
No user creation in ldap with config.ldap_create_user = true in the Devise Initializer

Open blischalk opened this issue 10 years ago • 10 comments

On a clean Rails 4 install I am testing out Devise with devise_ldap_authenticatable.

With config.ldap_create_user = true set in the Devise initializer, when I sign up a new user no entry is created in the ldap. While tailing the ldap logs I see no request being made to create the user. While observing the development log output in Rails it looks as if it is just querying the Rails relational database instead of calling out to the LDAP.

As well as the user not getting created, the user is "Logged In" anyway even though no ldap entry was created. After logging out and attempting to log in again with the credentials that the user used to sign up, the user is unable to log in.

It seems that if config.ldap_create_user is set to true and no entry is created in the ldap for whatever reason, the user should not be logged in anyway.

Is there some other configuration that I may be missing?

blischalk avatar Dec 12 '13 16:12 blischalk

Hey, check the documentation again. ldap_create_user works on creating users in the DB. When a user tries to log in, they are first authenticated on the LDAP server. If authentication passes, Devise searches for the user record in the DB. If you have ldap_create_user set to false, you need to manage your DB records manually. If you have it set to true, Devise will automatically create the appropriate user records in your DB.

I'm in the process of creating users from the Rails app back into LDAP. I may write here once I find a normal solution. What's your progress?

jozefvaclavik avatar Jan 16 '14 09:01 jozefvaclavik
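The flow jozefvaclavik describes, as an added example that is not code from devise_ldap_authenticatable: the directory bind comes first, and the local DB record is created only after the bind succeeds, and only when ldap_create_user is on. The bind is injected as a callable against a constructed in-memory directory, and the "database" is a Hash, so the example runs offline; the class and method names are this example's own.

```ruby
# Added example, not code from the gem: models the ldap_create_user flow.
# The LDAP bind is injected as a callable so this runs without a directory;
# the "database" is an in-memory Hash keyed by login.
class LdapFirstAuthenticator
  attr_reader :users

  # bind: callable (login, password) -> true only when the directory accepted
  #       the credentials (stands in for the LDAP bind)
  # ldap_create_user: mirrors the Devise initializer option of the same name
  def initialize(bind:, ldap_create_user:)
    @bind = bind
    @ldap_create_user = ldap_create_user
    @users = {}   # login => local user record
  end

  # Returns the local user record on success, nil otherwise. A local record is
  # only ever created after the directory accepted the credentials, which is
  # the invariant the issue author expected (a plain Devise signup bypasses it).
  def authenticate(login, password)
    return nil unless @bind.call(login, password)   # directory decides first
    record = @users[login]
    return record if record
    return nil unless @ldap_create_user              # manual DB management mode
    @users[login] = { login: login, created_from_ldap: true }
  end
end

# Constructed directory for the demonstration only; a real bind never
# compares plaintext secrets locally.
FAKE_DIRECTORY = { "alice" => "correct horse" }
FAKE_BIND = ->(login, password) { FAKE_DIRECTORY[login] == password }

# Walks through the three cases: first login creates the row, second reuses
# it, a failed bind creates nothing. Returns [first, second, failed, row_count].
def demo_ldap_create_user
  auth = LdapFirstAuthenticator.new(bind: FAKE_BIND, ldap_create_user: true)
  first  = auth.authenticate("alice", "correct horse")
  second = auth.authenticate("alice", "correct horse")
  failed = auth.authenticate("mallory", "anything")
  [first, second, failed, auth.users.size]
end
```

With ldap_create_user set to false the same authenticator returns nil for a directory user that has no local record, which is the "manage your DB records manually" mode from the comment above.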

Hi @jozefvaclavik, does devise_ldap_authenticatable not provide a way to create new entries in the LDAP server?

ymhuang0808 avatar Sep 26 '14 07:09 ymhuang0808

@ymhuang0808 Nope. To create a user in the LDAP server you have to use LDAP::Adapter to add the record. I think this is a little bit off topic, but I've struggled with it for some time, so here is my sample. We use it with Active Directory:

dn = "CN=#{@user.short_name},OU=member,DC=example,DC=com"
attrs = {
    cn: @user.short_name,
    givenName: @user.first_name,
    sn: @user.last_name,
    name: @user.short_name,
    displayName: @user.short_name,
    # objectClass is multi-valued: pass one array (repeating the key in a
    # Ruby hash literal keeps only the last value); the AD class is
    # organizationalPerson
    objectClass: ["top", "person", "organizationalPerson", "user"],
    instanceType: "4",
    objectCategory: "CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com",
    distinguishedName: "CN=#{@user.short_name},OU=member,DC=example,DC=com",
    info: "OK",
    mail: @user.email,
    postOfficeBox: "#{@user.login}@example.com",
    sAMAccountName: @user.login,
    userAccountControl: "512",   # normal, enabled user account
    userPrincipalName: "#{@user.login}@example.com",
    pwdLastSet: "0"              # user must change password at next logon
}

# ldap_connect(...).ldap is a Net::LDAP instance bound with the current user's credentials
ldap = Devise::LDAP::Adapter.ldap_connect(current_user.login).ldap
ldap.add(dn: dn, attributes: attrs)
if ldap.get_operation_result.code == 0
    # things are OK, redirect
else
    # things are not OK, display error
end

jozefvaclavik avatar Oct 01 '14 07:10 jozefvaclavik

Hi @jozefvaclavik, thanks for your reply!

ymhuang0808 avatar Oct 02 '14 03:10 ymhuang0808

Hi @jozefvaclavik, may I ask about the issues with creating users on the LDAP server?

ymhuang0808 avatar Oct 02 '14 09:10 ymhuang0808

It was more than half a year ago, so I don't remember how things went back then. I remember that the Active Directory server refused to create users with long usernames. I think the rest depends on your setup. If you wanna add users to an already established userbase, try checking old user records through Apache Directory Studio to see what parameters you need to set up.

jozefvaclavik avatar Oct 03 '14 11:10 jozefvaclavik
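An added example, written for this thread and not part of the gem or of jozefvaclavik's snippet, that covers both his Active Directory sample above and his note about the server refusing long usernames. It builds the same kind of user entry but passes objectClass as one multi-valued array, escapes the RDN value per RFC 4514 so that a username containing `,` or `=` cannot move the entry to a different container, and rejects logon names over the 20-character sAMAccountName limit before the add is attempted. The base OU, the UPN domain and the AdUser struct are assumptions; the `add` call matches Net::LDAP's `add(dn:, attributes:)` signature, which is what `Devise::LDAP::Adapter.ldap_connect(login).ldap` returns.

```ruby
# Added example, not the gem's code: builds an AD user entry safely.
module AdUserEntry
  BASE_OU = "OU=member,DC=example,DC=com"   # assumed container
  UPN_SUFFIX = "example.com"                # assumed UPN domain
  NORMAL_ACCOUNT = "512"                    # userAccountControl: enabled user
  SAM_ACCOUNT_NAME_MAX = 20                 # AD limit for user logon names

  # RFC 4514 escaping for a value placed inside a DN. Plain attribute values
  # (cn, displayName, ...) do not need this; only the RDN does.
  def self.escape_dn_value(value)
    s = value.to_s.gsub(/[\\,+"<>;=]/) { |c| "\\" + c }
    s = s.gsub("\0", "\\00")
    s = s[0...-1] + "\\ " if s.end_with?(" ")   # trailing space
    s = "\\" + s if s.start_with?(" ", "#")     # leading space or '#'
    s
  end

  # user responds to login, short_name, first_name, last_name, email.
  # Returns [dn, attributes] ready for Net::LDAP#add.
  def self.build(user)
    login = user.login.to_s
    if login.length > SAM_ACCOUNT_NAME_MAX
      raise ArgumentError, "sAMAccountName longer than #{SAM_ACCOUNT_NAME_MAX} characters"
    end
    dn = "CN=#{escape_dn_value(user.short_name)},#{BASE_OU}"
    attrs = {
      cn: user.short_name,
      givenName: user.first_name,
      sn: user.last_name,
      displayName: user.short_name,
      # one multi-valued attribute, not four hash keys of the same name
      objectClass: %w[top person organizationalPerson user],
      sAMAccountName: login,
      userPrincipalName: "#{login}@#{UPN_SUFFIX}",
      userAccountControl: NORMAL_ACCOUNT,
      pwdLastSet: "0",                   # force a password change at first logon
      mail: user.email
    }
    [dn, attrs]
  end

  # ldap: any object with Net::LDAP's add(dn:, attributes:) signature.
  # Returns true only when the directory accepted the entry.
  def self.add_to_directory(ldap, user)
    dn, attrs = build(user)
    ldap.add(dn: dn, attributes: attrs) ? true : false
  end
end

# Assumed minimal user shape, in place of the ActiveRecord model in the thread.
AdUser = Struct.new(:login, :short_name, :first_name, :last_name, :email)
```

Calling `AdUserEntry.build` with a short_name such as `x,OU=admins` yields the DN `CN=x\,OU\=admins,OU=member,DC=example,DC=com`, so the entry still lands under the intended OU; the unescaped original would have produced a different parent.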

Even if this is off-topic, I've been looking for this too! This should be added to the gem if someone's willing to code it.

Startouf avatar Feb 17 '15 16:02 Startouf

@Startouf I think the main issue here is that different servers have different requirements. Eventually you would have to get down to the code and figure out what attributes you need to set up for your server. If you ignore all attributes from the sample, it is 3 lines of code anyway. Seems already pretty simple.

jozefvaclavik avatar Feb 17 '15 16:02 jozefvaclavik

@jozefvaclavik Yes, you're right, sorry. I didn't think it was possible to add entries to the ldap using this gem. I thought I had to fall back to Net::LDAP to do this (though it's most likely not that much more difficult).

EDIT: just realized Devise::LDAP::Adapter.ldap_connect(current_user.login).ldap returns a Net::LDAP object. >_<

Startouf avatar Feb 17 '15 18:02 Startouf

Any news? Still looking for that.

stevenpy avatar Jun 15 '16 08:06 stevenpy