我正在使用Devise 3.5.2对Rails 4.2.4上的devise_ldap_authenticable gem进行身份验证。我已经从发布的0.8.5 gem转移到github master级别(0.8.6)。
据我所知,LDAP插件身份验证代码未运行。它没有写任何日志消息。
我之前获得了常规数据库身份验证,可以使用此应用程序。我现在正试图让LDAP身份验证工作。
例如:
Started POST "/users/sign_in" for ::1 at 2015-11-23 16:05:14 -0500
ActiveRecord::SchemaMigration Load (87.6ms) SELECT schema_migrations.* FROM schema_migrations
Processing by Devise::SessionsController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"Mos...w==", "user"=>{"login"=>"leonsp", "password"=>"...", "remember_me"=>"0"}}
Completed 401 Unauthorized in 95ms (ActiveRecord: 0.0ms)
那里应该有LDAP日志消息。
我的用户模型:
class User < ActiveRecord::Base
# Include default devise modules. Others available are:
# :confirmable, :lockable, :timeoutable and :omniauthable
#
# :database_authenticable is not enabled
devise :ldap_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable,
:confirmable, :lockable, :zxcvbnable
attr_accessible :email, :userid, :shortuserid, :login # etc...
# Virtual attribute for authenticating by either userid or email
# This is in addition to a real persisted field like 'userid'
attr_accessor :login
# ...
def self.find_for_database_authentication(warden_conditions)
Rails.logger.debug "Finding for database authentication"
conditions = warden_conditions.dup
login = conditions.delete(:login).try(:downcase)
if login.present?
Rails.logger.debug "Finding by login #{login}"
where(conditions.to_hash).find_by([
"lower(userid) = :value OR lower(shortuserid) = :value OR lower(email) = :value", { value: login }
])
else
Rails.logger.debug "Finding by conditions #{login}"
find_by(conditions.to_hash)
end
end
def self.find_for_ldap_authentication(warden_conditions)
Rails.logger.debug "Finding for ldap authentication"
conditions = warden_conditions.dup
login = conditions.delete(:login).try(:downcase)
if login.present?
Rails.logger.debug "Finding by login #{login}"
if login.include? "@"
conditions[:email] = login
super conditions
else
conditions[:userid] = login
super conditions
end
else
Rails.logger.debug "No login. Using default behaviour"
super
end
end
# ...
这是Devise的初始化程序。我在调试时在前面添加了monkeypatch:
module Devise
module Strategies
class LdapAuthenticatable < Authenticatable
def authenticate!
Rails.logger.debug "=== Starting LDAP Authentication ==="
super
Rails.logger.debug "=== Done LDAP Authentication ==="
end
end
end
end
# Use this hook to configure devise mailer, warden hooks and so forth.
# Many of these configuration options can be set straight in your model.
Devise.setup do |config|
# TODO: https://github.com/cschiewek/devise_ldap_authenticatable/issues/153
# ==> LDAP Configuration
# config.ldap_logger = true
# config.ldap_create_user = false
# config.ldap_update_password = true
# config.ldap_config = "#{Rails.root}/config/ldap.yml"
# config.ldap_check_group_membership = false
# config.ldap_check_group_membership_without_admin = false
# config.ldap_check_attributes = false
# config.ldap_use_admin_to_bind = false
# config.ldap_ad_group_check = false
config.ldap_logger = true
config.ldap_create_user = true
config.ldap_update_password = true
config.ldap_use_admin_to_bind = true
config.ldap_auth_username_builder = proc do |attribute, login, ldap|
username_string = "#{attribute}=#{login},#{ldap.base}"
Rails.logger.debug "Generated username as #{username_string}"
username_string
end
# ==> Configuration for any authentication mechanism
# Configure which keys are used when authenticating a user. The default is
# just :email. You can configure it to use [:username, :subdomain], so for
# authenticating a user, both parameters are required. Remember that those
# parameters are used only when authenticating and not when retrieving from
# session. If you need permissions, you should implement that in a before filter.
# You can also supply a hash where the value is a boolean determining whether
# or not authentication should be aborted when the value is not present.
config.authentication_keys = [:login, :email, :userid]
# ...
我可以使用ldapsearch:
ldapsearch -x -W -D "cn=admin,dc=my_domain,dc=com" -H ldap://my_hostname.my_domain.com "(cn=leonsp)"
这是ldap.yml:
的相应配置## Authorizations
# Uncomment out the merging for each environment that you'd like to include.
# You can also just copy and paste the tree (do not include the "authorizations") to each
# environment if you need something different per environment.
authorizations: &AUTHORIZATIONS
allow_unauthenticated_bind: false
group_base: ou=groups,dc=my_domain,dc=com
## Requires config.ldap_check_group_membership in devise.rb be true
# Can have multiple values, must match all to be authorized
required_groups:
## Requires config.ldap_check_attributes in devise.rb to be true
## Can have multiple attributes and values, must match all to be authorized
require_attribute:
objectClass: inetOrgPerson
## Environment
development:
host: ldap://my_hostname.my_domain.com
port: 389
attribute: cn
base: dc=my_domain,dc=com
admin_user: cn=admin,dc=my_domain,dc=com
admin_password: ...
ssl: none
# <<: *AUTHORIZATIONS
我是否认为Devise的LDAP插件代码没有运行?
为什么不运行?
为什么我的调试语句没有到达?
我可以用调试语句进行monkeypatch以调试问题吗?
我可以收集哪些其他诊断信息?
编辑:我正在使用byebug调试程序跟踪执行情况。到目前为止,我可以告诉:ldap_authenticable在登录时显示在策略列表中,但似乎没有导致任何:ldap_authenticable特定代码执行。
答案 0 :(得分:3)
主要问题是我在config.authentication_keys中添加了可选参数。这使Devise::Strategies#parse_authentication_key_values无声地失败。只有强制性参数才应包含在authentication_keys。
与应用程序相关的其他问题旨在允许用户使用其用户名或电子邮件地址登录。为了允许用户使用其中任何一个登录,我必须:
login_with模型User
self.find_for_ldap_authentication模型User
attr_accessor :login重命名为attr_accessor :username,以便更好地将其与宝石中:login的不同含义区分开来最后一个问题:请勿在{{1}}的主机属性中包含协议(例如ldaps://)
答案 1 :(得分:0)
对于那些仍然来到这个线程的人,我能够通过下载到gem版本0.8.4来实现它。