Ldap authentication issues


JayP

Mar 2, 2012, 10:33:34 AM
to gito...@googlegroups.com
Hey guys,

I'm getting this failure when I try to test my ldap settings:

/usr/lib/ruby/gems/1.8/gems/ruby-net-ldap-0.0.4/lib/net/ldap.rb:1059:in `connect': SSL_connect SYSCALL returned=5 errno=0 state=unknown state (OpenSSL::SSL::SSLError)
from /usr/lib/ruby/gems/1.8/gems/ruby-net-ldap-0.0.4/lib/net/ldap.rb:1059:in `setup_encryption'
from /usr/lib/ruby/gems/1.8/gems/ruby-net-ldap-0.0.4/lib/net/ldap.rb:1025:in `initialize'
from /usr/lib/ruby/gems/1.8/gems/ruby-net-ldap-0.0.4/lib/net/ldap.rb:700:in `new'
from /usr/lib/ruby/gems/1.8/gems/ruby-net-ldap-0.0.4/lib/net/ldap.rb:700:in `bind'
from /var/www/gitorious/lib/gitorious/authentication/ldap_authentication.rb:61:in `valid_credentials?'
from script/test_ldap_connection:18

I think it may have to do with our server requiring a username and password for the ldap server, but I couldn't find out what the exact attributes are for this.  Anyone else doing this?  Thanks in advance for your help.

Thanks,
Jay

JayP

Mar 2, 2012, 11:18:22 AM
to gito...@googlegroups.com
Just to add a little more information to this.  We have a username and password to the ldap server that is different from the actual user that I need to authenticate.  Meaning the ldap server username is like so:

"CN=ldap-user,CN=Users,DC=NAME,DC=LOCAL"

Where do I add this and the ldap password in the authentication.yml file?  And when testing the ldap server using the script I am guessing I am using my ldap account to verify.  

Thanks.

JayP

Mar 3, 2012, 12:17:09 AM
to gito...@googlegroups.com
So it turns out this error message comes when you use the wrong port and use encryption.  The port is "636" when you're using encryption.

I also had to tweak the valid_credentials? method to use bind_as since we need to bind first with a special username/password then bind_as using the login username/password.

Bas Vodde

Mar 3, 2012, 8:00:15 PM
to gito...@googlegroups.com

Hi Jay,

I'm using LDAP over ldaps and with user/password and I didn't need to tweak any of the gitorious code. So, this *shouldn't* be needed AFAIK.

One thing you do want to do is update the LDAP library. I already put in a merge request. But with the old 0.0.4 LDAP library, I would get weird errors.
The upgrade is not difficult, but you need to pay attention because the LDAP library has changed name.

At first, I wanted to use a ldap-user for logging in, like you suggested. But then I realized that you can just login as the actual user. We configured the authentication.yml as:

methods:
  - adapter: Gitorious::Authentication::LDAPAuthentication
    server: server-name :)
    port: 636
    base_dn: dc=companyname,dc=com
    login_attribute: uid
    distinguished_name_template: "uid={},ou=people,dc=company,dc=com"
    attribute_mapping:
      mail: email
    encryption: simple_tls

(I changed the server name and the DNs)

Hope this will help you.

Thanks,

Bas


JayP

Mar 5, 2012, 11:25:21 AM
to Gitorious
Hi Bas,

Thanks for the response. Our ldap server isn't set up to authenticate
a user the way the code is currently written. I had to change the
valid_credentials? method in lib/gitorious/authentication/
ldap_authentication.rb to bind to the server with the ldap server
creds then use bind_as to authenticate a user in the ldap system.
Here is the code that I have:

    def valid_credentials?(username, password)
      return false if password.blank?
      # Open a connection using the configured server settings
      @connection = @connection_type.new({:encryption => @encryption,
                                          :host => @server,
                                          :port => @port,
                                          :base => @base_dn})
      # Bind with the service account credentials set in authentication.yml
      @connection.auth(@ldap_server_user, @ldap_server_pass)
      # Search for the user and re-bind with the login password; the
      # username is interpolated into the search filter as-is
      result = @connection.bind_as(:filter => "(sAMAccountName=#{username})",
                                   :password => password)
      result ? true : false
    end

I had to create new instance variables: @ldap_server_user and
@ldap_server_pass which I set in authentication.yml these are
credentials I have to use to bind to the ldap server. Then I use the
actual user and password for the user trying to login to bind_as which
will validate the user.

Another note: I found it confusing that the valid_credentials?
method wasn't using "@" for the instance variable "connection",
since that is the syntax for a local variable, which wasn't the case,
because they set @connection at the beginning to create a new
instance of ldap. Anyway, with the code above I was able to
validate against our ldap server.

Thanks,
Jay
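The service-account bind followed by bind_as that Jay describes, as an added example that is not code from Gitorious or from anyone in this thread. It keeps the empty-password guard (a simple bind with an empty password is treated by many directories, Active Directory included, as an anonymous bind that succeeds) and adds RFC 4515 escaping of the username before it is interpolated into the search filter, so a login name containing `*`, `(` or `)` is matched literally. The FakeLdap class is a constructed in-memory stand-in for Net::LDAP so the example runs offline; with the real gem you would pass Net::LDAP as the connection type, and newer net-ldap releases also ship Net::LDAP::Filter.escape for the same escaping. The hostname, DNs and passwords below are made up.

```ruby
# Added example (not Gitorious or thread code): service-account bind, then
# bind_as with the user's own password, with an empty-password guard and
# RFC 4515 escaping of the login name before it enters the search filter.

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
LDAP_FILTER_ESCAPES = {
  "\\" => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00'
}.freeze

def ldap_filter_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |ch| LDAP_FILTER_ESCAPES[ch] }
end

# The attribute name comes from configuration (login_attribute in
# authentication.yml); only the value comes from the login form.
def user_filter(login_attribute, username)
  "(#{login_attribute}=#{ldap_filter_escape(username)})"
end

class LdapAuthenticator
  def initialize(connection_type, opts)
    @connection_type  = connection_type
    @server           = opts[:server]
    @port             = opts[:port]
    @base_dn          = opts[:base_dn]
    @encryption       = opts[:encryption]
    @login_attribute  = opts[:login_attribute]
    @ldap_server_user = opts[:ldap_server_user]   # service account DN
    @ldap_server_pass = opts[:ldap_server_pass]
  end

  def valid_credentials?(username, password)
    # Never send an empty password: the server may treat it as an
    # anonymous bind and report success for any existing user.
    return false if username.to_s.strip.empty? || password.to_s.empty?

    connection = @connection_type.new(:encryption => @encryption,
                                      :host => @server,
                                      :port => @port,
                                      :base => @base_dn)
    # Bind as the service account so the user search is authorised
    connection.auth(@ldap_server_user, @ldap_server_pass)
    # bind_as searches for the user, then re-binds with the user's password;
    # it returns the matched entries on success and false otherwise
    result = connection.bind_as(:base     => @base_dn,
                                :filter   => user_filter(@login_attribute, username),
                                :password => password)
    result ? true : false
  end
end

# Constructed in-memory directory standing in for a Net::LDAP connection.
# It deliberately accepts an empty password as an anonymous bind, which is
# exactly the server behaviour the guard above protects against.
class FakeLdap
  SERVICE_DN   = 'CN=ldap-user,CN=Users,DC=NAME,DC=LOCAL'  # made-up service DN
  SERVICE_PASS = 'service-secret'                            # made-up password
  USERS = { 'jay' => 'jay-pass', 'a*b' => 'star-pass' }.freeze  # sAMAccountName => password

  def initialize(_opts)
    @auth = nil
  end

  def auth(user, pass)
    @auth = [user, pass]
  end

  def bind_as(args)
    return false unless @auth == [SERVICE_DN, SERVICE_PASS]  # service bind must succeed first
    m = args[:filter].match(/\A\(sAMAccountName=(.*)\)\z/)
    return false unless m
    # Compare against the escaped form: a stored name containing "*" matches
    # literally, while a bare "*" typed into the login form matches nothing
    name, stored_pass = USERS.find { |n, _| ldap_filter_escape(n) == m[1] }
    return false unless name
    return false unless args[:password].to_s.empty? || args[:password] == stored_pass
    [{ :dn => "CN=#{name},CN=Users,DC=NAME,DC=LOCAL" }]
  end
end

def demo
  auth = LdapAuthenticator.new(FakeLdap,
                               :server => 'ldap.example.test', :port => 636,
                               :base_dn => 'DC=NAME,DC=LOCAL', :encryption => :simple_tls,
                               :login_attribute => 'sAMAccountName',
                               :ldap_server_user => FakeLdap::SERVICE_DN,
                               :ldap_server_pass => FakeLdap::SERVICE_PASS)
  {
    :good         => auth.valid_credentials?('jay', 'jay-pass'),
    :wrong        => auth.valid_credentials?('jay', 'wrong'),
    :empty        => auth.valid_credentials?('jay', ''),
    :wildcard     => auth.valid_credentials?('*', 'jay-pass'),
    :literal_star => auth.valid_credentials?('a*b', 'star-pass')
  }
end

puts demo.inspect if __FILE__ == $0
```

The `:empty` case is the one worth noting: FakeLdap would happily return an entry for an empty password, and only the guard in `valid_credentials?` turns that into a rejection. Likewise `:wildcard` fails because `*` reaches the filter as `\2a` rather than as a wildcard.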

Martin Sandiford

Mar 6, 2012, 10:56:13 PM
to gito...@googlegroups.com
Hi Jay,

On Tue, Mar 6, 2012 at 2:55 AM, JayP <boso...@gmail.com> wrote:
> [...]


> Here is the code that I have:
>
>        def valid_credentials?(username, password)
>          return false if password.blank?
>          @connection  = @connection_type.new({:encryption =>
> @encryption,
>                 :host => @server,
>                 :port => @port,
>                 :base => @base_dn})
>          @connection.auth(@ldap_server_user, @ldap_server_pass)
>          result = @connection.bind_as(:filter =>
> "(sAMAccountName=#{username})", :password => password)
>          result ? true : false
>        end
>
> I had to create new instance variables: @ldap_server_user and
> @ldap_server_pass which I set in authentication.yml these are
> credentials I have to use to bind to the ldap server.  Then I use the
> actual user and password for the user trying to login to bind_as which
> will validate the user.

Sorry I came to this a bit late. There is a merge request (181) to
get this into mainline here:
https://gitorious.org/gitorious/mainline/merge_requests/181

I guess this is kind of moot as you seem to have already solved your
own problem :)

Cheers,
Martin

JayP

Mar 7, 2012, 8:39:37 AM
to Gitorious
Hi Martin,

No worries.

Thanks,
Jay