cschiewek / devise_ldap_authenticatable

Devise Module for LDAP
MIT License

Not authenticating yet log says it is? #208

Closed tonydm closed 8 years ago

tonydm commented 9 years ago

I'm having an issue handling usernames. A username John McGradey is being passed to the `config.ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| "#{attribute}=#{login},#{ldap.base}" }` as john mcgradey. Even attempting to upcase the first letter of each name will fail in these cases. One will never be able to know if a camelcased lastname is being passed. How can I override the behavior or what is being passed in? Thank you.

tonydm commented 9 years ago

Attempting to further work this issue, I hard coded the username using the ldap_auth_username_builder to at least verify that, aside from the camelcase challenge, I could authenticate. No success, auth still fails. So my AD Admin suggested I try the sAMAccountName attribute. Two things occur now. 1) I don't see any log output which I did before. 2) I get an exception error in the application_controller from the set_current_user method. A Google search hasn't turned up any results.

```
Psych::SyntaxError in Devise::SessionsController#create
(<unknown>): mapping values are not allowed in this context at line 35 column 7
```

```ruby
def set_current_user
  User.current = current_user   # <--- line the exception points at
end
```

tonydm commented 9 years ago

Ok, I've worked out these issues and am successfully authenticating the Admin user against AD as well as the user. However, Devise is not seeing the user as authenticated even though it appears that the user is authenticated from the log output from the AD auth process.

Before:

```
  LDAP: LDAP dn lookup: cn=test user
  LDAP: LDAP search for login: cn=test user
  LDAP: LDAP search yielded 1 matches
  LDAP: Authorizing user CN=Test User,CN=Users,DC=mydomain,DC=local
  LDAP: Not authorized because not authenticated.
Completed 401 Unauthorized in 74ms (ActiveRecord: 42.0ms)
```

After:

```
  LDAP: LDAP dn lookup: cn=test user
  LDAP: LDAP search for login: cn=test user
  LDAP: LDAP search yielded 1 matches
  LDAP: Authorizing user CN=Test User,CN=Users,DC=mydomain,DC=local
Completed 401 Unauthorized in 35ms (ActiveRecord: 0.6ms)
```

tonydm commented 9 years ago

Not fully understanding the deviseldap... process, I changed config.ldap_create_user = false to true. Now devise attempts to create the user (confirming to me that AD authentication succeeded) but fails because an email address isn't passed/provided.

```
LDAP: LDAP dn lookup: cn=test user
LDAP: LDAP search for login: cn=test user
LDAP: LDAP search yielded 1 matches
LDAP: Authorizing user CN=Test User,CN=Users,DC=speedconnect,DC=local

 (0.7ms)  BEGIN
 (0.4ms)  ROLLBACK

Completed 422 Unprocessable Entity in 1050ms (ActiveRecord: 19.5ms)

ActiveRecord::RecordInvalid (Validation failed: Email can't be blank):
   app/controllers/application_controller.rb:30:in `set_current_user'
```

I'm using username as the devise authentication key.

```ruby
config.authentication_keys = [ :username ]
```

bobleaux commented 8 years ago

Any luck with this? I am having the same issue.

tonydm commented 8 years ago

bobleaux, the problem was that LDAP Auth was "creating" the user in the user table, but requires an email address validation. I added a method to my User model to pull the LDAP email address from AD. Here's what it looks like:

```ruby
# Populate the attributes the User validations require before the record
# created by ldap_create_user = true is validated.
before_validation :get_ldap_email, :get_real_name

def set_attrs
  @attrs ||= nil   # no-op as written; kept as posted
end

def get_ldap_email
  # userPrincipalName from AD; .first raises NoMethodError if the attribute
  # is absent, and the gsub rewrites every "local" in the string, not only
  # the domain suffix.
  @email ||= Devise::LDAP::Adapter.get_ldap_param(self.username, "userprincipalname").first.gsub(/local/, 'com')
  self.email = @email
end

def get_real_name
  @name ||= Devise::LDAP::Adapter.get_ldap_param(self.username, "cn").first
  self.name = @name
end
```

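As an added example (not the gem's code and not from this thread), the snippet below gives a DN-escaping version of the username builder from the first post and a nil-safe replacement for the userPrincipalName lookup above. It assumes the builder's third argument responds to `.base`, as in the thread's own Proc, and that the lookup returns an array of values.

```ruby
# Added example: DN-safe username builder and nil-safe e-mail derivation.
DN_SPECIALS = /[\\,+"<>;=]/

# Escape one attribute value for use inside a DN (RFC 4514 rules), so a
# login such as "Smith, John" cannot add or alter RDNs under the search base.
def escape_dn_value(value)
  s = value.to_s.gsub(DN_SPECIALS) { |c| "\\#{c}" }
  s = s.gsub(/[\x00-\x1F]/) { |c| format('\\%02X', c.ord) } # control chars as hex pairs
  s = "\\#{s}" if s.start_with?('#', ' ')                    # leading '#' or space
  s = "#{s[0..-2]}\\ " if s.end_with?(' ') && s != '\\ '     # trailing space
  s
end

# Same shape as config.ldap_auth_username_builder in the first post, with the
# login escaped before it is interpolated into the DN. `ldap.base` is assumed
# to be the search base, as in the thread's Proc.
DN_USERNAME_BUILDER = proc do |attribute, login, ldap|
  "#{attribute}=#{escape_dn_value(login)},#{ldap.base}"
end

# Derive the e-mail the User model requires from the userPrincipalName values
# a get_ldap_param-style lookup returned (assumed to be an array). Returns nil,
# so the "Email can't be blank" validation stays explicit, instead of raising
# NoMethodError when the attribute is missing; the domain is mapped explicitly
# rather than rewriting every "local" in the string (which would also change a
# local part such as "local.admin").
def email_from_upn(values, domain_map = {})
  upn = Array(values).first.to_s
  return nil unless upn.include?('@')
  local_part, domain = upn.split('@', 2)
  return nil if local_part.empty? || domain.empty?
  "#{local_part}@#{domain_map.fetch(domain.downcase, domain)}"
end
```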
bobleaux commented 8 years ago

Fantastic! This worked for me. Thank you.

ghost commented 5 years ago

Perfect! Works! :-D