Active Directory Authentication

[iainmckenzie]

I was wondering if anyone could help?

I have been tasked at work to authenticate my "rails 3 app" with our Active Directory(Windows 2003), before accessing certain pages.

I have decided to use "devise_ldap_authenticatable", but can't seem to get it to work properly.

I keep getting redirected to the login page with the following error message showing in the logs:

"Completed 401 Unauthorized in 3ms"

Do I have to change the devise email field to a user-name in order for it to connect successfully?

Has anyone got a working config I could can look at?

My ldap.yml consists of the following:
development:
host: myip
port: 389
attribute: sAMAccountName
base: cn=Users,dc="mydomain",dc=uk,dc=com
admin_user: user
admin_password: password
ssl: false

my devise.rb consists of the following:
config.ldap_logger = true
config.ldap_config = "#{Rails.root}/config/ldap.yml"
config.ldap_use_admin_to_bind = true
config.ldap_ad_group_check = false
require 'devise/orm/active_record'
config.authentication_keys = [ :email ]
config.case_insensitive_keys = [ :email ]
config.strip_whitespace_keys = [ :email ]
config.skip_session_storage = [:http_auth]
config.stretches = Rails.env.test? ? 1 : 10
config.reconfirmable = true

my routes.rb consists of the following:

resources osts
devise_for :users
root :to => 'posts#index'
match ':controller(/:action(/:id))(.:format)'

Any help would be much appreciated!

Iain

[markbrown4]

Hi Iain,

Sorry, I don't have experience using AD authentication.
You won't find that many people doing it because Rails dev's tend to avoid Windows like the plague

I'd be trying to debug and see what's causing the 401, do some digging.

[iainmckenzie]

Hi Mark.

I am not a big Windows fan, myself. But, the company I work for have stated that it must authenticate with their AD.

When I check the logs all I can see is that 401 error and that it's hitting "Active Record."

It looks to be binding with the AD, but accessing credentials locally. If that makes sense?

Is there anything I can do to further debug?

I also found this, but not too sure how to intergrate that with my project...

https://github.com/Arcath/Adauth

[logic_earth]

Are you running under Apache or IIS? You need NTLM or Kerberos.

[iainmckenzie]

Thanks for the response. No I am currently using NGINX with passenger. Will this be an issue or is there a module NGINX will need?

[logic_earth]

Looks like someone was working on a Kerberos authication module for NGINX but it hasn't been completed.

[iainmckenzie]

Do you know if it really is a requisite to have these modules enabled? Any tutorial related to AD authentication with Rails I have read(and there isn't many) hasn't stated that the web-server requires any specific modules?

[markbrown4]

Is there anything I can do to further debug?

The first thing I would do is open the code with "bundle show devise_ldap_authenticatable" and open the directory.

ruby-debug is the most popular tool for debugging though, you can set breakpoints in your code with the 'debugger' trigger and then step through the code in a console, output variables etc.

I also found this, but not too sure how to integrate that with my project...
https://github.com/Arcath/Adauth

It doesn't have great docs, but it may still work.
http://adauth.arcath.net/

[iainmckenzie]

Thanks Mark. I had a look at the docs. But, I am unsure as to where I place the following:

"You can now authenticate users against the domain by calling:

Adauth.authenticate("Username", "Password")"

Would that be in my controller or view?

I am relatively new to rails, so, still a bit new to the MVC framework.

Iain

[markbrown4]

That type of site wide authentication could go in a before_filter in ApplicationController

http://guides.rubyonrails.org/action...w.html#filters