lukefx / rack-ntlm

Rack module for NTLM Authentication

No Actual Authentication? #1

Open Wardrop opened 12 years ago

Wardrop commented 12 years ago

By the looks of it, all this code is doing is getting the username out of the NTLM request and verifying its existence in an LDAP directory. There is no actual authentication - anyone can spoof a username over LDAP, in fact any browser that prompts for a username will allow a user to "authenticate" as anyone they want.

Am I missing something?

skull-squadron commented 12 years ago

Authorization is still very useful.

amw commented 12 years ago

Confirming the issue. No authentication is performed. All this gem does is confirm that the user (who the client claims to be) exists in AD.

@Wardrop Were you able to find some other gem to perform single sign on with active directory users?

@steakknife This gem doesn't provide any kind of authorization. Neither in theory nor in practice. I think you got this term mixed up.

Wardrop commented 12 years ago

@amw No, I didn't find any other gem that performs actual authentication. I decided to go down the path of letting Apache handle NTLM authentication before deciding to postpone implementing single sign-on for the project I was working on.

elia commented 12 years ago

Just for information, I got a decent setup in which the whole authentication is handled by IIS. Adapting from these instructions I got IIS to act as a reverse proxy for a Rails server (thin, webrick, whatever…) on a *nix machine (a Mac with Pow! in development).

Here's the iirf.ini file that I used for development:

# NOTE: This file should be placed in the IIS document root for the application

# Put the following line in windows etc/hosts file
# 
#   172.18.27.252 intranet.dev
# 

StatusInquiry ON
RewriteLogLevel 3
RewriteLog ..\..\TEMP\iirf
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^.*$ - [L]
ProxyPass ^/(.*)$ http://intranet.dev:80/$1
ProxyPassReverse / http://intranet.dev/

# Disable HTTPS
# 
#   RewriteCond %{HTTPS} on
#   RewriteHeader X_FORWARDED_PROTO ^$ https
# 

With this setup you can rely on the fact that the authentication is performed by IIS and you only get authenticated requests containing a Type-1 NTLM message (or Type-3, I'm not completely sure about this). I also removed rack-ntlm and kept only net-ntlm and used it to extract the username this way:

require 'kconv'
require 'net/ntlm'

# The Authorization header looks like "NTLM <base64 message>" (or "Negotiate ...");
# $2 captures the base64 part. IIS has already done the challenge/response, so
# the message that reaches the app carries the authenticated user name.
if /^(NTLM|Negotiate) (.+)/ =~ env["HTTP_AUTHORIZATION"]
  encoded_message = $2
  message = Net::NTLM::Message.decode64(encoded_message)
  # User name is stored as UTF-16LE inside the NTLM message
  user = Net::NTLM::decode_utf16le(message.user)
end

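
An added example (not code from the thread, the gem, or elia's setup) of the one check that setup still needs: the user name inside the NTLM message is only a claim, so the app must accept the `Authorization` header only for requests that actually came through the IIS proxy that verified the challenge/response. Instead of net-ntlm it carries a small parser for the documented Type-3 layout so it runs without the gem; the proxy address `172.18.27.1`, the `TRUSTED_PROXY` constant, the function names, and the base64 fixture (a hand-built Type-3 with empty response buffers, not a captured message) are all assumptions made for the example.

```ruby
require 'ipaddr'

# Layout of an NTLM Type-3 (AUTHENTICATE) message, from the public NTLM
# description (davenport.sourceforge.net/ntlm.html). A "security buffer" is
# len:u16 LE, maxlen:u16 LE, offset:u32 LE (offset from the message start).
#    0  "NTLMSSP\0"   8 bytes             36  user name     security buffer
#    8  message type  u32 LE, must be 3   44  workstation   security buffer
#   12  LM response   security buffer     52  session key   security buffer
#   20  NTLM response security buffer     60  flags         u32 LE
#   28  domain        security buffer
NTLMSSP_SIGNATURE = "NTLMSSP\0".b
NEGOTIATE_UNICODE = 0x00000001

# Only requests arriving from this address are taken to have been
# authenticated by IIS. Constructed placeholder, not an address from the thread.
TRUSTED_PROXY = IPAddr.new("172.18.27.1")

# Read one security buffer; nil if it points outside the message.
def read_buffer(msg, at)
  len, _maxlen, offset = msg[at, 8].unpack("vvV")
  return nil if len.nil? || offset.nil? || offset + len > msg.bytesize
  msg[offset, len]
end

def decode_name(bytes, unicode)
  return "" if bytes.empty?
  bytes.force_encoding(unicode ? "UTF-16LE" : "ISO-8859-1").encode("UTF-8")
end

# Parse a Type-3 message into its name fields. Returns nil for anything that is
# not a well-formed Type-3 (a Type-1, a Kerberos token, junk, truncated data).
def parse_type3(msg)
  msg = msg.b
  return nil unless msg.bytesize >= 52 && msg[0, 8] == NTLMSSP_SIGNATURE
  return nil unless msg[8, 4].unpack1("V") == 3
  # Flags are optional in the oldest Type-3 layout; absent means OEM text.
  flags = msg.bytesize >= 64 ? msg[60, 4].unpack1("V") : 0
  unicode = (flags & NEGOTIATE_UNICODE) != 0
  fields = {}
  { domain: 28, user: 36, workstation: 44 }.each do |name, at|
    raw = read_buffer(msg, at)
    return nil if raw.nil?
    fields[name] = decode_name(raw, unicode)
  end
  fields
rescue EncodingError
  nil
end

def from_trusted_proxy?(env)
  addr = env["REMOTE_ADDR"].to_s
  return false if addr.empty?
  IPAddr.new(addr) == TRUSTED_PROXY
rescue IPAddr::Error
  false
end

# Return "DOMAIN\user" for a request IIS has already authenticated, nil
# otherwise. Without the proxy check the same header sent straight to the app
# port would be accepted as-is, which is exactly the problem this issue reports.
def authenticated_user(env)
  return nil unless from_trusted_proxy?(env)
  m = /\A(?:NTLM|Negotiate) ([A-Za-z0-9+\/]+=*)\z/.match(env["HTTP_AUTHORIZATION"].to_s)
  return nil unless m
  fields = parse_type3(m[1].unpack1("m0"))   # "m0": strict base64, raises on junk
  return nil if fields.nil? || fields[:user].empty?
  fields[:domain].empty? ? fields[:user] : "#{fields[:domain]}\\#{fields[:user]}"
rescue ArgumentError
  nil
end

# Constructed fixture (not a captured message): a Type-3 with empty LM/NTLM
# response buffers, the Unicode flag set, domain "LAB", user "alice",
# workstation "WS1"; the shape the app sees behind IIS after the handshake.
SAMPLE_TYPE3_B64 = [
  "TlRMTVNTUAAD", "AAAAAAAAAEAA", "AAAAAAAAQAAA", "AAYABgBAAAAA",
  "CgAKAEYAAAAG", "AAYAUAAAAAAA", "AAAWAAAAAQAA", "AEwAQQBCAGEA",
  "bABpAGMAZQBX", "AFMAMQA=",
].join.freeze

def demo
  env = { "REMOTE_ADDR" => "172.18.27.1",
          "HTTP_AUTHORIZATION" => "NTLM #{SAMPLE_TYPE3_B64}" }
  puts authenticated_user(env)                                             # LAB\alice
  puts authenticated_user(env.merge("REMOTE_ADDR" => "10.0.0.5")).inspect  # nil
end

demo if $PROGRAM_NAME == __FILE__
```

`authenticated_user` takes a Rack `env`, so it drops straight into a middleware; the only configuration is `TRUSTED_PROXY`, and the app port should additionally be firewalled so that nothing but the proxy can reach it.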
skull-squadron commented 12 years ago

+1 awesome for followup. :cake:

elia commented 12 years ago

@lukefx can we close this?

amw commented 12 years ago

I don't think we should. It should stay wide open as a warning and guide to other developers. I would go as far as suggesting to modify the project's README to say that this gem is broken and that your application will be unsecured if you decide to use it in production.

elia commented 12 years ago

@amw you're right, fixing the README is the real issue.

amw commented 12 years ago

:-)

Well, that's not what I meant, but if no one is going to commit a real fix then it's the least we can do.

lukefx commented 12 years ago

OK guys, sorry for the long-awaited response. I'm full time on a project but I've created a branch and I'm trying to fix the authentication.

rhuanbarreto commented 5 years ago

Hi!

Years after, is there still a way to do authentication in this way?