omniauth-ldap's Introduction

OmniAuth LDAP

== LDAP

Use the LDAP strategy as a middleware in your application:

use OmniAuth::Strategies::LDAP,
    :title => "My LDAP",
    :host => '10.101.10.1',
    :port => 389,
    :method => :plain,
    :base => 'dc=intridea, dc=com',
    :uid => 'sAMAccountName',
    # Or, alternatively:
    #:filter => '(&(uid=%{username})(memberOf=cn=myapp-users,ou=groups,dc=example,dc=com))'
    :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')},
    :bind_dn => 'default_bind_dn',
    :password => 'password'

All of the listed options are required, with the exception of :title, :name_proc, :bind_dn, and :password. Allowed values of :method are :plain, :ssl, and :tls.

:bind_dn and :password are the default credentials used to perform the user lookup. Most LDAP servers require a complete DN as the binding credential, along with an authenticator such as a password. In many applications, though, you don't have a full DN that identifies the user: you usually get a simple identifier such as a username or an email address, plus a password. Since many LDAP servers don't allow anonymous access, the search requires a bound connection, so :bind_dn and :password are needed to search on the username or email and retrieve the DN of the user's entry. If the LDAP server allows anonymous access, you don't need to provide these two parameters.

:uid is the LDAP attribute name that holds the user name entered in the login form. For AD this is typically 'sAMAccountName' or 'UserPrincipalName', while for OpenLDAP it is 'uid'.

:filter is the LDAP filter used to search the user entry. It can be used in place of :uid for more flexibility. %{username} will be replaced by the user name processed by :name_proc.

:name_proc allows you to match the user name entered with the format of the :uid attribute. For example, the value of 'sAMAccountName' in AD contains only the Windows user name. If your users prefer to log in with their email address, a :name_proc like the one above trims the email string down to just the Windows login name. In summary, use :name_proc to bridge the gap between the submitted user name and the value of the LDAP :uid attribute.
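The following is an added example, not code from omniauth-ldap. It shows how the :name_proc, :uid and :filter options described above combine into the search filter for one submitted login name, generalising slightly from the README: with a :filter template, %{username} is substituted; without one, an equality match on the :uid attribute is built. How the gem itself interpolates %{username} is not shown on this page; the RFC 4515 escaping step is an assumption added here so that characters in the login name cannot change the structure of the filter. NAME_PROC, GROUP_FILTER, escape_filter_value and search_filter are names chosen for this example.

```ruby
# Added example, not part of omniauth-ldap. Builds the LDAP search filter
# from a submitted login name the way the :name_proc/:uid/:filter options
# are described above. The escaping step is an assumption added here.

# The :name_proc from the README: strip a mail domain down to the login name.
NAME_PROC = Proc.new { |name| name.gsub(/@.*$/, '') }

# Constructed filter template, in the form of the README's commented-out :filter.
GROUP_FILTER = '(&(uid=%{username})(memberOf=cn=myapp-users,ou=groups,dc=example,dc=com))'

# RFC 4515 escaping for the characters that are special inside a filter value:
# backslash, '*', '(', ')' and NUL become \xx hex escapes.
def escape_filter_value(value)
  value.gsub(/[\\*()\0]/) { |c| format('\\%02x', c.ord) }
end

# Builds the search filter for one submitted login name.
# - filter given  -> %{username} is substituted into the template (the :filter option)
# - filter absent -> an equality match on the :uid attribute (the :uid option)
def search_filter(submitted, uid: 'sAMAccountName', filter: nil, name_proc: NAME_PROC)
  username = escape_filter_value(name_proc.call(submitted))
  if filter
    filter % { username: username }
  else
    "(#{uid}=#{username})"
  end
end

if __FILE__ == $0
  puts search_filter('alice@example.com')                      # (sAMAccountName=alice)
  puts search_filter('alice@example.com', filter: GROUP_FILTER) # group-restricted filter
  puts search_filter('bob*', uid: 'uid')                        # (uid=bob\2a)
end
```

The second call is the shape you want when only members of a group may log in: the group membership condition lives in the filter, so a user outside the group is simply not found and the bind never happens.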

:try_sasl and :sasl_mechanisms are optional: :try_sasl takes true or false, and :sasl_mechanisms takes ['DIGEST-MD5'] or ['GSS-SPNEGO']. Use them to initialize a SASL connection to the server. If you are not familiar with these authentication methods, leave them unset.

Direct users to '/auth/ldap' to have them authenticated via your company's LDAP server.

License

Copyright (C) 2011 by Ping Yu and Intridea, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

omniauth-ldap's People

Contributors

bobbymcwho, fbacall, jordimassaguerpla, juliankniephoff, kirolous, krohrbaugh, leoasis, miketierney, pencil, poshboytl, pyu10055, rcsheets, ryanhattam, sdeframond, syndicut, tmilewski

omniauth-ldap's Issues

Make mail attribute configurable

Currently, this is hardcoded in /lib/omniauth/strategies/ldap.rb to a few default values. Please add some way to make this configurable.

BER

Hi,

When using an SSL/TLS connection to a Novell-based OES server, there are errors regarding BER:
E, [2017-04-28T12:50:19.116147 #1] ERROR -- : [26d8d722-10b4-47ed-8d91-1540eb45dfc8] Error authenticating via omniauth: undefined method `/' for "[USER_FROM_LDAP]":Net::BER::BerIdentifiedString

Any thoughts?
Thanks
Kristof

Please update to use latest rubyntlm

rubyntlm 0.6.1 is now available. Please test with this, update the gemspec and make a new release. This gem is the only gem holding back upgrading the package in Debian.

LDAP adaptor initialization exceptions cannot be handled

Currently, in the callback_phase, none of the exceptions raised by the initialization of OmniAuth::LDAP::Adaptor are captured and derived to the fail!() method, giving no opportunity to be handled by the application.

The initialization is being done outside the begin-rescue block.

def callback_phase
  @adaptor = OmniAuth::LDAP::Adaptor.new @options

  return fail!(:missing_credentials) if missing_credentials?
  begin
    @ldap_user_info = @adaptor.bind_as(:filter => filter(@adaptor), :size => 1, :password => request['password'])
    return fail!(:invalid_credentials) if !@ldap_user_info

    @user_info = self.class.map_user(@@config, @ldap_user_info)
    super
  rescue Exception => e
    return fail!(:ldap_error, e)
  end
end

Publish to Rubygems.org

Now that Omniauth 2.0 support has been implemented, can we have the updated gem published to Rubygems.org?

Can I bind against the current user

We would like to use the user which is trying to login for the bind.

We tried this:

bind_dn: 'Foobar\%{username}'
password: '%{password}'

It is not working.

If I hard code my user and password, it does work.

Customize LDAP Login Page

How am I supposed to edit the default login page when using this gem?

I couldn't find the place where I'm supposed to change the default html

UID configuration is ignored

Given the following parameters:

{:title=>"My LDAP",
 :host=>"1.2.3.4",
 :port=>636,
 :method=>"ssl",
 :base=>"ou=snip,dc=snip,dc=example,dc=com",
 :uid=>"sAMAccountName",
 :bind_dn=>"snip",
 :password=>"snip"}

I expect my UID to be equal to the sAMAccountName provided by my LDAP server. However, the UID is always the DN.

Encoding::CompatibilityError when using danish letters in password

Hey

If I use Danish letters in my password I get
Could not authenticate you from Ldap because "Ldap error".
and the following line in the server log:
Authentication failure! ldap_error: Encoding::CompatibilityError, incompatible character encodings: ASCII-8BIT and UTF-8

After a bit of debugging it seems that the problem lies within net-ldap's String#to_ber method, which in net-ldap version 0.2.2 doesn't support UTF-8.

However, it seems that in version 0.3.1 of net-ldap UTF-8 support has been added, so maybe an upgrade to net-ldap 0.3.1 might solve this issue.

The 1.0.1 gem is some kind of gem equivalent of a Russian doll

I was wondering why I couldn't actually require "omniauth-ldap", and decided to poke around the installed gem. Observe:

mayonaise:tmp gabriel$ wget --quiet 'http://rubygems.org/downloads/omniauth-ldap-1.0.1.gem'
mayonaise:tmp gabriel$ gem unpack omniauth-ldap-1.0.1.gem 
Unpacked gem: '/private/tmp/omniauth-ldap-1.0.1'
mayonaise:tmp gabriel$ tree omniauth-ldap-1.0.1
omniauth-ldap-1.0.1
├── omniauth-ldap-1.0.0.rc1.gem
└── omniauth-ldap-1.0.0.rc2.gem

0 directories, 2 files
mayonaise:tmp gabriel$ 

It looks like a busted gem got pushed to rubygems.org.

The Gollum --base-path option

I want a wiki sub-directory, e.g. http://localhost:4567/wiki/Home, where /wiki/ is the sub-directory.

Gollum supports the --base-path option in the Rack way, please check the wiki tips.
omnigollum supports it via the pull request.
However, omniauth-ldap has a Sign In problem, i.e. it always returns to the Home page once the form is submitted.
Looking at the LDAP Authentication HTML source:

      <body>
      <h1>LDAP Authentication</h1>
      <form method='post' action='/__omnigollum__/auth/ldap/callback' noValidate='noValidate'>

<label for='username'>Login:</label>
<input type='text' id='username' name='username'/>
<label for='password'>Password:</label>
<input type='password' id='password' name='password'/>
<button type='submit'>Sign In</button>      </form>
      </body>

I have doubts about this line:

action='/__omnigollum__/auth/ldap/callback'

which should perhaps be:

action='/wiki/__omnigollum__/auth/ldap/callback'

Not sure. How do I resolve this problem? Thanks.

SASL digest authentication uses simple bind instead

Issue

Setup

  1. Initialize a new adaptor with method = 'plain', try_sasl = true, and sasl_mechanisms = ['DIGEST-MD5']
  2. Start wireshark tshark -i any -f "tcp port 389" -Y "ldap" -T text
  3. Call bind_as with filter = '...', size = 1, and password = '...'

Expected

Wireshark shows SASL bind in progress, followed by success. Digest sent over network instead of clear text password.

Actual

Wireshark shows a simple bind being performed. Password sent in clear text.

More details

I describe my workaround for this issue here. Note that this is slightly more involved because I am patching the forked version used by GitLab.

I'm not familiar with Ruby, and I'm having trouble reading through the net/ldap documentation. But I think the issue is that net/ldap seems to use 'method' for two different things: simple/anonymous when part of the auth parameter, or simple_tls/start_tls when part of the encryption parameter.

In initialize, it looks like :method is mapped to encryption[:method] and stored under @method. For validation, ensure_method restricts :method to 'ssl', 'tls', or 'plain'.

Whereas :try_sasl is mapped to auth[:method] and stored under @bind_method.

However, in bind_as, @method is used instead of @bind_method. So net/ldap sees auth[:method] = nil instead of auth[:method] = :sasl.

Installation errors with rbenv environment

Hi,

I set up my Ruby environment using rbenv, selecting 2.1.6 as my Ruby version:

$ ruby -v
ruby 2.1.6p336 (2015-04-13 revision 50298) [x86_64-linux]

I wanted to build the gem from the master branch, but it failed on my setup.

$ git clone https://github.com/intridea/omniauth-ldap.git
$ cd omniauth-ldap
$ bundle install

The full trace was as follows:

mytest@debian7vm64:~/Downloads/omniauth-ldap$ bundle install
Fetching gem metadata from http://rubygems.org/.........
Fetching version metadata from http://rubygems.org/...
Fetching dependency metadata from http://rubygems.org/..
Resolving dependencies...
Installing archive-tar-minitar 0.5.2
Using bundler 1.10.3
with native extensions Installing hitimes 1.2.2
Installing timers 4.0.1
Installing celluloid 0.16.0
Installing coderay 1.1.0
Installing columnize 0.9.0
Using diff-lcs 1.2.5
Installing docile 1.1.5
with native extensions Installing ffi 1.9.8
Installing formatador 0.2.5
Installing growl 1.0.3
Installing rb-fsevent 0.9.5
Installing rb-inotify 0.9.5
Installing listen 2.10.0
Installing lumberjack 1.0.9
Installing nenv 0.2.0
Installing shellany 0.0.1
Installing notiffany 0.0.6
Installing method_source 0.8.2
Installing slop 3.6.0
Installing pry 0.10.1
Installing thor 0.19.1
Installing guard 2.12.5
Installing guard-compat 1.2.1
Installing guard-bundler 2.1.0
Installing rspec-core 2.99.2
Installing rspec-expectations 2.99.2
Installing rspec-mocks 2.99.3
Installing rspec 2.99.0
Installing guard-rspec 4.5.2
Using hashie 3.4.2
with native extensions Installing json 1.8.3
Installing libnotify 0.9.1
Installing ruby_core_source 0.1.5
with native extensions 
Gem::Ext::BuildError: ERROR: Failed to build gem native extension.

    /home/mytest/.rbenv/versions/2.1.6/bin/ruby extconf.rb
checking for vm_core.h... no
/home/mytest/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/ruby_core_source-0.1.5/lib/ruby_core_source.rb:39:in `create_makefile_with_core': Use RbConfig instead of obsolete and deprecated Config.
/home/mytest/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/ruby_core_source-0.1.5/lib/ruby_core_source.rb:39:in `create_makefile_with_core': Use RbConfig instead of obsolete and deprecated Config.
checking for vm_core.h... no
*** extconf.rb failed ***
Could not create Makefile due to some reason, probably lack of necessary
libraries and/or headers.  Check the mkmf.log file for more details.  You may
need configuration options.

Provided configuration options:
        --with-opt-dir
        --without-opt-dir
        --with-opt-include
        --without-opt-include=${opt-dir}/include
        --with-opt-lib
        --without-opt-lib=${opt-dir}/lib
        --with-make-prog
        --without-make-prog
        --srcdir=.
        --curdir
        --ruby=/home/mytest/.rbenv/versions/2.1.6/bin/ruby
        --with-ruby-dir
        --without-ruby-dir
        --with-ruby-include
        --without-ruby-include=${ruby-dir}/include
        --with-ruby-lib
        --without-ruby-lib=${ruby-dir}/lib
/home/mytest/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/ruby_core_source-0.1.5/lib/contrib/uri_ext.rb:268:in `block (2 levels) in read': Looking for http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-2.1.6-p336.tar.gz and all I got was a 404! (URI::NotFoundError)
        from /home/mytest/.rbenv/versions/2.1.6/lib/ruby/2.1.0/net/http.rb:1421:in `block (2 levels) in transport_request'
        from /home/mytest/.rbenv/versions/2.1.6/lib/ruby/2.1.0/net/http/response.rb:162:in `reading_body'
        from /home/mytest/.rbenv/versions/2.1.6/lib/ruby/2.1.0/net/http.rb:1420:in `block in transport_request'
        from /home/mytest/.rbenv/versions/2.1.6/lib/ruby/2.1.0/net/http.rb:1411:in `catch'
        from /home/mytest/.rbenv/versions/2.1.6/lib/ruby/2.1.0/net/http.rb:1411:in `transport_request'
        from /home/mytest/.rbenv/versions/2.1.6/lib/ruby/2.1.0/net/http.rb:1384:in `request'
        from /home/mytest/.rbenv/versions/2.1.6/lib/ruby/2.1.0/net/http.rb:1377:in `block in request'
        from /home/mytest/.rbenv/versions/2.1.6/lib/ruby/2.1.0/net/http.rb:853:in `start'
        from /home/mytest/.rbenv/versions/2.1.6/lib/ruby/2.1.0/net/http.rb:1375:in `request'
        from /home/mytest/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/ruby_core_source-0.1.5/lib/contrib/uri_ext.rb:239:in `block in read'
        from /home/mytest/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/ruby_core_source-0.1.5/lib/contrib/uri_ext.rb:286:in `connect'
        from /home/mytest/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/ruby_core_source-0.1.5/lib/contrib/uri_ext.rb:234:in `read'
        from /home/mytest/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/ruby_core_source-0.1.5/lib/contrib/uri_ext.rb:128:in `download'
        from /home/mytest/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/ruby_core_source-0.1.5/lib/ruby_core_source.rb:55:in `block in create_makefile_with_core'
        from /home/mytest/.rbenv/versions/2.1.6/lib/ruby/2.1.0/tempfile.rb:324:in `open'
        from /home/mytest/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/ruby_core_source-0.1.5/lib/ruby_core_source.rb:51:in `create_makefile_with_core'
        from extconf.rb:19:in `<main>'
Requesting http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-2.1.6-p336.tar.gz

extconf failed, exit code 1

Gem files will remain installed in /home/mytest/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/linecache19-0.5.12 for inspection.
Results logged to /home/mytest/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/extensions/x86_64-linux/2.1.0-static/linecache19-0.5.12/gem_make.out
An error occurred while installing linecache19 (0.5.12), and Bundler cannot continue.
Make sure that `gem install linecache19 -v '0.5.12'` succeeds before bundling.

Omniauth 2.0 support?

I'm looking to upgrade omniauth to 2.0, but the gemspec for this strategy is major version locked at 1.

gem.add_runtime_dependency 'omniauth', '~> 1.8.1'

Are there internal plans to update omniauth-ldap, or are you looking for a champion?

invalid credentials when try to login

Hi!
I am student from salzburg.
I am trying to create a login option via LDAP with omniauth-ldap; when I enter username and password it redirects to /auth/failure with message=invalid_credentials and I don't know why.
Does somebody have a hint for me?
Thank you very much!
Best regards - Lukas

#### omniauth.rb-file

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :browser_id
  provider :facebook, '34234234234', '23423421234123412342134'
  provider :twitter, 'dfgsdfgsdfg', '2334sadfasdfasdf'
  provider :ldap, :title => 'FH-Authentifizierung',
    :host => 'denise.core.fh-salzburg.ac.at',
    :port => 636,
    :method => :plain,
    :base => 'o=fh-salzburg.ac.at,o=FHS',
    :uid => 'uid',
    :password => "password",
    :try_sasl => false,
    :bind_dn => "anonymous"
end

#### users_controller.rb:

class UsersController < ApplicationController
  def create
    auth = request.env["omniauth.auth"]
    user = User.find_by_provider_and_uid(auth["provider"], auth["uid"]) || User.create_with_omniauth(auth)
    session[:user_id] = user.id
    redirect_to request.referer, :notice => "Herzlich Willkommen!"
  end

  def destroy
    session[:user_id] = nil
    redirect_to request.referer, :notice => "Du wurdest erfolgreich abgemeldet!"
  end
end

#### server-output:

Started POST "/auth/ldap/callback" for 127.0.0.1 at 2012-01-03 21:59:35 +0100
Started GET "/auth/failure?message=ldap_error" for 127.0.0.1 at 2012-01-03 21:59:35 +0100
Started GET "/auth/failure?message=invalid_credentials" for 127.0.0.1 at 2012-01-03 21:59:35 +0100
Started GET "/auth/failure?message=invalid_credentials" for 127.0.0.1 at 2012-01-03 21:59:35 +0100

New version with dependency of 'rubyntlm', in '~> 0.3.2'

We are using your gem and having a problem with an older dependency of it.
We need the 'rubyntlm', in '~> 0.3.2'
I saw that you already updated the .gemspec file accordingly, but you did not create a new version on rubygems.
Could you please do so?

Differentiate between invalid binding credentials and invalid login credentials

Currently, providing a bad username or password in the configuration and a user submitting invalid credentials both redirect to auth/failure with invalid_credentials as the failure message. There is no way to distinguish between the two cases.

Other LDAP connection errors cause the failure message ldap_error, which makes more sense if there is a problem with the configuration.

Handling of extra information within auth_hash raises exception for NET::LDAP instance

In omniauth-ldap/lib/omniauth/strategies/ldap.rb on line 60 extra information for auth_hash is provided.

In my case, and I would guess in general, it doesn't work since the @ldap_user_info is an instance of the Net::LDAP::Entry and doesn't fit in omniauth expectations from the return value.

I fixed it by simply wrapping it in a hash. Providing the pull request together with the issue.

Debugging via Rails logger?

Thanks for a great addition to omniauth. I have a question about using the Rails.logger for debugging output. I'm working with an LDAP server that requires an SSL connection. When I try to authenticate, I get to my devise callback controller, but there is no omniauth.auth field in my env variable, and there is also no indication of an error, in env or in the callback request params. I'm passing Rails.logger in as a :logger in my config, and everything starts up correctly, but when I put a @logger.debug statement in the top of def callback_phase in strategies/ldap.rb, I don't get the output. How can I determine what's going on? Thanks for any help.

Unclear usage of the :filter argument

Hello everyone,

I am using the discourse ldap plugin: https://github.com/jonmbake/discourse-ldap-auth
This plugin provides a :filter argument in its configuration. It says: LDAP filter (for group based authentication)
I assume that with this filter you can define the users who should be able to log in to Discourse (the forum).

But your documentation says: :filter is the LDAP filter used to search the user entry. It can be used in place of :uid for more flexibility. %{username} will be replaced by the user name processed by :name_proc.
I don't really understand the essence of this description.

Could you please explain this to me?
I am asking because we REALLY need a way to limit the users who should be allowed to log in to our Discourse forum.

If I misunderstood the filter attribute please let me know so I have the possibility to look for an alternative!

Thanks for your help!

Please add support for in-directory password policies

Modern LDAP directory servers can implement sophisticated password policies, some of which can return extended error codes when authenticating a user. These error codes address conditions such as administrator lockout, too many failed authentications, password expired, and password reset required. This behavior is described in the draft RFC http://tools.ietf.org/html/draft-behera-ldap-password-policy-09, which has become a de facto standard in the LDAP community. Adding optional support for password policies would be a great help to folks using LDAP services for authentication.

Cannot Upgrade to Version 2.0.0 Due to Omniauth Version

I am the maintainer of the plugin to add LDAP Authentication to Discourse. I have a dependency on omniauth-ldap 1.0.5 and am trying to update to 2.0.0.

However, I am getting the error:

`check_version_conflict': can't activate omniauth-1.8.1, already activated omniauth-1.6.1 (Gem::LoadError)

The reason being Discourse has a dependency on 1.6.1 and omniauth-ldap is dependent on '~> 1.8.1'

Would it be possible to update https://github.com/omniauth/omniauth-ldap/blob/master/omniauth-ldap.gemspec from gem.add_runtime_dependency 'omniauth', '~> 1.8.1' to gem.add_runtime_dependency 'omniauth', '>= 1.6.0'?

ldap_error: Net::BER::BerError, Unsupported object type: id=21

Hello,
I'm migrating from devise_ldap_authenticatable and I'm encountering Net::LDAP error in the callback phase: ldap_error: Net::BER::BerError, Unsupported object type: id=21

The only difference in my config from devise_ldap is that I changed simple_tls to just tls for the method:

  config.omniauth :ldap,
                  title: 'LDAP',
                  host: ENV['LDAP_SERVER'],
                  port: ENV['LDAP_PORT'],
                  base: ENV['LDAP_BASE'],
                  method: :tls,
                  attrs: 'uid',
                  name_proc: Proc.new {|name| name.gsub(/@.*$/,'')},
                  uid: 'uid'

Anyone else encounter this error?
Should I open a cross-issue @ net-ldap ?

Impossible to restrain access with memberOf LDAP attribute

I would like to allow only a subset of the people from the directory to access an application. Not everyone. As far as I know the only option is to specify the :uid and :password, nothing is available to have more complex filters.

Typically, having the ability to filter according to the memberOf attribute would be nice.

Can't authenticate using Active Directory.

I set up omniauth-ldap in my Rails app, but many people are having problems authenticating using Active Directory. I've tested my current setup with OpenLDAP and it works as expected.

Here is my configuration (where the values are supplied through ENV variables):

provider :ldap,
    host: ENV['LDAP_SERVER'],
    port: ENV['LDAP_PORT'],
    method: ENV['LDAP_METHOD'].present? ? ENV['LDAP_METHOD'].to_sym : :plain,
    allow_username_or_email_login: true,
    uid: ENV['LDAP_UID'],
    base: ENV['LDAP_BASE'],
    bind_dn: ENV['LDAP_BIND_DN'],
    password: ENV['LDAP_PASSWORD']

The message in the auth failure is ''invalid_credentials'', even though the credentials appear to be valid. Am I missing some sort of configuration? Is this a common problem?

It might also be worth noting that I'm using this workaround to change the callback path because my Rails app is deployed at a sub-directory.

# Redirect back to login in development mode.
OmniAuth.config.on_failure = Proc.new { |env|
  OmniAuth::FailureEndpoint.new(env).redirect_to_failure
}

# Work around because callback_url option causes
# omniauth.auth to be nil in the authhash when
# authenticating with LDAP.
module OmniAuthLDAPExt
    def request_phase
      
        rel_root = ENV['RELATIVE_URL_ROOT'].present? ? ENV['RELATIVE_URL_ROOT'] : '/b'
        rel_root = '' if Rails.env == 'development'
      
        @callback_path = nil
        path = options[:callback_path]
        options[:callback_path] = "#{rel_root}/auth/ldap/callback"
        form = super
        options[:callback_path] = path
        form
    end
end

module OmniAuth
    module Strategies
        class LDAP
            prepend OmniAuthLDAPExt
        end
    end
end

Issues with large datasets

I am trying to get GitLab to work with my school's LDAP server, but I am encountering an issue where one type of account works, while another does not. There are two types of accounts, Student and Service. Service accounts work fine, but Student accounts do not. I believe this issue stems from the amount of data returned for Student Accounts.

Here is a dump from both types of accounts (using a Python script) of the actual returned data.
Student account:
{'uniEduStudent': ['0000-XXXX-000-000', '0000-XXXX-000-00', '0000-XXXX-000-00', '0000-XXXX-000-00', '0000-XXXX-000-00', '0000-XXXX-000-00', '0000-XXXX-000-00', '0000-XXXX-000-00', '0000-XXXX-000-00', '0000-XXXX-000-00', '0000-XXXX-000-00', 'registered:current'], 'uniEduVanityName': ['colum'], 'displayName': ['Colum Mcgaley (Student)'], 'uid': ['uid0000'], 'uniEduAccountType': ['Student'], 'title': ['Student'], 'objectClass': ['uniObject', 'uniEduIdentity', 'inetOrgPerson', 'person', 'organizationalPerson', 'uniEduEnrollment', 'uniEduOrganization', 'posixAccount', 'uniEduAuth'], 'loginShell': ['/bin/tcsh'], 'uniEduAffiliation': ['XXXXXXXXX', XXXXXXXXX', 'XXXXX', 'XXXXXXXX', 'XXXXX', 'XXXXXXXXXXXXXXXXX', 'Student', 'XXXXXXXX', 'XXXXXXXX'], 'uniEduPrimaryAffiliation': ['Student'], 'uidNumber': ['00000'], 'initials': ['CM'], 'mobile': ['900-5555-0000'], 'gidNumber': ['0000'], 'sn': ['Mcgaley'], 'homeDirectory': ['/home/uid0000'], 'mail': ['[email protected]'], 'ou': ['Student'], 'givenName': ['Colum'], 'cn': ['Colum Mcgaley']}

Service Account
{'departmentNumber': ['undefined'], 'displayName': ['Colum McGaley'], 'cn': ['Colum McGaley'], 'uniEduAccountType': ['Studemp'], 'uniEduPrimaryAffiliation': ['Student'], 'objectClass': ['uniObject', 'uniEduIdentity', 'inetOrgPerson', 'person', 'organizationalPerson', 'uniEduEnrollment', 'posixAccount', 'uniEduAuth', 'uniEduOrganization'], 'uniEduAffiliation': ['Admissions', XXXXXXXX', 'XXXXX', 'XXXXXXXX', 'XXXXXX', 'XXXXXXXXXXXXXXXXX', 'XXXXXXX', 'XXXXXXXX', 'XXXXXXXX'], 'uidNumber': ['0000'], 'initials': ['CM'], 'mobile': ['000-000-0000'], 'gidNumber': ['0000'], 'sn': ['McGaley'], 'homeDirectory': ['/home/xxxxxx'], 'mail': ['[email protected]'], 'ou': ['Studemp'], 'givenName': ['Colum'], 'uid': ['something']}

As you can see, there is a lot more data returned for the Student accounts, but they both have the same attributes.

Here is what omniauth-ldap returns:

Service Account:

<omniauth::authhash credentials=#<omniauth::authhash> extra=#<omniauth::authhash raw info=#<net::ldap::entry:0x007fede156a050 @myhash={:dn=>["uid=username,ou=people,dc=uni,dc=edu"], :objectclass=>["uniobject", "unieduidentity", "inetorgperson", "person", "organizationalperson", "unieduenrollment", "posixaccount", "unieduauth", "unieduorganization"], :uid=>["username"], :mobile=>["000-700-0000"], :givenname=>["colum"], :sn=>["mcgaley"], :cn=>["colum mcgaley"], :displayname=>["colum mcgaley"], :mail=>["[email protected]"], :departmentnumber=>["undefined"], :homedirectory=>["/home/username"], :unieduaccounttype=>["studemp"], :ou=>["studemp"], :initials=>["cm"], :uidnumber=>["9104"], :gidnumber=>["5006"]}>> info=#<omniauth::authhash::infohash description=nil email="[email protected]" first name="colum" image=nil last name="mcgaley" location=", , , " mobile="000-000-0000" name="colum mcgaley" nickname="username" phone=nil title=nil uid="uid=username,ou=people,dc=uni,dc=edu" url=nil> provider="ldap" uid="uid=username,ou=people,dc=uni,dc=edu">".

Student:

<omniauth::authhash credentials=#<omniauth::authhash> extra=#<omniauth::authhash raw info=#<net::ldap::entry:0x007fede16b7a48 @myhash={:dn=>["uid=uid0000,ou=people,dc=uni,dc=edu"], :objectclass=>["uniobject", "unieduidentity", "inetorgperson", "person", "organizationalperson", "unieduenrollment", "unieduorganization", "posixaccount", "unieduauth"], :uid=>["uid0000"], :uidnumber=>["33000"], :gidnumber=>["0000"], :cn=>["colum mcgaley"], :ou=>["student"], :loginshell=>["/bin/tcsh"], :homedirectory=>["/home/uid0000"], :unieduaccounttype=>["student"]}>> info=#<omniauth::authhash::infohash description=nil email=nil first name=nil image=nil last name=nil location=", , , " mobile=nil name="colum mcgaley" nickname="uid0000" phone=nil title=nil uid="uid=uid0000,ou=people,dc=uni,dc=edu" url=nil> provider="ldap" uid="uid=uid0000,ou=people,dc=uni,dc=edu">".

On the Service accounts, this gem returns an email address along with some other attributes, while on Student accounts, it returns nil. This is the issue I am encountering.

uninitialized constant OmniAuth::Strategies::LDAP

I am trying to setup a simple rails 3.1 app with omniauth/ldap authentication. I have the following in my code:

in application.rb added:
require 'omniauth'
use OmniAuth::Strategies::LDAP,
  :title => 'My LDAP AUTH',
  :host => 'myhostname',
  :port => 389,
  :method => :plain,
  :base => 'dc=hostnamepart1, dc=hostnamepart2, dc=edu',
  :try_sasl => false,
  :uid => 'uid',
  :bind_dn => "anonymous",
  :password => "let me in please"

Note: when I try to require 'omniauth-ldap' I get a load error. Same for require 'omniauth/ldap'.

in Gemfile added:
gem 'omniauth', '~> 1.0.1'
gem 'omniauth-ldap', '~> 1.0.1'

(both gems are installed)

I must be missing something, but I don't know what.

When I start the server (in development mode) I get the following error in application.rb:

/Users/dauerbach/Dev/rails31apps/dodrc_photo_review/config/application.rb:17: uninitialized constant OmniAuth::Strategies::LDAP (NameError)

Any help MUCH appreciated...
dan

Forward LDAP based SSO identity via an HTTP header (like REMOTE_USER)

Hello there,

Some SSO providers — which can be LDAP-based — provide a REMOTE_USER HTTP header, after a user has authed on a given portal.

For example, Django provides two middlewares to plug into this system. Once a user has logged in, the LDAP app detects the username, and proceeds to the 1) user creation and/or 2) logs the user in the app.

Is there any chance this can be provided by omniauth-ldap?
Unless it is more relevant to request this in a more relevant repo.

Let me know, and thanks for providing this plugin :-)

problem with 'filter' setting

I'm using the discourse-ldap-auth plugin for Discourse which is based on this plugin. We're binding to Active Directory. For the "filter" field, I'm using the following syntax:

memberOf=CN=Group,OU=Users,DC=Domain,DC=com

Authentication works for the user if that user is the only member of "Group". However, if more than one member is added to "Group", only the first user account on the group membership list is able to authenticate. Am I using the syntax for the 'filter' field incorrectly?

Array of ldap email fields doesn't work

This actually came from the gitlab-omniauth-ldap fork, so pardon me if it's their issue, but you need to confirm this first, or else they probably won't accept this ticket there.

I tried to authorize with my LDAP user and I've got this exception:
https://github.com/gitlabhq/gitlabhq/blob/master/lib/gitlab/auth.rb#L7

Then I've found this post:
https://groups.google.com/forum/#!topic/gitlabhq/cM1f-uifc1Q

I went here:
https://github.com/intridea/omniauth-ldap/blob/master/lib/omniauth/strategies/ldap.rb#L11

Changed this line to:

'email' => 'userPrincipalName',

and I'm able to login!!

So obviously it doesn't rotate this array.
Would be nice to find out why and fix it.

LDAP Server certificate not validated

I just stumbled on this when setting up a TLS secured LDAP connection in GitLab.

The LDAP connection does work without ever installing our self-signed CA on the GitLab server.

I think this is a big security issue, since centrally managed credentials are a potential target for MITM attacks.

The problem is Net::LDAP which does not activate certificate validation by default:

It's intended for cases where you have an implicit level of trust in the authenticity of the LDAP server. No validation of the LDAP server's SSL certificate is performed. This means that :simple_tls will not produce errors if the LDAP server's encryption certificate is not signed by a well-known Certification Authority. [...] In order to verify certificates and enable other TLS options, the :tls_options hash can be passed alongside :simple_tls or :start_tls.

(See http://www.rubydoc.info/github/ruby-ldap/ruby-net-ldap/Net/LDAP#encryption-instance_method)

The problem with omniauth-ldap is that ensure_method (adaptor.rb line 90) does not allow to pass the :tls_options hash.

Also I think it would be much safer to validate by default and allow an extra parameter for ignoring validation.

Filter does not get sent

I'm trying to use the :filter option to limit access to uniqueMember of a group. Here is my config:

  :host => 'escapemg.com',
  :port => 389,
  :method => :plain,
  :base => 'dc=escapemg,dc=com',
  :filter => '(&(cn=techdocs)(uniqueMember=uid=%{username},ou=ZimbraUsers,dc=escapemg,dc=com))',
  :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')},
  :bind_dn => 'cn=Directory Manager',
  :password => 'blahblahblah'

I tcpdumped what it was sending to the ldap server and it never sends the filter. It sends (objectclass=*) and then authentication fails. Am I doing something wrong or is this a bug?

NameError: uninitialized constant Net::LDAP::AuthAdapter::Sasl::MaxSaslChallenges

There's a bug in the current version of net-ldap that causes this exception if you're trying to use SASL authentication. The fix was just merged (ruby-ldap/ruby-net-ldap#281), but the maintainers are waiting to merge a few more PRs before releasing a new version.

I'm opening this issue for anyone else who might stumble across this error.

To the maintainer(s) of omniauth-ldap, once net-ldap gets a version bump, can we point the gemspec at the new version?

Sign In and Connect Buttons at Login

The omniauth-ldap login page contains two submit buttons - one labeled Sign In and the other Connect, which obviously looks weird and shouldn't be the case.

Is there a way to disable one or the other so that only one submit button is displayed?

Timeout

Is it possible to set a read timeout for this strategy? If for some reason the LDAP server becomes unresponsive the application currently just spins until the application itself times out.

Routing Error (No route matches [POST] "/auth/ldap/callback"):

Hi,

I just got this working but it seems to get an Routing Error exception and instead of going back to home when a user successfully authenticates it raises an exception and errors out as for some reason it is trying to post the callback.

Started POST "/auth/ldap/callback" for 128.xxx.xx.xx at 2015-11-05 16:29:22 -0500
I, [2015-11-05T16:29:22.700586 #6727] INFO -- omniauth: (ldap) Callback phase initiated.

ActionController::RoutingError (No route matches [POST] "/auth/ldap/callback"):
actionpack (4.2.4) lib/action_dispatch/middleware/debug_exceptions.rb:21:in `call'
actionpack (4.2.4) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'

It also does this if there is an invalid credential instead of going back to the user form. Is this because it is in development mode?

Thanks in advance.
Mark

CA Certificates & TLS?

Hello,

I would like to know if this library works using a CA certificate and using TLS protocol.

Thanks!

request.env is half-missed in callback_phase

  • Rails-3.1.3 | 3.2.0.rc1
  • Devise-1.5.3
  • Omniauth-LDAP-1.0.2

Is there any way to obtain real remote ip in callback phase?

As far as I dig I get following:

Outside of callback_phase:

request.env["REMOTE_ADDR"] == request.env["action_dispatch.remote_ip"] == 77.75.123.65 (my real client ip)

Inside of callback_phase:

request.env["REMOTE_ADDR"] == request.env["action_dispatch.remote_ip"] == 127.0.0.1

And there is no any proxy variables from NGINX in callback_phase, such as HTTP_X_FORWARDED_FOR and so on.

Code examples:

P.S. with oa-enterprise-0.3 and devise-1.4 request.env was unchanged in callback_phase.

Pass :encryption as a Hash

Latest version (1.0.5) gives the following warning:

Deprecation warning: please give :encryption option as a Hash to Net::LDAP.new
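An added example (not omniauth-ldap's or net-ldap's own code) that covers both this deprecation warning and the "LDAP Server certificate not validated" thread above: the :encryption option in the Hash form Net::LDAP now asks for, with a :tls_options hash that turns certificate validation on, next to the bare-symbol form that encrypts without validating. CA_FILE is an assumed path, and validates_server_cert? is an illustrative audit helper, not a library function.

```ruby
require 'openssl'

# Assumed path to the bundle holding the internal (self-signed) CA that
# signed the LDAP server's certificate. Not a value from the original page.
CA_FILE = '/etc/ssl/certs/internal-ca.pem'

# Old form: a bare symbol. Net::LDAP now warns about it, and the quoted
# documentation above says it encrypts without validating the certificate.
INSECURE_ENCRYPTION = :simple_tls

# Hash form with tls_options. The keys are OpenSSL::SSL::SSLContext
# attributes (net-ldap hands the hash to the SSL context), so VERIFY_PEER
# plus an explicit CA bundle makes OpenSSL reject a server certificate that
# does not chain to our CA, closing the MITM concern raised above.
def hardened_encryption(method: :start_tls, ca_file: CA_FILE)
  {
    method: method,
    tls_options: {
      verify_mode: OpenSSL::SSL::VERIFY_PEER,
      ca_file: ca_file
    }
  }
end

# Audit helper for a configuration review: true only if the option as written
# asks OpenSSL to verify the peer. A bare symbol, a Hash without tls_options,
# or an explicit VERIFY_NONE all mean the certificate is not checked.
def validates_server_cert?(encryption)
  return false unless encryption.is_a?(Hash)
  tls = encryption[:tls_options]
  return false unless tls.is_a?(Hash)
  mode = tls[:verify_mode]
  !mode.nil? && mode != OpenSSL::SSL::VERIFY_NONE
end

# Shape of the options handed to Net::LDAP.new; port 636 is the usual
# LDAPS port for :simple_tls, while :start_tls upgrades a port-389 session.
def ldap_options(host:, port: 636, encryption: hardened_encryption)
  { host: host, port: port, encryption: encryption }
end
```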

Add ability to select username field from LDAP

This request originates from GitLab -- at present, the user names which I believe are provided by OmniAuth are coming into Gitlab using what appears to be the first cname= entry. (but I'm not sure how this is selected)

This means that in Gitlab, my name field ends up being of the form 'ROTH, STEVEN' (even though my email address is steve.roth@... and my Git name is 'Steve Roth') In our GitLab instance, we are seeing variances from user-to-user -- I see another user whose name is coming through in lowercase -- 'lastname, firstname', for example.

I think it would be very nice if OmniAuth/Gitlab supported specifying an arbitrary LDAP field to map to the 'Name' field. In our case, it seems the 'displayname' LDAP field would be the way to go, but I imagine that one might want to be able to customize this. Currently, I don't see any field in the OmniAuth LDAP readme by which this can be specified.

This would make the usernames more consistent and easier on the eyes.
