Smart questions about Active Directory?

44 views
Skip to first unread message

Walter Lee Davis

unread,
Feb 5, 2013, 8:18:28 AM2/5/13
to phil...@googlegroups.com
Meeting with the administrator of a large corporate client's AD at 11 today, need to ask smart questions about integrating with it for single-sign-on with Devise or other Rails auth toolkit. Anyone here done anything with AD? Pitfalls to be aware of? Favorite gems?

Thanks in advance,

Walter

Andrew Libby

unread,
Feb 5, 2013, 9:00:00 AM2/5/13
to phil...@googlegroups.com, Walter Lee Davis


Hi Walter,

Last time I did this it was maybe 2007. We didn't do
"single sign on" per se, but we did authenticate against
the customers AD. We simply used Net::LDAP and hacked into
LoginSystem, which was an authentication api used by
some rails apps of that day.

I imagine Devise LDAP Authenticatable would work fine.

https://github.com/cschiewek/devise_ldap_authenticatable

I've had recent experience with the above agains OpenDJ
with errbit (https://github.com/errbit/errbit), the open
source exception catcher.

The technical gotcha we experienced is that we needed to
connect to a non-standard port. When we were connecting to
389, AD kept returning LDAP referrals. Once we figured
that out (and I don't remember the port number) it was
smooth sailing with Net::LDAP.

Best,

Andy
--

Andrew Libby
xforty technologies
http://xforty.com
ali...@xforty.com
484-887-7505 x 1115

Mat Schaffer

unread,
Feb 5, 2013, 9:42:33 AM2/5/13
to phil...@googlegroups.com, Walter Lee Davis
I did devise LDAP on AD with Aaron about a year ago. It basically worked, but the query we used was definitely sub-optimal. I'd say the main thing to ask is if they do or can enable the LDAP interface on AD since some companies don't.


--
You received this message because you are subscribed to the Google Groups "Philly.rb" group.
To unsubscribe from this group and stop receiving emails from it, send an email to phillyrb+unsubscribe@googlegroups.com.
To post to this group, send email to phil...@googlegroups.com.
Visit this group at http://groups.google.com/group/phillyrb?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.



Walter Lee Davis

unread,
Feb 5, 2013, 9:44:17 AM2/5/13
to phil...@googlegroups.com
Thanks. So I should ask if they are using a different port than the standard (assuming that's what 389 is here)? Or would we need to use a different port anyway?

Walter
> --
> You received this message because you are subscribed to the Google Groups "Philly.rb" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to phillyrb+u...@googlegroups.com.

Robert Di Marco

unread,
Feb 5, 2013, 9:53:40 AM2/5/13
to phillyrb
I have done Devise/Omniauth to AD a few different ways.

I have had success integrating with LDAP a bunch of times and had no big issues.  
I also had to integrate with Crowd SSO platform from Atlassian and had to write a new OmniAuth plugin to do it (https://github.com/robdimarco/omniauth_crowd/), which wasn't really that bad; I modeled it after LDAP.  So even if a current plugin doesn't do it for you, it's not too bad to write your own

I'm currently on a project where we plan to use SAML 2.0 and Devise/OmniAuth to do SSO.  A little pain in the butt to get going with, but should not be too bad in final implementaiton.

Andrew Libby

unread,
Feb 5, 2013, 9:55:47 AM2/5/13
to phil...@googlegroups.com, Walter Lee Davis


I think 389 is active, but there was something about the way
AD treats LDAP that queries on 389 only issued referral
answers - referrals which we could not make sense of.
Chasing down this non-standard port was the solution.


From some googling around I think it might be 3268, but
I don't have the code we wrote.

Frankly, I'd try 389 first and see if that works. But keep
in mind our workaround if you run into the referral issues
we did.

Good luck.


Andy

Walter Lee Davis

unread,
Feb 5, 2013, 10:11:31 AM2/5/13
to phil...@googlegroups.com
Thanks all! Andrew, how did you finally diagnose the correct port to use?

Walter

Carmen Sarlo

unread,
Feb 5, 2013, 10:11:39 AM2/5/13
to phil...@googlegroups.com, Walter Lee Davis
If SSO is not needed you could always use Apache / AD authentication. I have setup apache for internal use with AD also added .htaccess for the users that the AD folks do not create accounts for. Contractors, service accounts, stuff like that.


Carmen


To unsubscribe from this group and stop receiving emails from it, send an email to phillyrb+unsubscribe@googlegroups.com.

To post to this group, send email to phil...@googlegroups.com.
Visit this group at http://groups.google.com/group/phillyrb?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.



--

Andrew Libby
xforty technologies
http://xforty.com
ali...@xforty.com
484-887-7505 x 1115

--
You received this message because you are subscribed to the Google Groups "Philly.rb" group.
To unsubscribe from this group and stop receiving emails from it, send an email to phillyrb+unsubscribe@googlegroups.com.

Walter Lee Davis

unread,
Feb 5, 2013, 10:17:14 AM2/5/13
to phil...@googlegroups.com
Interesting. I will have to see what flavor of AD I have to deal with here. The biggest issue (in my imagination, anyway) is that there is a mix of internal clients (in and out of the firewall) and external clients (contractors, actors, agents). I am not sure why AD is being pushed as the solution, but I am guessing it might be because IS wants central authority over who is and isn't allowed. We've been operating for a couple of years as a stand-alone service on a Slicehost, completely off the radar. I guess our party is over...

