We Keep Coding

rails 4 devise ldap_authenticatable current_user not set

I'm fairly new to Rails 4 and am experimenting with Devise and ldap_authenticatable and I see something that I'm not sure is right. When I authenticate to my Active Directory Devise works fine and stores the user in the MySQL database as expected. However, I seem to lose the user params and can't tell which user just authenticated. user_signed_in? returns false but if I hit the login link I get the message "already signed in" current_user is nil and set_user fails because params(:id) is nil. Seems like something is broken here but I'm not sure what the norm is as far as Devise setting or keeping user params alive.
Any ideas or helpful information?
User Model:
class User < ActiveRecord::Base
# Include default devise modules. Others available are:
# :confirmable, :lockable, :timeoutable and :omniauthable
devise :ldap_authenticatable, :trackable, :validatable
before_save :get_ldap_attrs
def get_ldap_attrs
self.firstname = Devise::LDAP::Adapter.get_ldap_param(self.email, 'givenName')
self.lastname = Devise::LDAP::Adapter.get_ldap_param(self.email, 'sn')
self.login = Devise::LDAP::Adapter.get_ldap_param(self.email, 'sAMAccountName')
self.email = Devise::LDAP::Adapter.get_ldap_param(self.email,'mail').first
self.studentid = Devise::LDAP::Adapter.get_ldap_param(self.email, 'title')
end
end
----
ldap.yaml
## Authorizations
# Uncomment out the merging for each environment that you'd like to include.
# You can also just copy and paste the tree (do not include the "authorizations") to each
# environment if you need something different per enviornment.
authorizations: &AUTHORIZATIONS
allow_unauthenticated_bind: false
group_base: ou=groups,dc=kentshill,dc=org
## Requires config.ldap_check_group_membership in devise.rb be true
# Can have multiple values, must match all to be authorized
required_groups:
# If only a group name is given, membership will be checked against "uniqueMember"
#- ########################
#- #######################
# If an array is given, the first element will be the attribute to check against, the second the group name
#- ["moreMembers", "cn=users,ou=groups,dc=test,dc=com"]
## Requires config.ldap_check_attributes in devise.rb to be true
## Can have multiple attributes and values, must match all to be authorized
require_attribute:
objectClass: inetOrgPerson
authorizationRole: postsAdmin
## Environment
development:
host: address
port: 636
attribute: mail
base: DN
admin_user: fqn user with privs
admin_password: password
ssl: true
# <<: *AUTHORIZATIONS
test:
host: localhost
port: 3389
attribute: cn
base: ou=people,dc=test,dc=com
admin_user: cn=admin,dc=test,dc=com
admin_password: admin_password
ssl: simple_tls
# <<: *AUTHORIZATIONS
production:
host: localhost
port: 636
attribute: cn
base: ou=people,dc=test,dc=com
admin_user: cn=admin,dc=test,dc=com
admin_password: admin_password
ssl: start_tls
# <<: *AUTHORIZATIONS
----------------
Devise initializer
# Use this hook to configure devise mailer, warden hooks and so forth.
# Many of these configuration options can be set straight in your model.
Devise.setup do |config|
# ==> LDAP Configuration
config.ldap_logger = true
config.ldap_create_user = true
config.ldap_update_password = true
#config.ldap_config = "#{Rails.root}/config/ldap.yml"
config.ldap_check_group_membership = false
#config.ldap_check_group_membership_without_admin = false
config.ldap_check_attributes = false
config.ldap_use_admin_to_bind = true
config.ldap_ad_group_check = false
# The secret key used by Devise. Devise uses this key to generate
# random tokens. Changing this key will render invalid all existing
# confirmation, reset password and unlock tokens in the database.
# Devise will use the `secret_key_base` on Rails 4+ applications as its `secret_key`
# by default. You can change it below and use your own secret key.
# config.secret_key = 'ead157a98cc1402f93c717c537225a807971f381bdb51063b22d9979b39e0db385493e0d392999152597ce52baf327d97ffc9a59371ea3258cd8f5fc6d158b75'
# ==> Mailer Configuration
# Configure the e-mail address which will be shown in Devise::Mailer,
# note that it will be overwritten if you use your own mailer class
# with default "from" parameter.
config.mailer_sender = 'please-change-me-at-config-initializers-devise#example.com'
# Configure the class responsible to send e-mails.
# config.mailer = 'Devise::Mailer'
# ==> ORM configuration
# Load and configure the ORM. Supports :active_record (default) and
# :mongoid (bson_ext recommended) by default. Other ORMs may be
# available as additional gems.
require 'devise/orm/active_record'
config.ldap_auth_username_builder = Proc.new() { |attribute, login, ldap| login }
# config.warden do |manager|
# manager.default_strategies(:scope => :user).unshift :ldap_authenticatable
# end
# ==> Configuration for any authentication mechanism
# Configure which keys are used when authenticating a user. The default is
# just :email. You can configure it to use [:username, :subdomain], so for
# authenticating a user, both parameters are required. Remember that those
# parameters are used only when authenticating and not when retrieving from
# session. If you need permissions, you should implement that in a before filter.
# You can also supply a hash where the value is a boolean determining whether
# or not authentication should be aborted when the value is not present.
config.authentication_keys = [:email]
# Configure parameters from the request object used for authentication. Each entry
# given should be a request method and it will automatically be passed to the
# find_for_authentication method and considered in your model lookup. For instance,
# if you set :request_keys to [:subdomain], :subdomain will be used on authentication.
# The same considerations mentioned for authentication_keys also apply to request_keys.
# config.request_keys = []
# Configure which authentication keys should be case-insensitive.
# These keys will be downcased upon creating or modifying a user and when used
# to authenticate or find a user. Default is :email.
config.case_insensitive_keys = [:email]
"config/initializers/devise.rb" 280L, 13721C

