LDAP authentication


jeroen houben

Jan 29, 2009, 7:39:51 AM1/29/09
to Authlogic
Hi,

I'm trying to get AL to work with LDAP authentication. I have it
working up to the point where a user can get himself successfully
authenticated, but after that things blow up.

After a user is logged in (I can tell by looking at the logfile and
users table) it seems as if the session is not persisted or something
like that. current_user and current_user_session are both nil on
subsequent requests.

My User model is a standard user model, only without the password
fields:

create_table "users", :force => true do |t|
  t.string   "login"
  t.string   "persistence_token"
  t.integer  "login_count"
  t.datetime "last_request_at"
  t.datetime "last_login_at"
  t.datetime "current_login_at"
  t.string   "last_login_ip"
  t.string   "current_login_ip"
  t.datetime "created_at"
  t.datetime "updated_at"
end

acts_as_authentic :validate_password_field => false

I've overwritten the Authlogic::Session::Base#valid_credentials? in
UserSession as that seemed the perfect place to drop in my LDAP
authentication code.

require 'net/ldap'   # net-ldap gem

class UserSession < Authlogic::Session::Base

  private

  def valid_credentials?
    unchecked_record = nil

    errors.add(login_field, I18n.t('error_messages.login_blank', :default => "can not be blank")) if send(login_field).blank?
    errors.add(password_field, I18n.t('error_messages.password_blank', :default => "can not be blank")) if send("protected_#{password_field}").blank?
    return false if errors.count > 0

    unchecked_record = search_for_record(find_by_login_method, send(login_field))

    if unchecked_record.blank?
      errors.add(login_field, I18n.t('error_messages.login_not_found', :default => "does not exist"))
      return false
    end

    # the User exists locally, now try to authenticate against the LDAP server
    ldap = Net::LDAP.new
    ldap.host = LDAP_HOST
    # first create the username/password strings to send to the LDAP server
    # in our case we need to add the domain so it looks like COMPANY\firstname.lastname
    ldap.auth "#{LDAP_DOMAIN}\\" + unchecked_record.send(login_field), send("protected_#{password_field}")
    # now the actual authentication
    if !ldap.bind
      RAILS_DEFAULT_LOGGER.info { "LDAP authentication failed" }
      errors.add(password_field, I18n.t('error_messages.password_invalid', :default => "is not valid"))
      return false
    end
    RAILS_DEFAULT_LOGGER.info { "LDAP authentication OK" }
    self.record = unchecked_record
    true
  end

end


Any ideas??

jeroen houben

Jan 29, 2009, 10:30:20 AM1/29/09
to Authlogic
OK, I've fixed it now by using a bit of code based on the OpenID
tutorial.

I must say I liked my previous attempt better, since it felt more
natural to overwrite Authlogic::Session::Base#valid_credentials? than
to overwrite the whole Authlogic::Session::Base#save method.

Anyways, hopefully somebody can benefit from this code.

require 'net/ldap'   # net-ldap gem

class UserSession < Authlogic::Session::Base

  def save
    record = search_for_record(find_by_login_method, send(login_field))

    if record.blank?
      errors.add(login_field, I18n.t('error_messages.login_not_found', :default => "does not exist"))
      return false
    end

    # the User exists locally, now try to authenticate against the LDAP server
    ldap = Net::LDAP.new
    ldap.host = LDAP_HOST
    # first create the username/password strings to send to the LDAP server
    # in our case we need to add the domain so it looks like COMPANY\firstname.lastname
    ldap.auth "#{LDAP_DOMAIN}\\" + record.send(login_field), send("protected_#{password_field}")
    # now the actual authentication
    if !ldap.bind
      RAILS_DEFAULT_LOGGER.info { "LDAP authentication failed" }
      errors.add(password_field, I18n.t('error_messages.password_invalid', :default => "is not valid"))
      return false
    end

    self.unauthorized_record = record
    super
  end
end
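A standalone version of the bind check from the two posts above, added here as an example rather than code from the thread, written so it runs and can be tested without Rails or a directory server, which is what the later replies recommend. The host and domain constants and the FakeLdap stand-in are constructed; the example also keeps the blank-password guard that the second version drops, because a bind with an empty password is treated as an anonymous bind by many servers and reports success.

```ruby
# Added example, not code from the thread: the bind check from the posts
# above as a plain Ruby class, testable without Rails or a directory server.
# LDAP_HOST/LDAP_DOMAIN values and the FakeLdap stand-in are constructed.
LDAP_HOST   = "ldap.example.internal"   # placeholder host
LDAP_DOMAIN = "COMPANY"

class LdapAuthenticator
  # client_class must offer .new, #host=, #auth(user, pass) and #bind,
  # which is the subset of Net::LDAP used in the thread; pass Net::LDAP
  # in a real app and FakeLdap (below) in tests.
  def initialize(client_class, host: LDAP_HOST, domain: LDAP_DOMAIN)
    @client_class, @host, @domain = client_class, host, domain
  end

  # Returns :ok, :blank_credentials, :bad_login or :bad_password.
  def authenticate(login, password)
    # Guard before binding: many directory servers treat an empty password
    # as an anonymous (unauthenticated) bind and report success, so a blank
    # password must never reach bind. The second post above dropped this check.
    return :blank_credentials if login.to_s.strip.empty? || password.to_s.empty?
    # The login is interpolated into the bind name, so only accept the
    # characters an account name normally contains.
    return :bad_login unless login =~ /\A[\w.\-]+\z/
    ldap = @client_class.new
    ldap.host = @host
    ldap.auth "#{@domain}\\#{login}", password   # COMPANY\firstname.lastname
    ldap.bind ? :ok : :bad_password
  end
end

# Constructed stand-in for Net::LDAP so the example runs offline. It mimics
# the empty-password-as-anonymous-bind behaviour described above.
class FakeLdap
  USERS = { "COMPANY\\jeroen.houben" => "s3cret" }   # constructed sample
  attr_accessor :host
  def auth(user, pass); @user, @pass = user, pass; end
  def bind
    return true if @pass.to_s.empty?   # anonymous bind "succeeds"
    USERS[@user] == @pass
  end
end

if __FILE__ == $0
  auth = LdapAuthenticator.new(FakeLdap)
  p auth.authenticate("jeroen.houben", "s3cret")   # => :ok
  p auth.authenticate("jeroen.houben", "")         # => :blank_credentials
end
```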

Ben Johnson

Feb 4, 2009, 12:02:03 AM2/4/09
to Authlogic
It's really up to you, you can implement this however you want. I went
with overriding the save method because it was cleaner in my
controllers. I could implement any type of authentication without
having to change my controller. OpenID did some automatic redirecting
to the OpenID provider for me, so I had to contain any responding code
in a block to keep it from getting executed and avoiding the double
render error. I could have easily done a case statement in my
controller and handled each authentication type differently, but I
feel that logic belongs in the model since that is what the session is
all about.

Anyways, if you don't like the implementation, try messing around with
it until you do. It would be a great tutorial and show that there are
different ways to implement alternate authentication methods.

jeroen houben

Feb 10, 2009, 8:45:53 AM2/10/09
to Authlogic
> Anyways, if you don't like the implementation, try messing around with
> it until you do.

Well, that's what I'm trying to do by overriding the valid_credentials
method, but it's not working (see my first message). I don't know why
that's not working though.

Jeroen

P.S. I really like AuthLogic! Especially the extensive docs and usage
examples.

jeroen houben

Feb 10, 2009, 1:50:44 PM2/10/09
to Authlogic
I have it working now. This one feels much cleaner than the other
attempts. I wrote about it on my company's blog. Please have a read if
you're interested:

http://lbi.lostboys.nl/blog/artikelen/ruby-on-rails-ldap-integration

esparkman

Feb 10, 2009, 5:00:30 PM2/10/09
to Authlogic
I am having trouble getting authlogic to even attempt to make a
connection to our ldap server. I have added the information for the
connection in my user_sessions.rb file; attached is a pastie:
http://pastie.textmate.org/private/qmnhf8iip4cgh4ockcfya

Any information in just getting this setup in general would be
awesome.

Thanks-
Evan

Ben Johnson

Feb 11, 2009, 2:46:36 AM2/11/09
to auth...@googlegroups.com
Hi there, that's a really interesting post, good work on integrating
ldap into authlogic. I want to keep authlogic small and focused,
that's why I've hesitated to add openid, ldap, etc. into the core
library. But I have been considering creating authlogic-openid,
authlogic-ldap, etc. gems. I don't want to force this kind of code into
the core since there are a million single sign on methods and each can
be implemented depending on preference. I think this would encourage
people to write their own "add on" gems, and if they want to do ldap
or openid authentication differently they could just create their own
gem.

What do you think about doing that? Maybe using your ldap code to be
the first gem of this sort.



Ben Johnson
Binary Logic

W: www.binarylogic.com
E: bjoh...@binarylogic.com

1430 Broadway
7th Floor - NECO
New York, NY 10018

jeroen houben

Feb 11, 2009, 4:01:23 AM2/11/09
to Authlogic
> What do you think about doing that? Maybe using your ldap code to be  
> the first gem of this sort.

Yeah, that could be a good idea I think. I mean in LDAP's case it's
not that hard to write it from scratch, but you do have to make changes
in several places (User, UserSession, migration) so it's easy to miss
something. A gem could make things easier. How exactly do you envision
this?

I would like for AuthLogic to have a generator which does most of the
work described in http://www.binarylogic.com/2008/11/3/tutorial-authlogic-basic-setup
as that is still quite a bit of manual labor. Maybe it's a good idea
for the generator to accept an authentication method (default, ldap,
openid - depending on which add-on gems you have installed).

Jeroen


jeroen houben

Feb 11, 2009, 4:05:42 AM2/11/09
to Authlogic
Can you get the authentication working without rails? Just put the
code in a single .rb file and try to run it.

J

On Feb 10, 11:00 pm, esparkman <espark...@esdezines.com> wrote:
> I am having trouble getting authlogic to even attempt to make a
> connection to our ldap server. I have added the information for the
> connection in my user_sessions.rb file; attached is a pastie: http://pastie.textmate.org/private/qmnhf8iip4cgh4ockcfya

Ben Johnson

Feb 11, 2009, 4:10:14 AM2/11/09
to auth...@googlegroups.com
Also, a good way to single out the problem and break down your code
would be with tests. Try doing what jeroen mentioned: break down
your code and test it out, and save those tests so you can be sure ldap
is always working.




esparkman

Feb 16, 2009, 10:19:58 AM2/16/09
to Authlogic
I have broken out my ldap code to a single file but it still isn't
working. I'm not 100% sure my code is accurate. I am still very new to
ruby and rails. http://pastie.textmate.org/private/oicnpcsvnkycogvpvoixa
That is my code; can you guys let me know if I am on the right
track?
Any help is more than appreciated.

On Feb 11, 4:10 am, Ben Johnson <bjohn...@binarylogic.com> wrote:
> Also, a good way to single out the problem and break down your code
> would be with tests. Try doing what jeroen mentioned: break down
> your code and test it out, and save those tests so you can be sure ldap
> is always working.

esparkman

Feb 16, 2009, 10:40:57 AM2/16/09
to Authlogic
@Jeroen
Where are you calling your actual ldap config from?

On Feb 16, 10:19 am, esparkman <espark...@esdezines.com> wrote:
> I have broken out my ldap code to a single file but it still isn't
> working. I'm not 100% sure my code is accurate. I am still very new to
> ruby and rails. http://pastie.textmate.org/private/oicnpcsvnkycogvpvoixa

Ben Johnson

Feb 16, 2009, 12:41:27 PM2/16/09
to auth...@googlegroups.com
You might want to also checkout this tutorial:

http://lbi.lostboys.nl/blog/artikelen/ruby-on-rails-ldap-integration

This is working so you could work your way backwards from that.




Ben Johnson

Feb 17, 2009, 2:49:25 AM2/17/09
to auth...@googlegroups.com
For the record, I am going to extract the open id implementation into
a separate gem. This way I can make sure there is a clearly defined API
for implementing alternative methods, and it will also serve as a
good example for building your own gem and will assist in implementing
ldap.





esparkman

Mar 9, 2009, 10:31:53 AM3/9/09
to Authlogic
Hey Ben,

What's the status on pulling this logic out?

Thanks-
Evan

On Feb 17, 3:49 am, Ben Johnson <bjohn...@binarylogic.com> wrote:
> For the record, I am going to extract the open id implementation into
> a separate gem. This way I can make sure there is a clearly defined API
> for implementing alternative methods, and it will also serve as a
> good example for building your own gem and will assist in implementing
> ldap.

Ben Johnson

Mar 9, 2009, 12:09:04 PM3/9/09
to auth...@googlegroups.com
I'm working on it




esparkman

Mar 9, 2009, 12:40:48 PM3/9/09
to Authlogic
Awesome Ben!

On Mar 9, 12:09 pm, Ben Johnson <bjohn...@binarylogic.com> wrote:
> I'm working on it

esparkman

Mar 9, 2009, 2:36:25 PM3/9/09
to Authlogic
Well. I have managed to get basic ldap authentication working in an
external rb file. Just can't get it to work in my rails app.

http://pastie.textmate.org/private/kpdyeokidekmyhws9fz7a

and my working external rb file.

http://pastie.textmate.org/private/qcgdydfo7l2zpprftpnuig

Ben Johnson

Mar 9, 2009, 3:53:11 PM3/9/09
to auth...@googlegroups.com
Nice, I will look at this when I start making "add ons"



