"Unrouteable address" with exim4 - exim

I am using exim4. I have a Wordpress installation with a contact form. My hostname -f is mydomain.com.
The form is sending an email to info#mydomain.com. However it never reaches my "off site" email. How can I set this up so the email does not get stuck on the webserver?
Exim should forward (route) the email to the off site email info#mydomain.com. When I send from, for example, gmail to that address it gets delivered right away.
I have followed this guide: https://library.linode.com/email/exim/send-only-mta-debian-6-squeeze but it didn't help with this issue.
mydomain:/var/mail# exim -bt -d info#mydomain.com 2>&1
Exim version 4.80 uid=0 gid=0 pid=23864 D=fbb95cfd
Berkeley DB: Berkeley DB 5.1.29: (October 25, 2011)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Compiler: GCC [4.7.2]
Library version: GnuTLS: Compile: 2.12.20
Runtime: 2.12.20
Library version: PCRE: Compile: 8.31
Runtime: 8.30 2012-02-04
Total 13 lookups
WHITELIST_D_MACROS: "OUTGOING"
TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
changed uid/gid: forcing real = effective
uid=0 gid=0 pid=23864
auxiliary group list: <none>
seeking password data for user "uucp": cache not available
getpwnam() succeeded uid=10 gid=10
changed uid/gid: calling tls_validate_require_cipher
uid=106 gid=109 pid=23865
auxiliary group list: <none>
tls_validate_require_cipher child 23865 ended: status=0x0
configuration file is /var/lib/exim4/config.autogenerated
log selectors = 00000ffc 00612001
trusted user
admin user
seeking password data for user "mail": cache not available
getpwnam() succeeded uid=8 gid=8
user name "root" extracted from gecos field "root"
originator: uid=0 gid=0 login=root name=root
sender address = root#mydomain.com
Address testing: uid=0 gid=109 euid=0 egid=109
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Testing info#mydomain.com
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Considering info#mydomain.com
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
routing info#mydomain.com
--------> hubbed_hosts router <--------
local_part=info domain=mydomain.com
checking domains
expansion of "${if exists{/etc/exim4/hubbed_hosts}{partial-lsearch;/etc/exim4/hubbed_hosts}fail}" forced failure: assume not in this list
hubbed_hosts router skipped: domains mismatch
--------> dnslookup_relay_to_domains router <--------
local_part=info domain=mydomain.com
checking domains
mydomain.com in "#:localhost:localhost:localhost.localdomain:mydomain.com"? yes (matched "#")
mydomain.com in "! +local_domains : +relay_to_domains"? no (matched "! +local_domains")
dnslookup_relay_to_domains router skipped: domains mismatch
--------> dnslookup router <--------
local_part=info domain=mydomain.com
checking domains
cached yes match for +local_domains
cached lookup data = NULL
mydomain.com in "! +local_domains"? no (matched "! +local_domains" - cached)
dnslookup router skipped: domains mismatch
--------> real_local router <--------
local_part=info domain=mydomain.com
real_local router skipped: prefix mismatch
--------> system_aliases router <--------
local_part=info domain=mydomain.com
checking domains
cached yes match for +local_domains
cached lookup data = NULL
mydomain.com in "+local_domains"? yes (matched "+local_domains" - cached)
R: system_aliases for info#mydomain.com
calling system_aliases router
rda_interpret (string): ${lookup{$local_part}lsearch{/etc/aliases}}
search_open: lsearch "/etc/aliases"
search_find: file="/etc/aliases"
key="info" partial=-1 affix=NULL starflags=0
LRU list:
7/etc/aliases
End
internal_search_find: file="/etc/aliases"
type=lsearch key="info"
file lookup required for info
in /etc/aliases
lookup failed
expanded:
file is not a filter file
parse_forward_list:
system_aliases router declined for info#mydomain.com
--------> userforward router <--------
local_part=info domain=mydomain.com
checking domains
cached yes match for +local_domains
cached lookup data = NULL
mydomain.com in "+local_domains"? yes (matched "+local_domains" - cached)
checking for local user
seeking password data for user "info": cache not available
getpwnam() returned NULL (user not found)
userforward router skipped: info is not a local user
--------> procmail router <--------
local_part=info domain=mydomain.com
checking domains
cached yes match for +local_domains
cached lookup data = NULL
mydomain.com in "+local_domains"? yes (matched "+local_domains" - cached)
checking for local user
seeking password data for user "info": using cached result
getpwnam() returned NULL (user not found)
procmail router skipped: info is not a local user
--------> maildrop router <--------
local_part=info domain=mydomain.com
checking domains
cached yes match for +local_domains
cached lookup data = NULL
mydomain.com in "+local_domains"? yes (matched "+local_domains" - cached)
checking for local user
seeking password data for user "info": using cached result
getpwnam() returned NULL (user not found)
maildrop router skipped: info is not a local user
--------> lowuid_aliases router <--------
local_part=info domain=mydomain.com
checking domains
cached yes match for +local_domains
cached lookup data = NULL
mydomain.com in "+local_domains"? yes (matched "+local_domains" - cached)
checking for local user
seeking password data for user "info": using cached result
getpwnam() returned NULL (user not found)
lowuid_aliases router skipped: info is not a local user
--------> local_user router <--------
local_part=info domain=mydomain.com
checking domains
cached yes match for +local_domains
cached lookup data = NULL
mydomain.com in "+local_domains"? yes (matched "+local_domains" - cached)
checking local_parts
info in "! root"? yes (end of list)
checking for local user
seeking password data for user "info": using cached result
getpwnam() returned NULL (user not found)
local_user router skipped: info is not a local user
--------> mail4root router <--------
local_part=info domain=mydomain.com
checking domains
cached yes match for +local_domains
cached lookup data = NULL
mydomain.com in "+local_domains"? yes (matched "+local_domains" - cached)
checking local_parts
info in "root"? no (end of list)
mail4root router skipped: local_parts mismatch
no more routers
info#mydomain.com is undeliverable: Unrouteable address
search_tidyup called
>>>>>>>>>>>>>>>> Exim pid=23864 terminating with rc=2 >>>>>>>>>>>>>>>>

According to the Testing Exim wiki you can check the routing of an address by using:
exim -bt name#example.org
This will give you information about whether exim4 recognises this address.

Did you try this from your server?
echo "test mail." | mail -s Test name#mydomain.com
Also make sure that your hostname is a fully qualified domain name. Try
hostname
hostname -i
hostname should resolve or point correctly to the IP shown by hostname -i (main IP).
Also check the MX record of mydomain.com and make sure that it's using the local mail server.
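Reading a long -bt -d trace by eye is tedious, so here is an added Python helper (not part of the question or the answer) that pulls each router's decision and the final verdict out of such a trace. It also names the trap visible in the trace above: the "@" entry in Exim's local_domains list (shown as "#" in the trace) is shorthand for the primary host name, so with hostname -f = mydomain.com the domain is local, the dnslookup router is skipped before any MX lookup, and the address falls through to the local routers. The sample trace is a constructed excerpt with the real "@" separator in addresses.

```python
import re

# Constructed excerpt in the shape of the "exim -bt -d" trace above (with the
# real '@' separator); a real trace lists every router, this keeps the decisive ones.
SAMPLE_TRACE = """\
routing info@mydomain.com
--------> dnslookup router <--------
local_part=info domain=mydomain.com
mydomain.com in "! +local_domains"? no (matched "! +local_domains" - cached)
dnslookup router skipped: domains mismatch
--------> system_aliases router <--------
lookup failed
system_aliases router declined for info@mydomain.com
--------> local_user router <--------
getpwnam() returned NULL (user not found)
local_user router skipped: info is not a local user
no more routers
info@mydomain.com is undeliverable: Unrouteable address
"""

# "<name> router skipped: <reason>" and "<name> router declined for <address>"
DECISION = re.compile(r"^(\S+) router (skipped|declined|failed)(?:: (.*)| for .*)?$")
ROUTED = re.compile(r"^routed by (\S+) router")
VERDICT = re.compile(r"^(\S+) is (undeliverable|deliverable)(?:: (.*))?$")
# Both spellings of the domain-list check that mean "domain is in +local_domains"
LOCAL = re.compile(r'^(\S+) in "(?:\+local_domains"\? yes|! \+local_domains"\? no)')


def parse_trace(text):
    """Return (decisions, verdict, local_domain) from an exim -bt -d trace.

    decisions:    (router, outcome, reason) in the order Exim tried the routers
    verdict:      (address, "deliverable" or "undeliverable", reason)
    local_domain: the domain if Exim treated it as local, else None
    """
    decisions, verdict, local_domain = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = DECISION.match(line)
        if m:
            decisions.append((m.group(1), m.group(2), m.group(3) or ""))
            continue
        m = ROUTED.match(line)
        if m:
            decisions.append((m.group(1), "routed", ""))
            continue
        m = VERDICT.match(line)
        if m:
            verdict = (m.group(1), m.group(2), m.group(3) or "")
            continue
        m = LOCAL.match(line)
        if m:
            local_domain = m.group(1)
    return decisions, verdict, local_domain


def diagnose(text):
    """One-line reading of the verdict that names the local-domain trap."""
    decisions, verdict, local_domain = parse_trace(text)
    if verdict is None:
        return "no verdict line found"
    address, state, reason = verdict
    if state == "deliverable":
        routed = [r for r, o, _ in decisions if o == "routed"]
        return f"{address} routed by {routed[-1] if routed else 'unknown'} router"
    remote = [r for r, o, _ in decisions if r.startswith("dnslookup")]
    if local_domain and remote:
        return (f"{address}: {reason}. {local_domain} matched +local_domains, so the "
                f"{', '.join(remote)} router(s) never looked up its MX and no alias "
                f"or local user matched the local part")
    return f"{address}: {reason}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```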

Related

Kerberos aes-256 encryption not working

Server is a RHEL7, Kerberos is AD (Windows). I'm only client of KDC.
Arcfour-hmac works fine but when I change encryption type to aes-256 and set up a new keytab, kinit still works, but not kvno. And even if the user seems to have a valid ticket (in klist) he is not able to start services anymore.
I don't have access to the Kerberos AD, but it seems properly configured to use aes-256, because end users (on Windows computers) already request tickets in this encryption type.
My krb5.conf:
[libdefaults]
default_realm = TOTO.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tkt_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
[realms]
TOTO.NET = {
kdc = kdc1.toto.net
kdc = kdc2.toto.net
admin_server = kdc1.toto.net
}
[domain_realm]
.toto.net = TOTO.NET
toto.net = TOTO.NET
And here are the errors I get when I try to acquire a ticket with kvno:
[2477332] 1493147723.961912: Getting credentials myuser#TOTO.NET -> nn/myserver#TOTO.NET using ccache FILE:/tmp/krb5cc_0
[2477332] 1493147723.962055: Retrieving myuser#TOTO.NET -> nn/myserver#TOTO.NET from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[2477332] 1493147723.962257: Retrieving myuser#TOTO.NET -> krbtgt/TOTO.NET#TOTO.NET from FILE:/tmp/krb5cc_0 with result: 0/Success
[2477332] 1493147723.962267: Starting with TGT for client realm: myuser#TOTO.NET -> krbtgt/TOTO.NET#TOTO.NET
[2477332] 1493147723.962274: Requesting tickets for nn/myserver#TOTO.NET, referrals on
[2477332] 1493147723.962309: Generated subkey for TGS request: aes256-cts/17DF
[2477332] 1493147723.962363: etypes requested in TGS request: aes256-cts, aes128-cts
[2477332] 1493147723.962504: Encoding request body and padata into FAST request
[2477332] 1493147723.962575: Sending request (1716 bytes) to TOTO.NET
[2477332] 1493147723.962725: Resolving hostname kdc1.TOTO.NET
[2477332] 1493147723.963054: Initiating TCP connection to stream ip_of_kdc1:88
[2477332] 1493147723.964205: Sending TCP request to stream ip_of_kdc1:88
[2477332] 1493147724.3751: Received answer (329 bytes) from stream ip_of_kdc1:88
[2477332] 1493147724.3765: Terminating TCP connection to stream ip_of_kdc1:88
[2477332] 1493147724.3846: Response was not from master KDC
[2477332] 1493147724.3879: Decoding FAST response
[2477332] 1493147724.3965: TGS request result: -1765328370/KDC has no support for encryption type
klist -ket mykeytab
Keytab name: FILE:nn.service.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 01/01/1970 01:00:00 nn/myserver01#TOTO.NET (aes256-cts-hmac-sha1-96)
1 03/22/2017 16:34:55 nn/myserver02#TOTO.NET (aes256-cts-hmac-sha1-96)
Thanks for your help
Ask your AD administrator to enable support for AES-256 encryption types on the AD account associated with the keytab. To find that account, run this command:
setspn -Q nn/myserver01#TOTO.NET
The output will tell you the name of the account. It will start with CN=xxx, where "xxx" is the name of the AD account. To enable support for AES-256 encryption types on the AD account, tell your AD admin that the checkbox "This account supports Kerberos AES 256 bit encryption" must be checked; it is found under the Account tab, all the way at the bottom.
I just recently encountered this problem and was able to solve it.
For us, it was that AD was using a different salt than what the Kerberos client used by default.
That is, when using ktutil:
addent -password -p servicepuppetnp#AMER.EXAMPLE.COM -k 4 -e arcfour-hmac
Password for admspike_white#AMER.EXAMPLE.COM:
produces a keytab file that I could use to kinit as that principal. Whereas:
ktutil: addent -password -p admspike_white#AMER.EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for admspike_white#AMER.EXAMPLE.COM:
did not produce a keytab file that would allow successful kinit. (pre-auth failure).
I had to do this:
ktutil: addent -password -p admspike_white#AMER.EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96 -f
Password for admspike_white#AMER.EXAMPLE.COM:
which tells ktutil to get the salt info from the AD DC. Then it uses the correct salt. That produces a keytab file that allows successful kinit.
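To see why the salt decides whether a keytab works, here is an added Python illustration (not from the answer above) of what a plain addent assumes: RFC 4120's default salt is the realm followed by the principal's name components, and RFC 3962's aes256-cts-hmac-sha1-96 string-to-key starts with PBKDF2-HMAC-SHA1 over the password and that salt (4096 iterations), so a KDC that salted the same password differently holds a different key and pre-authentication with the keytab fails. The final DK() step of string-to-key needs AES and is omitted; the "KDC-side" salt below is a constructed stand-in, not a statement of what AD actually uses.

```python
import hashlib


def default_salt(principal):
    """RFC 4120 default salt: the realm followed by the principal's name
    components with no separators, e.g. user@REALM -> REALMuser.
    ktutil builds this itself unless told to fetch the salt from the KDC (-f)."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def aes_string_to_key_input(password, salt, iterations=4096):
    """First stage of aes256-cts-hmac-sha1-96 string-to-key (RFC 3962):
    PBKDF2-HMAC-SHA1(password, salt, iterations, 32 bytes).  The enctype then
    applies DK(tkey, "kerberos"), an AES-based step omitted here; that step is
    deterministic, so two different values here are two different final keys."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, 32)


def keytab_entry_will_verify(password, client_salt, kdc_salt):
    """True only if the keytab written with client_salt carries the same key the
    KDC derived, which requires both sides to have used the same salt."""
    return (aes_string_to_key_input(password, client_salt)
            == aes_string_to_key_input(password, kdc_salt))


if __name__ == "__main__":
    principal = "admspike_white@AMER.EXAMPLE.COM"
    client_salt = default_salt(principal)          # what plain addent assumes
    kdc_salt = "AMER.EXAMPLE.COMAdmSpike_White"     # constructed: differs only in case
    print("client default salt:", client_salt)
    print("keytab matches KDC :", keytab_entry_will_verify("Hunter2!", client_salt, kdc_salt))
```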

DirectAdmin remote MX not working

We're hosting a WordPress website with a Contact Form 7 contactform.
The e-mails don't arrive at the customer's e-mail.
The customer uses Google apps for work so the MX is remote.
Only the domain.com and the www records are pointing to our server.
In the Exim logs I see this:
2016-02-28 17:04:14 1aa3pO-0005gk-Ty <= username#hostname.com U=username P=local S=824 id=a8eb50f3ba273b9275bb8a2197e63eca#www.domain.com T="Contact form" from for info#domain.com
2016-02-28 17:04:14 1aa3pO-0005gk-Ty remote host address is the local host: domain.com
2016-02-28 17:04:14 1aa3pO-0005gk-Ty == info#domain.com R=lookuphost defer (-1): remote host address is the local host
2016-02-28 17:04:14 1aa3pO-0005gk-Ty ** info#domain.com: retry timeout exceeded
2016-02-28 17:04:15 1aa3pO-0005gr-VZ => username F=<> R=localuser T=local_delivery S=1730
2016-02-28 17:04:15 1aa3pO-0005gr-VZ Completed
The local mailserver option in DirectAdmin is off.
I hope someone can help.
Your hosts/DNS point domain.com to local host
If it was example - remove example "domain.com" from Exim local domains
or bad hosts/DNS entry
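An added Python helper, not from the question or the answer, that groups Exim main-log lines like the ones above by message id and flags recipients deferred with "remote host address is the local host", which Exim logs when the MX or A lookup for a domain it treats as remote comes back with its own address. The log sample is constructed from the lines above with "@" restored.

```python
import re
from collections import OrderedDict

# Constructed sample in the Exim main-log format quoted above ('@' restored).
SAMPLE_LOG = """\
2016-02-28 17:04:14 1aa3pO-0005gk-Ty <= username@hostname.com U=username P=local S=824 T="Contact form" for info@domain.com
2016-02-28 17:04:14 1aa3pO-0005gk-Ty remote host address is the local host: domain.com
2016-02-28 17:04:14 1aa3pO-0005gk-Ty == info@domain.com R=lookuphost defer (-1): remote host address is the local host
2016-02-28 17:04:14 1aa3pO-0005gk-Ty ** info@domain.com: retry timeout exceeded
2016-02-28 17:04:15 1aa3pO-0005gr-VZ => username F=<> R=localuser T=local_delivery S=1730
2016-02-28 17:04:15 1aa3pO-0005gr-VZ Completed
"""

# "<date> <time> <16-char message id> <rest>"
MSG = re.compile(r"^(\S+ \S+) ([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (.*)$")
# Per-recipient event flags: <= received, => delivered, -> additional delivery,
# == deferred, ** failed (bounced)
EVENT = re.compile(r"^(<=|=>|->|==|\*\*) (\S+?):?(?:\s+(.*))?$")


def parse_mainlog(text):
    """Group main-log lines by message id with their per-recipient events."""
    msgs = OrderedDict()
    for raw in text.splitlines():
        m = MSG.match(raw.strip())
        if not m:
            continue
        when, mid, rest = m.groups()
        entry = msgs.setdefault(mid, {"first_seen": when, "events": [], "notes": []})
        e = EVENT.match(rest)
        if not e:
            entry["notes"].append(rest)      # free-text lines such as "Completed"
            continue
        flag, addr, detail = e.group(1), e.group(2), e.group(3) or ""
        router = re.search(r"\bR=(\S+)", detail)
        defer = re.search(r"defer \((-?\d+)\): (.*)$", detail)
        entry["events"].append({
            "flag": flag,
            "address": addr,
            "router": router.group(1) if router else None,
            "reason": defer.group(2) if defer else (detail if flag == "**" else None),
        })
    return msgs


def self_routed_recipients(text):
    """Recipients deferred because the 'remote' host Exim resolved was itself.

    Exim logs that when the MX (or A) lookup for a domain it does not treat as
    local points back at this server: DNS or /etc/hosts for that domain is
    wrong, or the domain should have been handled locally."""
    found = []
    for mid, entry in parse_mainlog(text).items():
        for ev in entry["events"]:
            if ev["flag"] == "==" and ev["reason"] and "is the local host" in ev["reason"]:
                found.append((mid, ev["address"], ev["router"]))
    return found


if __name__ == "__main__":
    for mid, addr, router in self_routed_recipients(SAMPLE_LOG):
        print(f"{mid}: {addr} deferred by {router}: recipient domain resolves to this host")
```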

redmine ldap authentication fail

I'm not succeeding in LDAP authentication with Redmine. Here follows the description of what I've done:
I've installed Bitnami Redmine on Centos 6.7 and am trying to authenticate against AD on MS Windows Server 2012.
Environment: Redmine version 3.1.1.stable
Ruby version 2.0.0-p647 (2015-08-18) [x86_64-linux]
Rails version 4.2.4
Environment production
Database adapter Mysql2
SCM:
Subversion 1.6.11
Git 1.7.1
Filesystem
Redmine plugins:
no plugin installed
This is my LDAP configuration on Redmine:
Name: geo-AD
Host: geo-dc.geo.net
Port 389 LDAPS: No
User: ldapuser
DN Base: DC=geo-dc,DC=geo,DC=net
LDAP filter: (objectClass=*)
on the fly: yes
Connection attribute: sAMAccontName
Name: givenName
Surname: sn
Mail: mail
The test is working fine, but when I try to authenticate I always get
invalid password
I traced the authentication phase with Wireshark and I've seen the following:
There is a request from the redmine host to the AD server asking for the following attributes:
dn
givenName
sn
mail
The AD server answers with "no such object" and the authentication stops. I've removed givenName, sn and mail from the LDAP configuration window, but the request for dn is still there and causes the failure.
I've checked the AD schema and there is no attribute named "dn".
Any idea why Redmine asks for this during authentication, and whether there is a way to change this behaviour?
Here follows the LDAP query and LDAP response.
192.168.1.244 is the Centos server with Redmine, 192.168.1.240 is MS Server 2012 with AD.
No. Time Source Destination Protocol Length Info
72 28.269126319 192.168.1.244 192.168.1.240 LDAP 237 searchRequest(2) "DC=geo-dc,DC=geo,DC=net" wholeSubtree
Frame 72: 237 bytes on wire (1896 bits), 237 bytes captured (1896 bits) on interface 0
Lightweight Directory Access Protocol
LDAPMessage searchRequest(2) "DC=geo-dc,DC=geo,DC=net" wholeSubtree
messageID: 2
protocolOp: searchRequest (3)
searchRequest
baseObject: DC=geo-dc,DC=geo,DC=net
scope: wholeSubtree (2)
derefAliases: neverDerefAliases (0)
sizeLimit: 0
timeLimit: 0
typesOnly: False
Filter: (&(&(objectClass=*)(objectClass=*))
(sAMAccountName=mlavagna))
filter: and (0)
and: (&(&(objectClass=*)(objectClass=*))
(sAMAccountName=mlavagna))
and: 3 items
Filter: (objectClass=*)
and item: present (7)
present: objectClass
Filter: (objectClass=*)
and item: present (7)
present: objectClass
Filter: (sAMAccountName=mlavagna)
and item: equalityMatch (3)
equalityMatch
attributeDesc: sAMAccountName
assertionValue: mlavagna
attributes: 4 items
AttributeDescription: dn
AttributeDescription: givenName
AttributeDescription: sn
AttributeDescription: mail
[Response In: 73]
controls: 1 item
Control
controlType: 1.2.840.113556.1.4.319 (pagedResultsControl)
criticality: False
SearchControlValue
size: 126
cookie: <MISSING>
No. Time Source Destination Protocol
74 28.269493413 192.168.1.244 192.168.1.240 TCP
Lightweight Directory Access Protocol
LDAPMessage searchResDone(2) noSuchObject (0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=geo,DC=net'
) [0 results]
messageID: 2
protocolOp: searchResDone (5)
searchResDone
resultCode: noSuchObject (32)
matchedDN: DC=geo,DC=net
errorMessage: 0000208D: NameErr: DSID-03100238, problem 2001
(NO_OBJECT), data 0, best match of:\n\t'DC=geo,DC=net'\n
[Response To: 72]
[Time: 0.000264030 seconds]
Do you have an "ou" (organizational unit) in LDAP? For example, if your users are under ou=People, your redmine DN Base might look like this:
DN Base: ou=People,DC=geo-dc,DC=geo,DC=net
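As an added illustration (Python, not part of the question or the answer): for a noSuchObject result the matchedDN, which AD also prints as "best match of:" in its errorMessage, is the deepest existing ancestor of the requested base (RFC 4511), so the configured DN Base can be compared with it to see which of its leading RDNs do not exist. The error string and base are copied from the capture and configuration above.

```python
import re

# Constructed from the errorMessage and the configured DN Base shown above.
SAMPLE_ERROR = ("0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, "
                "best match of:\n\t'DC=geo,DC=net'\n")
CONFIGURED_BASE = "DC=geo-dc,DC=geo,DC=net"

# AD's errorMessage layout: <hex code>: <kind>: DSID-<hex>, problem <n> (<NAME>),
# data <n>[, best match of: '<matchedDN>']
AD_ERR = re.compile(
    r"^(?P<code>[0-9A-Fa-f]{8}): (?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<name>\w+)\), data (?P<data>\d+)"
    r"(?:, best match of:\s*'(?P<best>[^']*)')?")


def parse_ad_error(msg):
    """Fields of an AD LDAP errorMessage, or None if it is not in that layout."""
    m = AD_ERR.match(msg)
    if not m:
        return None
    d = m.groupdict()
    d["code"] = int(d["code"], 16)
    d["problem"] = int(d["problem"])
    return d


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas, lower-cased for comparison."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p.lower() for p in parts]


def diagnose_base(configured, error_msg):
    """Compare the configured search base with the matchedDN AD returned.

    For noSuchObject the matchedDN is the deepest existing ancestor of the
    requested base, so the RDNs of the configured base that sit in front of
    it are the ones that do not exist; the search base must be the matched
    DN or an OU beneath it."""
    info = parse_ad_error(error_msg)
    if not info or info["name"] != "NO_OBJECT" or not info["best"]:
        return None
    want, have = split_dn(configured), split_dn(info["best"])
    if want[-len(have):] == have:
        return {"existing_suffix": info["best"],
                "missing_rdns": want[:-len(have)],
                "suggested_base": info["best"]}
    return {"existing_suffix": info["best"], "missing_rdns": None,
            "suggested_base": None}


if __name__ == "__main__":
    print(diagnose_base(CONFIGURED_BASE, SAMPLE_ERROR))
```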

SSH + Radius + LDAP

I have been doing a lot of research on ssh (openssh) and radius.
What I want to do:
SSH in to equipment with credentials (username and password) stored either on a radius server or in an ldap store. I have been reading online and some people point to having an ldap server running in the background of your radius server. This will work, but will only work if the user is found on the local machine.
The problem:
Is there a way for me to ssh (or telnet) in to my equipment by logging in via a radius server that contains the credentials? If not, is there a way for the client (the machine I am trying to connect to) to get an updated list of credentials and store it locally from a central location (whether it be a radius server or an sql database etc.)?
I have been able to connect via Radius but only on accounts that are local; for example, if I try to connect with an account that does not exist locally (client-wise) I get "incorrect".
Here is the radius output:
Code:
rad_recv: Access-Request packet from host 192.168.4.1 port 5058, id=219, length=85
User-Name = "klopez"
User-Password = "\010\n\r\177INCORRECT"
NAS-Identifier = "sshd"
NAS-Port = 4033
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "192.168.4.200"
Code:
[ldap] performing user authorization for klopez
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> klopez
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=klopez)
[ldap] expand: dc=lab,dc=local -> dc=lab,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=lab,dc=local, with filter (uid=klopez)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Cleartext-Password == "somepass"
[ldap] userPassword -> Password-With-Header == "somepass"
[ldap] looking for reply items in directory...
[ldap] user klopez authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Config already contains "known good" password. Ignoring Password-With-Header
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "? INCORRECT"
[pap] Using clear text password "somepass"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> klopez
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
I also have pam_radius installed, and it's working (I can log in on an account that exists locally). Although I read this and do not know if this is 100% accurate:
http://freeradius.1045715.n5.nabble.com/SSH-authendication-with-radius-server-fails-if-the-user-does-not-exist-in-radius-client-td2784316.html
and
http://fhf.org/archives/713
tl;dr:
I need to ssh into a machine that does not have a user/pass locally and that combination will be stored remotely, such as a radius server or ldap.
please advise
P.S.
The solution is preferable using radius server or ldap but not necessary. If there is an alternate please advise.
Thanks,
Kevin
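The "Unprintable characters in the password" warning in the FreeRADIUS output above is worth understanding before changing anything else, so here is an added Python illustration (not from the post) of RFC 2865's User-Password hiding: the NAS (here pam_radius on the SSH host) XORs the password with an MD5 stream keyed by the shared secret and the Request Authenticator, and a server holding a different secret unhides garbage rather than the typed password, which is exactly what a "\010\n\r\177..." value looks like. The authenticator and secrets below are constructed values.

```python
import hashlib


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad the password to a multiple of 16 bytes and XOR each
    block with MD5(secret + previous ciphertext block), seeded with the
    16-byte Request Authenticator from the Access-Request header."""
    assert len(authenticator) == 16
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """What the server recovers: correct only if its secret matches the NAS's."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        clear += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def looks_like_secret_mismatch(revealed):
    """Same heuristic as FreeRADIUS' warning: PAP passwords are printable text,
    so control or high bytes after unhiding point at a shared-secret mismatch
    between NAS and server rather than at a wrong password."""
    return any(b < 0x20 or b > 0x7e for b in revealed)


if __name__ == "__main__":
    # Constructed values: a fixed authenticator and two candidate server secrets
    authenticator = bytes(range(16))
    on_the_wire = hide_password(b"somepass", b"nas-secret", authenticator)
    for server_secret in (b"nas-secret", b"other-secret"):
        got = reveal_password(on_the_wire, server_secret, authenticator)
        print(server_secret, got, "mismatch:", looks_like_secret_mismatch(got))
```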
You can configure SSH to authenticate directly against an LDAP server using PAM LDAP.
I've set it up myself on Debian Systems:
https://wiki.debian.org/LDAP/PAM
https://wiki.debian.org/LDAP/NSS
You need to have both PAM and NSS to get SSH working. You also need to enable PAM in your SSH configuration. Install the libnss-ldapd libpam-ldapd and nslcd packages on Debian (or Ubuntu) system.

Devise with LDAP auth problems

I'm currently trying to implement Devise with LDAP Authentication on Rails 3. I've got it set up and it appears to connect and try to auth, but appears to fail. I don't seem to get any sort of real error messages to work with, so it's very difficult to take it any further.
Log of login session:
Started POST "/users/sign_in" for 192.168.160.1 at Tue Dec 06 05:20:16 +0000 2011
Processing by Devise::SessionsController#create as HTML
Parameters: {"commit"=>"Sign in", "authenticity_token"=>"G2tEq9gPpJiN0RhanTd8HMWno62F+1oLWbU4xdX78bg=", "utf8"=>"\342\234\223", "user"=>{"remember_me"=>"0", "password"=>"[FILTERED]", "login"=>"richmond#email.com"}}
User Load (0.1ms) SELECT `users`.* FROM `users` WHERE `users`.`login` = 'richmond#email.com' LIMIT 1
LDAP: LDAP dn lookup: mail=richmond#email.com
LDAP: LDAP search for login: mail=richmond#email.com
LDAP: Authorizing user mail=richmond#email.com,ou=groupxx,o=company.com
LDAP: LDAP dn lookup: mail=richmond#email.com
LDAP: LDAP search for login: mail=richmond#email.com
Completed 401 Unauthorized in 7147ms
Processing by Devise::SessionsController#new as HTML
Parameters: {"commit"=>"Sign in", "authenticity_token"=>"G2tEq9gPpJiN0RhanTd8HMWno62F+1oLWbU4xdX78bg=", "utf8"=>"\342\234\223", "user"=>{"remember_me"=>"0", "password"=>"[FILTERED]", "login"=>"richmond#email.com"}}
Rendered devise/shared/_links.erb (0.1ms)
Rendered devise/sessions/new.html.erb within layouts/application (5.0ms)
Completed 200 OK in 23ms (Views: 21.4ms | ActiveRecord: 0.0ms)
Started GET "/assets/defaults.js" for 192.168.160.1 at Tue Dec 06 05:20:23 +0000 2011
Served asset /defaults.js - 404 Not Found (3ms)
ActionController::RoutingError (No route matches [GET] "/assets/defaults.js"):
Rendered /usr/local/lib/ruby/gems/1.8/gems/actionpack-3.1.0/lib/action_dispatch/middleware/templates/rescues/routing_error.erb within rescues/layout (0.5ms)
ldap config:
development:
host: ldap.company.com
port: 636
attribute: mail
base: ou=groupxx,o=company.com
#admin_user: cn=admin,dc=test,dc=com
#admin_password: admin_password
ssl: true
# <<: *AUTHORIZATIONS
I don't have access to the LDAP server so I cannot confirm anything from that end. The main issue I have is that I cannot get any error messages out of the login process - Is it not able to find the user? Does it find the user but fail login? Why does it do 2 LDAP searches?
Same issue here. Did an ldapsearch, which works, however. Company is running an Active Directory server here:
ldapsearch -Z -h ldap.company.com -p 389 -s sub -D
"cn=somebody,ou=my_ou,dc=ldap,dc=company,dc=com" -W -b
"dc=ldap,dc=company,dc=com" "(&(cn=somebody))" mail
Solution:
I have found the solution: In config/initializers/devise.rb I had forgotten to activate config.ldap_use_admin_to_bind = true. Only with this flag does devise_ldap_authenticatable really use the BindDN (i.e. admin_user, admin_password, which both have to be uncommented) defined at config/ldap.yml.
I found out the problem I had was that the LDAP server my company (IBM) uses was using a different protocol standard to the ones officially supported by NET-LDAP.
You simply need to change the PagedResults Control Type to a slightly different standard:
#PagedResults = "1.2.840.113556.1.4.319" # Microsoft evil from RFC 2696
PagedResults = "2.16.840.1.113730.3.4.2" # IBM Bluepages compatible ControlType
Full code change details here.
I forked it and fixed it over here on GitHub.
I did encounter the same problem on my Active Directory. I tried using the bind user but it didn't help either. I changed devise according to screencast 210 to use the username field. Here's my ldap.yml
development:
host: dcburda0
port: 636
attribute: cn
base: OU=Organisation,DC=mydomain,DC=com
admin_user: CN=username,OU=Support Center Muenchen,OU=name GmbH,OU=Organisation,DC=mydomain,DC=com
admin_password: password
ssl: true