offline authentication with ldap, pam-ccreds and nss_updatedb

I've setup a linux machine (debian 6.0.7) with ldap authentication with the following configurations:
/etc/nsswitch.conf
passwd: compat ldap [NOTFOUND=return UNAVAIL=continue] db
group: compat ldap [NOTFOUND=return UNAVAIL=continue] db
shadow: compat ldap
/etc/pam.d/common-account
# here are the per-package modules (the "Primary" block)
account [user_unknown=ignore authinfo_unavail=ignore default=ok] pam_unix.so
account [success=ok user_unknown=ignore authinfo_unavail=ignore default=ignore] pam_succeed_if.so uid < 1000 debug
account [success=done default=ignore authinfo_unavail=1] pam_ldap.so debug
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
/etc/pam.d/common-auth
# here are the per-package modules (the "Primary" block)
auth [success=done default=ignore] pam_unix.so nullok_secure
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth requisite pam_succeed_if.so gid >= 1000 quiet
auth requisite pam_succeed_if.so user notingroup root
auth requisite pam_succeed_if.so user notingroup wheel
auth [success=3 default=2 authinfo_unavail=ignore] pam_ldap.so use_first_pass
auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth [default=ignore] pam_ccreds.so minimum_uid=1000 action=update
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ccreds.so minimum_uid=1000 action=store
# end of pam-auth-update config
/etc/pam.d/common-password
# here are the per-package modules (the "Primary" block)
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die authinfo_unavail=ignore] pam_ldap.so try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
# end of pam-auth-update config
/etc/pam.d/common-session
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session optional pam_ldap.so
# end of pam-auth-update config
in common-account I had to jump to pam_permit if ldap server is unavailable otherwise users with cached credentials can't authenticate, but I think this is not a good idea.
I'm also running nss_updatedb ldap to cache passwd and groups.
Everything is working fine, even offline authentication. The problem is when I disable a user on ldap (setting shadowexpire to 1). When the machine is online authentication system notify that the account is disabled but when the machine is offline a disabled user can login using cached credentials. I believe it's because shadow infos aren't cached.
Is it a way to cache shadow informations about disabled users so they can't log in even when the machine is offline?

pam_ccreds README says this isn't currently supported. You could reset the user's password instead of using shadowexpire.

