment by ignas.mi...@gmail.com on 19 Nov 2007 at 3:48

GoogleCodeExporter commented 8 years ago
Sorry, I was thrown off by your use of the ActiveDirectoryLDAP authenticator. I'll
take a look at your code. Thanks

Original comment by jzy...@gmail.com on 19 Nov 2007 at 4:57

GoogleCodeExporter commented 8 years ago
What kind of LDAP server are you authenticating against? It looks like you're using
the ActiveDirectory LDAP authenticator, but your use of 'ldapadd' suggests you're
actually connecting to an OpenLDAP server?

I suppose that either should work, since the only difference between the regular LDAP
authenticator and ActiveDirectoryLDAP is that the AD one has the default username
attribute set to 'sAMAccountName', while the regular one has 'uid'... but in your
configuration, you are not specifying an auth_username or auth_password, so the
authenticator will try to bind to the LDAP server directly using the credentials of
the user that's logging in, rather than as your 'cn=admin,dc=localhost' user. In this
case, the default username attribute doesn't matter at all -- it is never used.

By the way, I have it set to 'uid' instead of 'cn', since I was under the impression
that 'uid' is the standard username attribute in most LDAP servers.

Original comment by matt.zuk...@gmail.com on 29 Nov 2007 at 4:49
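The bind-directly flow discussed in the report and in the comment above, as an added example that is not part of the original issue or of rubycas-server. It is my own code: LdapFilter is a stand-in for Net::LDAP::Filter (equality matches and (&...) nesting only), DIRECTORY is a constructed in-memory directory standing in for the LDAP server, the plain-text userPassword values are a simplification of that mock, and the username_attribute config key is the reporter's proposed option, not an existing setting.

```ruby
# Added example (mine, not rubycas-server's): a self-contained model of the
# "bind directly" flow. LdapFilter stands in for Net::LDAP::Filter and
# DIRECTORY for the LDAP server, so it runs offline.
class LdapFilter
  attr_reader :node
  # RFC 4515 escaping for assertion values. Without it a username such as
  # "*" or "x)(cn=admin" would rewrite the search filter.
  def self.escape(value)
    value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
  end

  def self.unescape(value)
    value.gsub(/\\([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
  end

  # Equality match on a literal value (never a wildcard); used for the username.
  def self.eq(attr, value)
    new([:eq, attr.to_s.downcase, value.to_s])
  end

  # Parse the subset a "filter:" config line needs: (attr=value) and (&...) nesting.
  def self.construct(str)
    node, rest = parse(str.strip)
    raise ArgumentError, "trailing input #{rest.inspect}" unless rest.empty?
    new(node)
  end

  def self.parse(s)
    raise ArgumentError, "expected '(' at #{s.inspect}" unless s.start_with?('(')
    if s[1] == '&'
      kids, rest = [], s[2..-1]
      until rest.start_with?(')')
        kid, rest = parse(rest)
        kids << kid
      end
      return [[:and, *kids], rest[1..-1]]
    end
    close = s.index(')') || raise(ArgumentError, 'unterminated filter')
    attr, value = s[1...close].split('=', 2)
    raise ArgumentError, 'expected attr=value' unless value
    [[:eq, attr.downcase, unescape(value)], s[close + 1..-1]]
  end

  def initialize(node)
    @node = node
  end
  def &(other)
    LdapFilter.new([:and, @node, other.node])
  end
  def to_s
    render(@node)
  end
  def matches?(entry)
    evaluate(@node, entry)
  end

  private

  def render(n)
    return "(&#{n[1..-1].map { |k| render(k) }.join})" if n[0] == :and
    "(#{n[1]}=#{LdapFilter.escape(n[2])})"
  end

  def evaluate(n, entry)
    return n[1..-1].all? { |k| evaluate(k, entry) } if n[0] == :and
    entry.fetch(n[1], []).any? { |v| v.casecmp?(n[2]) }
  end
end

# Constructed sample directory: the reporter's cn=user entry plus the admin.
# Plain-text userPassword is a simplification of this mock only.
DIRECTORY = [
  { dn: 'cn=admin,dc=localhost', 'cn' => ['admin'], 'objectclass' => ['organizationalRole'],
    'userpassword' => ['admin-secret'] },
  { dn: 'cn=user,dc=localhost', 'cn' => ['user'], 'sn' => ['John'], 'objectclass' => ['person'],
    'userpassword' => ['hunter2'] }
].freeze

# Stand-in for Net::LDAP#bind_as: search under base with filter, then simple-bind
# as the single matching DN. Refusing ambiguous matches and an empty password
# (which many servers treat as an anonymous bind that "succeeds") are my choices.
def bind_as(directory, base:, filter:, password:)
  found = directory.select { |e| e[:dn].end_with?(base) && filter.matches?(e) }
  return false unless found.size == 1 && !password.to_s.empty?
  found.first['userpassword'].include?(password) ? found.first : false
end

# The reporter's corrected bind_directly with the proposed :username_attribute
# option (hypothetical config key; 'uid' when unset, the maintainer's default).
def bind_directly(directory, options, username, password)
  ldap = options[:ldap]
  filter = LdapFilter.construct(ldap[:filter]) if ldap[:filter] && !ldap[:filter].strip.empty?
  username_filter = LdapFilter.eq(ldap[:username_attribute] || 'uid', username)
  filter = filter ? filter & username_filter : username_filter
  bind_as(directory, base: ldap[:base], filter: filter, password: password) ? true : false
end

# The report's config plus username_attribute: cn, since the entry has no uid.
CONFIG = { ldap: { server: 'localhost', port: 389, base: 'dc=localhost',
                   filter: '(objectClass=person)', username_attribute: 'cn' } }.freeze
```

With this config `bind_directly(DIRECTORY, CONFIG, 'user', 'hunter2')` succeeds, while the admin account is rejected because `(objectClass=person)` excludes it, and switching username_attribute to uid rejects everyone because no entry carries a uid, which is the behaviour the report and the maintainer's reply describe. Two checks a real authenticator needs as well: the username is escaped before it reaches the filter, so `*` or `x)(cn=admin` cannot widen the search, and an empty password is refused before the bind, since an LDAP simple bind with an empty password is an unauthenticated bind that many servers accept.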

GoogleCodeExporter commented 8 years ago
Okay, I think this has been addressed as of revision 325 (this will be released in
the upcoming version 0.7.0 of the server).

Have a look at the solution to issue #57 here
http://code.google.com/p/rubycas-server/issues/detail?id=57&can=1&q=ldap

Original comment by matt.zuk...@gmail.com on 26 Sep 2008 at 6:36