Checking group membership in rails devise ldap gem, is it in the yaml?

Am I supposed to be using the ldap.yml file to make sure who's authenticating with ldap has the right groups assigned to them to allow them in?

I am not an AD pro by any means and this is confusing me... what's a group and attribute? From what I understand, we have a user in AD, they have a sAMAccountName, I can get it to let them into the app but it doesn't care at this point what their groups are. It's a specialized app and really those that have a memberOf attribute of:

```
HD Admin
HD Helper
HD Reset
Security
```

should all be allowed into the app. I also (after using Apache Directory Studio) have realized that there are many memberOf entries:

Bob for instance might have two memberOf entries:

```
memberOf CN=Security,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu
memberOf CN=HD Admin, OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu
```

So how would my yaml look and is that the right spot to do these things?

```yaml
authorizations: &AUTHORIZATIONS
  group_base: OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=nmsu,DC=edu
  ## Requires config.ldap_check_group_membership in devise.rb be true
  # Can have multiple values, must match all to be authorized
  required_groups:
    # If only a group name is given, membership will be checked against "uniqueMember"
    - CN=HD Admin
    - CN=HD Reset
    - CN=Security
    # If an array is given, the first element will be the attribute to check against, the second the group name
    - ["memberOf", "CN=HD Admin,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu"]
    - ["memberOf", "CN=HD Helper,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu"]
    - ["memberOf", "CN=HD Reset,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu"]
    - ["memberOf", "CN=Security,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu"]
  require_attribute:
    memberOf: HD Admin
```

I couldn't get the required attributes to work, so am I off base? Is there some way to do this in the devise scaffolding that was built from the ldap devise gem? Because it really is that they can be any of those groups, so an OR; they don't have to be in all of them to be let into the app.

At least, maybe, is the yaml the place or not the place to try this?

Update:

I did try it with the arrays I mentioned above, and the `config.ldap_check_group_membership = true;`, and it does not let me in no matter what now, so it's either all or nothing. Even took all the memberOf arrays down to one I know my test user has and it still doesn't let me in.

I also wanted to ask, should I just keep the following development: line and deal with all the checking of roles in code (and is there any sort of link on how to do that), maybe I guess an API document (probably on github somewhere), though it might just be easier to hand-code all the checking etc... means I will have to become much more familiar with devise too.

I should add the rest of my ldap.yml that is important:

```yaml
development:
  host: directory.ldapstuff.com
  port: 636
  attribute: sAMAccountName
  base: OU=Main Users, OU=Accounts, DC=ACN, DC=ad, DC=tdsu, DC=edu
  admin_user: CN=EASApps, OU=LDAP, OU=Service Accounts, DC=ACN, DC=ad, DC=tdsu, DC=edu
  admin_password: asfssfaf
  ssl: true
  # <<: *AUTHORIZATIONS
```
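As an added illustration of the "any of these groups" check the question asks about, here is a small Ruby example written for this page. It is not code from the question or from the devise_ldap_authenticatable gem, and the method names (`normalize_dn`, `member_of_any?`, `member_of_all?`) and sample `memberOf` values are constructed here. It shows why the spacing seen in the question's DNs (a leading space inside the quoted config value, a space after a comma in the directory output) breaks a naive string comparison, and how an OR check over `memberOf` differs from a "must match all" list.

```ruby
# Added example (not the gem's API): OR-style group authorization over a user's
# memberOf values, with DN normalization so cosmetic spacing/case differences
# between the configured DNs and what AD returns do not cause false denials.

# Normalize a distinguished name for comparison: trim the string, drop
# whitespace around ',' and '=', and lower-case everything. Full LDAP DN
# matching rules are more involved, but this covers the spacing and case
# variants that typically appear in AD exports and hand-typed configs.
def normalize_dn(dn)
  dn.strip
    .split(/\s*,\s*/)
    .map { |rdn| rdn.split(/\s*=\s*/, 2).map(&:strip).join('=') }
    .join(',')
    .downcase
end

# True when the user is in AT LEAST ONE of the required groups (OR semantics).
def member_of_any?(member_of_values, required_group_dns)
  have = member_of_values.map { |dn| normalize_dn(dn) }
  required_group_dns.any? { |dn| have.include?(normalize_dn(dn)) }
end

# True only when the user is in EVERY required group ("must match all").
def member_of_all?(member_of_values, required_group_dns)
  have = member_of_values.map { |dn| normalize_dn(dn) }
  required_group_dns.all? { |dn| have.include?(normalize_dn(dn)) }
end

# Constructed group DNs mirroring the groups named in the question.
GROUP_BASE = 'OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu'.freeze
ALLOWED_GROUPS = ['HD Admin', 'HD Helper', 'HD Reset', 'Security']
                 .map { |cn| "CN=#{cn},#{GROUP_BASE}" }.freeze

# Constructed memberOf values as a directory browser might show them,
# including the space after a comma that appears in the question's output.
BOB_MEMBER_OF = [
  'CN=Security,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu',
  'CN=HD Admin, OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu'
].freeze
ALICE_MEMBER_OF = [
  'CN=Printer Users,OU=Groups,OU=Accounts,DC=ACN,DC=ad,DC=tdsu,DC=edu'
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "bob allowed (any)?   #{member_of_any?(BOB_MEMBER_OF, ALLOWED_GROUPS)}"
  puts "bob allowed (all)?   #{member_of_all?(BOB_MEMBER_OF, ALLOWED_GROUPS)}"
  puts "alice allowed (any)? #{member_of_any?(ALICE_MEMBER_OF, ALLOWED_GROUPS)}"
  # A plain string comparison against a configured value with a stray leading
  # space silently fails; normalization is what makes the check robust.
  puts "naive exact match?   #{BOB_MEMBER_OF.include?(" CN=HD Admin,#{GROUP_BASE}")}"
end
```

Run as a script it prints true, false, false, false for the four lines: Bob passes the OR check because he holds one of the allowed groups, fails the "all groups" check, and the un-normalized comparison misses his `HD Admin` membership entirely.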