Thank you for sharing your config! I changed /etc/pam.d/common-account from
account [user_unknown=ignore authinfo_unavail=ignore default=ok] pam_unix.so
to
account [success=done user_unknown=ignore authinfo_unavail=ignore default=ok] pam_unix.so
The problem was that when the LDAP server was not available a local user was turned down even with a good password. success=done terminates the chain once pam_unix.so says it is ok.

setting up gitlab LDAP-authentication without special gitlab user

I want to set up Gitlab with our company's LDAP as a demo. But unfortunately I have to put in an admin password in gitlab.yml to make gitlab access the LDAP service. The problem actually is the administration, as they don't want to setup another account just for Gitlab. Is there any way to circumvent this without filling in my own password? Is there a way to make Gitlab establish the LDAP connection with only the provided user credentials?
Any ideas beside logging in as anonymous?
Already posted here.

I haven't tried it yet, but from the things I've build so far authenticating against LDAP and the informations from the config-file this user-account seems only to be needed when your LDAP does not support anonymous binding and searching.
So I would leave the two entries bind_dn and password commented out and try whether it works or not.
UPDATE
I've implemented LDAP-Autehntication in Gitlab and it's fairly easy.
In the gitlab.yml-file there is a section called ldap.
There you have to provide the informations to connect to your LDAP. It seems that all fields have to be given, there seems to be no fallback default! If you want to use anonymous binding for retrieval of the users DN supply an empty string for bind_dn and password. Commenting them out seems not to work! At least I got a 501 Error message.
More information can be found at https://github.com/patthoyts/gitlabhq/wiki/Setting-up-ldap-auth and (more outdated but still helpful) https://github.com/intridea/omniauth-ldap