Walter
> To unsubscribe from this group and stop receiving emails from it, send an email to phillyrb+u...@googlegroups.com.
> To post to this group, send email to phil...@googlegroups.com.
> Visit this group at http://groups.google.com/group/phillyrb?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
>
> --
>
> Andrew Libby
> xforty technologies
> http://xforty.com
> ali...@xforty.com
> 484-887-7505 x 1115
>
> --
> You received this message because you are subscribed to the Google Groups "Philly.rb" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to phillyrb+u...@googlegroups.com.
> To post to this group, send email to phil...@googlegroups.com.
> Visit this group at http://groups.google.com/group/phillyrb?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
>
> --
> You received this message because you are subscribed to the Google Groups "Philly.rb" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to phillyrb+u...@googlegroups.com.

Andrew Libby

unread,
Feb 5, 2013, 10:20:27 AM2/5/13
to phil...@googlegroups.com, Walter Lee Davis

Hi Walter,

At the time, we googled around for the referral messages we
were getting back form AD/ LDAP. This time around I just
googled around a bit. So I'm not 100% sure the port number
I suggested is correct. My guess is you can nmap the AD
server and disqualify most known ports to track it down.

Andy

Tim Allen

unread,
Feb 5, 2013, 10:28:20 AM2/5/13
to phil...@googlegroups.com, Walter Lee Davis
LDAP over SSL typically runs on port 636, while non-SSL LDAP typically runs on 389. It is worth checking both ports before looking into whether or not it is configured to run on a non-default port.

Try connecting via telnet and see if it connects on either of those ports:

telnet [your-ldap-or-ad-server] 389
telnet [your-ldap-or-ad-server] 636

If it connects rather than just trying to connect, you've probably found the right port.

Regards,

-Tim

Walter Lee Davis

unread,
Feb 5, 2013, 10:39:27 AM2/5/13
to phil...@googlegroups.com
Thanks!

Walter

Jason Stelzer

unread,
Feb 5, 2013, 12:24:00 PM2/5/13
to phil...@googlegroups.com
On Tue, Feb 5, 2013 at 8:18 AM, Walter Lee Davis <wa...@wdstudio.com> wrote:
> Meeting with the administrator of a large corporate client's AD at 11 today, need to ask smart questions about integrating with it for single-sign-on with Devise or other Rails auth toolkit. Anyone here done anything with AD? Pitfalls to be aware of? Favorite gems?
>
> Thanks in advance,
>


So I'm just wondering, did this end up going full SSO
(kerberos/whatever) or did it end up being just an authentication
backend switch?

Lots of good stuff about ldap in this thread, but if they want full on
SSO this is going to get complex fast.

--
J.

Walter Lee Davis

unread,
Feb 5, 2013, 1:00:13 PM2/5/13
to phil...@googlegroups.com
Had an entertaining chat with an unusually candid member of the corporate security team. We (my direct client and I) are most likely going to continue doing this the Cowboy Way until someone tells us to stop.

The initial dream was that it would be full SSO, that just being logged into your workstation at BigCorp World HQ would give you access to the Web service I'm building. But as you say, there's no clear way to do that. Plus there is an army of freelancers to add to AD, and they would have to have a different experience, unless they were to VPN into the corporate net.

The next idea was that we would authenticate (in the usual Devise manner) against AD, but in a read-only fashion. Adding new users would require requisitions in triplicate, buried in a peat bog for a minimum of six months, recycled as fire-lighters, etc.

My client was suitably chastened by the experience and now feels better about the idea of just building it stand-alone, with appropriate password restrictions to meet corporate policy -- although the security guy admitted that these weren't written down anywhere! How I dearly miss corporate America...

Walter

Nathan Mische

unread,
Feb 5, 2013, 1:00:46 PM2/5/13
to phil...@googlegroups.com
Good point. A lot of people say SSO (sign in once), when they really
mean federated authentication (sign in multiple places with the same
credentials).

If they are a large corp, they are probably already running a SAML
based SSO solution like Ping Federate, or if they are a Windows shop
maybe ADFS. If that is the case you just need a SAML SP on the rails
side.
Looks like there is a Devise extension for Shibboleth (an open source
SAML solution) that may work:
https://github.com/jgeorge300/devise_shibboleth_authenticatable

--Nathan

On Tue, Feb 5, 2013 at 12:24 PM, Jason Stelzer <jason....@gmail.com> wrote:
>
> So I'm just wondering, did this end up going full SSO
> (kerberos/whatever) or did it end up being just an authentication
> backend switch?
>
> Lots of good stuff about ldap in this thread, but if they want full on
> SSO this is going to get complex fast.
>
> --
> J.
>

Nathan Mische

unread,
Feb 5, 2013, 12:03:39 PM2/5/13
to phil...@googlegroups.com
Hi Walter,

As others have mentioned, the the standard LDAP ports can give
referrals that the LDAP client may not be able to resolve if it isn't
using the AD DNS. I've hit this issue a few times trying to configure
various Java clients.

I generally try to query the Global Catalog ports 3268, and 3269 for
SSL, if available. I believe the caveat there is that the Global
Catalog may not be fully populated with all of the available AD
attributes by default, but you can configure the necessary attributes
to be replicated to the GC if needed.

Best,

--Nathan
Reply all
Reply to author
Forward
0 new messages