Can I bind against the current user

[amenk]

We would like to use the user which is trying to login for the bind.

We tried this:

bind_dn: 'Foobar\%{username}'
password: '%{password}'

It is not working.

If I hard code my user and password, it does work.

[markmcdonald51]

Hi!

I had a bit of trouble gettting this thing to work myself. LDAP isn't the most popular way to log in but once you get it going it looks like it will work nicely with OmniAuth.

First, get a service account to bind to the LDAP server. The LDAP server si like a database so unless you are accessing it via anonymous you will need to have access to query it...Check with the LDAP admin to get this.

Once you have access, do a small test to see if you can bind to the LDAP server (like below)

require 'rubygems'
require 'net/ldap'

ldap = Net::LDAP.new
ldap.host = 'LDAPAD.SOMEWHERE.ORG'
ldap.port = 389
ldap.auth "service_account_user_name", "service_account_password"
if ldap.bind
#puts ldap.methods(:instance)
puts "authentication succeeded"
else
puts "authentication failed"
end

filter = Net::LDAP::Filter.eq( "cn", "service_accountj@someagency.org" )
treebase = "dc=some_dc,dc=org"

ldap.search( :base => treebase, :filter => filter ) do |entry|
puts "DN: #{entry.dn}"
entry.each do |attribute, values|
puts " #{attribute}:"
values.each do |value|
puts " --->#{value}"
end
end
end

p ldap.get_operation_result

-------------- If that binds ok then add an initializer for oauth

Rails.application.config.middleware.use OmniAuth::Builder do
provider :ldap,
:title => "WAHTEVER YOU WANT TO CALL THIS LDAP LOGIN",
:host => HOST_SERVERs.IP_OR_DOMAINNAME.ORG',
:port => 389,
:uid => 'cn', # this might be different --- might want to try to connect with a small script to try to bind...
:bind_dn => 'the_service_account_email@some.org',
:password => 'the_password_for_the_service_account_used_to_query_ldap',
:name_proc => Proc.new {|name| name.gsub(/@.*$/,'')},
:base => 'OU=SOME_FOLDER,OU=IN_LDAP,DC=SOMEPLACE,DC=ORG'
end

This worked for me. Hopefully this helps!

--mark

[pscdodd]

I added the following lines to omniauth-ldap-*/lib/omniauth/strategies/ldpa.rb at the top of method "callback_phase"

       @options[:password] = @options[:password].sub('%{password}', request['password'])
       @options[:bind_dn] = @options[:bind_dn].sub('%{username}', request['username'])

to be able to use %{password} and %{username} in the LDAP omniauth initializer

[amenk]

Cool, thanks. Will you make a pull request?

[pscdodd]

Sorry, no, the code is inelegent – should be more general

Von: Alexander Menk [mailto:notifications@github.com]
Gesendet: Montag, 18. April 2016 17:21
An: intridea/omniauth-ldap omniauth-ldap@noreply.github.com
Cc: Dodd, Paul Sutton (UB) paul.dodd@ub.unibe.ch
Betreff: Re: [intridea/omniauth-ldap] Can I bind against the current user (#59)

Cool, thanks. Will you make a pull request?

—
You are receiving this because you commented.
Reply to this email directly or view it on GitHubhttps://github.com//issues/59#issuecomment-211428036

[vchrizz]

@pscdodd i guess code can always be made better once there is some base? ;)
would you mind to share your version so we could potentially generalize it?

[pscdodd]

Here is the diff of the hack: /srv/home/rubyadmin/development/gem_patches/2.4.0/gems/omniauth-ldap-2.0.0/lib/omniauth/strategies$ diff -u ldap.rb.orig ldap.rb --- ldap.rb.orig 2018-01-31 11:31:11.753568066 +0100 +++ ldap.rb 2016-04-20 15:46:06.557739400 +0200 @@ -35,6 +35,8 @@ end def callback_phase + @options[:password] = @options[:password].sub('%{password}', request['password']) unless request['password'].nil? + @options[:bind_dn] = @options[:bind_dn].sub('%{username}', request['username']) unless request['username'].nil? @adaptor = OmniAuth::LDAP::Adaptor.new @options return fail!(:missing_credentials) if missing_credentials? Gesendet von Mail<https://go.microsoft.com/fwlink/?LinkId=550986> für Windows 10 Von: Christoph Loesch<mailto:notifications@github.com> Gesendet: Montag, 12. März 2018 04:46 An: omniauth/omniauth-ldap<mailto:omniauth-ldap@noreply.github.com> Cc: Dodd, Paul Sutton (UB)<mailto:paul.dodd@ub.unibe.ch>; Mention<mailto:mention@noreply.github.com> Betreff: Re: [omniauth/omniauth-ldap] Can I bind against the current user (#59) @pscdodd<https://github.com/pscdodd> i guess code can always be made better once there is some base? ;) would you mind to share your version so we could potentially generalize it? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#59 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AFmRUzqqv5XRufkJ943qH1Tl7mNrHLZSks5tde-fgaJpZM4Fl-2t>.

[vchrizz]

thanks!

@amenk: can you work with this? would be great if there is some progress :)

[amenk]

@vchrizz Currently it does not have priority in our project any more .. But still it is nice to have and a clean solution for future projects.

[vchrizz]

pull-request #81 created.

[Tom910]

Any updates?