peelman/devise_ldap_authenticatable
Devise LDAP Authenticatable


This is a fork of https://github.com/cschiewek/devise_ldap_authenticatable intended to be used simultaneously with database_authenticatable.

To use it:

  • add t.database_authenticatable :null => true, :default => nil to your users migration. The :default => nil is needed because t.database_authenticatable otherwise defaults email to an empty string, and the second LDAP-only user without an email would then violate the unique index on email.
  • add t.ldap_authenticatable :null => false to your users migration
  • add devise :database_authenticatable, :ldap_authenticatable to your user model (ldap after db)
  • put database_authenticatable in pole position in the warden stack so it is tried before ldap: at the bottom of the devise initializer (config/initializers/devise.rb), inside the config.warden block where manager is available, add manager.default_strategies(:scope => :user).unshift :database_authenticatable
  • override valid_password? in your user model to rescue an invalid hash. DB auth tries to authenticate first; when it meets an LDAP user, who has no password_salt, BCrypt raises, and we want to silence that and return false so the LDAP strategy gets its turn:

```ruby
# LDAP users have no salt, so we rescue BCrypt::Errors::InvalidHash
def valid_password?(password)
  super
rescue BCrypt::Errors::InvalidHash
  false
end
```

plus any other steps the original ldap_authenticatable required, as explained further down in this README.
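The steps above wire two strategies into one warden chain, and the interesting behaviour is what happens at the seam between them. The plain-Ruby script below is an added example, not code from this fork or from Devise: it simulates that chain offline. PBKDF2 over OpenSSL stands in for BCrypt (raising an InvalidHash error for a nil or malformed stored hash, the way BCrypt::Password.new does), an in-memory table stands in for the LDAP bind, and the user records are constructed. The names authenticate, PasswordHash, LDAP_DIRECTORY and demo are the example's own.

```ruby
require "openssl"
require "securerandom"

# Stand-in for BCrypt::Errors::InvalidHash: raised when the stored value is not a
# hash this verifier understands (nil for LDAP-only users, or a corrupted column).
class InvalidHash < StandardError; end

# PBKDF2-HMAC-SHA256 stand-in for BCrypt so the script runs on the Ruby stdlib alone.
# Stored format (this example's own): "pbkdf2$<16-byte salt hex>$<32-byte key hex>".
module PasswordHash
  ITERATIONS = 20_000
  FORMAT = /\Apbkdf2\$(\h{32})\$(\h{64})\z/

  def self.create(password)
    salt = SecureRandom.random_bytes(16)
    "pbkdf2$#{salt.unpack1('H*')}$#{derive(password, salt).unpack1('H*')}"
  end

  # Mirrors BCrypt::Password.new(stored) == password: raises on a malformed or nil stored hash.
  def self.valid?(stored, password)
    m = FORMAT.match(stored.to_s) or raise InvalidHash, "stored value is not a password hash"
    salt, expected = [m[1]].pack("H*"), [m[2]].pack("H*")
    secure_equal?(derive(password, salt), expected)
  end

  def self.derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new("SHA256"))
  end

  # Constant-time comparison so a wrong password costs the same wherever it differs.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Minimal user record; encrypted_password is nil for LDAP-only accounts (the :null => true column).
User = Struct.new(:login, :encrypted_password) do
  # Same shape as the README override: let the DB check raise on a missing or invalid hash,
  # rescue only that error, and answer false so warden moves on to the next strategy.
  def valid_password?(password)
    PasswordHash.valid?(encrypted_password, password)
  rescue InvalidHash
    false
  end
end

# Constructed in-memory stand-in for the LDAP bind; a deployment would call Net::LDAP#bind.
LDAP_DIRECTORY = { "bob" => "bob-ldap-pw" }.freeze

def ldap_bind?(login, password)
  LDAP_DIRECTORY.key?(login) && PasswordHash.secure_equal?(LDAP_DIRECTORY[login], password)
end

# Warden runs strategies in order; one that fails without halting lets the next one run.
STRATEGIES = %i[database_authenticatable ldap_authenticatable].freeze

# Returns [login, winning_strategy] on success or [nil, failure_reason] otherwise.
def authenticate(users, login, password)
  user = users[login] or return [nil, :not_found_in_database]
  STRATEGIES.each do |strategy|
    ok = case strategy
         when :database_authenticatable then user.valid_password?(password)
         when :ldap_authenticatable     then ldap_bind?(login, password)
         end
    return [user.login, strategy] if ok
  end
  [nil, :invalid]
end

# Constructed sample users: alice is a DB account, bob is LDAP-only, carol has a corrupted hash.
USERS = {
  "alice" => User.new("alice", PasswordHash.create("alice-db-pw")),
  "bob"   => User.new("bob", nil),
  "carol" => User.new("carol", "not-a-hash"),
}.freeze

def demo
  {
    alice_db:     authenticate(USERS, "alice", "alice-db-pw"), # DB strategy wins, LDAP never consulted
    bob_ldap:     authenticate(USERS, "bob", "bob-ldap-pw"),   # nil hash rescued, LDAP bind succeeds
    bob_wrong:    authenticate(USERS, "bob", "nope"),          # both strategies fail
    carol_broken: authenticate(USERS, "carol", "anything"),    # invalid hash rescued, not in LDAP
    alice_wrong:  authenticate(USERS, "alice", "nope"),        # DB fails, LDAP bind still attempted
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Two things the simulation makes visible. First, the rescue must stay as narrow as the README shows it: rescuing StandardError instead would turn any bug in the DB check into a silent "invalid password" and a fall-through to LDAP. Second, because a failed database_authenticatable does not halt the chain, a wrong DB password for a DB-backed account (alice_wrong above) still results in an LDAP bind attempt for that login; with this ordering, a login is reachable through whichever of the two stores accepts the password.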

Notable differences from the original:

  • updated to devise 1.3.4

Tested on MRI 1.9.2 and REE 1.8.7.

Original README

Devise LDAP Authenticatable is a LDAP based authentication strategy for the Devise authentication framework.

If you are building applications for use within your organization which require authentication and you want to use LDAP, this plugin is for you.

Devise LDAP Authenticatable works as a replacement for Database Authenticatable. This devise plugin has not been tested with DatabaseAuthenticatable enabled at the same time. It is meant as a drop-in replacement for DatabaseAuthenticatable, allowing for a semi single sign-on approach.

For a screencast with an example application, please visit: http://random-rails.blogspot.com/2010/07/ldap-authentication-with-devise.html

Prerequisites

  • devise ~> 3.0.0 (which requires rails ~> 4.0)
  • net-ldap ~> 0.3.1

Note: Rails 3.x / Devise 2.x support has been moved to the 0.7 branch. All 0.7.x gems will support Rails 3, whereas 0.8.x will support Rails 4.

Usage

In the Gemfile for your application:

gem "devise_ldap_authenticatable" 

To get the latest version, pull directly from github instead of the gem:

gem "devise_ldap_authenticatable", :git => "git://github.com/cschiewek/devise_ldap_authenticatable.git" 

Setup

Run the rails generators for devise (please check the devise documents for further instructions)

```sh
rails generate devise:install
rails generate devise MODEL_NAME
```

Run the rails generator for devise_ldap_authenticatable

rails generate devise_ldap_authenticatable:install [options] 

This will install the sample.yml, update the devise.rb initializer, and update your user model. There are some options you can pass to it:

Options:

  • --user-model=USER_MODEL  Model to update (default: user)
  • --update-model           Update the model to change from database_authenticatable to ldap_authenticatable (default: true)
  • --add-rescue             Update the Application Controller with rescue_from for DeviseLdapAuthenticatable::LdapException (default: true)
  • --advanced               Add advanced config options to the devise initializer

Querying LDAP

Given that ldap_create_user is set to true and you are authenticating with username, you can query an LDAP server for other attributes.

in your user model:

```ruby
before_save :get_ldap_email

def get_ldap_email
  self.email = Devise::LDAP::Adapter.get_ldap_param(self.username, "mail")
end
```

Configuration

In initializer config/initializers/devise.rb :

  • ldap_logger (default: true)

    • If set to true, will log LDAP queries to the Rails logger.
  • ldap_create_user (default: false)

    • If set to true, all valid LDAP users will be allowed to login and an appropriate user record will be created. If set to false, you will have to create the user record before they will be allowed to login.
  • ldap_config (default: #{Rails.root}/config/ldap.yml)

    • Where to find the LDAP config file. Commented out to use the default, change if needed.
  • ldap_update_password (default: true)

    • When doing password resets, if true, will update the LDAP server. Requires the admin password in ldap.yml, so protect that file accordingly.
  • ldap_check_group_membership (default: false)

    • When set to true, the user trying to log in will be checked to make sure they are in all of the groups specified in the ldap.yml file.
  • ldap_check_attributes (default: false)

    • When set to true, the user trying to log in will be checked to make sure they have all of the attributes specified in the ldap.yml file.
  • ldap_use_admin_to_bind (default: false)

    • When set to true, the admin user will be used to bind to the LDAP server during authentication.

Advanced Configuration

These parameters will be added to config/initializers/devise.rb when you pass the --advanced switch to the generator:

  • ldap_auth_username_builder (default: Proc.new() {|attribute, login, ldap| "#{attribute}=#{login},#{ldap.base}" })

    • You can pass a proc to the username option to explicitly specify the format in which a user's DN is searched for on your LDAP server.
  • ldap_auth_password_build (default: Proc.new() {|new_password| Net::LDAP::Password.generate(:sha, new_password) })

    • Optionally you can define a proc to create a custom password encoding when a user resets their password.
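Both procs above build strings that the LDAP server will parse, which is where a practitioner wants to look twice. The script below is an added example in plain Ruby and is not code from the gem: a Struct stands in for the ldap connection object the username builder receives (only its base is used), and stdlib digests stand in for Net::LDAP::Password.generate. It shows that the default username builder interpolates the login straight into the DN, so a login containing DN metacharacters such as "," or "=" changes which entry is looked up, while escaping the RDN value per RFC 4514 keeps the login a single attribute value (net-ldap ships Net::LDAP::DN.escape for the same purpose). For the password builder, it shows that :sha yields an unsalted {SHA} value, identical for identical passwords, beside the salted {SSHA} encoding that OpenLDAP also accepts (and that Net::LDAP::Password.generate(:ssha, ...) produces in versions that support it). The function and constant names are the example's own.

```ruby
require "digest/sha1"
require "securerandom"

# Stand-in for the connection object passed to the builder; only .base is used here.
LdapConn = Struct.new(:base)

# Escape one RDN attribute value per RFC 4514 (hand-rolled; Net::LDAP::DN.escape does the same).
def escape_rdn_value(value)
  s = value.gsub(/[\\,+"<>;=]/) { |c| "\\#{c}" } # metacharacters anywhere in the value
  s = s.sub(/\A#/) { "\\#" }                     # leading '#'
  s = s.sub(/\A /) { "\\ " }                     # leading space
  s = s.sub(/(?<!\\) \z/) { "\\ " }              # trailing space
  s.gsub("\0") { "\\00" }                        # NUL
end

# The default username builder from the README: the login is interpolated unescaped.
DEFAULT_USERNAME_BUILDER = Proc.new { |attribute, login, ldap| "#{attribute}=#{login},#{ldap.base}" }

# Hardened variant: whatever the login contains, it can only ever be the value of the first RDN.
ESCAPING_USERNAME_BUILDER = Proc.new do |attribute, login, ldap|
  "#{attribute}=#{escape_rdn_value(login)},#{ldap.base}"
end

# {SHA}: base64(sha1(password)), no salt. This is the :sha scheme's format.
def sha_password(new_password)
  "{SHA}" + [Digest::SHA1.digest(new_password.b)].pack("m0")
end

# {SSHA}: base64(sha1(password + salt) + salt); the salt is stored after the 20-byte digest.
def ssha_password(new_password, salt = SecureRandom.random_bytes(8))
  "{SSHA}" + [Digest::SHA1.digest(new_password.b + salt) + salt].pack("m0")
end

# Verify an {SSHA} value, reading the salt back out of the stored string.
def ssha_valid?(stored, password)
  return false unless stored.start_with?("{SSHA}")
  raw = stored[6..-1].unpack1("m0")
  digest, salt = raw[0, 20], raw[20..-1]
  return false if digest.nil? || digest.bytesize != 20 || salt.nil?
  candidate = Digest::SHA1.digest(password.b + salt)
  candidate.bytes.zip(digest.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
rescue ArgumentError # malformed base64
  false
end

# Drop-in shape for the ldap_auth_password_build proc in the devise initializer.
SSHA_PASSWORD_BUILDER = Proc.new { |new_password| ssha_password(new_password) }

if $PROGRAM_NAME == __FILE__
  conn = LdapConn.new("dc=example,dc=com")
  puts DEFAULT_USERNAME_BUILDER.call("uid", "alice,ou=admins", conn)
  puts ESCAPING_USERNAME_BUILDER.call("uid", "alice,ou=admins", conn)
  puts sha_password("s3cret"), SSHA_PASSWORD_BUILDER.call("s3cret")
end
```

Whichever builder you choose, the password written by ldap_update_password goes to the server over the admin bind configured in ldap.yml, so the stronger encoding only helps if that channel is TLS-protected as well.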

Troubleshooting

Using a "username" instead of an "email": The field used for logins is the first key configured under config.authentication_keys in config/initializers/devise.rb, which by default is email. For help changing this, please see the Railscast that goes through how to customize Devise.

SSL certificate invalid: If you're using a test LDAP server running a self-signed SSL certificate, make sure the appropriate root certificate is installed on your system. Alternately, you may temporarily disable certificate checking for SSL by modifying your system LDAP configuration (e.g., /etc/openldap/ldap.conf or /etc/ldap/ldap.conf) to read TLS_REQCERT never. Be aware that this turns off server verification for every LDAP client on that host, so a bind (and the user password it carries) can be intercepted; keep it to throwaway test setups and revert it afterwards.

Discussion Group

For additional support, questions or discussions, please see the discussion forum on Google Groups

Development guide

To contribute to devise_ldap_authenticatable, you should be able to run a test OpenLDAP server. Specifically, you need the slapd, ldapadd, and ldapmodify binaries.

This seems to come out of the box with Mac OS X 10.6.

On Ubuntu (tested on 12.04 and 12.10), you can run sudo apt-get install slapd ldap-utils. You will also likely have to add the spec/ldap directory of your local git clone to the slapd apparmor profile /etc/apparmor.d/usr.sbin.slapd if you get permissions errors. Something like this should do:

/path/to/devise_ldap_authenticatable/spec/ldap/** rw,

To start hacking on devise_ldap_authenticatable, clone the github repository, start the test LDAP server, and run the rake test task:

```sh
git clone https://github.com/cschiewek/devise_ldap_authenticatable.git
cd devise_ldap_authenticatable
bundle install
# in a separate console or backgrounded
./spec/ldap/run-server
bundle exec rake db:migrate   # first time only
bundle exec rake spec
```

References

Released under the MIT license

Copyright (c) 2012 Curtis Schiewek, Daniel McNevin, Steven Xu
