
Checking if user is part of group in ldap

Open jperry opened this issue 13 years ago • 6 comments

Hi,

I was able to get the authentication working against a user in ldap but then I wanted to also verify the user is part of a particular group. I looked at the ldap.yml file and looked at the authorizations part and configured to what I think is correct. Here is a sample of what I have:

authorizations: &AUTHORIZATIONS
  group_base: ou=Groups,dc=company,dc=com
  ## Requires config.ldap_check_group_membership in devise.rb be true
  # Can have multiple values, must match all to be authorized
  required_groups:
    # If an array is given, the first element will be the attribute to check against, the second the group name
    - ["memberuid", "cn=devsupport,ou=Groups,dc=company,dc=com"]

The "memberuid" is an attribute under the devsupport group. I was able to find my user when grouping these two searches and an ldap.search using the net/ldap gem. See below:

require 'net/ldap'
# Connection details were not part of the original post; the host is a placeholder
ldap = Net::LDAP.new(host: "ldap.example.com")
filter_group = Net::LDAP::Filter.eq("cn", "devsupport")
filter_user = Net::LDAP::Filter.contains("memberuid", "jperry")
# Combine the filters into one
filter = filter_group & filter_user
treebase = "dc=company,dc=com"
# Search from the tree base and print the DN of each matching group entry
ldap.search(base: treebase, filter: filter) { |entry| puts "DN: #{entry.dn}" }

The output looks something like this:

DN: cn=devsupport,ou=Groups,dc=company,dc=com
   dn:
      --->cn=devsupport,ou=Groups,dc=company,dc=com
   gidnumber:
      --->2001
   objectclass:
      --->posixGroup
      --->top
   cn:
      --->devsupport
   memberuid:
      --->jperry
      --->jsmith

Am I doing something wrong here, as I'm getting the failure below when I try to log in using devise ldap? Apologies if any of this is confusing.

Completed 500 Internal Server Error in 1806ms

Net::LDAP::LdapError (Invalid binding information):
  net-ldap (0.2.2) lib/net/ldap.rb:1224:in `bind_simple'
  net-ldap (0.2.2) lib/net/ldap.rb:1203:in `bind'
  net-ldap (0.2.2) lib/net/ldap.rb:712:in `bind'

Thanks, Jay

jperry avatar Oct 30 '12 20:10 jperry

I dug a little further to understand what might be happening and I think it's because when checking if a user belongs to a group you are connecting as an admin user.

https://github.com/cschiewek/devise_ldap_authenticatable/blob/master/lib/devise_ldap_authenticatable/ldap_adapter.rb#L248

Our ldap system doesn't require an admin user to do a search which is what is being used to confirm a user is part of a group. Any other approach I can take instead of using the required_groups to tell if a user is part of a group? Maybe I need to fork this code so that it doesn't use the admin user if it is left blank? Thoughts?

Thanks, Jay

jperry avatar Oct 30 '12 21:10 jperry

I forked the repo and added a switch to use the admin or not. Now it can't find the user since the user is "jperry" not "cn=jperry,ou=groups,dc=company,dc=com" which is returned from the "dn" method.

jperry avatar Oct 31 '12 15:10 jperry
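The mismatch described in the comment above (the group stores the bare login "jperry" while the adapter hands the check a DN) comes down to comparing the right value for the configured attribute. The following is an added example, not code from the gem or from jperry's fork, that makes that decision in plain Ruby over constructed group entries; GROUP_ENTRIES, DN_VALUED and the People-branch user DNs are assumptions, not values from the thread:

```ruby
# Added example (not the gem's code): decide membership from a group entry as a
# search like the one above returns it. "memberuid" holds bare logins, so it is
# compared with the uid (jperry); DN-valued attributes are compared with the DN.
# Constructed sample entries, keyed by group DN, mirroring the thread's output.
GROUP_ENTRIES = {
  "cn=devsupport,ou=Groups,dc=company,dc=com" => {
    "objectclass" => ["posixGroup", "top"],
    "cn" => ["devsupport"],
    "memberuid" => ["jperry", "jsmith"],
  },
  "cn=admins,ou=Groups,dc=company,dc=com" => {
    "objectclass" => ["groupOfNames", "top"],
    "cn" => ["admins"],
    "member" => ["uid=jsmith,ou=People,dc=company,dc=com"],
  },
}
# Attributes whose values are DNs rather than bare logins.
DN_VALUED = %w[member uniquemember owner].freeze

# DNs are case-insensitive and whitespace around commas is not significant.
def normalize_dn(dn)
  dn.to_s.strip.downcase.gsub(/\s*,\s*/, ",")
end

# Find a group entry by DN the way the directory would (case-insensitively).
def find_group(entries, group_dn)
  entries.find { |dn, _| normalize_dn(dn) == normalize_dn(group_dn) }&.last
end

# True when the user appears in the group under the configured attribute.
# login: bare uid ("jperry"); user_dn: the DN the adapter resolves for it.
def member_of_group?(entries, attribute, group_dn, login:, user_dn:)
  group = find_group(entries, group_dn)
  return false unless group # an unknown group can never be satisfied
  attr = attribute.downcase
  values = group.fetch(attr, [])
  if DN_VALUED.include?(attr)
    values.any? { |v| normalize_dn(v) == normalize_dn(user_dn) }
  else
    values.any? { |v| v.casecmp?(login) }
  end
end

# required_groups semantics from ldap.yml: every listed group must match.
def authorized?(entries, required_groups, login:, user_dn:)
  required_groups.all? do |attribute, group_dn|
    member_of_group?(entries, attribute, group_dn, login: login, user_dn: user_dn)
  end
end
```

Passing the resolved DN where the group stores a bare uid (the second case in the checks) is exactly the lookup that fails, which is why the comparison value has to follow the attribute rather than always being the DN.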

@jperry did you find a workaround or solution to this? I am also having the same issue (no admin user).

pwnela avatar Dec 14 '12 17:12 pwnela

Hi @pwnela, I ended up forking the code and making it so you can tell the library to not use an admin. See my change here:

https://github.com/jperry/devise_ldap_authenticatable/commit/813f7ee52f0b68f520c383e448021edf578d5e51

Feel free to pull my code or fork it and make the same change.

jperry avatar Dec 14 '12 18:12 jperry

@jperry any chance of a pull request with tests?!

cschiewek avatar Jul 02 '13 22:07 cschiewek

Hi @cschiewek, if I have some time I'll write some tests and send a pull request. I'll be going on vacation soon so it may not be for a week or so. I'll add a reminder.

jperry avatar Jul 03 '13 12:07 jperry