
If the user did not set up a username or password in the LDAP configuration
hash, it will be replaced with an empty string, which is essentially the same
as binding as an anonymous user.
Also added anonymous bind for user lookup even if the default
username and password binding failed.
1 parent 6c4ca27 commit 2d84dea725841596b7652c8b53d8bdf6b0a439c3 @pyu10055 pyu10055 committed
8 oa-enterprise/lib/omniauth/strategies/ldap.rb
@@ -55,7 +55,11 @@ def callback_phase
begin
creds = session.delete 'omniauth.ldap'
@ldap_user_info = {}
- (@adaptor.bind unless @adaptor.bound?) rescue puts "failed to bind with the default credentials"
+ begin
+ (@adaptor.bind(:allow_anonymous => true) unless @adaptor.bound?)
@tanelj
tanelj added a note

Hi!
I'm trying to use this gem for LDAP authentication with GSS-SPNEGO and Devise. But it fails when a user tries to log in with username and password.

The sasl_bind_setup_gss_spnego(bind_dn, options) method returns 'invalid binding information' and the LDAP server side response is "Err:DSID-0C090627 comment: In order to perform this operation a successful bind must be completed on the connection, data.".
The reason seems to be that the provided 'dn' and password are blank, because the only provided option is ':allow_anonymous => true' in the first step (anonymous try) - in my case the 'base_dn' and 'password' params are not provided in the LDAP config.

If I comment out these lines (58-63) then authentication is successful.

Am I using this gem wrong, or is there something wrong here?

Thank you!

+ rescue Exception => e
+ puts "failed to bind with the default credentials: " + e.message
+ end
@ldap_user_info = @adaptor.search(:filter => Net::LDAP::Filter.eq(@adaptor.uid, @name_proc.call(creds['username'])),:limit => 1) if @adaptor.bound?
bind_dn = creds['username']
bind_dn = @ldap_user_info[:dn].to_a.first if @ldap_user_info[:dn]
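Review bot: the strategy hard-codes `:allow_anonymous => true` in `@adaptor.bind(:allow_anonymous => true)`, which overrides the `allow_anonymous` configuration key this same commit adds to the adaptor, so an operator cannot switch the anonymous fallback off for the user lookup; drop the option here and let `bind` fall back to the adaptor's own `@allow_anonymous`. As the inline note from @tanelj shows, this bind still runs the SASL and simple attempts with blank credentials before reaching the anonymous branch when no `bind_dn`/`password` are configured, so a guard that skips those attempts on an empty `bind_dn` would avoid the failing round trip. The `rescue Exception => e` around the bind also catches interrupts and other non-`StandardError` conditions; `rescue StandardError => e` is sufficient, and the message belongs in the adaptor's logger rather than `puts`.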
@@ -66,7 +70,7 @@ def callback_phase
@env['omniauth.auth'] = auth_hash
rescue Exception => e
- fail!(:invalid_credentials, e)
+ return fail!(:invalid_credentials, e)
end
call_app!
end
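Review bot: `return fail!(:invalid_credentials, e)` is the right fix, since without the `return` the method fell through to `call_app!` after a failed authentication; the surrounding `rescue Exception => e` is still broader than needed and would also report interrupts as `:invalid_credentials`, so narrow it to `StandardError`.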
40 oa-enterprise/lib/omniauth/strategies/ldap/adaptor.rb
@@ -15,7 +15,7 @@ class AuthenticationError < StandardError; end
class ConnectionError < StandardError; end
VALID_ADAPTER_CONFIGURATION_KEYS = [:host, :port, :method, :bind_dn, :password,
- :try_sasl, :sasl_mechanisms, :uid, :base]
+ :try_sasl, :sasl_mechanisms, :uid, :base, :allow_anonymous]
MUST_HAVE_KEYS = [:host, :port, :method, :uid, :base]
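Review bot: the new `:allow_anonymous` key is not documented in this change; add it to the strategy's option list together with its default (`false`, so existing deployments keep their behaviour) and a sentence stating that, when enabled, the user lookup can run over an anonymous session after a failed credentialed bind.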
@@ -33,15 +33,17 @@ def initialize(configuration={})
@disconnected = false
@bound = false
@configuration = configuration.dup
- @logger = @configuration.delete(:logger)
- message = []
- MUST_HAVE_KEYS.each do |name|
- message << name if configuration[name].nil?
- end
- raise ArgumentError.new(message.join(",") +" MUST be provided") unless message.empty?
+ @configuration[:allow_anonymous] ||= false
+ @logger = @configuration.delete(:logger)
+ message = []
+ MUST_HAVE_KEYS.each do |name|
+ message << name if configuration[name].nil?
+ end
+ raise ArgumentError.new(message.join(",") +" MUST be provided") unless message.empty?
VALID_ADAPTER_CONFIGURATION_KEYS.each do |name|
instance_variable_set("@#{name}", configuration[name])
end
+
end
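Review bot: `@configuration[:allow_anonymous] ||= false` has no effect on the instance variable, because the `VALID_ADAPTER_CONFIGURATION_KEYS.each` loop below reads `configuration[name]` (the caller's hash), not `@configuration`, so `@allow_anonymous` stays `nil` when the key is absent. It is falsy either way, but set the default on the same hash the loop reads (or read `@configuration[name]` in the loop) so the default is real. The six lines from `@logger = @configuration.delete(:logger)` through the `raise ArgumentError` are removed and re-added unchanged except for indentation, which buries the single real change in whitespace noise, and a stray blank line is added before `end`.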
def connect(options={})
@@ -81,14 +83,21 @@ def bind(options={})
bind_dn = (options[:bind_dn] || @bind_dn).to_s
try_sasl = options.has_key?(:try_sasl) ? options[:try_sasl] : @try_sasl
-
+ if options.has_key?(:allow_anonymous)
+ allow_anonymous = options[:allow_anonymous]
+ else
+ allow_anonymous = @allow_anonymous
+ end
# Rough bind loop:
# Attempt 1: SASL if available
# Attempt 2: SIMPLE with credentials if password block
+ # Attempt 3: SIMPLE ANONYMOUS if 1 and 2 fail and allow anonymous is set to true
if try_sasl and sasl_bind(bind_dn, options)
- puts "bind with sasl"
+ puts "bound with sasl"
elsif simple_bind(bind_dn, options)
- puts "bind with simple"
+ puts "bound with simple"
+ elsif allow_anonymous and bind_as_anonymous(options)
+ puts "bound as anonymous"
else
message = yield if block_given?
message ||= ('All authentication methods for %s exhausted.') % target
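Review bot: with `allow_anonymous` set, a failed SASL and simple bind now silently degrade into an anonymous session and `@bound` becomes true, so every later `search` (including the user lookup in the strategy) runs with anonymous privileges; log the fallback at warning level through the `@logger` stored in `initialize` instead of `puts "bound as anonymous"`, so operators can detect misconfigured service credentials, and consider only falling back when no `bind_dn` was supplied, so a wrong password on a configured service account does not quietly become an anonymous bind.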
@@ -242,12 +251,19 @@ def simple_bind(bind_dn, options={})
args = {
:method => :simple,
:username => bind_dn,
- :password => options[:password]||@password,
+ :password => (options[:password]||@password).to_s,
}
+ begin
execute(:bind, args)
true
+ rescue Exception
+ false
end
-
+ end
+ def bind_as_anonymous(options={})
+ execute(:bind, {:method => :anonymous})
+ true
+ end
def construct_uri(host, port, ssl)
protocol = ssl ? "ldaps" : "ldap"
URI.parse("#{protocol}://#{host}:#{port}").to_s
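Review bot: `(options[:password]||@password).to_s` turns a missing password into the empty string, and a simple bind with a non-empty DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that many directories report as success; `simple_bind` should return `false` when the password is empty rather than send the request, leaving the explicit anonymous branch as the only way to get an anonymous session. `bind_as_anonymous` also lacks the `rescue` that `simple_bind` now has, so a rejected anonymous bind raises out of `bind` instead of reaching the `'All authentication methods for %s exhausted.'` message. Finally, `rescue Exception` in `simple_bind` should be `rescue StandardError`.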

0 comments on commit 2d84dea