I have patched gitlab to work this way and documented the process in https://foivos.zakkak.net/tutorials/gitlab_ldap_auth_without_querying_account/
I shamelessly copy the instructions here for self-completeness.
Note: This tutorial was last tested with gitlab 8.2 installed from source.
This tutorial aims to describe how to modify a Gitlab installation to
use the users credentials to authenticate with the LDAP server. By
default Gitlab relies on anonymous binding or a special querying user
to ask the LDAP server about the existence of a user before
authenticating her with her own credentials. For security reasons,
however, many administrators disable anonymous binding and forbid the
creation of special querying LDAP users.
In this tutorial we assume that we have a gitlab setup at
gitlab.example.com and an LDAP server running on ldap.example.com, and
users have a DN of the following form:
CN=username,OU=Users,OU=division,OU=department,DC=example,DC=com.
Patching
To make Gitlab work in such cases we need to partly modify its
authentication mechanism regarding LDAP.
First, we replace the omniauth-ldap module with this derivation. To
achieve this we apply the following patch to gitlab/Gemfile:
diff --git a/Gemfile b/Gemfile
index 1171eeb..f25bc60 100644
--- a/Gemfile
+++ b/Gemfile
## -44,4 +44,5 ## gem 'gitlab-grack', '~> 2.0.2', require: 'grack'
# LDAP Auth
# GitLab fork with several improvements to original library. For full list of changes
# see https://github.com/intridea/omniauth-ldap/compare/master...gitlabhq:master
-gem 'gitlab_omniauth-ldap', '1.2.1', require: "omniauth-ldap"
+#gem 'gitlab_omniauth-ldap', '1.2.1', require: "omniauth-ldap"
+gem 'gitlab_omniauth-ldap', :git => 'https://github.com/zakkak/omniauth-ldap.git', require: 'net-ldap', require: "omniauth-ldap"
Now, we need to perform the following actions:
sudo -u git -H bundle install --without development test mysql --path vendor/bundle --no-deployment
sudo -u git -H bundle install --deployment --without development test mysql aws
These commands will fetch the modified omniauth-ldap module in
gitlab/vendor/bundle/ruby/2.x.x/bundler/gems. Now that the module is
fetched, we need to modify it to use the DN our LDAP server expects. We
achieve this by patching lib/omniauth/strategies/ldap.rb in
gitlab/vendor/bundle/ruby/2.x.x/bundler/gems/omniauth-ldap with:
diff --git a/lib/omniauth/strategies/ldap.rb b/lib/omniauth/strategies/ldap.rb
index 9ea62b4..da5e648 100644
--- a/lib/omniauth/strategies/ldap.rb
+++ b/lib/omniauth/strategies/ldap.rb
## -39,7 +39,7 ## module OmniAuth
return fail!(:missing_credentials) if missing_credentials?
# The HACK! FIXME: do it in a more generic/configurable way
- #options[:bind_dn] = "CN=#{request['username']},OU=Test,DC=my,DC=example,DC=com"
+ #options[:bind_dn] = "CN=#{request['username']},OU=Users,OU=division,OU=department,DC=example,DC=com"
#options[:password] = request['password']
#adaptor = OmniAuth::LDAP::Adaptor.new #options
With this module, gitlab uses the user's credentials to bind to the LDAP
server and query it, as well as, to authenticate the user herself.
This however will only work as long as the users do not use ssh-keys to
authenticate with Gitlab. When authenticating through an ssh-key, by
default Gitlab queries the LDAP server to find out whether the
corresponding user is (still) a valid user or not. At this point, we
cannot use the user credentials to query the LDAP server, since the user
did not provide them to us. As a result we disable this mechanism,
essentially allowing users with registered ssh-keys but removed from the
LDAP server to still use our Gitlab setup. To prevent such users from
being able to still use your Gitlab setup, you will have to manually
delete their ssh-keys from any accounts in your setup.
To disable this mechanism we patch gitlab/lib/gitlab/ldap/access.rb
with:
diff --git a/lib/gitlab/ldap/access.rb b/lib/gitlab/ldap/access.rb
index 16ff03c..9ebaeb6 100644
--- a/lib/gitlab/ldap/access.rb
+++ b/lib/gitlab/ldap/access.rb
## -14,15 +14,16 ## module Gitlab
end
def self.allowed?(user)
- self.open(user) do |access|
- if access.allowed?
- user.last_credential_check_at = Time.now
- user.save
- true
- else
- false
- end
- end
+ true
+ # self.open(user) do |access|
+ # if access.allowed?
+ # user.last_credential_check_at = Time.now
+ # user.save
+ # true
+ # else
+ # false
+ # end
+ # end
end
def initialize(user, adapter=nil)
## -32,20 +33,21 ## module Gitlab
end
def allowed?
- if Gitlab::LDAP::Person.find_by_dn(user.ldap_identity.extern_uid, adapter)
- return true unless ldap_config.active_directory
+ true
+ # if Gitlab::LDAP::Person.find_by_dn(user.ldap_identity.extern_uid, adapter)
+ # return true unless ldap_config.active_directory
- # Block user in GitLab if he/she was blocked in AD
- if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
- user.block unless user.blocked?
- false
- else
- user.activate if user.blocked? && !ldap_config.block_auto_created_users
- true
- end
- else
- false
- end
+ # # Block user in GitLab if he/she was blocked in AD
+ # if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
+ # user.block unless user.blocked?
+ # false
+ # else
+ # user.activate if user.blocked? && !ldap_config.block_auto_created_users
+ # true
+ # end
+ # else
+ # false
+ # end
rescue
false
end
Configuration
In gitlab.yml use something like the following (modify to your needs):
#
# 2. Auth settings
# ==========================
## LDAP settings
# You can inspect a sample of the LDAP users with login access by running:
# bundle exec rake gitlab:ldap:check RAILS_ENV=production
ldap:
enabled: true
servers:
##########################################################################
#
# Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab
# Enterprise Edition now supports connecting to multiple LDAP servers.
#
# If you are updating from the old (pre-7.4) syntax, you MUST give your
# old server the ID 'main'.
#
##########################################################################
main: # 'main' is the GitLab 'provider ID' of this LDAP server
## label
#
# A human-friendly name for your LDAP server. It is OK to change the label later,
# for instance if you find out it is too large to fit on the web page.
#
# Example: 'Paris' or 'Acme, Ltd.'
label: 'LDAP_EXAMPLE_COM'
host: ldap.example.com
port: 636
uid: 'sAMAccountName'
method: 'ssl' # "tls" or "ssl" or "plain"
bind_dn: ''
password: ''
# This setting specifies if LDAP server is Active Directory LDAP server.
# For non AD servers it skips the AD specific queries.
# If your LDAP server is not AD, set this to false.
active_directory: true
# If allow_username_or_email_login is enabled, GitLab will ignore everything
# after the first '#' in the LDAP username submitted by the user on login.
#
# Example:
# - the user enters 'jane.doe#example.com' and 'p#ssw0rd' as LDAP credentials;
# - GitLab queries the LDAP server with 'jane.doe' and 'p#ssw0rd'.
#
# If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
# disable this setting, because the userPrincipalName contains an '#'.
allow_username_or_email_login: false
# To maintain tight control over the number of active users on your GitLab installation,
# enable this setting to keep new users blocked until they have been cleared by the admin
# (default: false).
block_auto_created_users: false
# Base where we can search for users
#
# Ex. ou=People,dc=gitlab,dc=example
#
base: 'OU=Users,OU=division,OU=department,DC=example,DC=com'
# Filter LDAP users
#
# Format: RFC 4515 http://tools.ietf.org/search/rfc4515
# Ex. (employeeType=developer)
#
# Note: GitLab does not support omniauth-ldap's custom filter syntax.
#
user_filter: '(&(objectclass=user)(objectclass=person))'

