Devise LDAP Authenticatable
Devise LDAP Authenticatable is a LDAP based authentication strategy for the Devise authentication framework.
If you are building applications for use within your organization which require authentication and you want to use LDAP, this plugin is for you.
Devise LDAP Authenticatable works in replacement of Database Authenticatable. This devise plugin has not been tested with DatabaseAuthenticatable enabled at the same time. This is meant as a drop in replacement for DatabaseAuthenticatable allowing for a semi single sign on approach.
For a screencast with an example application, please visit: http://corrupt.net/2010/07/05/LDAP-Authentication-With-Devise/
Prerequisites
- devise ~> 3.0.0 (which requires rails ~> 4.0)
- net-ldap ~> 0.6.0
Note: Rails 3.x / Devise 2.x has been moved to the 0.7 branch. All 0.7.x gems will support Rails 3, where as 0.8.x will support Rails 4.
If you are transitioning from having Devise manage your users' passwords in the database to using LDAP auth, you may have to update your users
table to make encrypted_password
nullable, or else the LDAP user insert will fail.
Usage
In the Gemfile for your application:
gem "devise_ldap_authenticatable"
To get the latest version, pull directly from github instead of the gem:
gem "devise_ldap_authenticatable", :git => "git://github.com/cschiewek/devise_ldap_authenticatable.git"
Setup
Run the rails generators for devise (please check the devise documents for further instructions)
rails generate devise:install
rails generate devise MODEL_NAME
Run the rails generator for devise_ldap_authenticatable
rails generate devise_ldap_authenticatable:install [options]
This will install the ldap.yml, update the devise.rb initializer, and update your user model. There are some options you can pass to it:
Options:
[--user-model=USER_MODEL] # Model to update
# Default: user
[--update-model] # Update model to change from database_authenticatable to ldap_authenticatable
# Default: true
[--add-rescue] # Update Application Controller with rescue_from for DeviseLdapAuthenticatable::LdapException
# Default: true
[--advanced] # Add advanced config options to the devise initializer
Querying LDAP
Given that ldap_create_user
is set to true and you are authenticating with username, you can query an LDAP server for other attributes.
in your user model you have to simply define ldap_before_save
method:
def ldap_before_save
self.email = Devise::LDAP::Adapter.get_ldap_param(self.username,"mail").first
end
Configuration
In initializer config/initializers/devise.rb
:
ldap_logger
(default: true)- If set to true, will log LDAP queries to the Rails logger.
ldap_create_user
(default: false)- If set to true, all valid LDAP users will be allowed to login and an appropriate user record will be created. If set to false, you will have to create the user record before they will be allowed to login.
ldap_config
(default: #{Rails.root}/config/ldap.yml)- Where to find the LDAP config file. Commented out to use the default, change if needed.
ldap_update_password
(default: true)- When doing password resets, if true will update the LDAP server. Requires admin password in the ldap.yml
ldap_check_group_membership
(default: false)- When set to true, the user trying to login will be checked to make sure they are in all of groups specified in the ldap.yml file.
ldap_check_attributes
(default: false)- When set to true, the user trying to login will be checked to make sure their attributes match those specified in the ldap.yml file.
ldap_check_attributes_presence
(default: false)- When set to true, the user trying to login will be checked against all
require_attribute_presence
attributes in the ldap.yml file, either present (attr: true),or not present (attr: false).
- When set to true, the user trying to login will be checked against all
ldap_use_admin_to_bind
(default: false)- When set to true, the admin user will be used to bind to the LDAP server during authentication.
ldap_check_group_membership_without_admin
(default: false)- When set to true, the group membership check is done with the user's own credentials rather than with admin credentials. Since these credentials are only available to the Devise user model during the login flow, the group check function will not work if a group check is performed when this option is true outside of the login flow (e.g., before particular actions).
Advanced Configuration
These parameters will be added to config/initializers/devise.rb
when you pass the --advanced
switch to the generator:
ldap_auth_username_builder
(default:Proc.new() {|attribute, login, ldap| "#{attribute}=#{login},#{ldap.base}" }
)- You can pass a proc to the username option to explicitly specify the format that you search for a users' DN on your LDAP server.
ldap_auth_password_build
(default:Proc.new() {|new_password| Net::LDAP::Password.generate(:sha, new_password) }
)- Optionally you can define a proc to create custom password encrption when user reset password
Troubleshooting
Using a "username" instead of an "email": The field that is used for logins is the first key that's configured in the config/initializers/devise.rb
file under config.authentication_keys
, which by default is email. For help changing this, please see the Railscast that goes through how to customize Devise. Also, this documentation from Devise can be very helpful.
SSL certificate invalid: If you're using a test LDAP server running a self-signed SSL certificate, make sure the appropriate root certificate is installed on your system. Alternately, you may temporarily disable certificate checking for SSL by modifying your system LDAP configuration (e.g., /etc/openldap/ldap.conf
or /etc/ldap/ldap.conf
) to read TLS_REQCERT never
.
Discussion Group
For additional support, questions or discussions, please see the discussion forum on Google Groups
Development guide
Devise LDAP Authenticatable uses a running OpenLDAP server to do automated acceptance tests. You'll need the executables slapd
, ldapadd
, and ldapmodify
.
On OS X, this is available out of the box.
On Ubuntu, you can install OpenLDAP with sudo apt-get install slapd ldap-utils
. If slapd runs under AppArmor, add an exception like this to /etc/apparmor.d/local/usr.sbin.slapd
to let slapd read our configs (reload using sudo service apparmor reload
afterwards).
/path/to/devise_ldap_authenticatable/spec/ldap/** rw,
To start hacking on devise_ldap_authentication
, clone the github repository, start the test LDAP server, and run the rake test task:
git clone https://github.com/cschiewek/devise_ldap_authenticatable.git
cd devise_ldap_authenticatable
bundle install
# in a separate console or backgrounded
./spec/ldap/run-server
RAILS_ENV=test bundle exec rake db:migrate # first time only
bundle exec rake spec
References
Released under the MIT license
Copyright (c) 2012 Curtis Schiewek, Daniel McNevin, Steven Xu