S.Richmond

Reputation: 11558

Devise with LDAP auth problems

I'm currently trying to implement Devise with LDAP Authentication on Rails 3. I've got it set up and it appears to connect and try to auth, but appears to fail. I don't seem to get any sort of real error messages to work with, so it's very difficult to take it any further.

Log of login session:

Started POST "/users/sign_in" for 192.168.160.1 at Tue Dec 06 05:20:16 +0000 2011
  Processing by Devise::SessionsController#create as HTML
  Parameters: {"commit"=>"Sign in", "authenticity_token"=>"G2tEq9gPpJiN0RhanTd8HMWno62F+1oLWbU4xdX78bg=", "utf8"=>"\342\234\223", "user"=>{"remember_me"=>"0", "password"=>"[FILTERED]", "login"=>"[email protected]"}}
  User Load (0.1ms)  SELECT `users`.* FROM `users` WHERE `users`.`login` = '[email protected]' LIMIT 1
  LDAP: LDAP dn lookup: [email protected]
  LDAP: LDAP search for login: [email protected]
  LDAP: Authorizing user [email protected],ou=groupxx,o=company.com
  LDAP: LDAP dn lookup: [email protected]
  LDAP: LDAP search for login: [email protected]
Completed 401 Unauthorized in 7147ms
  Processing by Devise::SessionsController#new as HTML
  Parameters: {"commit"=>"Sign in", "authenticity_token"=>"G2tEq9gPpJiN0RhanTd8HMWno62F+1oLWbU4xdX78bg=", "utf8"=>"\342\234\223", "user"=>{"remember_me"=>"0", "password"=>"[FILTERED]", "login"=>"[email protected]"}}
Rendered devise/shared/_links.erb (0.1ms)
Rendered devise/sessions/new.html.erb within layouts/application (5.0ms)
Completed 200 OK in 23ms (Views: 21.4ms | ActiveRecord: 0.0ms)


Started GET "/assets/defaults.js" for 192.168.160.1 at Tue Dec 06 05:20:23 +0000 2011
Served asset /defaults.js - 404 Not Found (3ms)

ActionController::RoutingError (No route matches [GET] "/assets/defaults.js"):


Rendered /usr/local/lib/ruby/gems/1.8/gems/actionpack-3.1.0/lib/action_dispatch/middleware/templates/rescues/routing_error.erb within rescues/layout (0.5ms)

ldap config:

development:
  host: ldap.company.com
  port: 636
  attribute: mail
  base: ou=groupxx,o=company.com
  #admin_user: cn=admin,dc=test,dc=com
  #admin_password: admin_password
  ssl: true
  # <<: *AUTHORIZATIONS

I don't have access to the LDAP server, so I cannot confirm anything from that end. The main issue I have is that I cannot get any error messages out of the login process: is it not able to find the user? Does it find the user but fail login? Why does it do 2 LDAP searches?

Upvotes: 1

Views: 3652

Answers (3)

S.Richmond

Reputation: 11558

I found out the problem I had was that the LDAP server my company (IBM) uses was using a different protocol standard to the ones officially supported by NET-LDAP. You simply need to change the PagedResults Control Type to a slightly different standard:

#PagedResults = "1.2.840.113556.1.4.319" # Microsoft evil from RFC 2696
PagedResults = "2.16.840.1.113730.3.4.2" # IBM Bluepages compatible ControlType

Full code change details here.

I forked it and fixed it over here on GitHub.

Upvotes: 3

Marcus Janietz

Reputation: 25

I did encounter the same problem on my ActiveDirectory. I tried using the bind user but it didn't help either. I changed devise according to screencast 210 to use the username field. Here's my ldap.yml:

development:
  host: dcburda0
  port: 636
  attribute: cn
  base: OU=Organisation,DC=mydomain,DC=com
  admin_user: CN=username,OU=Support Center Muenchen,OU=name GmbH,OU=Organisation,DC=mydomain,DC=com
  admin_password: password
  ssl: true

Upvotes: 0

user1099385

Reputation:

Same issue here. Did an ldapsearch, which works, however. Company is running an ActiveDirectory server here:

ldapsearch -Z -h ldap.company.com -p 389 -s sub \
  -D "cn=somebody,ou=my_ou,dc=ldap,dc=company,dc=com" -W \
  -b "dc=ldap,dc=company,dc=com" "(&(cn=somebody))" mail

Solution:

I have found the solution: in config/initializers/devise.rb I had forgotten to activate config.ldap_use_admin_to_bind = true. Only with this flag does devise_ldap_authenticatable actually use the BindDN (i.e. admin_user and admin_password, which both have to be uncommented) defined in config/ldap.yml.

Upvotes: 4