GitLab uses omniauth to manage multiple login sources (including LDAP).
So if you can somehow extend omniauth in order to manage the LDAP connection differently, you could fetch the password from a different source.
That would allow you to avoid keeping said password in the ldap section of the gitlab.yml config file.

cap deploy:setup giving a (Errno::ETIMEDOUT: Operation timed out - connect(2))

I have been trying to deploy a simple rails3 app from my mac(os lion)to an amazon ec2 instance, using capistrano. When I do a cap deploy:setup, I get a connection failed for: http://ec2-xxx-xx-xx-xxx.compute-1.amazonaws.com/ (Errno::ETIMEDOUT: Operation timed out - connect(2))
Here is my config/deploy.rb
set :application, "paperclip_sample_app"
set :deploy_to, "/mnt/#{application}"
set :deploy_via, :copy
set :scm, :git
set :repository, "."
default_run_options[:pty] = true
set :location, "http://ec2-xxx-xx-xx-xxx.compute-1.amazonaws.com/"
role :web, location # Your HTTP server, Apache/etc
role :app, location # This may be the same as your `Web` server
role :db, location, :primary => true # This is where Rails migrations will run
#role :db, "your slave db-server here"
set :user, "root"
ssh_options[:keys] = [File.join(ENV["HOME"], ".ssh", "id_rsa")]
I have also enabled ssh on the mac by going to 'System Preferences'. Under ‘Internet & Networking’, ‘Sharing’ icon and checking the ‘Remote Login’ option.
Also the security groups on the ec2 instance has the port 22 enabled. As a result I am able to ssh into the instance.
Is there anything that I am missing? Any help would be greatly appreciated.
Thanks

I needed to change
set :location, "http://ec2-xxx-xx-xx-xxx.compute-1.amazonaws.com/"
to
set :location, "ec2-xxx-xx-xx-xxx.compute-1.amazonaws.com"
This fixed the problem.

Akephalos: How to ignore SSL warnings?

I'm trying to set up Akephalos for use with Capybara. I ran into this
message when trying to visit the page I am trying to test:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated (NativeException)
(druby://127.0.0.1:35580) org/jruby/RubyKernel.java:2042:in `send'
(druby://127.0.0.1:35580) org/jruby/RubyKernel.java:1417:in `loop'
(druby://127.0.0.1:35580) org/jruby/RubyProc.java:268:in `call'
(druby://127.0.0.1:35580) org/jruby/RubyProc.java:232:in `call'
I wonder if it has anything to do with the fact that we are using a
self-signed certificate. This is what my env.rb file looks like:
# Capybara configuration (using Akephalos)
require 'capybara'
require 'capybara/dsl'
require 'capybara/cucumber'
require 'akephalos'
Capybara.javascript_driver = :akephalos
Capybara.default_driver = :akephalos
Capybara.register_driver :akephalos do |app|
# available options:
# :ie6, :ie7, :ie8, :firefox_3, :firefox_3_6
Capybara::Driver::Akephalos.new(app, :browser => :firefox_3_6)
end
World(Capybara)

Yes, if the server is using a self-signed certificate, this can cause a warning/error such as 'peer not authenticated'.
The proper way around this problem is to specifically add the self-signed certificate to the trusted root store.
The wrong way around this problem is to turn off certificate verification.
I don't know the product you are using well enough to tell you how to do either of these things.