Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Newer
Older
100644 65 lines (49 sloc) 3.327 kb
5656da8 @pyu10055 init check in. rewrote the ldap strategy based on the omniauth 1.0
pyu10055 authored
1 # OmniAuth LDAP
2
3 == LDAP
4
5 Use the LDAP strategy as a middleware in your application:
6
7 use OmniAuth::Strategies::LDAP,
8 :title => "My LDAP",
9 :host => '10.101.10.1',
10 :port => 389,
11 :method => :plain,
12 :base => 'dc=intridea, dc=com',
13 :uid => 'sAMAccountName',
14 :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')}
15 :bind_dn => 'default_bind_dn'
16 :password => 'password'
17
a1feff7 @hube remove beta notice
hube authored
18 All of the listed options are required, with the exception of :title, :name_proc, :bind_dn, and :password.
5656da8 @pyu10055 init check in. rewrote the ldap strategy based on the omniauth 1.0
pyu10055 authored
19 Allowed values of :method are: :plain, :ssl, :tls.
20
21 :bind_dn and :password is the default credentials to perform user lookup.
22 most LDAP servers require that you supply a complete DN as a binding-credential, along with an authenticator
23 such as a password. But for many applications, you often don’t have a full DN to identify the user.
24 You usually get a simple identifier like a username or an email address, along with a password.
25 Since many LDAP servers don't allow anonymous access, search function will require a bound connection,
26 :bind_dn and :password will be required for searching on the username or email to retrieve the DN attribute
27 for the user. If the LDAP server allows anonymous access, you don't need to provide these two parameters.
28
29 :uid is the LDAP attribute name for the user name in the login form.
30 typically AD would be 'sAMAccountName' or 'UserPrincipalName', while OpenLDAP is 'uid'.
31
32 :name_proc allows you to match the user name entered with the format of the :uid attributes.
33 For example, value of 'sAMAccountName' in AD contains only the windows user name. If your user prefers using
34 email to login, a name_proc as above will trim the email string down to just the windows login name.
35 In summary, use :name_proc to fill the gap between the submitted username and LDAP uid attribute value.
36
37 :try_sasl and :sasl_mechanisms are optional. :try_sasl [true | false], :sasl_mechanisms ['DIGEST-MD5' | 'GSS-SPNEGO']
38 Use them to initialize a SASL connection to server. If you are not familiar with these authentication methods,
39 please just avoid them.
40
41 Direct users to '/auth/ldap' to have them authenticated via your company's LDAP server.
42
43
44 ## License
45
46 Copyright (C) 2011 by Ping Yu and Intridea, Inc.
47
48 Permission is hereby granted, free of charge, to any person obtaining a copy
49 of this software and associated documentation files (the "Software"), to deal
50 in the Software without restriction, including without limitation the rights
51 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
52 copies of the Software, and to permit persons to whom the Software is
53 furnished to do so, subject to the following conditions:
54
55 The above copyright notice and this permission notice shall be included in
56 all copies or substantial portions of the Software.
57
58 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
59 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
60 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
61 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
62 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
63 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
64 THE SOFTWARE.
Something went wrong with that request. Please try again.