devise_ldap_authenticatable

Not authorized because not authenticated

Open ramidr opened this issue 10 years ago • 9 comments

I want only shop administrators to be able to log in.

In my devise.rb:

config.ldap_check_group_membership = true

And in my ldap.yml

authorizations: &AUTHORIZATIONS
  group_base: CN=Users,DC=LDAPTEST,DC=local
  ## Requires config.ldap_check_group_membership in devise.rb be true
  # Can have multiple values, must match all to be authorized
  required_groups:
    # If only a group name is given, membership will be checked against "uniqueMember"
    - CN=ShopAdministrators,CN=Users,DC=LDAPTEST,DC=local

But the Rails log tells me:

  User Load (1.0ms)  EXEC sp_executesql N'SELECT TOP (1) [users].* FROM [users] WHERE [users].[login] = N''peter.anguille'''
  LDAP: LDAP dn lookup: sAMAccountName=peter.anguille
  LDAP: LDAP search for login: sAMAccountName=peter.anguille
  LDAP: LDAP search yielded 1 matches
  LDAP: Authorizing user CN=David Ramírez,CN=Users,DC=LDAPTEST,DC=local
  LDAP: LDAP dn lookup: sAMAccountName=peter.anguille
  LDAP: LDAP search for login: sAMAccountName=peter.anguille
  LDAP: LDAP search yielded 1 matches
  LDAP: Not authorized because not in required groups.

With an LDAP explorer I checked that this user is memberOf that group.

Another possible way, with the same result:

# If an array is given, the first element will be the attribute to check against, the second the group name
    - ["memberOf", "CN=ShopAdministrators,CN=Users,DC=LDAPTEST,DC=local"]

I tried this configuration too:

config.ldap_check_attributes = true

and in ldap.yml:

require_attribute:
   memberOf: CN=ShopAdministrators,CN=Users,DC=LDAPTEST,DC=local

Any ideas?

ramidr, Jun 17 '14 16:06

Hello, ramidr! I actually have the same issue, did you resolve it??

ggnix, Feb 14 '15 06:02

Hi ramidr and gleb93, I ran into the same issue. Do you have any suggestions you could offer me?

PritiKumr, Feb 27 '15 23:02

+1 Can't figure this out!!

dougfarre, Sep 29 '15 16:09

Devise will use the database to authorize. So you need to have added the LDAP user to the database, allowing a token (in the database) to be made for that user. In config/initializers/devise.rb make sure

config.ldap_create_user = true # default is false

gmaxwell94, Oct 13 '15 21:10

I am stuck at the same issue. Not sure how the suggestion by gmaxwell would look in code form.

b1nary, Dec 18 '16 22:12

Hello,

I am facing the same issue.

iamtarun, Jan 13 '17 11:01

+1

a2f0, Apr 10 '17 19:04

Have you uncommented lines?

<<: *AUTHORIZATIONS

in your Environment sections of ldap.yml

pka23, Oct 25 '17 07:10

devise.rb

config.ldap_check_group_membership = true
config.ldap_ad_group_check = true
# both of them should be TRUE, otherwise it is not working

ldap.yml

# group_base: should be like
group_base: ou=groups,dc=test,dc=com
required_groups:
  - cn=users,ou=groups,dc=test,dc=com

<<: *AUTHORIZATIONS # should be uncommented

hexenus, May 22 '18 20:05
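
The merge line that pka23 and hexenus point to decides whether an environment section inherits `group_base` and `required_groups` at all. The Ruby check below is an added example, not code from the thread or from devise_ldap_authenticatable; the sample ldap.yml, the `production` host and the helper names `normalize_group` and `effective_authorizations` are constructed for illustration.

```ruby
require "yaml"

# Constructed ldap.yml: "development" merges the shared block,
# "production" still has the merge line commented out.
SAMPLE_LDAP_YML = <<~'LDAP_YML'
  authorizations: &AUTHORIZATIONS
    group_base: CN=Users,DC=LDAPTEST,DC=local
    required_groups:
      - CN=ShopAdministrators,CN=Users,DC=LDAPTEST,DC=local
      - ["memberOf", "CN=ShopAdministrators,CN=Users,DC=LDAPTEST,DC=local"]
  development:
    host: localhost
    <<: *AUTHORIZATIONS
  production:
    host: ldap.example.test
    # <<: *AUTHORIZATIONS
LDAP_YML

# Attribute used for a bare group name, per the comment in the ldap.yml above.
DEFAULT_GROUP_ATTRIBUTE = "uniqueMember"

# Normalise one required_groups entry to [attribute, group_dn] (hypothetical helper).
def normalize_group(entry)
  case entry
  when String then [DEFAULT_GROUP_ATTRIBUTE, entry]
  when Array
    raise ArgumentError, "expected [attribute, group]: #{entry.inspect}" unless entry.size == 2
    entry.map(&:to_s)
  else
    raise ArgumentError, "unsupported required_groups entry: #{entry.inspect}"
  end
end

# Return the authorization settings one environment section really ends up with
# after YAML anchors and merge keys are resolved (hypothetical helper).
def effective_authorizations(yaml_text, env)
  config = YAML.safe_load(yaml_text, aliases: true)
  section = config.fetch(env) { raise KeyError, "no '#{env}' section in ldap.yml" }
  groups = Array(section["required_groups"]).map { |g| normalize_group(g) }
  { group_base: section["group_base"], required_groups: groups, restricted: !groups.empty? }
end

if $PROGRAM_NAME == __FILE__
  %w[development production].each do |env|
    puts "#{env}: #{effective_authorizations(SAMPLE_LDAP_YML, env).inspect}"
  end
end
```

Running it against the real file for each deployed environment shows whether the group restriction is actually present in the section the application loads.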