
Question: I am having issues connecting to my Microsoft Active Directory using the devise_ldap_authentication. For some reason I keep getting LDAP search yielded 0 matches when using it with devise, and I am 100% certain I am using the correct credentials, so I wrote a test class using 'net/ldap' to see if I could yield a correct match, and presto, it works with my test class, but I still can't authenticate with devise_ldap_auth. Any help would be greatly appreciated, or help with setting up my config/ldap.yml to match my test class.

Here is my config/ldap.yml

#Environment
development:
  host: myldap.mydomain.com
  port: 389
  attribute: sAMAccountname
  base: dc=mydomain, dc=com
  admin_user: cn=admin,dc=mydomain,dc=com
  admin_password: password
  #ssl: false

Here is my devise.rb

Devise.setup do |config|
  # ==> LDAP Configuration
  config.ldap_logger = true
  # config.ldap_create_user = false
  # config.ldap_update_password = true
  config.ldap_config = "#{Rails.root}/config/ldap.yml"
  # config.ldap_check_group_membership = false
  # config.ldap_check_group_membership_without_admin = false
  config.ldap_check_attributes = true
  #config.ldap_use_admin_to_bind = true
  # config.ldap_ad_group_check = false
end

This is what I get back when using LDAP with devise.

D, [2016-06-24T07:01:30.558440 #42760] DEBUG -- :   LDAP: LDAP dn lookup: sAMAccountName=snow
D, [2016-06-24T07:01:30.558507 #42760] DEBUG -- :   LDAP: LDAP dn lookup: sAMAccountName=snow
D, [2016-06-24T07:01:30.558549 #42760] DEBUG -- :   LDAP: LDAP search for login: sAMAccountName=snow
D, [2016-06-24T07:01:30.558579 #42760] DEBUG -- :   LDAP: LDAP search for login: sAMAccountName=snow
D, [2016-06-24T07:01:30.594029 #42760] DEBUG -- :   LDAP: LDAP search yielded 0 matches
D, [2016-06-24T07:01:30.594099 #42760] DEBUG -- :   LDAP: LDAP search yielded 0 matches
D, [2016-06-24T07:01:30.594146 #42760] DEBUG -- :   LDAP: Authorizing user sAMAccountName=snow,dc=mydomain, dc=com
D, [2016-06-24T07:01:30.594180 #42760] DEBUG -- :   LDAP: Authorizing user sAMAccountName=snow,dc=mydomain, dc=com
D, [2016-06-24T07:01:30.611308 #42760] DEBUG -- :   LDAP: Not authorized because not authenticated.
D, [2016-06-24T07:01:30.611377 #42760] DEBUG -- :   LDAP: Not authorized because not authenticated.

Here is my test class that works to authenticate with LDAP on my Microsoft AD.

require 'net/ldap' # gem install net-ldap
module Test
  class PutAd
    SERVER = 'myldap.mydomain.com'
    PORT = 389
    BASE = 'DC=mydomain,DC=com'
    DOMAIN = 'mydomain.com'

    # Local attribute name => AD attribute it is read from
    ATTR_SV = {
                :login => :samaccountname,
                :first_name => :givenname,
                :last_name => :sn,
                :email => :mail
              }

    attr_reader :login, :first_name, :last_name, :email

    # Copy the mapped attributes out of the Net::LDAP::Entry returned by search
    def initialize(entry)
      ATTR_SV.each do |name, ad_attr|
        instance_variable_set("@#{name}", entry[ad_attr].first)
      end
    end

    def self.authenticate(login, pass)
      return nil if login.empty? or pass.empty?

      # Bind with the user's UPN (login@domain), which AD accepts as a simple-bind name
      conn = Net::LDAP.new :host => SERVER,
                           :port => PORT,
                           :base => BASE,
                           :auth => { :username => "#{login}@#{DOMAIN}",
                                      :password => pass,
                                      :method => :simple }
      # Filter.eq escapes the login value so it cannot change the filter's structure
      filter = Net::LDAP::Filter.eq('sAMAccountName', login)
      if conn.bind and user = conn.search(:filter => filter).first
        return self.new(user)
      else
        return nil
      end
    rescue Net::LDAP::Error => e
      return nil
    end
  end
end

This will return my account information if it matches; if not, it will return nil.

1 Answer

Turns out my company has a different way of authorizing a user. I added the advanced flag to my devise ldap install, set this accordingly, and presto, it worked.

# ==> Advanced LDAP Configuration
config.ldap_auth_username_builder = Proc.new() {|attribute, login, ldap| "#{login}@mydomain.com"}
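To make concrete why the builder above fixes the question's failure, here is an added example (not code from the page, the gem, or the poster) that compares the two bind-name shapes and builds the sAMAccountName search filter with RFC 4515 escaping. The DN-style builder is this example's reconstruction of the "attribute=login,base" name visible in the question's log line ("Authorizing user sAMAccountName=snow,dc=mydomain, dc=com"), not the gem's own code; the UPN builder mirrors the answer. BASE and DOMAIN are constructed values. The escaping matters because the question's test class interpolates the login straight into its filter string; it also covers the general case of any value placed in a filter, not just sAMAccountName.

```ruby
# Added example: DN-style vs UPN-style bind names, plus safe filter construction.
# Pure Ruby, no gems required. Builder signature (attribute, login, ldap)
# follows the accepted answer; BASE and DOMAIN are constructed values.

BASE   = 'dc=mydomain,dc=com'   # constructed, mirrors the question's base
DOMAIN = 'mydomain.com'         # constructed, mirrors the answer's domain

# DN-style name: reconstruction of the shape seen in the question's log.
# A plain AD simple bind with this name fails for an ordinary user object,
# whose real DN lives under an OU/CN, not directly under the base.
DN_BUILDER  = Proc.new { |attribute, login, _ldap| "#{attribute}=#{login},#{BASE}" }

# UPN-style name: what the accepted answer configures for an AD domain.
UPN_BUILDER = Proc.new { |_attribute, login, _ldap| "#{login}@#{DOMAIN}" }

# Run a builder the way the gem would, with the login attribute and login name.
def bind_name(builder, attribute, login)
  builder.call(attribute, login, nil)
end

# RFC 4515 escaping for a value placed inside an LDAP search filter:
# backslash, asterisk, parentheses and NUL become \XX hex escapes.
# Without this, a login such as 'snow)(objectClass=*' rewrites the filter.
def escape_filter_value(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Equality filter on sAMAccountName with the login value escaped.
def sam_account_filter(login)
  "(sAMAccountName=#{escape_filter_value(login)})"
end

if __FILE__ == $0
  puts bind_name(DN_BUILDER,  'sAMAccountName', 'snow')
  puts bind_name(UPN_BUILDER, 'sAMAccountName', 'snow')
  puts sam_account_filter('snow')
  puts sam_account_filter('snow)(objectClass=*')
end
```

Run it with `ruby upn_example.rb` (file name is your choice). The first two lines print the DN-style and UPN-style names for the same login; the last two show that a plain login passes through unchanged while filter metacharacters are neutralised, which is the same guarantee Net::LDAP::Filter.eq gives when you use it instead of string interpolation.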

1 Comment

That looks like you are building the UPN, which is found on the user's Account tab in Active Directory Users and Computers. I needed this for my little project. In your code above you mention SAMAccount, which is the domain\user found on the same tab.
