Devise LDAP auth with group restriction, Rails 5 and Devise 4.3 - devise

I have a problem restricting access to members of a group. My application is a Rails 5 app with the devise and devise_ldap_authenticatable gems installed.
This is my ldap.yml:
authorizations: &AUTHORIZATIONS
  allow_unauthenticated_bind: false
  group_base: "CN=Domain Admins,CN=Users,DC=XXX,DC=XX"
  ## Requires config.ldap_check_group_membership in devise.rb be true
  # Can have multiple values, must match all to be authorized
  required_groups:
    - CN=Domain Admins,CN=Users,DC=xxx,DC=xx
My devise.rb:
config.ldap_logger = true
config.ldap_create_user = true
config.ldap_update_password = true
#config.ldap_config = "#{Rails.root}/config/ldap.yml"
config.ldap_check_group_membership = true
config.ldap_ad_group_check = true
##config.ldap_check_attributes = true
config.ldap_use_admin_to_bind = true
I tried every combination but nothing works. I changed line 174 of connection.rb,
filter = Net::LDAP::Filter.eq("uniqueMember", dn)
with
filter = Net::LDAP::Filter.eq("member", dn)
OR
filter = Net::LDAP::Filter.eq("memberOf", dn)
but nothing happens. Please, I need to solve this!
Thanks for all replies.

UPDATE
Check the # <<: *AUTHORIZATIONS at the bottom of the LDAP authentication section and uncomment it: <<: *AUTHORIZATIONS
This puts the group check into the LDAP auth.
Bye!!!
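The UPDATE above says why the group restriction was never applied: the anchor holding required_groups is only used by an environment section that merges it in. The following is an added example, written for this page and not code from the original post or from the devise_ldap_authenticatable gem. It loads a constructed ldap.yml excerpt in which one environment merges the anchor and the other still has the merge line commented out, resolves a user's groups from a constructed in-memory directory (both the AD-style memberOf back-link and the OpenLDAP-style uniqueMember attribute), and applies the "must match all" rule. The fail-closed behaviour when required_groups is empty, the simplified DN comparison, and the example.com names are all assumptions of this example, not the gem's behaviour.

```ruby
require "yaml"

# Constructed ldap.yml excerpt (not the gem's sample file). The authorizations
# anchor holds the group restriction; "development" still has the merge line
# commented out, as in the original post before the UPDATE, while "production"
# merges it in.
LDAP_YML = <<~YAML
  authorizations: &AUTHORIZATIONS
    allow_unauthenticated_bind: false
    group_base: "CN=Users,DC=example,DC=com"
    required_groups:
      - CN=Domain Admins,CN=Users,DC=example,DC=com

  development:
    host: ldap.example.com
    port: 389
    attribute: sAMAccountName
    base: DC=example,DC=com
    # <<: *AUTHORIZATIONS

  production:
    host: ldap.example.com
    port: 636
    attribute: sAMAccountName
    base: DC=example,DC=com
    <<: *AUTHORIZATIONS
YAML

# Constructed stand-in for directory entries, keyed by DN. The AD-style user
# carries a memberOf back-link; the OpenLDAP-style group lists members in
# uniqueMember. Attribute names are lower-case, as net-ldap returns them.
DIRECTORY = {
  "cn=alice,cn=users,dc=example,dc=com" => { "memberof" => ["CN=Domain Admins,CN=Users,DC=example,DC=com"] },
  "cn=bob,cn=users,dc=example,dc=com" => { "memberof" => [] },
  "cn=domain admins,cn=users,dc=example,dc=com" => { "member" => ["CN=alice,CN=Users,DC=example,DC=com"] },
  "cn=ops,ou=groups,dc=example,dc=com" => { "uniquemember" => ["cn=bob,cn=users,dc=example,dc=com"] },
}.freeze

# Simplified DN comparison (case-fold only); real DN matching also handles
# RDN whitespace and escaping, which this example does not attempt.
def norm_dn(dn)
  dn.to_s.strip.downcase
end

# Loads the file with aliases enabled (Psych 3.1+, Ruby 2.6+ assumed) so the
# "<<" merge key can expand the *AUTHORIZATIONS anchor into the environment.
def ldap_config_for(env, yaml_text = LDAP_YML)
  YAML.safe_load(yaml_text, aliases: true).fetch(env)
end

# Groups the environment actually enforces. An environment that never merged
# the anchor has no required_groups at all, which is why the check in the
# original post appeared to do nothing.
def required_groups_for(env, yaml_text = LDAP_YML)
  Array(ldap_config_for(env, yaml_text)["required_groups"])
end

# Groups a user belongs to, from either side of the relationship. memberOf
# lives on the USER entry (an AD back-link); member / uniqueMember live on the
# GROUP entry, so a filter like (memberOf=<userDN>) run against a group entry
# can never match.
def groups_for(directory, user_dn)
  me = norm_dn(user_dn)
  from_user = Array(directory.fetch(me, {})["memberof"]).map { |dn| norm_dn(dn) }
  from_groups = directory.select { |_dn, attrs|
    (Array(attrs["member"]) + Array(attrs["uniquemember"])).any? { |m| norm_dn(m) == me }
  }.keys
  (from_user + from_groups).uniq
end

# "Can have multiple values, must match all to be authorized".
def authorized?(user_groups, required)
  required.map { |g| norm_dn(g) }.all? { |g| user_groups.include?(g) }
end

# Mirrors devise.rb's ldap_check_group_membership flag. When the check is on
# but the environment carries no required_groups (merge line still commented
# out), refuse rather than silently let everyone in: that is this example's
# fail-closed choice, not the gem's behaviour.
def login_allowed?(env, user_dn, check_group_membership: true, directory: DIRECTORY, yaml_text: LDAP_YML)
  return true unless check_group_membership
  required = required_groups_for(env, yaml_text)
  if required.empty?
    raise "#{env}: ldap_check_group_membership is on but required_groups is empty; " \
          "merge <<: *AUTHORIZATIONS into the #{env} section of ldap.yml"
  end
  authorized?(groups_for(directory, user_dn), required)
end
```

Run against the constructed data, required_groups_for("development") is empty and required_groups_for("production") holds the Domain Admins DN, which is exactly the difference the UPDATE describes. The groups_for helper also shows why swapping the filter attribute in connection.rb did not help on its own: memberOf is queried on the user entry, member and uniqueMember on the group entry, so the attribute has to match where the search is run.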

Related

404 when executing docker push to gitlab-container-registry

I have installed gitlab-ce 13.2.0 on my server and the container registry was immediately available.
From another server (or my local machine) I can log in, but when pushing an image to the container registry I get a 404 error: error parsing HTTP 404 response body: invalid character '<' looking for beginning of value: "<!DOCTYPE html>\n<html>\n<head>...
In my gitlab.rb I have:
external_url 'https://git.xxxxxxxx.com'
nginx['enable'] = true
nginx['client_max_body_size'] = '250m'
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/trusted-certs/xxxxxxxx.com.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/trusted-certs/xxxxxxxx.com.key"
nginx['ssl_protocols'] = "TLSv1.1 TLSv1.2"
registry_external_url 'https://git.xxxxxxxx.com'
What is confusing is that the registry_external_url is the same as the external_url. There are these lines in gitlab.rb:
### Settings used by GitLab application
# gitlab_rails['registry_enabled'] = true
# gitlab_rails['registry_host'] = "git.xxxxxxxx.com"
# gitlab_rails['registry_port'] = "5005"
# gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"
But when I uncomment these, I cannot log in.
What can be the problem here?
This is actually because you are using the HTTPS port without proxying the registry in nginx.
Fix these lines according to the following in gitlab.rb:
registry_nginx['enable'] = true
registry_nginx['listen_https'] = true
registry_nginx['redirect_http_to_https'] = true
registry_external_url 'https://registry.YOUR_DOMAIN.gtld'
You don't need to touch the nginx['ssl_*'] parameters when you are using Let's Encrypt, since Chef will take care of them.
How is your image named? Your image name must match not only the registry URL exactly, but the project too.
You can't just build "myimage:latest" and push it. It must be like git.xxxxxxxx.com/mygroup/myproject:latest. You can obtain the correct name from the $CI_REGISTRY_IMAGE predefined variable.
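The naming rule in the answer above is worth making explicit, because a reference without a registry host is not a malformed GitLab push at all: the Docker CLI treats it as a Docker Hub repository and never contacts GitLab. The following is an added example, not GitLab's code or the answer's, that parses an image reference the way the CLI does (the first path component is a registry only when it contains "." or ":" or is "localhost") and checks it against the $CI_REGISTRY_IMAGE layout of registry host plus lower-cased project path. The git.example.com names are constructed; digest references (name@sha256:...) are left out.

```ruby
# The tag is the text after the last ":" unless a "/" follows it, in which
# case that ":" is a registry port (git.example.com:5005/group/project).
def split_tag(ref)
  idx = ref.rindex(":")
  return [ref, "latest"] if idx.nil? || ref[idx..-1].include?("/")
  [ref[0...idx], ref[(idx + 1)..-1]]
end

# Splits a Docker image reference into registry, repository path and tag using
# the rule the docker CLI applies: the first path component is a registry only
# when it contains "." or ":" or equals "localhost"; anything else is a Docker
# Hub repository, so a "myimage:latest" push never reaches GitLab at all.
# Digest references (name@sha256:...) are out of scope here.
def parse_image_ref(ref)
  name, tag = split_tag(ref)
  first, rest = name.split("/", 2)
  if rest && (first.include?(".") || first.include?(":") || first == "localhost")
    { registry: first.downcase, path: rest, tag: tag }
  else
    { registry: "docker.io", path: name, tag: tag }
  end
end

# The shape GitLab exposes as $CI_REGISTRY_IMAGE (assumed here): registry host
# plus the project path, lower-cased because registry repository names are
# lower-case.
def ci_registry_image(registry_host, project_path)
  "#{registry_host.downcase}/#{project_path.downcase}"
end

# Returns [ok, detail]. The image may only be pushed to the project's registry
# when it names that registry host and a repository equal to, or nested under,
# the project path (GitLab accepts "group/project/extra" sub-repositories).
def pushable_to_gitlab?(ref, registry_host, project_path)
  img = parse_image_ref(ref)
  expected = ci_registry_image(registry_host, project_path)
  exp_host, exp_path = expected.split("/", 2)
  return [false, "image targets #{img[:registry]}, not #{exp_host}"] unless img[:registry] == exp_host
  path = img[:path].downcase
  unless path == exp_path || path.start_with?("#{exp_path}/")
    return [false, "repository #{img[:path]} is not under #{expected}"]
  end
  [true, "#{img[:registry]}/#{path}:#{img[:tag]}"]
end
```

A reference that names the registry on a different port (git.example.com:5005/... when the registry is proxied on 443) is rejected too, since the registry host is compared as a whole; that is the case the question's registry_port setting would produce.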

LDAP Shiro authentication without domain suffix

I have configured LDAP with Zeppelin through the Shiro configuration. Now everything works fine, but I am able to log in with my LDAP user with the domain suffix (#company.org).
Is there a possibility to log in with just the username, without the suffix?
Below is my shiro.ini:
ldapRealm=org.apache.zeppelin.realm.LdapRealm
ldapRealm.contextFactory.systemUsername=cn=hosting,dc=company,dc=org
ldapRealm.contextFactory.systemPassword=secretpassword
ldapRealm.contextFactory.authenticationMechanism=simple
ldapRealm.contextFactory.url=ldap://ldap.user.base:389
ldapRealm.pagingSize = 200
ldapRealm.authorizationEnabled = true
ldapRealm.searchBase=OU=Users,DC=company,DC=org
ldapRealm.userSearchBase=OU=Users,DC=company,DC=org
ldapRealm.groupSearchBase=OU=Groups,DC=company,DC=org
ldapRealm.memberAttributeValueTemplate=CN={0},OU=Users,DC=company,DC=org
ldapRealm.rolesByGroup = "QC":admin_role
ldapRealm.userLowerCase = true
ldapRealm.groupSearchEnableMatchingRuleInChain = true
The "principalSuffix" is in ActiveDirectoryGroupRealm [1] and is not present in LdapRealm [2].
[1] https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/realm/ActiveDirectoryGroupRealm.java
[2] https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/realm/LdapRealm.java

Rails and Devise Missing link to host

I am very confused with how to provide the default_url_options. I am getting this error
Missing host to link to! Please provide the :host parameter, set default_url_options[:host], or set :only_path to true
I am using Spree Commerce, which uses Devise for authentication. This error occurs during password reset in my development environment. I have not tested it in a production environment yet.
I am using this in my environments/development.rb:
config.default_url_options = { host: 'localhost:3000' }
Rails.application.routes.default_url_options[:host] = 'localhost:3000'
In my rails console, when I do Rails.application.routes.default_url_options I get {:host => Rails.application.config.domain}. The same thing happens when I do Rails.application.default_url_options.
None of the solutions I have found have worked.
TL;DR In my case Spree::Store.current had vanished - I had to recreate it.
I tried setting default_url_options for routes and in environments, but with no luck.
So I went into the spree_auth_devise-3.1.0 gem source code:
#confirmation_url = spree.spree_user_confirmation_url(:confirmation_token => token, :host => Spree::Store.current.url)
So for the host, it's using Spree::Store. Then I went into the console and found that my Spree::Store.current is empty:
(byebug) Spree::Store.current.url
nil
So simply creating a store with dummy data resolved my problem:
store = Spree::Store.new
store.name = 'test'
store.url = 'http://localhost:3000'
store.code = 'spree'
store.default = true
store.save
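The answer above traces the error to a nil host: the gem builds the reset link with :host taken from Spree::Store.current.url, and with no store there is nothing to link to. The following is an added example, not code from the post, Spree or spree_auth_devise, that resolves the mailer host in that order (store URL first, then default_url_options[:host]), raises the same error the post hit when both are missing, and adds one check of my own: the value must be a bare http(s) origin, since it is spliced into a credentialed password-reset link and should not carry a path or userinfo. The store is a plain Hash here so the code runs without Rails; the example.com hosts are constructed.

```ruby
require "uri"

# Resolves the :host that mailer links (password reset, confirmation) should
# use, in the order the answer above describes: the current store's URL first,
# then default_url_options[:host]. The store is a plain Hash (constructed) so
# this runs without Rails or Spree.
def host_for_mailer_links(store, default_url_options = {})
  candidate = store && store[:url]
  candidate = default_url_options[:host] if candidate.nil? || candidate.to_s.empty?
  if candidate.nil? || candidate.to_s.empty?
    # The situation in the post: Spree::Store.current.url was nil and no default
    # host was picked up, so url helpers had nothing to build an absolute URL from.
    raise ArgumentError, "Missing host to link to! Please provide the :host parameter, " \
                         "set default_url_options[:host], or set :only_path to true"
  end
  # Accept "localhost:3000" as well as "http://localhost:3000". Reject a value
  # carrying a path or userinfo: the host ends up inside a credentialed link,
  # so it must be a bare origin, not an arbitrary URL.
  uri = URI.parse(candidate.include?("://") ? candidate : "http://#{candidate}")
  unless uri.is_a?(URI::HTTP) && uri.host && uri.userinfo.nil? && (uri.path.empty? || uri.path == "/")
    raise ArgumentError, "host must be a bare http(s) origin, got #{candidate.inspect}"
  end
  port = uri.port == uri.default_port ? "" : ":#{uri.port}"
  "#{uri.host}#{port}"
end
```

The returned value is in the "host:port" form Rails url helpers accept for :host; the scheme is dropped because url_for takes :protocol separately.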

GitLab Ldap insufficient access rights

Right!
I am getting LDAP to work with GitLab 7.2.1. I have the correct LDAP connection details, posted below:
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_host'] = '## company url ##'
gitlab_rails['ldap_port'] = 389
gitlab_rails['ldap_uid'] = 'mail'
gitlab_rails['ldap_method'] = 'plain' # 'ssl' or 'plain'
gitlab_rails['ldap_bind_dn'] = ''
gitlab_rails['ldap_password'] = ''
gitlab_rails['ldap_allow_username_or_email_login'] = false
gitlab_rails['ldap_base'] = '## company bind ##'
gitlab_rails['gitlab_signup_enabled'] = 'true'
gitlab_rails['gitlab_default_projects_limit'] = 0
gitlab_rails['gitlab_default_can_create_group'] = false
I have the right username and password, tested with others in my team. I have tried SSL and plain LDAP on ports 389 and 636.
After Wiresharking the traffic I found this:
However it returns:
Could not authorize you from LDAP because "Invalid credentials".
at the login page, which is a 49 response.
Any ideas?

Speeding up Rails 3.2.1 Development Environment

I'm running a rather large project in development and it's just too slow. I believe the reason is that on each request Rails reloads every class. This project literally has hundreds of classes, so the response time is too slow.
How can I speed up my development environment?
I'm running Apache, the latest version of Passenger, and RVM Ruby 1.9.2-p180 (which I'm more or less locked into).
development.rb:
# (Development-only) what is our localhost called?
LOCALDOMAIN = File.read("/etc/context_dev_host").strip
# Don't verify SSL connections.
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
SMSAdmin::Application.configure do
  config.cache_classes = false # reload on every request
  config.whiny_nils = true # Log error messages when you accidentally call methods on nil.
  config.consider_all_requests_local = true # Show full error reports and disable caching
  config.action_controller.perform_caching = false # Show full error reports and disable caching
  config.action_mailer.raise_delivery_errors = false # Don't care if the mailer can't send
  config.action_mailer.default_url_options = { :host => "#{APP_HOSTNAME}" } # default url_for :host
  config.action_mailer.raise_delivery_errors = false
  # Distributed Assets will expect an asset host for path resolution:
  config.action_controller.asset_host = Proc.new do |source, request|
    ssl = request && request.ssl?
    hash = false
    subd = true
    host = ( hash ? "a#{source.hash % 4}." : "" ) + ( subd && request && request.host || APP_HOSTNAME )
    ( ssl ? "https://" : "http://" ) + host
  end
  ActionMailer::Base.delivery_method = :sendmail
  config.after_initialize do
    # Custom developer files (generally to support Rake tasks, where we don't have a request to determine the FB API Key)
    dh = File.read("/etc/context_dev_host").strip.split(".").first
    df = File.expand_path("../#{dh}.rb", __FILE__)
    if File.exists?(df) then
      silence_warnings do
        require(df)
      end
    end
  end
  # Do not compress assets
  config.assets.compress = false
  # Expands the lines which load the assets
  config.assets.debug = false
  config.assets.digest = false
  # Raise exception on mass assignment protection for Active Record models
  config.active_record.mass_assignment_sanitizer = :strict
  # Log the query plan for queries taking more than this (works
  # with SQLite, MySQL, and PostgreSQL)
  config.active_record.auto_explain_threshold_in_seconds = 0.5
end