Can I bind against the current user
We would like to use the user which is trying to login for the bind.
We tried this:
bind_dn: 'Foobar\%{username}'
password: '%{password}'
It is not working.
If I hard code my user and password, it does work.
Hi!
I had a bit of trouble getting this thing to work myself. LDAP isn't the most popular way to log in but once you get it going it looks like it will work nicely with OmniAuth.
First, get a service account to bind to the LDAP server. The LDAP server is like a database so unless you are accessing it via anonymous you will need to have access to query it... Check with the LDAP admin to get this.
Once you have access, do a small test to see if you can bind to the LDAP server (like below):

    require 'rubygems'
    require 'net/ldap'

    ldap = Net::LDAP.new
    ldap.host = 'LDAPAD.SOMEWHERE.ORG'
    ldap.port = 389
    ldap.auth "service_account_user_name", "service_account_password"
    if ldap.bind
      #puts ldap.methods(:instance)
      puts "authentication succeeded"
    else
      puts "authentication failed"
    end

    filter = Net::LDAP::Filter.eq( "cn", "[email protected]" )
    treebase = "dc=some_dc,dc=org"

    ldap.search( :base => treebase, :filter => filter ) do |entry|
      puts "DN: #{entry.dn}"
      entry.each do |attribute, values|
        puts "  #{attribute}:"
        values.each do |value|
          puts "    --->#{value}"
        end
      end
    end

    p ldap.get_operation_result

If that binds ok then add an initializer for oauth:

    Rails.application.config.middleware.use OmniAuth::Builder do
      provider :ldap,
        :title => "WAHTEVER YOU WANT TO CALL THIS LDAP LOGIN",
        :host => 'HOST_SERVERs.IP_OR_DOMAINNAME.ORG',
        :port => 389,
        # this might be different --- might want to try to connect with a small script to try to bind...
        :uid => 'cn',
        :bind_dn => '[email protected]',
        :password => 'the_password_for_the_service_account_used_to_query_ldap',
        :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')},
        :base => 'OU=SOME_FOLDER,OU=IN_LDAP,DC=SOMEPLACE,DC=ORG'
    end

This worked for me. Hopefully this helps!
--mark
I added the following lines to omniauth-ldap-*/lib/omniauth/strategies/ldap.rb at the top of method "callback_phase"

    @options[:password] = @options[:password].sub('%{password}', request['password'])
    @options[:bind_dn] = @options[:bind_dn].sub('%{username}', request['username'])

to be able to use %{password} and %{username} in the LDAP omniauth initializer
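An added example, not part of the comment above and not omniauth-ldap code: one way to fill the `%{username}` and `%{password}` placeholders per request without touching the configured template. The helper names, the sample `TEMPLATE` and the logon-name allowlist are assumptions made for illustration.

```ruby
# Added example; expand_bind_options and escape_dn_value are hypothetical
# helpers, not part of omniauth-ldap. TEMPLATE is constructed sample config.
TEMPLATE = {
  bind_dn:  'uid=%{username},ou=people,dc=example,dc=org',
  password: '%{password}'
}.freeze

DN_SPECIAL = '\\,+"<>;'.freeze # characters RFC 4514 requires escaping

# Escape one attribute value for use inside a DN (RFC 4514, section 2.4).
def escape_dn_value(value)
  last = value.length - 1
  value.each_char.with_index.map do |c, i|
    if c == "\0"
      '\\00'
    elsif DN_SPECIAL.include?(c) || (i.zero? && ' #'.include?(c)) || (i == last && c == ' ')
      "\\#{c}"
    else
      c
    end
  end.join
end

# Return a per-request copy of the options with the placeholders filled in.
# The template itself is never modified, so the next login starts clean.
def expand_bind_options(template, username, password)
  # An empty password with a non-empty DN is an "unauthenticated bind"
  # (RFC 4513, section 5.1.2), which some servers answer with success.
  raise ArgumentError, 'missing credentials' if username.to_s.empty? || password.to_s.empty?

  name = if template[:bind_dn].include?('=')
           escape_dn_value(username)            # DN-style template
         elsif username.match?(/\A[\w.-]+\z/)   # DOMAIN\user style: conservative allowlist (assumption)
           username
         else
           raise ArgumentError, 'username has characters not allowed in a logon name'
         end

  # Block form: the replacement is inserted literally. With a string
  # replacement, sub would interpret sequences such as \0 or \\ in it.
  template.merge(
    bind_dn:  template[:bind_dn].sub('%{username}') { name },
    password: template[:password].sub('%{password}') { password }
  )
end
```
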
Cool, thanks. Will you make a pull request?
Sorry, no, the code is inelegant – should be more general
From: Alexander Menk [mailto:[email protected]] Sent: Monday, 18 April 2016 17:21 To: intridea/omniauth-ldap [email protected] Cc: Dodd, Paul Sutton (UB) [email protected] Subject: Re: [intridea/omniauth-ldap] Can I bind against the current user (#59)
Cool, thanks. Will you make a pull request?
@pscdodd i guess code can always be made better once there is some base? ;) would you mind to share your version so we could potentially generalize it?
Here is the diff of the hack:
/srv/home/rubyadmin/development/gem_patches/2.4.0/gems/omniauth-ldap-2.0.0/lib/omniauth/strategies$ diff -u ldap.rb.orig ldap.rb --- ldap.rb.orig 2018-01-31 11:31:11.753568066 +0100 +++ ldap.rb 2016-04-20 15:46:06.557739400 +0200 @@ -35,6 +35,8 @@ end
def callback_phase
-
@options[:password] = @options[:password].sub('%{password}', request['password']) unless request['password'].nil? -
@options[:bind_dn] = @options[:bind_dn].sub('%{username}', request['username']) unless request['username'].nil? @adaptor = OmniAuth::LDAP::Adaptor.new @options return fail!(:missing_credentials) if missing_credentials?
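Review bot: In callback_phase, both added lines assign the substituted result back into @options, so the %{password} and %{username} placeholders are overwritten by the first request's values; if @options outlives the request, later logins find no placeholder left and bind with the first user's DN and password. Build a per-request copy of the options and pass that copy to OmniAuth::LDAP::Adaptor.new instead. Two further points on the same lines: sub with a string replacement interprets backslash sequences such as \0 and \\ in request['password'], so use the block form, sub('%{password}') { request['password'] }; and request['username'] is placed into bind_dn unescaped, so DN special characters in it change the DN that is bound.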
From: Christoph Loesch [mailto:[email protected]] Sent: Monday, 12 March 2018 04:46 To: omniauth/omniauth-ldap [mailto:[email protected]] Cc: Dodd, Paul Sutton (UB) [mailto:[email protected]]; Mention [mailto:[email protected]] Subject: Re: [omniauth/omniauth-ldap] Can I bind against the current user (#59)
@pscdodd i guess code can always be made better once there is some base? ;) would you mind to share your version so we could potentially generalize it?
thanks!
@amenk: can you work with this? would be great if there is some progress :)
@vchrizz Currently it does not have priority in our project any more .. But still it is nice to have and a clean solution for future projects.
pull-request https://github.com/omniauth/omniauth-ldap/pull/81 created.
Any updates?