1

I'm having a heck of a time getting omniauth-ldap to work properly with our AD server, and I believe it is because our usernames have our Domain Names in them.

This will successfully connect to our ldap server:

ldapsearch -h ldap.ourdomain.com -b "dc=ourdomain,dc=int" -D "OURDOMAIN\username" -w <password> '(sAMAccountName=username)'

But, these settings in OmniAuth only result in "invalid credentials"

Padrino.use OmniAuth::Strategies::LDAP,
    :host => "ldap.ourdomain.com",
    :base => "dc=OURDOMAIN,dc=INT",
    :uid => "sAMAccountName",
    :bind_dn => 'OURDOMAIN\%{username}',
    # This is hard coded for now, but I need it to be the value entered by the user
    :password => "mypassword"

UPDATE

Working on this further, I have discovered that omniauth-ldap sets the bind method to :anonymous if the :bind_dn and :password are not set.

However, it does not insert the username and does not provide the user-entered password if the values are set.

What I need is

:bind_dn => 'OURDOMAIN\<user entered username>',
:password => <user entered password>

but the password and entered username are only provided to the connection if you hard code them.

Oranges13
  • 1,084
  • 1
  • 10
  • 33

2 Answers2

1

This is primarily because of a design choice that omniauth-ldap makes. The design is that the user supplied username (email or id) is insufficient to construct a DN (distinguished name) which can be used for binding. Hence what omniauth ldap does is

  1. Call a ldap search (bind_dn and password used if anonymous search not allowed in your AD/LDAP) to extract a DN for user.
  2. Then it binds to LDAP/AP using the DN from step 1 and password entered by user.

I believe step 1) is unnecessary. Most DN can be derived from username.

Tunaki
  • 132,869
  • 46
  • 340
  • 423
punit
  • 11
  • 1
0

I had to solve this by creating a service account. That account logs in then queries for the existence and validity of the user that's actually trying to log in. The service account credentials can be set in your Omniauth configuration, and then you can utilize omniauth-ldap as you would any other omniauth methodology.

Oranges13
  • 1,084
  • 1
  • 10
  • 33